Need help running combofix to remove WinWeb in my PC.


9 replies to this topic

#1 Yupicon

Posted 10 December 2008 - 11:58 AM

Hi everyone,

I need your help fixing my PC. It got infected about a week ago.

It kills any attempt to run McAfee or access the McAfee website. I did a full search for all the files that are recommended to delete, with no luck.

Please advise me what to do. I have not downloaded combofix yet, the machine has been off until now.

What's next?

Thanks a lot in advance,

Yupicon.


#2 ruby1


Posted 10 December 2008 - 03:44 PM

I have not downloaded combofix yet,


Please don't :flowers:

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

THIS scan may help you with your problems



Please download Malwarebytes Anti-Malware and save it to your Desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan.

    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Please post the report from THAT scan for someone to check for you :thumbsup:

#3 Yupicon


Posted 11 December 2008 - 01:36 AM

Ruby1,

Thanks for the reply. I already ran MBAM late last week when I first identified the issue and before learning about bleepingcomputer.com forums (which I believe are the best!) :thumbsup:

I ran a Quick Scan and 3 Full scans, please see the logs below in chronological order. The WinWeb seems to be removed from the toolbar, however, if I try to run McAfee or access McAfee from a browser, it gets closed down.

Please let me know if I need to run MBAM more time(s) or re-install McAfee.

Your help is greatly appreciated! :flowers: :trumpet:

Here are the Logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

05/12/2008 9:36:30 PM
mbam-log-2008-12-05 (21-36-30).txt

Scan type: Quick Scan
Objects scanned: 87037
Time elapsed: 26 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4b18dd50-c996-44fc-ac52-0fecff82ed58} (Spyware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3af1472b4970696fbdc7d660b029e796.sys (Trojan.Agent) -> Quarantined and deleted successfully.


-------------

Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

05/12/2008 11:19:09 PM
mbam-log-2008-12-05 (23-19-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 52910
Time elapsed: 38 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------

Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3

10/12/2008 5:09:04 PM
mbam-log-2008-12-10 (17-09-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 257993
Time elapsed: 2 hour(s), 39 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------


Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3

10/12/2008 10:17:24 PM
mbam-log-2008-12-10 (22-17-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 258347
Time elapsed: 2 hour(s), 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\3af1472b4970696fbdc7d660b029e796.sys (Trojan.Agent) -> Quarantined and deleted successfully.


-----__End of Logs.
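Added example, not part of any post in this thread: the logs above report the same objects as "Quarantined and deleted successfully" in more than one scan, which is the pattern to check when judging whether a removal actually held. This Python sketch parses MBAM 1.31 text logs in the layout shown above and lists objects that reappear across scans; the function names and the condensed sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: item lines condensed from three of the MBAM logs in post #3.
SAMPLE_LOGS = r"""
mbam-log-2008-12-05 (21-36-30).txt
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\3af1472b4970696fbdc7d660b029e796.sys (Trojan.Agent) -> Quarantined and deleted successfully.
mbam-log-2008-12-05 (23-19-09).txt
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
mbam-log-2008-12-10 (22-17-24).txt
Registry Keys Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\3af1472b4970696fbdc7d660b029e796.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_NAME = re.compile(r"^mbam-log-\d{4}-\d{2}-\d{2} \(\d{2}-\d{2}-\d{2}\)\.txt$")
# Section headers end in ":"; summary counts such as "Files Infected: 2" do not match.
SECTION = re.compile(r"^(.+ Infected):$")
ITEM = re.compile(r"^(?P<obj>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_detections(text):
    """Yield (log, section, object, detection, action) for each item line."""
    log = section = None
    for line in (l.strip() for l in text.splitlines()):
        if LOG_NAME.match(line):
            log, section = line, None
        elif m := SECTION.match(line):
            section = m.group(1)
        elif log and section and (m := ITEM.match(line)):
            yield log, section, m["obj"], m["name"], m["action"].rstrip(".")

def recurring(text):
    """Map (object, detection) seen in more than one scan to the logs reporting it."""
    seen = defaultdict(set)
    for log, _section, obj, name, _action in parse_detections(text):
        # Registry and file paths are case-insensitive on Windows.
        seen[(obj.lower(), name)].add(log)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (obj, name), logs in recurring(SAMPLE_LOGS).items():
        print(f"{name}: {obj} reported in {len(logs)} scans: {', '.join(logs)}")
```
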

#4 ruby1


Posted 11 December 2008 - 03:33 AM

Please fully update the Malwarebytes program, reboot the computer and run a full scan again, allow the computer to reboot and run another scan and post both those reports;

However, due to new Forum guidelines
http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/


I believe you may need a tool that I am not permitted to suggest for you to try; but let's see the reports from that re-scan and go from there?

#5 DaChew


Posted 11 December 2008 - 07:10 AM

I think most of the problem may be McAfee here, it's happened with me cleaning clients' computers.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

In this link QM7 tells how to disable programs that can interfere with cleaning

I know teatimer from spybot is one of the worst in this regard

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

Let's try ATF cleaner and SAS from safe mode
Chewy

No. Try not. Do... or do not. There is no try.

#6 Yupicon


Posted 11 December 2008 - 11:18 AM

Thanks ruby1 and DaChew.

I will proceed as recommended this evening. I have to go to work right now.

I am downloading the latest MBAM update and will leave a Full Scan running.

Then, I will re-boot and re-run and then I will post both logs here again.

Thanks for all your help thus far. We are almost there, I can feel it.

Kindest regards,

Yupicon :thumbsup:

#7 Yupicon


Posted 12 December 2008 - 03:35 AM

Ruby1/DaChew,

I had to wait almost 8 hours for SAS to finish.

Here are the logs for both, MBAM and SAS. Please let me know what the next step should be.

Thanks a lot in advance,

Yupicon.

MBAM Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1489
Windows 5.1.2600 Service Pack 3

11/12/2008 3:42:40 PM
mbam-log-2008-12-11 (15-42-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 258337
Time elapsed: 2 hour(s), 26 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------

SAS in Safe Mode Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2008 at 00:08 AM

Application Version : 4.23.1006

Core Rules Database Version : 3671
Trace Rules Database Version: 1650

Scan type : Complete Scan
Total Scan Time : 07:54:06

Memory items scanned : 242
Memory threats detected : 0
Registry items scanned : 7355
Registry threats detected : 0
File items scanned : 174454
File threats detected : 2

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\WS123123.DLL

#8 DaChew


Posted 12 December 2008 - 05:29 AM

It looks pretty clean, what remaining symptoms of malware do you have?

An older computer with IDE hard drives uses PIO mode when in safe mode and is dog slow, newer SATA drives don't depend upon DMA

Here's a guide to an online scan which is very good, guide and the scanner

http://www.malwarebytes.org/forums/index.php?showtopic=2306
Chewy

No. Try not. Do... or do not. There is no try.

#9 Yupicon


Posted 15 December 2008 - 10:44 PM

When I start it in regular Windows XP Pro, I notice anything to do with McAfee gets killed without a chance.

If I try to access McAfee from a browser, the browser is closed.
If I try to open the McAfee Security Center, something closes the application.
If I try to re-install the application, the job is killed by something.

Any ideas as to what I should do next?

Thanks,

Yupicon

#10 DaChew


Posted 16 December 2008 - 02:06 AM

I would recommend uninstalling McAfee, use their special tool

The most simple and effective way to remove all your McAfee products is to download the McAfee removal tool, this will get rid of, in full...
McAfee Security Center
McAfee VirusScan
McAfee Personal Firewall Plus
McAfee Privacy Service
McAfee SpamKiller
McAfee Wireless Network Security
McAfee SiteAdvisor
McAfee Data Backup
McAfee Network Manager
McAfee Easy Network
McAfee AntiSpyware

http://download.mcafee.com/products/licens...atches/MCPR.exe

Then proceed with malware removal

Rerun all programs
Chewy

No. Try not. Do... or do not. There is no try.



