Computer Security & Viruses/Help!! WinWeb Security Breach
Expert: Brian Benosky - 12/15/2008
QUESTION: I'm infected with Win Web Security registry files. I need to get rid of the files and pop-ups by sending a removal software that is instant to get rid of the problem. Please respond ASAP!!!!
ANSWER: Hi Don
Let's try running a Malwarebytes scan, preferably in Safe Mode. Please download Malwarebytes' Anti-Malware to your desktop from here:
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
    o Update Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version. Do not run a scan yet.
Restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears. Choose to Start Windows in Safe Mode. Log on as usual. Open Malwarebytes and run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Save that log and reboot normally.
After rebooting, please download HijackThis to your desktop from here:
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Make sure you close EVERY open window and ALL browser windows. The only thing that should be open is the HijackThis program.
Double-click on the file you just downloaded.
Click on the "Install" button.
Upon install, HijackThis should open for you.
Should it not open, go to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe.
Choose 'Do a system scan and save a log file'.
Copy the text file which opens in Notepad and paste it in your follow-up, along with the Malwarebytes log.
* Do not fix any entries in HijackThis, as they may be harmless.
Brian
---------- FOLLOW-UP ----------
QUESTION: Brian,
Follow-up to the follow-up would give you more insight to the problem. The pop-up warning is an infected worm Lsas.Blasterkeyloger to a remote host, searching for financial information.
ANSWER: Hi Don
Just found some information for you from another web forum:
WARNING: Winweb Security is a SCAM!
DO NOT continue with winweb as it will steal critical/personal information!
It reports that Lsas.Blaster.Keyloger is the culprit, but that is not the case. Lsas.Blaster.Keyloger is either a part of Winweb, or does not exist.
The best way to get rid of Winweb is to restart your computer in Safe Mode, then search all files including hidden files and folders for:
1806188250
That is the filename that Winweb goes by.
I am not certain that the above method will work, as I have not tested it. I would still like to see the log files to check for other infected processes.
Brian
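
A read-only way to run the search described in the follow-up answer, as an added example that is not part of the original post and was not written by the expert: it walks a folder tree, hidden entries included, and lists anything whose name contains 1806188250, with a SHA-256 for each file so the results can be sent along with the scan logs. The function names, the substring match and the default root `C:\` are assumptions.

```python
import hashlib
import os
import stat
import sys

INDICATOR = "1806188250"  # filename quoted in the answer above
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)  # Windows attribute bit


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks; return None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()


def find_indicator(root, indicator=INDICATOR):
    """List files and folders under root whose name contains indicator."""
    # Read-only: nothing is deleted. Substring matching is an assumption,
    # because the page gives the name without an extension.
    hits = []
    # os.walk does not skip hidden entries; unreadable folders are skipped.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            if indicator not in name:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            is_file = stat.S_ISREG(st.st_mode)
            hits.append({
                "path": full,
                "kind": "file" if is_file else "folder",
                # st_file_attributes exists only on Windows
                "hidden": bool(getattr(st, "st_file_attributes", 0) & HIDDEN),
                "sha256": sha256_of(full) if is_file else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_indicator(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```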