Someone Please Help - Webcry

kate

Hi, my computer has been infected with Webcry and it continually sends me pop ups, **** ads or

internet explorer just shuts down. Could someone please help me? I need my computer for school work.

This is URGENT. My younger siblings are constantly downloading extras for the computer game The Sims,

I was thinking that they may have downloaded something?

I have downloaded HijackThis and here is the code; I'm not sure where to go from here.

Could someone please tell me what to do?! I believe I have to delete certain files, but I'm not

sure which to delete. HELP!!

Here is the code. PLEASE HELP ME.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:57:57 PM, on 2/11/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PSIService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\WinZip E-Mail Companion\loadwzco.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Belkin\F5D9050\Belkinwcui.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\TEMP\G87-tmpui.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\XoftSpySE\xoftspy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Adobe PDF Reader Link Helper - {54A98DD5-0357-4EF1-A698-BB08E73CF725} - C:\WINDOWS\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202683068.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\WinZip E-Mail Companion\loadwzco.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Console] wkssvc.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Allison')

O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1005\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Allison')

O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Emily')

O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')

O4 - S-1-5-21-1547161642-573735546-839522115-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Allison')

O4 - S-1-5-21-1547161642-573735546-839522115-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Allison')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Distributed Transaction Coordinator MSDTCCryptSvc (MSDTCCryptSvc) - Unknown owner - C:\WINDOWS\System32\actmovieh.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

End of file - 7398 bytes

Find more posts tagged with

Comments

alexcrist

Hello Kate,

First of all, I want to ask you to send us some infected samples, for analysis. The files we need are:

C:\WINDOWS\TEMP\G87-tmpui.exe

C:\WINDOWS\AcroIEHelper.dll

C:\Program Files\Helper\1202683068.dll (if you could send everything from this folder, would be even better)

C:\WINDOWS\System32\actmovieh.exe

wkssvc.exe (this file might be in C:\Windows, or in C:\Windows\System32. If it's not there, search your entire computer for it)

If you cannot find these files, it means that they might be hidden. Read this topic to make them visible: http://forum.bitdefender.com/index.php?showtopic=3573

To send us the files, please put hem in an archive (preferably ZIP) protected by the password infected. Read this for details: http://forum.bitdefender.com/index.php?showtopic=84

After that, attach the archive(s) to your next post.

The upload limit is 2MB/file, so if the archive is larger than 2MB, split it into smaller archives (put the files in different archives, so every archive is smaller than 2MB).

After you upload the samples, you can delete the archive(s) from your PC.

It's important that you first send us the above files, and only after that you can apply the below cleaning advices. If you do it viceversa, the files will be deleted and you will not be able to send them to us.

To clean the files:

In HijackThis!, fix these lines (put a checkmark in front of them, then press Fix selected):

O2 - BHO: Adobe PDF Reader Link Helper - {54A98DD 5-0357-4EF1-A698-BB08E73CF725} - C:\WINDOWS\AcroI EHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD- 7DD20B8622FF} - C:\Program Files\Helper\120268306 8.dll
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O23 - Service: Distributed Transaction Coordinato r MSDTCCryptSvc (MSDTCCryptSvc) - Unknown owner - C:\WINDOWS\System32\act movieh.exe

After that, delete the following files and folders:

C:\WINDOWS\TEMP\  (all files from this folder, but leave the folder)
C:\WINDOWS\AcroIEHelper.dll
C:\Program Files\Helper\  (all files in this folder, including the folder)
C:\WINDOWS\System32\actmovieh.exe
wkssvc.exe (wherever this file is located...)

Advice! To be sure that you don't, accidentaly, delete something that is legit, I suggest that you first move all the above files to a secure location (maybe put them in an archive). If in the next few days you don't have any problems (errors, warnings, etc...) you can fully delete them. In case of problems, you can restore the files to their original location.

Some other advices I could give you:

- you have installed Windows XP SP1. It is highly recommended that you install Service Pack 2 (SP2), because it has a many fixed and security patches. Also, it is adviced that you keep your Windows up-to-date with the latest updates released by Microsoft by Automatic Updates.

- You have no Antivirus installed (nor any other security solution). For an internet-connected computer, an Antivirus software (as well as an Antispyware solution) is highly recommended.

- Also, a Firewall is needed. You have absolutely no firewall active on your computer (not even the Windows Firewall, because that is a part of SP2).

Please post if you have problems cleaning this infection.

Also, please post the samples.

Cris.