Webcry
Okay, I bought this new computer, an e-machines, with vista windows, McAfee security, defender, and I have dialup through netzero. Somehow I have had this webcry thing attach itself to my browser, or something in my computer. It only becomes active at google, any other search engine and I have no problems. But go to google, click onto anything, and webcry comes up in the search box, and steers me to an ad page. I have to go backwards and reclick onto where I want to go to finally get there. Happens every single time, but at google only. Any other search engine, no problems.
Now in tools, under manage addons, I came across something that didn't look right, "browser redirect" it read, so I disabled it, went to google, and it kind of solved part of my problems, now when I click onto something at google, webcry comes up in the address box, but instead of being redirected to an ad, I'm quickly taken to a blank page, every time. I then go backwards, and still have to click onto where I first clicked onto, then I get to where I want to go.
So the browser redirect thing in manage addons clearly was part of the webcry thing. My main problem now is finding out where the rest of this thing is hiding. If I didn't like google so much, I would simply solve the problem by using another search engine, but who knows if this webcry is just going to put, or if it will spread to other areas? I really don't want to take that chance.
To date, here's the steps I've taken to try and solve this; bought and downloaded spywarebot, did a scan, then a deep scan, webcry still there. Got error killer, a privacy control software, and anti spywarebot, did scans, webcry still there. I also did the adwarealert 7000, still there. I have also run a program called vundo, or something like that, recommended by another site, webcry still there. So today I downloaded bitdefender, the free version, ran it, webcry still there. And I just want to add, I am a novice at all this, this being my first new computer. So what haven't I tried???
Comments
-
Hello jrheavymetal
Most bho (browser helper objects = toolbars) are located under the manage add-on section.
I suggest that you download the following programs:
superantispyware: Install it and double-click on the shortcut. When you have done that, right-click on the bug (insect) icon near the system clock, choose check for updates and download them. Reboot your PC now, but press the F8 button several times before the Windows loading screen, select safe mode and press enter. Log in and start the program, but now choose scan for spyware, adware, malware: scan your computer, select perform complete scan and press next. Reboot after the scan is finished.
Download hijack this
Install it, run the program and select the option "do a system scan and save a logfile". Please post the logfile in your next reply.
Best regards
Niels0 -
Download these 2 files "a-squared free" & "spyware terminator" ..
install, don't forget to add this application "toolbar crawler" and enable realtime shield protections, don't forget to update your definition files, no scan required for it to bypass webcry .. to make sure it's clean run scan in safe mode that's all.. end of game i hate this one nyahahaa..0 -
Hello anonymousprimegathrone
I suppose this issue is already solved.
Best regards
Niels0 -
okay. so i've been having this problem recently and got it fixed by doing what Niels suggested. I hope i don't come across any other viruses that are connected to this ... but anyway, I wanna ask what does "hijack this" do, and why you ask for the logfile reports?
but nonetheless, here is mine.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:13 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxbucoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0A2A22E9-C506-4079-94A9-3653B7927D69} - C:\Program Files\Anonystat\Anonystat-1.dll (file missing)
O2 - BHO: D-i-v-X AV Codec Pack Toolbar Helper - {E001FD9F-D3C0-4a37-8250-0AF61F601AC7} - C:\Program Files\D-i-v-X AV Codec Pack Toolbar\v2.0.0.5\D-i-v-X_AV_Codec_Pack_Toolbar.dll
O2 - BHO: Media Holding Enterprises, LLC - {E82E0739-0AAE-4E99-9052-B40F7DABFA34} - C:\Program Files\ErrorsTool\ErrorsTool-2.dll (file missing)
O3 - Toolbar: D-i-v-X AV Codec Pack Toolbar - {53794874-5F35-486c-AE93-D924D0E681B9} - C:\Program Files\D-i-v-X AV Codec Pack Toolbar\v2.0.0.5\D-i-v-X_AV_Codec_Pack_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program Files\s300\s300_1202878776.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...tart/HGPlugin11USA.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...rols/en/x86/client/muweb_site.cab?1201563855187
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/...ActXInstall.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...tart/HGPlugin9USA.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 7280 bytes
thanks a million! :]0 -
Hello ultimateNOOB109,
Fix these entries:
O2 - BHO: Media Holding Enterprises, LLC - {0A2A22E9-C506-4079-94A9-3653B7927D69} - C:\Program Files\Anonystat\Anonystat-1.dll (file missing)
O2 - BHO: Media Holding Enterprises, LLC - {E82E0739-0AAE-4E99-9052-B40F7DABFA34} - C:\Program Files\ErrorsTool\ErrorsTool-2.dll (file missing)
Also, this entry looks very suspicious:
O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program Files\s300\s300_1202878776.dll"
Please find that file, put it in a ZIP archive (with the password infected) and attach it to your next post. It will be analyzed, and you will get an answer if this is an infection or not.
If you cannot find the file, read this: http://forum.bitdefender.com/index.php?showtopic=3573
Cris.0 -
hmm. oddly enough, i did all that it said in your other thread about showing hidden folders, but i couldn't find anything in the s300 folder. would putting the empty folder itself in a zip and attaching it be of any help?
0 -
Sorry for the late response.
No, adding an empty folder to an archive doesn't help.
If following the steps in the link I posted doesn't reveal any files, then just fix, with HijackThis, the line:
O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program Files\s300\s300_1202878776.dll"
After that, you could post a new HijackThis log, to be sure that it's OK.
Cris.0
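The review of the HijackThis log in this thread singles out two kinds of entry: browser helper objects whose DLL is reported as "(file missing)", and a Run key that calls regsvr32 on a DLL at every logon. The following is an added example, not part of the original thread and not HijackThis code; the function names `parse_entries` and `triage` are hypothetical, and the sample is an excerpt of the log posted above, hard-wrapped the way pasted logs often are.

```python
import re

# Excerpt of the log posted in this thread, with entries wrapped across lines.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC -
{0A2A22E9-C506-4079-94A9-3653B7927D69} - C:\Program
Files\Anonystat\Anonystat-1.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program
Files\s300\s300_1202878776.dll"
O23 - Service: PnkBstrA - Unknown owner -
C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 7280 bytes
"""

# A log entry starts with a section code such as R1, O2, O4 or O23.
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def parse_entries(text):
    """Return (section, body) tuples, rejoining wrapped continuation lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        match = ENTRY_START.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries and line and line != "--" and not line.startswith("End of file"):
            # Heuristic: joins with a space, which suits paths that wrapped at a space.
            entries[-1][1] += " " + line
    return [tuple(entry) for entry in entries]

def triage(entries):
    """Flag the two entry patterns singled out in the thread for a closer look."""
    findings = []
    for section, body in entries:
        if section in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append((section, "registered BHO/toolbar whose file is gone", body))
        elif section == "O4" and re.search(r"\]\s+regsvr32(\.exe)?\s", body, re.I):
            findings.append((section, "Run key registers a DLL at every logon", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(parse_entries(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

A flagged entry is a prompt for manual review, not a verdict: the file still has to be located and analysed, as the replies above request.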