Author Topic: New Virus - widdit.com  (Read 17309 times)


BreezyCricket

  • Guest
New Virus - widdit.com
« on: January 20, 2012, 05:53:00 PM »
Unless I have missed it somehow, I have been unable to find any way on this Forum to search to see if this topic has already been covered.
 
Regardless, does anyone know how widdit.com can be removed?

It appears to have managed to by-pass all antivirus programs, including Avast.

Many Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: New Virus - widdit.com
« Reply #1 on: January 20, 2012, 06:32:00 PM »
Use listed manual removal instructions below to remove Widdit.com
(1) Backup Reminder: Always be sure to back up your computer before making any changes.

(2) Stop Widdit.com process as below:

random.exe (find using taskbar ro find up)
(3) Delete the associated files of Widdit.com:

%AppData%\[trojan name]toolbar\coupons\categories.xml
%AppData%\[trojan name]toolbar\coupons\merchants.xml
%AppData%\[trojan name]toolbar\coupons\merchants2.xml
%AppData%\[trojan name]toolbar\dtx.ini
%AppData%\[trojan name]toolbar\guid.dat
%AppData%\[trojan name]toolbar\log.txt
%AppData%\[trojan name]toolbar\preferences.dat
%AppData%\[trojan name]toolbar\stat.log
%AppData%\[trojan name]toolbar\stats.dat
%AppData%\[trojan name]toolbar\uninstallIE.dat
%AppData%\[trojan name]toolbar\uninstallStatIE.dat
%AppData%\[trojan name]toolbar\version.xml
%Temp%\[trojan name]toolbar-manifest.xml
(4) Remove the related registry entries of Widdit.com:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\InprocServer32 “C:\PROGRA~1\WINDOW~4\ToolBar\[trojan name]dtx.dll”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} “[trojan name] Toolbar”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID “[trojan name]IEHelper.UrlHelper”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID “[trojan name]IEHelper.UrlHelper.1”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} “UrlHelper Class”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar “[trojan name] Toolbar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper.UrlHelper”

Or ask for the help from one of our qualified malware removers like essexboy, oldman etc,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

BreezyCricket

  • Guest
Re: New Virus - widdit.com
« Reply #2 on: January 20, 2012, 07:19:22 PM »
Many Thanks for the reply.

I had already tried this but I can't find random.exe or any of the other files listed.

I haven't bothered with the registry items yet because I thought it would be a waste of time doing only half the procedure.

If it is of any importance I am using Windows 7 on the infected machine.

Cheers.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: New Virus - widdit.com
« Reply #3 on: January 20, 2012, 10:53:59 PM »
Follow the guide here and attach the logs (not copy and paste)
http://forum.avast.com/index.php?topic=53253.0

BreezyCricket

  • Guest
Re: New Virus - widdit.com
« Reply #4 on: January 21, 2012, 11:31:11 PM »
The log is attached.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: New Virus - widdit.com
« Reply #5 on: January 21, 2012, 11:46:38 PM »
The log must be saved as ANSI....if not we can't read it....looks Chinese


also attach the other logs

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: New Virus - widdit.com
« Reply #6 on: January 22, 2012, 12:09:52 AM »
Just an adware registry key


BreezyCricket

  • Guest
Re: New Virus - widdit.com
« Reply #7 on: January 22, 2012, 01:27:58 AM »
Hi Pondus:

I thought I should only proceed to the next step if MBAM encountered a problem.

Should I proceed to the next step, and, if so, what is OTL?

As to the Log I included, I don't know what the problem is but it looks perfectly legible to me.

This is it.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.21.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Brian :: SATURN [administrator]

Protection: Enabled

21/01/2012 2:01:19 PM
mbam-log-2012-01-21 (14-01-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192936
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
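
An added example, not part of the original post and not Malwarebytes' own code: a small Python parser for a log in the format shown above. It accepts the file whether it was saved as Unicode (UTF-16) or ANSI, which is the encoding question raised in Reply #5, and checks each section's declared count against the detection lines actually present. The function names are hypothetical, cp1252 is assumed as the ANSI code page, and the sample lines are copied from the log above.

```python
import codecs
import re
from collections import Counter

# Detection line: <item> (<detection name>) -> <action taken>.
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header: "Registry Keys Detected: 2"
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")

def decode_log(raw: bytes) -> str:
    """Decode a saved log whether it is UTF-16 (Unicode) or ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    # No BOM: ASCII text stored as UTF-16LE has a NUL in every second byte.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")  # assumed ANSI code page

def parse_mbam(raw: bytes) -> dict:
    """Return the declared count per section and the detection lines found."""
    counts, found, section = {}, [], None
    for line in decode_log(raw).splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m["section"]
            counts[section] = int(m["count"])
            continue
        m = DETECTION.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return {"counts": counts, "detections": found}

def count_mismatches(result: dict) -> list:
    """Sections whose declared count differs from the lines present."""
    seen = Counter(d["section"] for d in result["detections"])
    return [s for s, n in result["counts"].items() if seen[s] != n]

# Sample input: lines copied from the log in the post above (shortened).
SAMPLE = "\r\n".join([
    r"Malwarebytes Anti-Malware (Trial) 1.60.0.1800",
    r"Memory Processes Detected: 0", r"(No malicious items detected)",
    r"Registry Keys Detected: 2",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.",
    r"Files Detected: 0", r"(No malicious items detected)", r"(end)",
])
```

A non-empty result from `count_mismatches` means the log was truncated or edited before it was attached.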

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: New Virus - widdit.com
« Reply #8 on: January 22, 2012, 01:52:00 AM »
Whilst essexboy said it is just an adware registry key (and your MBAM run has removed that), I don't know if he would also want you to proceed to the next step, but it wouldn't hurt.

OTL is firstly an analysis tool to gather information on possible malware on your system.

From that first analysis run it creates the two logs which need to be attached to your next post. These are analysed by a malware removal specialist and a fix formulated if required. This fix you then run in the next run of OTL; instructions on what to do are given at that time.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: New Virus - widdit.com
« Reply #9 on: January 22, 2012, 01:59:19 AM »
Hi ye all,

Agree with DavidR here. Seems a bit of an overkill to me too, but as that is what the user wants and he wants to be certain nothing aside of that what was being found up exists, he is perfectly entitled to it.
Essexboy will declare him "good to go", I assume. Again the victim should feel safe and secure, that comes first,

polonus

Widdit

  • Guest
Re: New Virus - widdit.com
« Reply #10 on: April 11, 2012, 04:36:26 PM »
Hi there,

Our applications are in no way virus or harmful. We follow a very strict and user-facing privacy policy on our site. The service itself is ad-free and focuses on features that empower users’ search and enhance the experience.

If you're still looking to disable the service, we’ve made it easy with detailed instructions on our support page at:
http://widdit.com/howtoremove.aspx

We’ll also highly appreciate if you can submit your comments on our feedback page – this can help us track any source of misuse.

Thanks!

Widdit Support

BreezyCricket

  • Guest
Re: New Virus - widdit.com
« Reply #11 on: April 11, 2012, 06:28:53 PM »
To Widdit Support.

What you say is simply not true.

Your Malware hijacks browsers and re-directs a search to a search engine of your choice. I was using Chrome and you DEFINITELY hijacked that, and there was no way I could use Google as my search engine.

The way your Malware slowed down my PC made it almost impossible to use, and I am told that this delay was Widdit scanning my machine for passwords and other personal information.

I have now changed to another browser and got rid of Avast Anti-Virus because I suspected they were in cahoots with you and since then my system has returned to normal.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: New Virus - widdit.com
« Reply #12 on: April 11, 2012, 06:39:57 PM »
Here we can have a view what technology has been used: http://w3techs.com/sites/info/widdit.com
BrightCloud gives it a green 84 rep index - Trustworthy, and a 100/100 rep here: http://www.webutation.net/go/review/widdit.com

polonus

BreezyCricket

  • Guest
Re: New Virus - widdit.com
« Reply #13 on: April 11, 2012, 07:19:10 PM »
Unfortunately, it is possible to buy any favourable report on any product one chooses, so most of these can be taken with a 'pinch of salt'.

As far as Widdit is concerned, I trust my observations more than a report that could have been bought.

true indian

  • Guest
Re: New Virus - widdit.com
« Reply #14 on: April 11, 2012, 07:22:59 PM »
I don't see any direct threat just by going to the site...how did u get the adware?? Did u download something from there??
http://anubis.iseclab.org/?action=result&task_id=104a936a3f3e2887465755385bb41dd9f&format=html