
winweb security



#1 pwf48 (Member)

Posted 09 December 2008 - 12:17 AM

Like the earlier report, I have been besieged by the winweb security virus or whatever it is. I have been following this site and have done all of your suggestions to no avail. Icon still there - pop-ups every 30 sec or so...

Here are the most recent logs:

#1 SDFix report:



SDFix: Version 1.240
Run by Peter Wims on Mon 12/08/2008 at 10:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\PETERW~1\LOCALS~1\Temp\tmp50.tmp - Deleted
C:\DOCUME~1\PETERW~1\LOCALS~1\Temp\tmp53.tmp - Deleted
C:\DOCUME~1\PETERW~1\LOCALS~1\Temp\tmp78.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 23:17:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BD0D7DC56593AA7809576E698CFF933C]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BD0D7DC56593AA7809576E698CFF933C\0000]
"Service"="bd0d7dc56593aa7809576e698cff933c"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="bd0d7dc56593aa7809576e698cff933c"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bd0d7dc56593aa7809576e698cff933c]
"c"="&registry_path=\Registry\Machine\System\CurrentControlSet\Services\bd0d7dc56593aa7809576e698cff933c&primary_ip=586742989&secondary_ip=586742989&primary_port=7000&secondary_port=7000&download_period=432000&first_download_delay=300&version=1&current_ip=1&name=bd0d7dc56593aa7809576e698cff933c&path=system32\bd0d7dc56593aa7809576e698cff933c.sys&idate=2008-12-06 12:50:58:058&last_download_time=2008-12-7 23:43:32.212"
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Tag"=dword:00000006
"ImagePath"=str(2):"system32\bd0d7dc56593aa7809576e698cff933c.sys"
"DisplayName"="bd0d7dc56593aa7809576e698cff933c"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bd0d7dc56593aa7809576e698cff933c\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BD0D7DC56593AA7809576E698CFF933C]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BD0D7DC56593AA7809576E698CFF933C\0000]
"Service"="bd0d7dc56593aa7809576e698cff933c"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="bd0d7dc56593aa7809576e698cff933c"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\bd0d7dc56593aa7809576e698cff933c]
"c"="&registry_path=\Registry\Machine\System\CurrentControlSet\Services\bd0d7dc56593aa7809576e698cff933c&primary_ip=586742989&secondary_ip=586742989&primary_port=7000&secondary_port=7000&download_period=432000&first_download_delay=300&version=1&current_ip=1&name=bd0d7dc56593aa7809576e698cff933c&path=system32\bd0d7dc56593aa7809576e698cff933c.sys&idate=2008-12-06 12:50:58:058&last_download_time=2008-12-7 23:43:32.212"
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Tag"=dword:00000006
"ImagePath"=str(2):"system32\bd0d7dc56593aa7809576e698cff933c.sys"
"DisplayName"="bd0d7dc56593aa7809576e698cff933c"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\bd0d7dc56593aa7809576e698cff933c\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\bd0d7dc56593aa7809576e698cff933c.sys 36864 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\LMI2D.tmp\\lmi_rescue.exe"="C:\\WINDOWS\\LMI2D.tmp\\lmi_rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\Documents and Settings\\Peter Wims\\Local Settings\\Temp\\7zS1.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Peter Wims\\Local Settings\\Temp\\7zS1.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"
"C:\\WINDOWS\\LMIE.tmp\\lmi_rescue.exe"="C:\\WINDOWS\\LMIE.tmp\\lmi_rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\Documents and Settings\\Peter Wims\\Local Settings\\Temp\\7zS2.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Peter Wims\\Local Settings\\Temp\\7zS2.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 9 Dec 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Wed 7 Mar 2001 311,296 A..HR --- "C:\WINDOWS\system32\Tools\AC2K.exe"
Tue 20 Feb 2001 310,784 A..HR --- "C:\WINDOWS\system32\Tools\AC98.exe"
Tue 20 Feb 2001 311,296 A..HR --- "C:\WINDOWS\system32\Tools\ACL98.exe"
Tue 20 Feb 2001 311,808 A..HR --- "C:\WINDOWS\system32\Tools\ACLME.exe"
Fri 27 Apr 2001 327,168 A..HR --- "C:\WINDOWS\system32\Tools\All.exe"
Thu 23 Nov 2000 316,416 A..HR --- "C:\WINDOWS\system32\Tools\AutoClick.exe"
Tue 16 Oct 2001 363,008 A..HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Wed 10 Apr 2002 547,840 A..HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Thu 30 Aug 2001 381,440 A..HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Sun 20 Jan 2002 360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelDv.exe"
Mon 19 Mar 2001 532,480 A..HR --- "C:\WINDOWS\system32\Tools\DeleteFiles.exe"
Sun 20 Jan 2002 360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2.exe"
Sun 20 Jan 2002 360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2Dv.exe"
Wed 6 Mar 2002 360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelTools.exe"
Mon 11 Mar 2002 361,472 A..HR --- "C:\WINDOWS\system32\Tools\LostRun.exe"
Mon 2 Apr 2001 296,960 A..HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Thu 7 Mar 2002 369,152 A..HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Thu 7 Mar 2002 382,464 A..HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Thu 7 Mar 2002 374,784 A..HR --- "C:\WINDOWS\system32\Tools\RunAP.exe"
Thu 7 Mar 2002 360,960 A..HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Fri 2 Nov 2001 379,392 A..HR --- "C:\WINDOWS\system32\Tools\SDW98ME.exe"
Fri 9 Mar 2001 312,832 A..HR --- "C:\WINDOWS\system32\Tools\SoundDrv.exe"
Tue 6 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Thu 9 Dec 2004 4,348 A..H. --- "C:\Documents and Settings\Peter Wims\My Documents\My Music\License Backup\drmv1key.bak"
Mon 15 May 2006 20 A..H. --- "C:\Documents and Settings\Peter Wims\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 15 May 2006 488 A.SH. --- "C:\Documents and Settings\Peter Wims\My Documents\My Music\License Backup\drmv2key.bak"
Sun 28 Aug 2005 24,265,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0971adee3907f17c2ade78bf2da8efbe\BIT6C.tmp"

Finished!


#2 SuperAntispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2008 at 01:42 AM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:56:55

Memory items scanned : 162
Memory threats detected : 0
Registry items scanned : 4442
Registry threats detected : 5
File items scanned : 41310
File threats detected : 0

Registry Cleaner Trial
HKCR\.03
HKCR\03_auto_file
HKCR\03_auto_file\shell
HKCR\03_auto_file\shell\open
HKCR\03_auto_file\shell\open\command

#3 Most Recent Malwarebytes log:
Malwarebytes' Anti-Malware 1.31
Database version: 1474
Windows 5.1.2600 Service Pack 2

12/8/2008 9:05:41 PM
mbam-log-2008-12-08 (21-05-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 84056
Time elapsed: 5 hour(s), 35 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



This is the most recent, yet the icon and the pop-ups continue. There must be a way to permanently get rid of it, I hope!!! Help!!!


#2 buddy215 (Moderator)

Posted 09 December 2008 - 12:33 PM

The malware you have changes constantly to hide from the security programs. It is likely that the next updates for SAS and MBAM will remove the malware.

Until then you can try blocking the popups by installing WinPatrol. http://www.winpatrol.com/

Once it is installed open it and see if you can find the task item(s) under either the "scheduled tasks" or "active tasks" tabs.
If you find them, Kill them.

There is another program that you could use to block known bad ActiveX in IE and possibly the sites the malware is using. It only requires you to manually update it every two weeks or so. It uses no computer resources.
http://www.javacoolsoftware.com/spywareblaster.html

Clean up the temporary files, logs, cookies, etc. using Ccleaner. During install you will be offered the Yahoo Toolbar. UNcheck if not wanted. http://www.ccleaner.com/

After you get rid of the malware, you should consider using the Firefox browser with the NoScript addon that will prevent the driveby installs of malware and many more. It is the best protection while surfing the web.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” - Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”



