Avast WEBforum

Other => Viruses and worms => Topic started by: BreezyCricket on January 20, 2012, 05:53:00 PM

Title: New Virus - widdit.com
Post by: BreezyCricket on January 20, 2012, 05:53:00 PM
Unless I have missed it somehow, I have been unable to find any way on this Forum to search to see if this topic has already been covered.
 
Regardless, does anyone know how widdit.com can be removed.

It appears to have managed to by-pass all antivirus programs, including Avast.

Many Thanks.
Title: Re: New Virus - widdit.com
Post by: polonus on January 20, 2012, 06:32:00 PM
Use the manual removal instructions listed below to remove Widdit.com:
(1) Backup Reminder: Always be sure to back up your computer before making any changes.

(2) Stop Widdit.com process as below:

random.exe (find using taskbar or find up)
(3) Delete the associated files of Widdit.com:

%AppData%\[trojan name]toolbar\coupons\categories.xml
%AppData%\[trojan name]toolbar\coupons\merchants.xml
%AppData%\[trojan name]toolbar\coupons\merchants2.xml
%AppData%\[trojan name]toolbar\dtx.ini
%AppData%\[trojan name]toolbar\guid.dat
%AppData%\[trojan name]toolbar\log.txt
%AppData%\[trojan name]toolbar\preferences.dat
%AppData%\[trojan name]toolbar\stat.log
%AppData%\[trojan name]toolbar\stats.dat
%AppData%\[trojan name]toolbar\uninstallIE.dat
%AppData%\[trojan name]toolbar\uninstallStatIE.dat
%AppData%\[trojan name]toolbar\version.xml
%Temp%\[trojan name]toolbar-manifest.xml
(4) Remove the related registry entries of Widdit.com:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\InprocServer32 "C:\PROGRA~1\WINDOW~4\ToolBar\[trojan name]dtx.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} "[trojan name] Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID "[trojan name]IEHelper.UrlHelper"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID "[trojan name]IEHelper.UrlHelper.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} "UrlHelper Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "[trojan name] Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper.UrlHelper"

Or ask for help from one of our qualified malware removers like essexboy, oldman, etc.

polonus
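A read-only audit for steps 3 and 4 of the procedure above, as an added example that is not polonus's code or Avast's: it reports which of the listed files and registry entries are present and deletes nothing, which is the safer first move before a removal specialist looks at the logs. The post's "[trojan name]" is unknown, so the toolbar-name placeholder, the `Get-ToolbarArtifacts` function name and the `HKLM:` PowerShell drive paths (the post gives the keys in regedit notation) are assumptions.

```powershell
# Added example, not code from the forum post or from Avast: a read-only audit
# for the artifacts listed in steps 3 and 4 above. It reports; it deletes nothing.
# The post's "[trojan name]" is unknown, so $ToolbarName is an assumed
# placeholder; pass the folder name actually seen under %AppData%.
function Get-ToolbarArtifacts {
    param([Parameter(Mandatory)][string]$ToolbarName)

    $findings = New-Object System.Collections.Generic.List[object]
    $note = { param($Kind, $Path, $Present)
        $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Present = $Present }) }

    # Step 3: files under %AppData%\<name>toolbar\ plus the manifest in %Temp%.
    $tbDir = Join-Path $env:APPDATA ($ToolbarName + 'toolbar')
    $files = 'coupons\categories.xml', 'coupons\merchants.xml', 'coupons\merchants2.xml',
             'dtx.ini', 'guid.dat', 'log.txt', 'preferences.dat', 'stat.log', 'stats.dat',
             'uninstallIE.dat', 'uninstallStatIE.dat', 'version.xml'
    foreach ($f in $files) {
        $p = Join-Path $tbDir $f
        & $note 'File' $p (Test-Path -LiteralPath $p -PathType Leaf)
    }
    $manifest = Join-Path $env:TEMP ($ToolbarName + 'toolbar-manifest.xml')
    & $note 'File' $manifest (Test-Path -LiteralPath $manifest -PathType Leaf)

    # Step 4: the two CLSIDs quoted in the post and the DNSGuard ProgID classes.
    $clsids = '{99079a25-328f-4bd4-be04-00955acaa0a7}', '{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}'
    $keys = @()
    foreach ($c in $clsids) { $keys += "HKLM:\SOFTWARE\Classes\CLSID\$c" }
    $keys += "HKLM:\SOFTWARE\Classes\$($ToolbarName)IEHelper.DNSGuard"
    $keys += "HKLM:\SOFTWARE\Classes\$($ToolbarName)IEHelper.DNSGuard.1"
    foreach ($k in $keys) { & $note 'RegKey' $k (Test-Path -LiteralPath $k) }

    # IE registers toolbars as values named by CLSID, and BHOs as subkeys named by CLSID.
    $tbKey  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $tbVals = (Get-ItemProperty -LiteralPath $tbKey -ErrorAction SilentlyContinue).PSObject.Properties.Name
    $bhoIds = (Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue).PSChildName
    foreach ($c in $clsids) {
        & $note 'IEToolbar' "$tbKey\$c" ($tbVals -contains $c)
        & $note 'BHO' "$bhoKey\$c" ($bhoIds -contains $c)
    }
    return $findings
}

# Usage: show only what is actually present on this machine.
Get-ToolbarArtifacts -ToolbarName 'PLACEHOLDER' | Where-Object Present | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an empty table means none of the listed artifacts remain under that toolbar name.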
Title: Re: New Virus - widdit.com
Post by: BreezyCricket on January 20, 2012, 07:19:22 PM
Many Thanks for the reply.

I had already tried this but I can't find random.exe or any of the other files listed.

I haven't bothered with the registry items yet because I thought it would be a waste of time doing only half the procedure.

If it is of any importance I am using Windows 7 on the infected machine.

Cheers.

Title: Re: New Virus - widdit.com
Post by: Pondus on January 20, 2012, 10:53:59 PM
Follow the guide here and attach the logs (not copy and paste)
http://forum.avast.com/index.php?topic=53253.0
Title: Re: New Virus - widdit.com
Post by: BreezyCricket on January 21, 2012, 11:31:11 PM
The log is attached.
Title: Re: New Virus - widdit.com
Post by: Pondus on January 21, 2012, 11:46:38 PM
The log must be saved as ANSI....if not we can't read it....looks Chinese


also attach the other logs
Title: Re: New Virus - widdit.com
Post by: essexboy on January 22, 2012, 12:09:52 AM
Just an adware registry key

Title: Re: New Virus - widdit.com
Post by: BreezyCricket on January 22, 2012, 01:27:58 AM
Hi Pondus:

I thought I should only proceed to the next step if MBAM encountered a problem.

Should I proceed to the next step, and, if so, what is OTL?

As to the Log I included, I don't know what the problem is but it looks perfectly legible to me.

This is it.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.21.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Brian :: SATURN [administrator]

Protection: Enabled

21/01/2012 2:01:19 PM
mbam-log-2012-01-21 (14-01-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192936
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Title: Re: New Virus - widdit.com
Post by: DavidR on January 22, 2012, 01:52:00 AM
Whilst essexboy said it is just an adware registry key (and your MBAM run has removed that), I don't know if he would also want you to proceed to the next step, but it wouldn't hurt.

OTL is firstly an analysis tool to gather information on possible malware on your system.

From that first analysis run it creates the two logs which need to be attached to your next post. These are analysed by a malware removal specialist and a fix formulated if required. This fix you then run in the next run of OTL; instructions on what to do are given at that time.
Title: Re: New Virus - widdit.com
Post by: polonus on January 22, 2012, 01:59:19 AM
Hi ye all,

Agree with DavidR here. Seems a bit of an overkill to me too, but as that is what the user wants and he wants to be certain nothing exists aside from what was found, he is perfectly entitled to it.
Essexboy will declare him "good to go", I assume. Again, the victim should feel safe and secure; that comes first.

polonus
Title: Re: New Virus - widdit.com
Post by: Widdit on April 11, 2012, 04:36:26 PM
Hi there,

Our applications are in no way a virus or harmful. We follow a very strict and user-facing privacy policy on our site. The service itself is ad-free and focuses on features that empower users’ search and enhance the experience.

If you're still looking to disable the service, we’ve made it easy with detailed instructions on our support page at:
http://widdit.com/howtoremove.aspx

We’ll also highly appreciate it if you can submit your comments on our feedback page (http://widdit.com/missuse/) – this can help us track any source of misuse.

Thanks!

Widdit Support
Title: Re: New Virus - widdit.com
Post by: BreezyCricket on April 11, 2012, 06:28:53 PM
To Widdit Support.

What you say is simply not true.

Your Malware hijacks browsers and re-directs a search to a search engine of your choice. I was using Chrome and you DEFINITELY hijacked that, and there was no way I could use Google as my search engine.

The way your Malware slowed down my PC made it almost impossible to use, and I am told that this delay was Widdit scanning my machine for passwords and other personal information.

I have now changed to another browser and got rid of Avast Anti-Virus because I suspected they were in cahoots with you and since then my system has returned to normal.
Title: Re: New Virus - widdit.com
Post by: polonus on April 11, 2012, 06:39:57 PM
Here we can have a view of what technology has been used: http://w3techs.com/sites/info/widdit.com
BrightCloud gives it a green 84 rep index - Trustworthy, and a 100/100 rep here: http://www.webutation.net/go/review/widdit.com

polonus
Title: Re: New Virus - widdit.com
Post by: BreezyCricket on April 11, 2012, 07:19:10 PM
Unfortunately, it is possible to buy any favourable report on any product one chooses, so most of these can be taken with a 'pinch of salt'.

As far as Widdit is concerned, I trust my observations more than a report that could have been bought.
Title: Re: New Virus - widdit.com
Post by: true indian on April 11, 2012, 07:22:59 PM
I don't see any direct threat just by going to the site...how did u get the adware?? did u download something from there??
http://anubis.iseclab.org/?action=result&task_id=104a936a3f3e2887465755385bb41dd9f&format=html
Title: Re: New Virus - widdit.com
Post by: BreezyCricket on April 11, 2012, 07:34:00 PM
I don't know how I got this.

I certainly did not download it, and was surprised that Avast did not stop it.
Title: Re: New Virus - widdit.com
Post by: polonus on April 11, 2012, 07:43:15 PM
The only security issue at that site is that it gives away the full version number of the server software.
That is only an issue for the webmaster or hosting party.
Then there is one deobfuscated write (see attached), which could be called prematurely in IE
for htxp://widdit.com/banner/lib/prototype-1.6.0.2.js   200
and that is the only bug I can report....
see: htxp://wepawet.iseclab.org/view.php?hash=3dc60a6eddbbe405d3eee550ef3f3416&t=1334170300&type=js
And then htxps://www.virustotal.com/url/c798d18facbc50ec0bfe2a548e1900415a674a1159975c55bd3dd85767292697/analysis/1334170376/
Also the report for the hoster is secure:
http://zulu.zscaler.com/submission/show/62eb9fbd1a33cf866d1523d87ba4ae78-1334165168 and also this external link: http://zulu.zscaler.com/submission/show/f7f181f1d629a4baa587430c7bb25466-1334165489
I do not see anything other than an outside request to google-analytics dot com.
Also see here: http://urlquery.net/queued.php?id=41095
You are entitled to your own opinion, but I do not see anything security-wise there.
AS issues report: hxtp://live.dshield.org/asdetailsascii.html?as=8551

polonus
Title: Re: New Virus - widdit.com
Post by: Widdit on January 09, 2013, 11:50:56 AM
Hello again,
As previously stated, Widdit or any of its products are by no means malware or a virus. Our products help users to refine their search and present them with optimized results. None of Widdit’s products gather personal information about you or your machine.
If you still doubt us, please scan our products with any anti-virus software available, or with tools like virustotal.com and threatexpert.com.

For any other questions or inquiries, please contact us at support@widdit.com.
Have a great day,

The Widdit Team.
Title: Re: New Virus - widdit.com
Post by: CraigB on January 09, 2013, 12:29:18 PM
Hello again,
As previously stated, Widdit or any of its products are by no means malware or a virus. Our products help users to refine their search and present them with optimized results. None of Widdit’s products gather personal information about you or your machine.
If you still doubt us, please scan our products with any anti-virus software available, or with tools like virustotal.com and threatexpert.com.

For any other questions or inquiries, please contact us at support@widdit.com.
Have a great day,

The Widdit Team.
You're replying to and bringing back a topic that is nine months old.