Jump to content


Photo

WEBBAIT.EXE


  • Please log in to reply
2 replies to this topic

#1 Hogsfoot

Hogsfoot

    Member

  • New Member
  • Pip
  • 1 posts

Posted 23 January 2007 - 08:05 AM

Just thought I'd see if anyone has come across this one. I use Windows Defender and Spyware Doctor and Norton AV 2006. None of these picked this up, or were able to cure it.
I am running IE7, and everytime I opened it, I would be subject to other IE windows opening every few minutes or so, pointing to site like 888.com, and other various ones advertising things. I also noticed that IE7's tabs were not working. If you right-clicked on a link and selected "open in new tab" it would always open in a new window. Also, every link you clicked on was seen as a popup, not a link (IE7 would display the "Pop up blocked" bar at the top of the screen), and you would have to enable popups to open the link.
I noticed in task manager that even when IE was not open, two instances of it were running, and one was using around 50MB of memory. When you manually terminated it, for a brief second, a programme calle WEBBAIT.EXE would appear in the list, then be replaced by another instance of iexplore.exe.
On searching my system for WEBBAIT.EXE, I found the following:

A folder called C:\Documents and Settings\All Users\Application Data\4 Dumb Glue Flaw
This contained the files WEBBAIT.EXE and a hidden file called Teamref01

The file WEBBAIT.EXE was being executed at startup due to a registry entry, so I removed the entry, rebooted in safe made and deleted the above folder and two files. Job done!

If anyone else has come across this, I'd be interested to know, as I can't find anything on the Internet about the file WEBBAIT.EXE, or "4 dumb glue flaw"!

#2 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 7,082 posts

Posted 23 January 2007 - 08:40 AM

I moved your topic to a more appropriate forum.

The infection you describe is LOP and it is nothing new. While you may have removed what you can see, there is a very good chance that you have not removed it completely and it will likely reinfect. I would suggest that you review the forum FAQ, open a new topic in the forum Malware Removal and then post your HijackThis log in your new topic.

Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

 


#3 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 23 January 2007 - 09:33 AM

Hi,

If anyone else has come across this, I'd be interested to know, as I can't find anything on the Internet about the file WEBBAIT.EXE, or "4 dumb glue flaw"!


Well, those ones are random and are related with LOP aka swizzor:
http://vil.mcafeesec...nt/v_136491.htm
http://www.sophos.co...jswizzoraw.html

As far as I know, this one is getting installed with programs like Messenger Plus !3 (if you choose to install the sponsor), Bitroll, Bitgrabber, Netpumper..
You can also get it when you visit certain cracksites where they ask you to install an additional plugin called "Download Plugin for Internet Explorer"
This one installs Swizzor as well.
Recent variants do have an uninstaller in add/remove programs called "Zone Media" or "CiD Help" and I have seen "CiD Manager" as well.
The uninstaller works pretty good and removes every leftover present.
If you uninstall it, it will look like this:

Posted Image

Ofcourse, the number there will be different everytime.

Hogsfoot, since you only removed one related folder, it may be a good idea to post a Hijackthislog in the Hijackthislog section of this forum, because many leftovers may still be present.
This one also creates a random named job in your Windows\tasks folder (which is hidden) and another random named folder in your %appdata% (which is Documents and Settings\Your Username\Application Data) + in some cases also a random named folder in your Program Files. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




Member of UNITE
Support SpywareInfo Forum - click the button