
WINWEB Malware



#1 therocher

therocher

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 08 December 2008 - 05:43 AM

I ran Malwarebytes' Anti-Malware scan as instructed 5 times.

The first time it found 54 objects infected and says it successfully removed them. The WINWEB intrusions continued and the WINWEB icon continued to reside on the Quick Launch task bar.

The next four times it only found one object infected (HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1), the same one each time and said it successfully removed it. Obviously, it didn't. The intrusions and the icon remain.

I sure could use some help.

Thanx.



#2 TSalarek

TSalarek

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Kentucky and Florida, USA
  • Local time:10:05 PM

Posted 08 December 2008 - 08:38 PM

WINWEB removal @ BC

WINWEB @ MBAM forums

WINWEB fact sheet @ PCThreat.com

It's a variant of Zlob/Zotob, a particularly nasty bug.

see also:

(Help me Remove) VirusResponse Lab 2009 @ BC multiple Zlob/Zotob info links on here, I didn't feel like reposting them ;)

Try stopping the WINWEB services before scan and see if that makes any difference. Good luck!!

#3 therocher


Posted 09 December 2008 - 12:13 AM

TSalarek........thank you for your reply. I am so grateful for anyone offering to help.

Unfortunately, I went to all the sites that you sent me and I am no further on than before. I couldn't find anything that led me to eliminating WinWeb. It keeps attacking and attacking.

I've run Malwarebytes many times and, as I said, it cannot remove WinWeb.

I tried Spyhunter and its scan runs into an undefined error and aborts.

I am not experienced at this kind of thing and I am totally lost.

What do I do?

Thanx,

Peter

#4 TSalarek


Posted 09 December 2008 - 12:23 AM

these are the specific files to delete:

WinwebSecurity.exe
Setup[1].exe
1818636568.exe

and these are the processes to stop in order to debug:

WinwebSecurity.exe
Setup[1].exe
1818636568.exe

Open MBAM and select the Update tab. Update from malwarebytes.org. When it's done, delete the top three files above and manually terminate the second three services in Task Manager (right click, stop)

then run MBAM (quick scan in normal boot or full scan in safe mode)

#5 therocher


Posted 09 December 2008 - 12:33 AM

TSalarek:

Thank you for your patience.

I clicked on update for Malwarebytes. It says I have the latest version.

How do I delete the three files you speak of? I search for them in Windows Search and it does not find them.

Also, pardon my ignorance, but how do I find the "Task Manager" to delete the three services with "right click, stop". I talked to two friends and they don't know how to find it, either.

Thanx,

Peter

#6 TSalarek


Posted 09 December 2008 - 01:42 PM

It may be hiding its exe file under a rename...they do that sometimes..


Moderately risky option to access services:

task manager: ctrl - alt - delete all at the same time

**CAUTION: do NOT hit these keys a second time as it will cause a shutdown of the system. ctrl-alt-delete used to be referred to as "keys of death" for just that reason.

**CAUTION: when using Task Manager, changing too many of the variables may cause a system crash

on XP it'll just load Task Manager when you hit the keys, on VISTA the keys will give you a blue Windows menu screen with options; select Task Manager


slightly less risky option to access services:

Start menu - control panel - (on Vista hit "Classic View" here) - administrative tools - services - (on Vista hit "allow" at prompt)


don't make any changes yet. You're just viewing to verify if the programs and/or services posted above are listed
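
A read-only way to do the verification that posts #4 and #6 describe, as an added PowerShell example that is not part of any post in this thread: it reports matching processes, services, files and the registry key from post #1 without stopping or deleting anything. The names come from the posts above; the search roots are an assumption.

```powershell
# Read-only triage: nothing here stops, deletes or modifies anything.

# File/process names quoted in post #4 of this thread.
$names = @('WinwebSecurity.exe', 'Setup[1].exe', '1818636568.exe')

# Registry key that post #1 says the scanner kept re-detecting.
$regKey = 'Registry::HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1'

# Assumption: search the user profile and Program Files; adjust to the machine.
$roots = @($env:USERPROFILE, $env:ProgramFiles) | Where-Object { $_ }

# 1. Running processes, with the path of the executable behind each one.
#    -contains compares case-insensitively, so "winwebsecurity.exe" also matches.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    Select-Object Name, ProcessId, ExecutablePath

# 2. Services whose binary path mentions one of the names.
$svcs = Get-CimInstance Win32_Service | Where-Object {
    $path = $_.PathName
    $path -and ($names | Where-Object {
        $path.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
} | Select-Object Name, State, StartMode, PathName

# 3. Files on disk. -Force includes hidden and system items.
#    Names are compared as plain strings: passed to -Include or -Path,
#    "Setup[1].exe" would be parsed as a wildcard and match "Setup1.exe" instead.
$files = Get-ChildItem -LiteralPath $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }

# 4. Hash whatever was found so a later scan result can be tied to the same file.
$hashes = $files | ForEach-Object {
    Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
}

'--- processes ---'; $procs  | Format-Table -AutoSize
'--- services ---';  $svcs   | Format-List
'--- files ---';     $hashes | Format-List Path, Hash
'--- registry key present: {0} ---' -f (Test-Path -LiteralPath $regKey)
```

This matches by name only, so a copy running under a different file name, which post #6 raises as a possibility, will not appear in the output.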

#7 therocher


Posted 09 December 2008 - 08:43 PM

TSalarek

Thanx for your continuing patience and help.

The task manager sometimes lists WinWeb Malware as a running application.

You asked me to go to Services to "verify if the programs and/or services posted above are listed". I'm not sure what you mean by the ones "posted above". WinWeb Security is not listed......is that what you mean?

(please pardon my ignorance). :0)

Meanwhile, WinWeb keeps attacking and their icon is still on the task bar.

Peter

#8 therocher


Posted 09 December 2008 - 11:28 PM

GOOD NEWS!

After running both the quick scan and the full scan on both Malwarebytes and Superantispyware a few times, I just ran the full scan again on Superantispyware and, apparently, IT WORKED.

I think it might be that the definitions affecting Winweb were updated.

Thank you so much for your help.

Peter

#9 TSalarek


Posted 10 December 2008 - 08:26 PM

yw



