MajorGeeks Support Forums

-   -   family computer with bad spyware! (http://forums.majorgeeks.com/showthread.php?t=36198)

davidW 07-02-04 02:49

family computer with bad spyware!
 
Well, let me start by saying that I have read over the various links and messages and notes here, and now I'm going to post my question before I get REALLY confused!

My family has a family computer and somehow (probably our teenage son! :) ) Internet Explorer has a new homepage that is infected with something nasty.

I have the following URL on my IE homepage:
res://apmza.dll/index.html#27063

I have run:
Search and Destroy
Ad-Aware
Spy Sweeper
Hijackthis
CWSshredder
and Norton

I have also changed my homepage URL in the Tools/Options section and everything will get cleaned up, BUT as soon as I restart our computer I get this from Ad-Aware...

http://img14.exs.cx/img14/9406/screen34.jpg



So it keeps coming back! And then when I open IE, the URL is changed once again to the corrupted homepage.

We are at our wits' end, can someone please help??

This is my log from HijackThis. I'm not sure what this stuff means, hopefully someone will be kind enough to help us.

Thanks a lot!

davidW

------
Logfile of HijackThis v1.98.0
Scan saved at 10:01:49 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
C:\WINDOWS\crcj32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\netlk32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v7/ticker.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab

jddtheman 07-02-04 03:06

Re: family computer with bad spyware!
 
Well, first, if you have Spy Sweeper make sure all of your shields are on, because it will notify you if your homepage or internet settings are being changed, and you can change them back. I am not too sure about the threads, but manually deleting the infected registry keys may help. Go to Start > Run and type in regedit, and then look at the path of the infected registry keys from Ad-Aware (just go to item details). Follow that path and delete what it leads to. Ex. HKEY\software\microsoft\internet explorer\main\search bar. After that go into your temp internet files by going to Start > Run and typing %run% and then delete everything in there.
If that fails, do a full system scan in Ad-Aware. Here's how to set it up to perform a full system scan (make sure you have today's new reference list): http://www.lavahelp.com/howto/fullscan/index.html That should work.

chaslang 07-02-04 12:18

Re: family computer with bad spyware!
 
Do not edit the registry manually. That will not help. Neither will just running any of the scanners by themselves. You need to follow the procedures here: http://www.majorgeeks.com/vb/showthread.php?t=35917

It works. The problem is that you have started playing with things, and your current log does not show the typical R0 & R1 hijack lines now. But you do have the "Only the Best" hijack problem (along with some other stuff too).

Your O2 BHO line (mentioned in the generic fix) is:

O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll

Your O4 line (the only one showing right now) is:
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe

In your process list, two items whose files you must delete (see the generic fix where it tells you to do this) are:

C:\WINDOWS\netlk32.exe
C:\WINDOWS\crcj32.exe

Also, the DLL will have to be deleted too:
C:\WINDOWS\system32\crtq.dll

If you look at the procedure this will become clearer. One key item is in step 6 with the Network Security Service. Two other key points that must be followed in the procedure: disconnect from the internet when told, and find the DLL mentioned in the res:// line and edit it with Notepad. Right now your DLL is not shown, but you indicated in your message that it was previously res://apmza.dll
By now it may have changed names but you could look for:
c:\windows\system32\apmxa.dll or
c:\windows\system\apmxa.dll or
c:\windows\apmxa.dll
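
The triage in the reply above (unnamed O2 BHO, O4 Run entries and running processes dropped loose in C:\WINDOWS or in the user's temp folder, a res:// start page) can be scripted against the HijackThis log text. The following is an added example for this thread, not HijackThis code and not part of any post; the flagging rules are heuristics chosen for the example rather than a published signature set, so they will mis-flag some legitimate software and the output is a review list, not a delete list. SAMPLE_LOG is a constructed excerpt of the log posted above; its res:// start page line is constructed from the home page URL the original poster reported, since the posted log already showed yahoo.com after the poster had reset it.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the log posted in this thread (the R0 res:// line is
# built from the home page URL the poster reported, not copied from the log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
C:\WINDOWS\crcj32.exe
C:\WINDOWS\netlk32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://apmza.dll/index.html#27063
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
"""

# Heuristics chosen for this example (not a published signature set).
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.I)
# An .exe/.dll directly in C:\WINDOWS (not in a subfolder such as system32)
# is unusual for a legitimate autostart; it is where the thread's crcj32.exe
# and netlk32.exe live.  Optional trailing command-line arguments are allowed.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll)(?:\s.*)?$", re.I)
PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:exe|dll))', re.I)


def suspicious_path(command: str) -> Optional[str]:
    """Reason string if a process path or Run command looks like a dropper, else None."""
    p = command.strip().strip('"')
    if TEMP_RE.search(p):
        return "runs from user temp folder"
    if WINDOWS_ROOT_RE.match(p):
        return "file loose in C:\\WINDOWS root"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for every flagged line, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            why = suspicious_path(line)
            if why:
                findings.append(("process " + why, line))
            continue
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1", "R3") and "res://" in line.lower():
            findings.append(("IE start/search page points at a res:// DLL", line))
        elif tag == "O2" and "(no name)" in line:
            findings.append(("BHO with no name", line))
        elif tag == "O4":
            # O4 - HKLM\..\Run: [value name] <command line>
            m = re.search(r"\]\s*(.+)$", line)
            why = suspicious_path(m.group(1)) if m else None
            if why:
                findings.append(("autorun " + why, line))
    return findings


def flagged_files(log_text: str) -> List[str]:
    """Unique on-disk paths behind the flagged lines, lower-cased and sorted.
    A file that is both running and registered under Run (crcj32.exe here) is
    the persistence that brings the hijack back after every reboot."""
    paths = set()
    for _reason, line in triage(log_text):
        m = PATH_RE.search(line)
        if m:
            paths.add(m.group(1).lower())
    return sorted(paths)


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print("files to review:")
    for path in flagged_files(SAMPLE_LOG):
        print("  " + path)
```

On the sample the script lists the same four files the reply above names (0JFW4D5.exe in temp, crcj32.exe and netlk32.exe in C:\WINDOWS, crtq.dll in system32); the point of the cross-check is that a file appearing both in the process list and under an O4 Run key has to be killed and deleted together with its Run entry, or it simply restarts at the next logon.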

davidW 07-02-04 12:26

Re: family computer with bad spyware!
 
OK, I'm confused. Can you explain a little better for me?

davidW 07-02-04 12:27

Re: family computer with bad spyware!
 
Can I just delete Internet Explorer and reinstall it?

chaslang 07-02-04 13:18

Re: family computer with bad spyware!
 
Quote:

Originally Posted by davidW
Can I just delete Internet Explorer and reinstall it?

No! Most users who have tried that could not even uninstall Internet Explorer, and if they just tried to reinstall over it, that failed in the middle. That could leave you totally broken.

