Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winweb Security scroll bar icon


  • Please log in to reply
8 replies to this topic

#1 jpietrykowski

jpietrykowski

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 03 December 2008 - 05:11 PM

I'm sure this has been answered already in a previous thread, but I'm a brand new user and with being at work, am unable to search thru all previous topics to find the answer. Please bare with me.

I'm on a community work computer. At some point in the past 2 days, the computer got infected with the Winweb Security Virus. Due to the lack of computer knowledge my staff has, they kept tinkering around with the Winweb virus scans.....over, and over, and over again.

I have installed the Malwarebytes' Anit-Malware that has been suggested on this site. Followed all the steps. Various files were detected and quarantined. Did the reboot that was suggested, and the scroll bar icon was still present. (its the icon that looks like Symantec Anti-Virus, only upright and with slanted black stripes).

Removed all the old Java installs, and installed the newest Java update. Did a reboot, and this scroll bar icon is still present.

Did another scan with Malwarebytes, and then updated my Virus Definitions for live update, and did a full system virus scan. Did a full reboot of the computer once more, and this Icon is still located on the computer.

I've done searches, control panel searches, and cannot locate anywhere on the computer where I can delete this icon. It won't allow me to right click on it and delete it either. Roughly every 45 seconds a pop up in regards to Winweb Security happens.

Can someone walk me thru how to fix this problem, and rid the system of this icon/virus?

Thank you in advance.

BC AdBot (Login to Remove)

 


#2 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:07:29 PM

Posted 03 December 2008 - 05:14 PM

Can you post that MBAM log for staff review? You can find the log under the Logs tab of MBAM. Open up the log (it should open as a .txt file), then copy and paste it in your next reply.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#3 jpietrykowski

jpietrykowski
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 03 December 2008 - 05:22 PM

I have 3 logs. I'll post all three, and separate them with "bold" numeric order. Sorry if posting all 3 is excessive reading, for someone to get to the route of the computer issue.

#1

Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

12/3/2008 12:56:09 PM
mbam-log-2008-12-03 (12-56-09).txt

Scan type: Quick Scan
Objects scanned: 54915
Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 12

Memory Processes Infected:
C:\Program Files\GetModule\GetModule30.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule30 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\manager\Local Settings\Temp\orz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Local Settings\Temp\wJQs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Local Settings\Temporary Internet Files\Content.IE5\GK43HUNO\taskmgr[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule30.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\manager\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv941228088431.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


#2

Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

12/3/2008 1:05:23 PM
mbam-log-2008-12-03 (13-05-23).txt

Scan type: Quick Scan
Objects scanned: 54984
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#3

Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

12/3/2008 2:10:49 PM
mbam-log-2008-12-03 (14-10-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 90533
Time elapsed: 22 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.

#4 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:07:29 PM

Posted 04 December 2008 - 01:18 PM

Ack! I'll find help for you as no one as picked yours up.

While I'm at that, please update MBAM (Version 1.31, Database 1460) and do a full scan. Post those results afterwards.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#5 jpietrykowski

jpietrykowski
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 04 December 2008 - 02:28 PM

this is what I got for you. going to do a restart now to finish the process.


Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 1:19:13 PM
mbam-log-2008-12-04 (13-19-13).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 91214
Time elapsed: 21 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Delete on reboot.

#6 jpietrykowski

jpietrykowski
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 04 December 2008 - 02:37 PM

did the restart, and as everything was booting up it was there once again. wish I could do a screen shot for you, but I'm sure you're well aware of what the scroll bar icon looks like, as well as what the pop ups say/show.

but as programs are booting up from the restart, it goes right into the fake virus scan. close it, and then the pop ups start all over again. Can't locate it in the task manager, can't locate it on the computer in the control panel, and doing virus scans isn't working either.

I'm running Internet Explorer and the IT department at corp. refuses to allow me to install FireFox or any other system on the computer besides Internet Explorer.

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 04 December 2008 - 04:38 PM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 jpietrykowski

jpietrykowski
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 04 December 2008 - 07:38 PM

Everything seems to be fixed at face value. No pops, not scroll bar icon. Thank you very much for you help. Here is the Scan Log Results.




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/04/2008 at 06:15 PM

Application Version : 4.22.1014

Core Rules Database Version : 3663
Trace Rules Database Version: 1643

Scan type : Complete Scan
Total Scan Time : 00:25:15

Memory items scanned : 551
Memory threats detected : 1
Registry items scanned : 5203
Registry threats detected : 13
File items scanned : 36600
File threats detected : 2

Rogue.WinWebSecurity
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\579021166\224446760.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\579021166\224446760.EXE
[224446760] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\579021166\224446760.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}#ThreadingModel
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}\InProcServer32
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}\ProgID
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}\TypeLib
HKCR\CLSID\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}\Version
HKCR\BHOws.TBHOws
HKCR\TypeLib\{66B4B3C3-689F-488A-AA87-3D01A6B50E2A}
C:\WINDOWS\SYSTEM32\WS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}
HKU\S-1-5-21-1343024091-162531612-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 05 December 2008 - 02:27 AM

Please run this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users