family computer with bad spyware!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by davidW, Jul 2, 2004.

  1. davidW

    davidW Private E-2

    Well, let me start by saying that I have read over the various links and messages and notes here, and now I'm going to post my question before I get REALLY confused!

    My family has a family computer and somehow (probably our teenage son!) Internet Explorer has a new homepage that is infected with something nasty.

    I have the following URL on my IE homepage:
    res://apmza.dll/index.html#27063

    I have run:
    Search and destroy
    AdWare
    Spy Sweeper
    Hijackthis
    CWSshredder
    and Norton

    I have also changed my homepage URL in the Tools/Options section and everything gets cleaned up, BUT as soon as I restart our computer I get this from Adware:

    [screenshot not available]

    So it keeps coming back! And then when I open IE, the URL is changed once again to the corrupted homepage.

    We are at our wits' end. Can someone please help?

    This is my log from HijackThis. I'm not sure what this stuff means; hopefully someone will be kind enough to help us.

    Thanks a lot!

    davidW

    ------
    Logfile of HijackThis v1.98.0
    Scan saved at 10:01:49 PM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
    C:\WINDOWS\crcj32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0b\aoltray.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\netlk32.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
    O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
    O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
    O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v7/ticker.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
     
  2. jddtheman

    jddtheman Private E-2

    Well, first, if you have Spy Sweeper make sure all of your shields are on, because it will notify you if your homepage or internet settings are being changed, and you can change them back. I am not too sure about the threads, but manually deleting the infected registry keys may help. Go to Start > Run and type in regedit, and then look at the path from the infected registry keys from Ad-Aware (just go to item details). Follow that path and delete what it leads to. Ex. Hkey\software\microsoft\internet explorer\main\search bar. After that go into your temp internet files by going to Start > Run and typing %run%, and then delete everything in there.
    If that fails, do a full system scan in Ad-Aware. Here's how to set it up to perform a full system scan (make sure you have today's new reference list): http://www.lavahelp.com/howto/fullscan/index.html That should work.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not edit the registry manually. That will not help. Neither will just running any of the scanners by themselves. You need to follow the procedures here: http://www.majorgeeks.com/vb/showthread.php?t=35917

    It works. The problem is that you have started playing with things, and your current log does not show the typical R0 & R1 hijack lines now. But you do have the "Only the Best" hijack problem (along with some other stuff too).

    Your O2 BHO line (mentioned in the generic fix) is:

    O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll

    Your O4 line (the only one showing right now) is:
    O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe

    In your process list, the two items whose files you need to delete (see the generic fix where it tells you to do this) are:

    C:\WINDOWS\netlk32.exe
    C:\WINDOWS\crcj32.exe

    The DLL will also have to be deleted:
    C:\WINDOWS\system32\crtq.dll

    If you look at the procedure this will become clearer. One key item is in step 6 with the Network Security Service. Two other key points that must be followed in the procedure: disconnect from the internet when told, and find the DLL mentioned in the res:// line and edit it with Notepad. Right now your DLL is not shown, but you indicated in your message that it was previously res://apmza.dll
    By now it may have changed names but you could look for:
    c:\windows\system32\apmxa.dll or
    c:\windows\system\apmxa.dll or
    c:\windows\apmxa.dll
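
    The post above picks out three kinds of log lines by hand: a BHO with no name, Run keys whose target sits in the user's temp folder or directly in C:\WINDOWS, and running processes from the same places. The script below, written for this thread and not part of HijackThis or MajorGeeks' own procedure, applies those same heuristics to a constructed sample modelled on the log in this thread, so a defender can triage a log before touching anything; the regexes and the `suspicious_path` thresholds are my assumptions, not an official rule set.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
C:\WINDOWS\crcj32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
"""

# Heuristics taken from the reply above (assumed, not an official HijackThis rule set):
TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.I)           # executable run from %TEMP%
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.I)  # file dropped directly in C:\WINDOWS
UNNAMED_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (.+)$", re.I)
RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$", re.I)

def suspicious_path(target):
    """True if the executable lives in the user's temp folder or at the top of C:\\WINDOWS."""
    t = target.strip()
    if t.startswith('"'):            # quoted path followed by arguments: keep only the path
        t = t[1:t.find('"', 1)]
    return bool(TEMP_DIR.search(t) or WINDOWS_ROOT.match(t))

def triage(log):
    """Return (category, path) pairs for the log lines a reviewer would look at first."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = UNNAMED_BHO.match(line)
        if m:
            findings.append(("unnamed BHO", m.group(1)))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            if suspicious_path(m.group(2)):
                findings.append(("Run key", m.group(2)))
            continue
        if suspicious_path(line):    # bare path: a line from the running-process list
            findings.append(("process", line))
    return findings

if __name__ == "__main__":
    for category, path in triage(SAMPLE_LOG):
        print(f"{category:12s} {path}")
```

    The output lists exactly the items chaslang singled out (crtq.dll, 0JFW4D5.exe and crcj32.exe) while leaving the HP, Adobe and QuickTime entries alone.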
     
  4. davidW

    davidW Private E-2

    OK, I'm confused. Can you explain a little better for me?
     
  5. davidW

    davidW Private E-2

    Can I just delete Internet Explorer and reinstall it?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Most users who have tried that could not even uninstall Internet Explorer, and if they just tried to reinstall over it, that failed in the middle. That could leave you totally broken.
     
