Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012
Accepted Solution

Persistent Web Threat from http://x-web.in/


I have been using Trend Micro Internet Security for almost 10 years and I have never seen a continuous Web Threat like this before.  In Trend Micro Titanium Internet Security 2012, it is blocking a continuously increasing count of Web Threats from a website.  The website is showing up as:

 

x-web.in/Y2x8MS40fGI1M2M4YmU0ZGZhZjY2YWZjZTE2NGMzZGMyOTZkYTc2fDE1Ng==

 

I exported the log report and used Excel to count the number of threats in 1 minute.  It varies, but I was seeing 370 to 380 entries per minute!

 

The details of the log include:

 

Rating: Dangerous Page (49)

Response: Blocked

Detected By: Web Reputation

 

Of course I did a scan and TM didn't find anything.  I ran ComboFix and the Web Threat is still counting.  It allocates so fast, it's like a ticker counter.

 

Has anyone ever seen this before?

 

Thank you.   
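Added example, not part of the original posts: the per-minute count described above done in a script instead of Excel, plus a base64 decode of the path token in the blocked URL, which yields pipe-delimited fields. The log layout (a CSV with `time` and `url` columns), the timestamps and the `example.test` row are constructed assumptions; only the x-web.in token comes from the post.

```python
import base64
import binascii
import csv
import io
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Token quoted in the post; every other value in SAMPLE_LOG is constructed.
TOKEN = "Y2x8MS40fGI1M2M4YmU0ZGZhZjY2YWZjZTE2NGMzZGMyOTZkYTc2fDE1Ng=="
SAMPLE_LOG = "time,url\n" + "".join(
    f"2012-02-11 10:{m:02d}:{s:02d},http://x-web.in/{TOKEN}\n"
    for m in (0, 1) for s in (0, 20, 40)
) + "2012-02-11 10:01:30,http://example.test/index.html\n"


def decode_path_token(url):
    """Return the base64-decoded last path segment as text, or None."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    if not segment:
        return None
    try:
        padded = segment + "=" * (-len(segment) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or not plain text once decoded
    return text if text.isprintable() else None


def summarize(log_text, host="x-web.in"):
    """Count blocked requests to `host` per minute and tally decoded tokens."""
    per_minute, tokens = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if urlsplit(row["url"]).hostname != host:
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        decoded = decode_path_token(row["url"])
        tokens[tuple(decoded.split("|")) if decoded else None] += 1
    return per_minute, tokens


if __name__ == "__main__":
    rate, seen = summarize(SAMPLE_LOG)
    for minute, count in sorted(rate.items()):
        print(minute, count)
    for fields, count in seen.items():
        print(count, fields)
```

A single decoded token repeating at a steady rate is the pattern to look for in the real export; the meaning of the individual fields is not stated anywhere in the thread.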

Stone Esquire
bobfield
Posts: 3
Registered: ‎02-07-2012

Re: Persistent Web Threat from http://x-web.in/

I have the same exact problem with the same website, and can't stop this from happening.

Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

It looks like I found the trojans that were causing it.  I downloaded the free version of Malwarebytes Anti-Malware and did a quick scan.  It found 2 trojan agents and several other suspect folders and files:

 

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 3904 -> Delete on reboot.

 

Files Detected:

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

 

The other folders and files that it detected and removed were related to PUP.PlaySushi, which I have no idea what it is. 

 

After cleaning the files, Trend Micro is no longer continuously blocking the Web Threat.

 

Hopefully this will benefit others who may run into this trojan.

 

Stone Esquire
bobfield
Posts: 3
Registered: ‎02-07-2012

Re: Persistent Web Threat from http://x-web.in/


I found 2 trojans as well when I ran the Malwarebytes scan, but once I restarted the computer, I still received these constant web threats from x-web.in

Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

Yes, after re-starting the computer and waiting for a short period, the Web Threat does resume.  Hmmm.  I wonder if it's an actual trojan or if Trend Micro is incorrectly reporting it as a Web Threat?

 

The problem still persists...

 

   

Legendary Emissary
malwarekiller
Posts: 3,926
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/

Welcome aboard!

Please follow the below instructions to resolve your issues...

 

Download ComboFix from any of the locations given in this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
      • Double click on ComboFix.exe & follow the prompts.
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

      When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

I attached the Combo Fix log report.  I don't know how attachments work on this forum.

Legendary Emissary
malwarekiller
Posts: 3,926
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/


How is your computer running now?

 

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

The computer has been running fine all of this time.  However, Trend Micro is just continuously blocking the same Web Threat.  I don't know if it's a trojan that is on my computer or if it's just an outside threat that is trying to get into my computer. 

 

The Malwarebytes program found the same 2 files as before (svchost.exe), however, upon reboot nothing has changed.  TM is still blocking the Web Threat.   Anyway, here is the Malwarebytes log:

 

 

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

 

Database version: v2012.02.13.01

 

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)

Internet Explorer 9.0.8112.16421

 

2/14/2012 5:39:42 PM

mbam-log-2012-02-14 (17-39-42).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 211032

Time elapsed: 7 minute(s), 29 second(s)

 

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 956 -> Delete on reboot.

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

 

(end)

Legendary Emissary
malwarekiller
Posts: 3,926
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/

Then that needs investigation...

 

Download aswmbr.exe ( 1.8mb ) to your desktop. 

http://public.avast.com/~gmerek/aswMBR.htm
Double click aswMBR.exe to run it.

  • Click the [Scan] button to start the scan.

  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.
