What is webshlock.txt?

I just had a malware warning on an exe file in windows temp that avast was unable to delete or move to chest. I manually deleted it. Discovered a file folder avast4 and inside a file called webshlock.txt. What is this and why can’t I delete it? Plus outside the file is all these Perflib_Perfdata_428.dat type files. Are they normal or should I be worried or what?



It is an avast protected file; it is related to the Web Shield, and that folder is where the web shield unpacks/scans files before they are allowed to go to your browser cache.

Do you mean these files are inside the avast4 folder? I rather think not.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

“Win32:Neredr [Drp]” has been found in “C:\WINDOWS\Temp\wpv891243627542.exe\install.exe” file.

That is the file that I had to manually delete.

In this same Temp folder is another folder that says avast and yes, as I clearly stated above ‘A FILE’ called webshlock.txt is in that avast folder. The OTHER files are not.

This is the first ‘virus’ that avast was unable to do anything about.

It appears that the file is a Rustock dropper.

I suggest you download and run MBAM and post a log.

Are you using Windows XP/Vista?
Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.

All right, I downloaded the Malware program as asked and here is the log:

Malwarebytes’ Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/10/2009 9:23:41 PM
mbam-log-2009-08-10 (21-23-29).txt

Scan type: Full Scan (C:|)
Objects scanned: 207793
Time elapsed: 59 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) → No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) → No action taken.
HKEY_CLASSES_ROOT\Interface{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) → No action taken.
HKEY_CLASSES_ROOT\CLSID{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) → No action taken.
HKEY_CLASSES_ROOT\Typelib{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) → No action taken.
HKEY_CLASSES_ROOT\AppID{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 Driver (Backdoor.Bot) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Service (Backdoor.Bot) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) → No action taken.

Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) → No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) → No action taken.
C:\Documents and Settings\Owner\Application Data\wiaserva.log (Malware.Trace) → No action taken.
C:\WINDOWS\zaponce52689.dat (Worm.Koobface) → No action taken.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) → No action taken.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) → No action taken.

Why does it say ‘no action taken’? I thought it deleted the viruses? And what pisses me off is that just a few hours ago I used Avast and Avast did not detect ANY viruses. So is Avast broken? Do I have to reinstall? Why isn’t it working?


I did not even update the Malware program before using. Should I get the updates and use again?


I also did the boot scan thing just now and Avast did not detect anything. I tried to erase the files listed in the Malware log myself but they are not there. I have my folder options set to show hidden files but I don’t know if there is some reason they are not showing or if they have in fact been deleted by the Malware program.


Let me know what you think.


Update MBAM definitions, as the latest I see is 2597, then run it again, then let MBAM remove whatever it finds by clicking Remove, then reboot to remove locked items.

I see Windows 5.1.2600 Service Pack 2, and Windows Service Pack 3 has been available for over a year; it provides several Critical Security updates and performance improvements, so it should be applied in IE by going to Tools, then Windows Update, then downloading and installing all updates.

You should go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

You should install User Profile Hive Cleanup Service to help with slow log off and unreconciled profile problems:

Run Secunia Online Software Inspector to see what other applications are vulnerable to infection:

Hey, Thank you for the reply. I changed the setting in updates and downloaded the profile clean-up thing but I’ll have to wait until I can back up all my files on something before the SP3 download. I was reading the Microsoft thing on what to do and system requirements and all that and they said I should back up my data so I have to do that but thanks for telling me I’ll download it soon as I can.


Did you also run MBAM again and let it remove what it finds?

Not to worry: the folder C:\windows\temp_avast4_ and the file webshlock.txt in it are created by avast! every time it opens in Windows. If you right-click on the avast! icon in your system tray and then click Stop On-Access Protection, the file will be deleted and you can then also delete the folder. If you again right-click on the avast! icon in your system tray and then click Start On-Access Protection, they will be recreated. In short, don’t worry.

Welcome to the forums.

Great to see you taking an active interest, but this topic dates from 27 July 2009 to 11 August 2009.

I’m glad the poster took the time to post to an old question because he’s the only one in the thread who actually answered the question asked and it was just what I was looking for.

I beg to differ as I answered the question “what is webshlock.txt?” in the first reply.