Bit of a computer issue ...

[Neoscryer]

Okay. I don't know how this happened (honestly, I haven't been to any dangerous sites lately ... my brother must've been looking for porn again. Ugh)

Anyway, this spyware/malware called 'WinWeb Security' is downloaded now, popping up bull claims that I have like fifteen Trojans on my computer and I HAVE to buy their product to fix it about once a minute. I'm not an idiot, I know that's a load of crap. But it's a little more than that. I can't use Google, I have to use the direct link otherwise the damned thing re-directs me to sites that are probably only making this worse. I can't open the virus protection I DO have, and manually searching for this program in my files would take hours I don't have.

And I can't seem to download any of the removal programs I have found. ... Help?

[FastChapter]

If you've got something that's preventing you from downloading virus protection, anti-spyware, and the like... and it's actively hijacking your browsers, you need to restart your computer in SAFE MODE (smash F8 as it reboots) and try running your antivirus then.

If you still can't do it, reinstall windows and make sure you reformat your hard drive in the process. I'd try saving what vital files you can to a jump drive or something, but be 100% sure you aren't moving infections onto it as well.

[Demus]

Google to the rescue!

Of course, first you could try eliminating the process via task manager, which should set your internet free for at least a short amount of time.

Second, I don't trust the removal programs either, so I'd suggest the manual way. Someone has found those files for you already, you see :3

Delete registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinwebSecurity"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\Browser Helper Objects\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}

Delete files:
c:\\Documents and Settings\\All Users\\Application Data\\WinwebSecurity\\config.udb
c:\\Documents and Settings\\All Users\\Application Data\\WinwebSecurity\\init.udb
c:\\Documents and Settings\\All Users\\Application Data\\WinwebSecurity\\WinwebSecurity.exe
c:\\Documents and Settings\\All Users\\Application Data\\WinwebSecurity\\Languages\\English.lng

Delete directories:
C:\Documents and Settings\All Users\Application Data\WinwebSecurity

Although I'm not sure how to deal with registry values... Somebody who has smarts, please?

[avwolf]

Although I'm not sure how to deal with registry values... Somebody who has smarts, please?

Start->Run
Regedit
In the Registry editor that pops up, choose Edit->Search and then paste in the key you want to find. Otherwise you can troll the tree structure of the registry to find the key and delete it.

Be careful! Mucking about in the registry and deleting things you don't know you want to delete is a bad idea. Only delete those registry entries you know are bad.

Another thing to check for is the proxy settings for your computer/IE (under Control Panels: Internet Options) and possibly also Firefox. It's either using a local proxy to redirect all your traffic or it's changed your HOSTS file (in C:\WINDOWS\system32\drivers\etc it's the file called "hosts"). That's a plaintext file without an extension that should probably only have one line that doesn't start with '#'

Code: Select all

127.0.0.1         localhost

If there are any other lines in that file below that line, they're probably evil and should be deleted. Don't be surprised if your malware readds them if it's still running though.

-- Bugger, Fast! --
A reformat? He got some malware, he wasn't hacked! That might just be a bit of overkill.

[Neoscryer]

Although I'm not sure how to deal with registry values... Somebody who has smarts, please?

Start->Run
Regedit
In the Registry editor that pops up, choose Edit->Search and then paste in the key you want to find. Otherwise you can troll the tree structure of the registry to find the key and delete it.

Be careful! Mucking about in the registry and deleting things you don't know you want to delete is a bad idea. Only delete those registry entries you know are bad.

Another thing to check for is the proxy settings for your computer/IE (under Control Panels: Internet Options) and possibly also Firefox. It's either using a local proxy to redirect all your traffic or it's changed your HOSTS file (in C:\WINDOWS\system32\drivers\etc it's the file called "hosts"). That's a plaintext file without an extension that should probably only have one line that doesn't start with '#'

Code: Select all

127.0.0.1         localhost

If there are any other lines in that file below that line, they're probably evil and should be deleted. Don't be surprised if your malware readds them if it's still running though.

-- Bugger, Fast! --
A reformat? He got some malware, he wasn't hacked! That might just be a bit of overkill.

Okay start>run ... I got that, but in the run menu, there isn't an 'edit' button. Err, am I doing something wrong?

'She', by the way. Sorry, I'm a little picky about that.

*EDIT* Oh, and no "Application Data" either.

[Demus]

Write "regedit" and press enter.
Av mentioned it, but seems to have slipped past your eyes ^^

[Neoscryer]

Write "regedit" and press enter.
Av mentioned it, but seems to have slipped past your eyes ^^

Ahh, I'm sorry.

[avwolf]

'She', by the way. Sorry, I'm a little picky about that.

My apologies. I'll remember in the future.

I think Demus covered the regedit issue.

*EDIT* Oh, and no "Application Data" either.

Application Data is a hidden directory. In your open directory (folder), go to Tools->Folder Options. Then under the "View" tab, look for the radio button for "Show hidden files and folders." Select that option, click "Apply" and then click "Okay." You should be able to see Application Data now. It'll be sort of ghosted to mark it as hidden, but you should have no problem getting into it to delete what needs removed.

[Neoscryer]

Application Data is a hidden directory. In your open directory (folder), go to Tools->Folder Options. Then under the "View" tab, look for the radio button for "Show hidden files and folders." Select that option, click "Apply" and then click "Okay." You should be able to see Application Data now. It'll be sort of ghosted to mark it as hidden, but you should have no problem getting into it to delete what needs removed.

Okay ... now I have the Application Data, but no Winweb. And the registry editor just brought me to my brother's Starcraft files. Er, I'm failing at this. I'm sorry guys.

[avwolf]

You can walk through the registry using the tree navigation on the left side. Try using that to get to the keys you're looking for.

HKEY_LOCAL_MACHINE...Run will have a lot of values there, make sure you don't accidentally delete any you don't want to delete (I'd right click on the specific entry in the right side and choose delete from the context menu, personally).

You could try searching your registry for "Winweb." It's a safe bet that pretty much anything you find can be deleted.

I don't know what's in the Application Data directory on your system, so I can't really offer any suggestions there, other than to also check the Application Data for your specific user as well as "All Users."

[Neoscryer]

Thank you all - it's gone now. I was getting really sick of it.

[avwolf]

Excellent news. I hope we were at least some sort of help.

-- Edit --
I apparently experienced a typing fail there. Missing letters have been restored.

[FastChapter]

I just hit the big red panic button whenever my computers hiccup.

*glitch* OVERRIDE THE OPERATING SYSTEM AND HIT DELETE!!

[Demus]

I still get nightmares about my computer's condition couple years back.

Found out I had loose cable on hard-drive.

I formatted it anyway.