Webcry

jrheavymetal
jrheavymetal
in Malware talk

Okay, I bought this new computer, an e-machines, with vista windows, McAfee security, defender, and I have dialup through netzero. Somehow I have had this webcry thing attach itself to my browser, or something in my computer. It only becomes active at google, any other search engine and I have no problems. But go to google, click onto anything, and webcry comes up in the search box, and steers me to an ad page. I have to go backwards and reclick onto where I want to go to finally get there. Happens every single time, but at google only. Any other search engine, no problems.


Now in tools, under manage addons, I came across something that didn't look right, "browser redirect" it read, so I unabled it, went to google, and it kind of solved part of my problems, now when I click onto something at google, I webcry comes up in the address box, but instead of being redirected to an add, I'm quickly taken to a blank page, every time. I then go backwards, and still have to click onto where I first clicked onto, then I get to where I want to go.


So the browser redirect thing in manage addons clearly was part of the webcry thing. My main problem now is finding out where the rest of this thing is hiding. If I didn't like google so much, I would simply solve the problem by using another search engine, but who knows if this webcry is just going to put, or if it will spread to other areas? I really don't want to take that chance.


To date, heres the steps I've taken to try and solve this; bought and downloaded spywarebot, did a scan, then a deep scan, webcry still there. Got error killer, a privacy control software, and anti spywarebot, did scans, webcry still there. I also did the adwarealert 7000, still there. I have also run a program called vundo, or something like that, reccomended by another site, webcry still there. So today I downloaded bitdefender, the free version, ran it, webcry still there.And I just want to add, I am a novice at all this, this being my first new computer. So what haven't I tried???

Comments

  • Niels
    Niels

    Hello jrheavymetal


    Most bho (browser helper objects = toolbars) are located under the manage add-on section.


    I suggest that you download the following programs:


    superantispyware Install it double click on the shortcut when you have done that rightclick on the bug (insect) icon near the system clock and choose for check for updates and download them. Reboot you pc now but press several times on the F 8 BUTTON before the windows loading screen choose select safe mode press enter. Log in start the program but choose now for scan for spyware adware malware,scan your computer,select perform complete scan and press on next. Reboot after the scan is finished.


    Download hijack this


    Install it run the program and select the option do a system scan and save a logfile please post the logfile into your next reply.


    Best regards


    Niels

  • anonymousprimegathrone
    anonymousprimegathrone

    Download this 2 files "a-squared free" & "spyware terminator" ..


    install dont forget to add these application "toolbar crawler" and enabled realtime shield protections, don't forget to updates your definition files, no scan required for it to bypass webcry .. to make sure it's clean run scan in safe mode that's all.. end of game i hate this one nyahahaa..

  • Niels
    Niels
    Download this 2 files "a-squared free" & "spyware terminator" ..


    install dont forget to add these application "toolbar crawler" and enabled realtime shield protections, don't forget to updates your definition files, no scan required for it to bypass webcry .. to make sure it's clean run scan in safe mode that's all.. end of game i hate this one nyahahaa..


    Hello anonymousprimegathrone


    I suppose this issue is already solved.


    Best regards


    Niels

  • ultimateNOOB109
    ultimateNOOB109

    okay. so i've been having this problem recently and got it fixed by doing what Niels suggested. I hope i don't come across any other viruses that are connected to this -_-... but anyway, I wanna ask what does "hijack this" do, and why you ask for the logfile reports?


    but nonetheless, here is mine.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:37:13 AM, on 2/16/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe


    C:\Program Files\Microsoft IntelliPoint\ipoint.exe


    C:\Program Files\Lexmark 6200 Series\lxbumon.exe


    C:\Program Files\Lexmark 6200 Series\ezprint.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\program files\valve\steam\steam.exe


    C:\Program Files\Microsoft ActiveSync\wcescomm.exe


    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


    C:\Program Files\Common Files\Apple\Mobile Device


    Support\bin\AppleMobileDeviceService.exe


    C:\PROGRA~1\MICROS~3\rapimgr.exe


    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\system32\PnkBstrA.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\lxbucoms.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\PROGRA~1\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet


    Settings,ProxyOverride = *.local


    O2 - BHO: Adobe PDF Reader Link Helper -


    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program


    Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


    O2 - BHO: Media Holding Enterprises, LLC -


    {0A2A22E9-C506-4079-94A9-3653B7927D69} - C:\Program


    Files\Anonystat\Anonystat-1.dll (file missing)


    O2 - BHO: D-i-v-X AV Codec Pack Toolbar Helper -


    {E001FD9F-D3C0-4a37-8250-0AF61F601AC7} - C:\Program Files\D-i-v-X AV


    Codec Pack Toolbar\v2.0.0.5\D-i-v-X_AV_Codec_Pack_Toolbar.dll


    O2 - BHO: Media Holding Enterprises, LLC -


    {E82E0739-0AAE-4E99-9052-B40F7DABFA34} - C:\Program


    Files\ErrorsTool\ErrorsTool-2.dll (file missing)


    O3 - Toolbar: D-i-v-X AV Codec Pack Toolbar -


    {53794874-5F35-486c-AE93-D924D0E681B9} - C:\Program Files\D-i-v-X AV


    Codec Pack Toolbar\v2.0.0.5\D-i-v-X_AV_Codec_Pack_Toolbar.dll


    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI


    Technologies\ATI.ACE\cli.exe" runtime -Delay


    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe


    /STARTUP


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft


    IntelliPoint\ipoint.exe"


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program


    Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200


    Series\lxbumon.exe"


    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200


    Series\ezprint.exe"


    O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program


    Files\s300\s300_1202878776.dll"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent


    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft


    ActiveSync\wcescomm.exe"


    O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program


    Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]


    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run]


    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK


    SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run]


    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run]


    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')


    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program


    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel -


    res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -


    C:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console -


    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program


    Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll


    O9 - Extra button: Create Mobile Favorite -


    {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -


    C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -


    C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -


    {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -


    C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -


    C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -


    C:\Program Files\AIM95\aim.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -


    C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger -


    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program


    Files\Messenger\msmsgs.exe


    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


    O12 - Plugin for .ipp: C:\Program Files\Internet


    Explorer\Plugins\npimth32.dll


    O12 - Plugin for .ipt: C:\Program Files\Internet


    Explorer\Plugins\npimth32.dll


    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) -


    http://gamedownload.ijjimax.com/gamedownlo...tart/HGPlugin11


    USA.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl


    Class) -


    http://www.update.microsoft.com/microsoftu...rols/en/x86/cli


    ent/muweb_site.cab?1201563855187


    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B}


    (TInterActXInstallObject) -


    http://www.mathxl.com/wizmodules/interact/...ActXInstall.cab


    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA


    Class) -


    http://gamedownload.ijjimax.com/gamedownlo...tart/HGPlugin9U


    SA.cab


    O20 - Winlogon Notify: !SASWinLogon - C:\Program


    Files\SUPERAntiSpyware\SASWINLO.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program


    Files\Common Files\Apple\Mobile Device


    Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -


    C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner -


    C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -


    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -


    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -


    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##


    (Bonjour Service) - Apple Computer, Inc. - C:\Program


    Files\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -


    C:\Program Files\Common Files\Macrovision Shared\FLEXnet


    Publisher\FNPLicensingService.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program


    Files\iPod\bin\iPodService.exe


    O23 - Service: lxbu_device - Lexmark International, Inc. -


    C:\WINDOWS\system32\lxbucoms.exe


    O23 - Service: PnkBstrA - Unknown owner -


    C:\WINDOWS\system32\PnkBstrA.exe


    --


    End of file - 7280 bytes


    thanks a million! :]

  • alexcrist
    alexcrist

    Hello ultimateNOOB109,


    Fix these entries:


    O2 - BHO: Media Holding Enterprises, LLC - {0A2A2 2E9-C506-4079-94A9-3653B7927D69} - C:\Program Fil es\Anonystat\Anonystat-1 .dll (file missing)
    O2 - BHO: Media Holding Enterprises, LLC - {E82E0 739-0AAE-4E99-9052-B40F7DABFA34} - C:\Program Fil es\ErrorsTool\ErrorsTool -2.dll (file missing)


    Also, this entry looks very suspicious:


    O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program Files\s300\s300_1202878776.dll"


    Please find that file, put it in a ZIP archive (with the password infected) and attach it to your next post. It will be analyzed, and you will get an answer if this is an infection or not.


    If you cannot find the file, read this: http://forum.bitdefender.com/index.php?showtopic=3573


    Cris.

  • ultimateNOOB109
    ultimateNOOB109

    hmm. oddly enough, i did all that it said in your other thread about showing hidden folders, but i couldn't find anything in the s300 folder. would putting the empty folder itself in a zip and attaching it be of any help? :huh:

  • alexcrist
    alexcrist

    Sorry for the late response.


    No, adding an empty folder to an archive doesn't help.


    If following the steps in the link I posted doesn't reveal any files, then just fix, with HijackThis, the line:


    O4 - HKLM\..\Run: [tempreg] regsvr32 /s "C:\Program Files\s300\s300_1202878776.dll"


    After that, you could post a new HijackThis log, to be sure that it's OK.


    Cris.

All Time Leaders

Categories

Defenders of the month