
Winweb infection


5 replies to this topic

#1 mablung

mablung

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 09 December 2008 - 09:40 PM

Hi, I recently got infected with this nasty bugger. I can't even get to this site on the infected machine. I tried running Malwarebytes but with no success. I changed the name of the setup file to something else prior to moving it to the machine, which got me past that hurdle, but after installing it won't do anything. Please, any help would be greatly appreciated.

Edited by Orange Blossom, 10 December 2008 - 09:36 PM.
Moved from the HijackThis forum to Am I Infected as there are no logs. ~ OB




#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:02 PM

Posted 10 December 2008 - 09:39 PM

Hello mablung,

In order to assist you, we need a bit more information.

What is your operating system: Windows XP, Vista, etc.?

What security programs do you have installed? Please name them.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 mablung

mablung
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 11 December 2008 - 08:22 AM

I am using Windows XP and have McAfee antivirus.

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:02 PM

Posted 16 December 2008 - 10:35 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#5 mablung

mablung
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 17 December 2008 - 10:16 PM

4. Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.


Nothing happens after I hit Run.

#6 mablung

mablung
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 18 December 2008 - 01:57 PM

Well, got it to work. Ran AVG Anti-Rootkit and got rid of the ones that were blocking me from scanning. Here is the SDFix report.


SDFix: Version 1.240
Run by michael on Thu 12/18/2008 at 01:22 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSmqlt.sys

TDSSserv.sys - Deleted


AUTOEXEC.NT Restored from backups

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted
C:\WINDOWS\system32\TDSSoiqt.dll - Deleted
C:\WINDOWS\system32\TDSShrxr.dll - Deleted
C:\WINDOWS\system32\TDSSabql.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\SYSTEM32\TDSSHRXR.dll - Deleted
C:\WINDOWS\SYSTEM32\TDSSABQL.dll - Deleted
C:\WINDOWS\system32\TDSSlrvd.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSLRVD.dat - Deleted
C:\WINDOWS\system32\TDSSkkbi.log - Deleted
C:\WINDOWS\SYSTEM32\TDSSKKBI.log - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 13:35:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\Program Files\\Google\\Google Media Server\\GoogleMediaServer.exe"="C:\\Program Files\\Google\\Google Media Server\\GoogleMediaServer.exe:*:Enabled:Google Media Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 14 Aug 2007 1,750,377 A.SH. --- "C:\WINDOWS\SYSTEM32\knnmp.tmp"
Fri 23 Apr 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!
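Helpers reading reports like the one above usually want the same few facts pulled out: which service and files SDFix deleted, whether catchme's rootkit scan came back clean, and which files still carry hidden attributes. The parser below is an added example written for this thread, not part of SDFix or of the poster's log; it works on a constructed excerpt in the Report.txt layout shown above, and its TDSS check is simply the system32\TDSS* naming visible in the log, labelled as a thread-specific heuristic rather than a general rootkit signature.

```python
import re

# Constructed excerpt in the layout of the SDFix Report.txt above (blank
# lines dropped to keep it short). It is not the poster's complete log.
SAMPLE_REPORT = r"""
Checking Services :
Name :
TDSSserv.sys
TDSSserv.sys - Deleted
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted
C:\WINDOWS\system32\TDSSoiqt.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
Final Check :
hidden processes: 0
hidden services: 0
hidden files: 0
Files with Hidden Attributes :
Tue 14 Aug 2007 1,750,377 A.SH. --- "C:\WINDOWS\SYSTEM32\knnmp.tmp"
Finished!
"""

DELETED = re.compile(r"^(.+?) - Deleted$")
HIDDEN = re.compile(r"^hidden (processes|services|files): (\d+)$")
HIDDEN_ATTR = re.compile(r'^\w{3} \d+ \w{3} \d{4} ([\d,]+) (\S+) --- "(.+)"$')
# Heuristic taken from this thread only: TDSS-prefixed files under system32
TDSS_FILE = re.compile(r"\\system32\\(?:drivers\\)?TDSS\w+\.\w+$", re.I)

def parse_sdfix_report(text):
    """Summarise deleted services/files, catchme counts and hidden-attribute files."""
    out = {"services": [], "files": [], "tdss": [], "hidden": {}, "hidden_attr": []}
    for ln in (l.strip() for l in text.splitlines()):
        if m := DELETED.match(ln):
            # Paths start with a drive letter; anything else is a service name
            if re.match(r"^[A-Za-z]:\\", m.group(1)):
                out["files"].append(m.group(1))
                if TDSS_FILE.search(m.group(1)):
                    out["tdss"].append(m.group(1))
            else:
                out["services"].append(m.group(1))
        elif m := HIDDEN.match(ln):
            out["hidden"][m.group(1)] = int(m.group(2))
        elif m := HIDDEN_ATTR.match(ln):
            out["hidden_attr"].append((m.group(3), int(m.group(1).replace(",", "")), m.group(2)))
    return out

def rootkit_scan_clean(report):
    """True only when catchme ran and reported zero hidden processes, services and files."""
    return len(report["hidden"]) == 3 and not any(report["hidden"].values())
```

A report where the "Final Check" section is missing (SDFix aborted, or the poster trimmed the log) makes rootkit_scan_clean return False rather than silently passing.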



