Author Topic: New Virus - widdit.com  (Read 10560 times)

Offline BreezyCricket

New Virus - widdit.com
« on: January 20, 2012, 03:53:00 PM »
Unless I have missed it somehow, I have been unable to find any way on this Forum to search to see if this topic has already been covered.
 
Regardless, does anyone know how widdit.com can be removed?

It appears to have managed to bypass all antivirus programs, including Avast.

Many Thanks.

Online polonus

Re: New Virus - widdit.com
« Reply #1 on: January 20, 2012, 04:32:00 PM »
Use listed manual removal instructions below to remove Widdit.com
(1) Backup Reminder: Always be sure to back up your computer before making any changes.

(2) Stop Widdit.com process as below:

random.exe (find using taskbar ro find up)
(3) Delete the associated files of Widdit.com:

%AppData%[trojan name]toolbarcouponscategories.xml
%AppData%[trojan name]toolbarcouponsmerchants.xml
%AppData%[trojan name]toolbarcouponsmerchants2.xml
%AppData%[trojan name]toolbardtx.ini
%AppData%[trojan name]toolbarguid.dat
%AppData%[trojan name]toolbarlog.txt
%AppData%[trojan name]toolbarpreferences.dat
%AppData%[trojan name]toolbarstat.log
%AppData%[trojan name]toolbarstats.dat
%AppData%[trojan name]toolbaruninstallIE.dat
%AppData%[trojan name]toolbaruninstallStatIE.dat
%AppData%[trojan name]toolbarversion.xml
%Temp%[trojan name]toolbar-manifest.xml
(4) Remove the related registry entries of Widdit.com:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\InprocServer32 "C:\PROGRA~1\WINDOW~4\ToolBar[trojan name]dtx.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} "[trojan name] Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID "[trojan name]IEHelper.UrlHelper"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID "[trojan name]IEHelper.UrlHelper.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} "UrlHelper Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[trojan name]IEHelper.DNSGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "[trojan name] Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper.UrlHelper”

Or ask for help from one of our qualified malware removers like essexboy, oldman, etc.,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline BreezyCricket

Re: New Virus - widdit.com
« Reply #2 on: January 20, 2012, 05:19:22 PM »
Many Thanks for the reply.

I had already tried this but I can't find random.exe or any of the other files listed.

I haven't bothered with the registry items yet because I thought it would be a waste of time doing only half the procedure.

If it is of any importance I am using Windows 7 on the infected machine.

Cheers.


Online Pondus

Re: New Virus - widdit.com
« Reply #3 on: January 20, 2012, 08:53:59 PM »
Follow the guide here and attach the logs (not copy and paste)
http://forum.avast.com/index.php?topic=53253.0
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline BreezyCricket

Re: New Virus - widdit.com
« Reply #4 on: January 21, 2012, 09:31:11 PM »
The log is attached.

Online Pondus

Re: New Virus - widdit.com
« Reply #5 on: January 21, 2012, 09:46:38 PM »
The log must be saved as ANSI... if not, we can't read it... it looks Chinese.

Also attach the other logs.


Online essexboy

Re: New Virus - widdit.com
« Reply #6 on: January 21, 2012, 10:09:52 PM »
Just an adware registry key


Offline BreezyCricket

Re: New Virus - widdit.com
« Reply #7 on: January 21, 2012, 11:27:58 PM »
Hi Pondus:

I thought I should only proceed to the next step if MBAM encountered a problem.

Should I proceed to the next step, and, if so, what is OTL?

As to the Log I included, I don't know what the problem is but it looks perfectly legible to me.

This is it.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.21.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Brian :: SATURN [administrator]

Protection: Enabled

21/01/2012 2:01:19 PM
mbam-log-2012-01-21 (14-01-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192936
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
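An added example (not part of any post in this thread, and not Malwarebytes code): a small Python parser for a log shaped like the one quoted above. It decodes the file whether it was saved as ANSI or as BOM-marked Unicode, the issue raised in Reply #5, and checks that each section's declared count matches the items listed. The field layout is inferred from this one log and is an assumption; the sample is a constructed excerpt of it.

```python
import codecs
import re

# Constructed sample: excerpt of the log quoted in the post above.
SAMPLE_LOG = "\r\n".join([
    "Memory Processes Detected: 0",
    "(No malicious items detected)",
    "",
    "Registry Keys Detected: 2",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.",
    "",
    "Files Detected: 0",
    "(No malicious items detected)",
    "",
    "(end)",
])

def decode_log(raw):
    """Decode by byte-order mark; fall back to the Windows ANSI code page."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8-sig"),
                     (codecs.BOM_UTF16_LE, "utf-16"),
                     (codecs.BOM_UTF16_BE, "utf-16")):
        if raw.startswith(bom):
            return raw.decode(enc)
    return raw.decode("cp1252", errors="replace")

# "<Section> Detected: <n>" header, then "<object> (<family>) -> <action>" items.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM = re.compile(r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def parse_log(text):
    """Return {section: {"declared": n, "items": [{object, family, action}]}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(
                m["name"], {"declared": int(m["count"]), "items": []})
            continue
        m = ITEM.match(line) if current is not None else None
        if m:
            current["items"].append(m.groupdict())
    return sections

def mismatches(sections):
    """Sections whose declared count differs from the items parsed (truncated log)."""
    return [n for n, s in sections.items() if s["declared"] != len(s["items"])]

def unresolved(sections):
    """Detections whose action text does not report success."""
    return [i for s in sections.values() for i in s["items"]
            if "successfully" not in i["action"]]
```
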

Offline DavidR

Re: New Virus - widdit.com
« Reply #8 on: January 21, 2012, 11:52:00 PM »
Whilst essexboy said it is just an adware registry key (and your MBAM run has removed that), I don't know if he would also want you to proceed to the next step, but it wouldn't hurt.

OTL is firstly an analysis tool to gather information on possible malware on your system.

From that first analysis run it creates the two logs which need to be attached to your next post. These are analysed by a malware removal specialist and a fix formulated if required. This fix you then run in the next run of OTL; instructions on what to do are given at that time.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online polonus

Re: New Virus - widdit.com
« Reply #9 on: January 21, 2012, 11:59:19 PM »
Hi ye all,

Agree with DavidR here. Seems a bit of an overkill to me too, but as that is what the user wants and he wants to be certain nothing aside of that what was being found up exists, he is perfectly entitled to it.
Essexboy will declare him "good to go", I assume. Again the victim should feel safe and secure, that comes first,

polonus

Offline Widdit

Re: New Virus - widdit.com
« Reply #10 on: April 11, 2012, 02:36:26 PM »
Hi there,

Our applications are in no way virus or harmful. We follow a very strict and user-facing privacy policy on our site. The service itself is ad-free and focuses on features that empower users’ search and enhance the experience.

If you're still looking to disable the service, we’ve made it easy with detailed instructions on our support page at:
http://widdit.com/howtoremove.aspx

We’ll also highly appreciate if you can submit your comments on our feedback page – this can help us track any source of misuse.

Thanks!

Widdit Support

Offline BreezyCricket

Re: New Virus - widdit.com
« Reply #11 on: April 11, 2012, 04:28:53 PM »
To Widdit Support.

What you say is simply not true.

Your Malware hijacks browsers and re-directs a search to a search engine of your choice. I was using Chrome and you DEFINITELY hijacked that, and there was no way I could use Google as my search engine.

The way your Malware slowed down my PC made it almost impossible to use, and I am told that this delay was Widdit scanning my machine for passwords and other personal information.

I have now changed to another browser and got rid of Avast Anti-Virus because I suspected they were in cahoots with you and since then my system has returned to normal.

Online polonus

Re: New Virus - widdit.com
« Reply #12 on: April 11, 2012, 04:39:57 PM »
Here we can have a view what technology has been used: http://w3techs.com/sites/info/widdit.com
BrightCloud gives it a green 84 rep index - Trustworthy, and a 100/100 rep here: http://www.webutation.net/go/review/widdit.com

polonus

Offline BreezyCricket

Re: New Virus - widdit.com
« Reply #13 on: April 11, 2012, 05:19:10 PM »
Unfortunately, it is possible to buy any favourable report on any product one chooses, so most of these can be taken with a 'pinch of salt'.

As far as Widdit is concerned, I trust my observations more than a report that could have been bought.

Offline True Indian

Re: New Virus - widdit.com
« Reply #14 on: April 11, 2012, 05:22:59 PM »
I don't see any direct threat just by going to the site... How did you get the adware? Did you download something from there?
http://anubis.iseclab.org/?action=result&task_id=104a936a3f3e2887465755385bb41dd9f&format=html

 
