Autodialer Virus

[Calyxa]

Here is the scenario ... my machine started to get slow, and starts freeze for no apparent reason. When I do a hard reboot, I noticed that there is this ghost face icon appearing in my system tray. When I go to mouse over it to see what the hell it is, it disappears and does not return. Ok, I definitely have a virus b/c I have never seen this icon before.

So, I wonder what this process is in the system tray. I go to the Windows Task Manager and look. I see a bunch of processes… a lot of them, I am not really sure what they are but I see a tell-tale clue… a process called WebRebates.exe and one called Bargins.exe…. I kill them and AVG detects a virus called WebRebates.exe. I quarantine it and it seems to give me the same virus warning three times, asking what I want to do with the file. I repeat and quarantine the others.

Then I delete my cookies, temporary Internet files and my trash can. I update my virus definitions and do a virus scan w. AVG. AVG gives me a clean bill of PC health. I scan for spyware using Spybot Search & Destroy, and scanned for more spyware using Ad-aware . I found a few tracking cookies and I killed them, but I found nothing that would explain my problem. Next day, my machine still kept freezing! I do a few more hard reboots and try searching through my hard drives manually for strange file folders and deleting them, then dump my trash can to be sure it is gone. I was smart enough to take a screen shot after one of my reboots (and before I move my mouse, because it disappears when I move the mouse to the tray ..lol) so I can get a photo of this ghost icon in the tray.

There is a virus here, but Spybot and Ad-aware aren’t finding it. AVG is finding it but not until it is running strong in my system. So, I tweak Ad-aware to make sure it is searching registry keys, temp files and all, in case some autodialer installed somehow and is causing my symptoms.

Wouldn't ya know it << ? >> i found a new registry key named bargains and WebRebates! I killed them both with Ad-aware. But, yes the next day my pc is still slow, and freezes again. I do a hd reboot AGAIN and I go looking for this cute little program called [color=blue]Add/Remove 4 Good[color] which goes farther than the windows add/remove programs utility and removes all files of an application from your pc - it recognizes all installed programs even if they do not write to the windows registry on install. (its awesome go get it!)

Anyhow, so I removed the programs using add/remove and here is day 3 and I wanted to share the saga w. u guys in case someone has this problem or has any more advice.

Here is a snapshot of the ghost face what WebRebates.exe put in my taskbar tray. Freaky I know.

[greffov]

hmmm...

[Calyxa]

dood...

[greffov]

where's my pc?

[DreamCaster]

Go and get yourself a copy of Bazooka for free and do a scan with it. If it finds something it'll give you a link with a description of the problem as well as how to eradicate it

Here's the link: Clickety-Click

[JamesT]

I have that exact same problem! Theres a file WebRebates, Rebates and a process called WinComm which whenever i shut down the process, it creates a new one and i cant stop it. What should i download to fix it?

[DreamCaster]

Here's a little more info on removing WebRebates: Click

Hijack This is a free proggy you can find here

Just make sure you read up on it before removing stuff

[berks]

those are a couple of nice links DC!

[Calyxa]

U know, i think someone should change the name of the thread to WebRebates.exe Virus.

Good links Dreamcaster, ty. Good reading.

JamesT: Do what i did, if you can.
- hit Ctrl+Alt + Delete buttons to get to the Task Manager.
-Under the tab called Processes
identify and stop all offending processes.
- if you are able to, download Ad-aware and run it. Be sure to tell it what drives to scan if you have several hard drives on the machine. My Ad-aware found WebRebates and Bargins as registry entries, follow the instructions and fix the problem.
-Then to be totally sure you got to the bottom of the problem, browse to the folder where it installed. Mine was in its own little folder like any other program under C:/Program Files>WebRebates>
If you find the same, delete the whole folder, then dumped your trash can files.
- if you want to get really tailled out, run msconfig and uncheck the program if it is listed.
To do that : go to the Start Menu> Run> type: msconfig, hit enter and go to the tab called Start Up and uncheck WebRebates and WinComm if they are listed.
-Then i used a program i have called AddRemove 4 Good to uninstall the program becasue i knew it was likely that some web page or corrupt p2p file installed the WebRebates program on my system.

Make sure your antivirus and firewall software is up to date.

WinComm.exe
It seems that this WinComm.exe is a totally different worm/virus you have running on your system and according to this article here it may have been passed to you through IRC. This gives you information on it but dosen't offer and advice for how to get rid of it.

This article describes the default processes under the Tasks Manager. Use this to help you decipher what should be there and which ones are foreign.
Default Processes in Windows 2000
For processes not listed in the above article ProcessLibrary.com has a free search tool. It will tell you what the process does and which program it belongs to.

[Calyxa]

I still don't know which program was causing the ghost in my system tray but i do know i also had something called msbb.exe on the machine, it was much like WebRebates and i believe accompanyed it when it was installed. Remember to look for this one too, JamesT and to treat it just like WebRebates .

[Calyxa]

opps, duh.... the little ghost face is yahoo instant messanger! I guess that's how it looks when you use it and sign off and the process is still running.


ROLMAO

[tiremonkey2000]

I just had a problem with my puter also everytime my screensaver came on a trojan downloader program would appear ran all my programs AVG,adaware,housecall everything couldnt find anything finally called lion he knows everything all we did is clear out system restore trojan went bye bye he said it was a ghost program i dunno but it worked i also got back 3 gbts on hard drive cool huh