Someone Please Help - Webcry
Hi, my computer has been infected with Webcry and it continually sends me pop ups, **** ads or
internet explorer just shuts down. Could someone please help me? I need my computer for school work.
This is URGENT. My younger siblings are constantly downloading extras for the computer game The Sims,
so I was thinking that they may have downloaded something?
I have downloaded HijackThis and here is the code; I'm not sure where to go from here.
Could someone please tell me what to do?! I believe I have to delete certain files, but I'm not
sure which to delete. HELP!!
Here is the code. PLEASE HELP ME.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:57 PM, on 2/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\TEMP\G87-tmpui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {54A98DD5-0357-4EF1-A698-BB08E73CF725} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202683068.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Allison')
O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1005\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Allison')
O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Emily')
O4 - HKUS\S-1-5-21-1547161642-573735546-839522115-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')
O4 - S-1-5-21-1547161642-573735546-839522115-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Allison')
O4 - S-1-5-21-1547161642-573735546-839522115-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Allison')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Distributed Transaction Coordinator MSDTCCryptSvc (MSDTCCryptSvc) - Unknown owner - C:\WINDOWS\System32\actmovieh.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7398 bytes
Comments
Hello Kate,
First of all, I want to ask you to send us some infected samples, for analysis. The files we need are:
C:\WINDOWS\TEMP\G87-tmpui.exe
C:\WINDOWS\AcroIEHelper.dll
C:\Program Files\Helper\1202683068.dll (if you could send everything from this folder, would be even better)
C:\WINDOWS\System32\actmovieh.exe
wkssvc.exe (this file might be in C:\Windows, or in C:\Windows\System32. If it's not there, search your entire computer for it)
If you cannot find these files, it means that they might be hidden. Read this topic to make them visible: http://forum.bitdefender.com/index.php?showtopic=3573
To send us the files, please put them in an archive (preferably ZIP) protected by the password infected. Read this for details: http://forum.bitdefender.com/index.php?showtopic=84
After that, attach the archive(s) to your next post.
The upload limit is 2MB/file, so if the archive is larger than 2MB, split it into smaller archives (put the files in different archives, so every archive is smaller than 2MB).
After you upload the samples, you can delete the archive(s) from your PC.
It's important that you first send us the above files, and only after that you can apply the cleaning advice below. If you do it vice versa, the files will be deleted and you will not be able to send them to us.
To clean the files:
- In HijackThis!, fix these lines (put a checkmark in front of them, then press Fix selected):
O2 - BHO: Adobe PDF Reader Link Helper - {54A98DD5-0357-4EF1-A698-BB08E73CF725} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202683068.dll
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O23 - Service: Distributed Transaction Coordinator MSDTCCryptSvc (MSDTCCryptSvc) - Unknown owner - C:\WINDOWS\System32\actmovieh.exe
After that, delete the following files and folders:
C:\WINDOWS\TEMP\ (all files from this folder, but leave the folder)
C:\WINDOWS\AcroIEHelper.dll
C:\Program Files\Helper\ (all files in this folder, including the folder)
C:\WINDOWS\System32\actmovieh.exe
wkssvc.exe (wherever this file is located...)
Advice! To be sure that you don't accidentally delete something that is legit, I suggest that you first move all the above files to a secure location (maybe put them in an archive). If in the next few days you don't have any problems (errors, warnings, etc...) you can fully delete them. In case of problems, you can restore the files to their original location.
Some other advice I could give you:
- You have installed Windows XP SP1. It is highly recommended that you install Service Pack 2 (SP2), because it has many fixes and security patches. Also, it is advised that you keep your Windows up-to-date with the latest updates released by Microsoft via Automatic Updates.
- You have no Antivirus installed (nor any other security solution). For an internet-connected computer, Antivirus software (as well as an Antispyware solution) is highly recommended.
- Also, a Firewall is needed. You have absolutely no firewall active on your computer (not even the Windows Firewall, because that is a part of SP2).
Please post if you have problems cleaning this infection.
Also, please post the samples.
Cris.
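The triage in the reply above follows a few repeatable rules: a process running out of a TEMP directory, a BHO whose DLL sits directly in the Windows folder instead of under Program Files, a Run entry that names a bare file with no path, a service with no vendor string living in System32, and an orphaned BHO with no file on disk. It also insists on collecting the files before fixing the entries. The script below is an added example written for this page, not code from BitDefender or the forum: it parses a constructed fragment in HijackThis v2 log format, applies those same heuristics, and lists the paths a responder would archive for analysis. The regular expressions, the rundll32 allowlist and the suspicion rules are assumptions of this example (triage hints for a human to review, not a malware classifier).

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 log format (a fragment, not the full log from the
# post). It mixes the kinds of entries the reply singles out with benign neighbours.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\G87-tmpui.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {54A98DD5-0357-4EF1-A698-BB08E73CF725} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Distributed Transaction Coordinator MSDTCCryptSvc (MSDTCCryptSvc) - Unknown owner - C:\WINDOWS\System32\actmovieh.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Any "Oxx - " / "Rx - " line ends the running-process list.
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption: rundll32 is a standard Windows launcher that legitimately appears without a
# path, so a bare "RUNDLL32.EXE" is not treated like a bare "wkssvc.exe".
KNOWN_LAUNCHERS = {"rundll32.exe", "rundll32"}


@dataclass
class Finding:
    section: str            # "process", "O2", "O4" or "O23"
    reason: str
    line: str
    path: Optional[str]     # file to collect before removal, when there is one


def _in_temp_dir(path: str) -> bool:
    # True when any directory component is TEMP or TMP (case-insensitive).
    parts = ntpath.normcase(path).split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])


def _in_windows_root(path: str) -> bool:
    # True when the file sits directly in the Windows directory rather than in a subfolder.
    return ntpath.normcase(ntpath.dirname(path)).endswith("\\windows")


def _run_target(cmd: str) -> str:
    # Return the executable part of a Run command, honouring a quoted path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the reply's heuristics to a HijackThis log and return the flagged entries."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes and not ENTRY_RE.match(line):
            if _in_temp_dir(line):
                findings.append(Finding("process", "executable running from a temporary directory", line, line))
            continue
        in_processes = False

        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                findings.append(Finding("O2", "orphaned BHO registration (no file on disk)", line, None))
            elif _in_windows_root(path):
                findings.append(Finding("O2", "BHO DLL sits directly in the Windows directory", line, path))
            continue
        m = RUN_RE.match(line)
        if m:
            target = _run_target(m.group("cmd"))
            if "\\" not in target and target.lower() not in KNOWN_LAUNCHERS:
                findings.append(Finding("O4", "Run entry with a bare file name and no path", line, target))
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            if "\\system32\\" in ntpath.normcase(m.group("path")):
                findings.append(Finding("O23", "service with no vendor string running from System32", line, m.group("path")))
    return findings


def sample_paths(findings: List[Finding]) -> List[str]:
    """Files to archive for analysis before any entry is fixed or deleted."""
    return sorted({f.path for f in findings if f.path})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}: {f.line}")
    print("collect first:", sample_paths(results))
```

Running it on the sample prints five findings and four paths to collect; the same `triage()` call works on a full log pasted into a file, and anything it flags still needs the human judgement the reply applies (for example the PSIService entry in the original log has an unknown owner but is a known licensing component).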