#1
Old 07-02-04, 02:49
davidW
Private E-2
Join Date: Jul 2004
Posts: 8

family computer with bad spyware!

Well, let me start by saying that I have read over the various links and messages and notes here, and now I'm going to post my question before I get REALLY confused!

My family has a family computer and somehow (probably our teenage son!) Internet Explorer has a new homepage that is infected with something nasty.

I have the following URL on my IE homepage:
res://apmza.dll/index.html#27063

I have run:
Search and destroy
AdWare
Spy Sweeper
Hijackthis
CWSshredder
and Norton

I have also changed my homepage URL in the tools/options section and everything will get cleaned up, BUT as soon as I restart our computer I get this from Adware....

So it keeps coming back! And then when I open IE, the URL is changed once again to the corrupted homepage.

We are at our wits' end, can someone please help?

This is my log from HijackThis. I'm not sure what this stuff means; hopefully someone will be kind enough to help us.

Thanks a lot!

davidW

------
Logfile of HijackThis v1.98.0
Scan saved at 10:01:49 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
C:\WINDOWS\crcj32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\netlk32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {EB805938-3FD5-40FD-B30E-AB323F6C1824} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v7/ticker.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
#2
Old 07-02-04, 03:06
jddtheman
Private E-2
Join Date: Jul 2004
Posts: 24

Re: family computer with bad spyware!

Well, first, if you have Spy Sweeper make sure all of your shields are on, because it will notify you if your homepage or internet settings are being changed, and you can change them back. I am not too sure about the threads, but manually deleting the infected registry keys may help. Go to Start > Run and type in regedit, and then look at the path from the infected registry keys from Ad-Aware (just go to item details). Follow that path and delete what it leads to. Ex. Hkey\software\microsoft\internet explorer\main\search bar. After that go into your temp internet files by going to Start > Run and typing %run%, and then delete everything in there.
If that fails, do a full system scan in Ad-Aware. Here's how to set it up to perform a full system scan (make sure you have today's new reference list): http://www.lavahelp.com/howto/fullscan/index.html That should work.
__________________
Remember, just because we won the battle doesn't mean you lost the war... You're just on your way
#3
Old 07-02-04, 12:18
chaslang
MajorGeeks Admin - Master Malware Expert
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,712

Re: family computer with bad spyware!

Do not edit the registry manually. That will not help. Neither will just running any of the scanners by themselves. You need to follow the procedures here: http://www.majorgeeks.com/vb/showthread.php?t=35917

It works. The problem is that you have started playing with things and your current log does not show the typical R0 & R1 hijack lines now. But you do have the "Only the Best" hijack problem (along with some other stuff too).

Your O2 BHO line (mentioned in the generic fix) is:

O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll

Your O4 line (the only one showing right now) is:
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe

In your process list two items to delete the files (see the generic fix where it tells you to do this) are:

C:\WINDOWS\netlk32.exe
C:\WINDOWS\crcj32.exe

Also the DLL will have to be deleted too:
C:\WINDOWS\system32\crtq.dll

If you look at the procedure this will become clearer. One key item is in step 6 with the Network Security Service. Two other key points that must be followed in the procedure: disconnect from the internet when told, and find the DLL mentioned in the res:// line and edit it with Notepad. Right now your DLL is not shown, but you indicated in your message that it was previously res://apmza.dll
By now it may have changed names but you could look for:
c:\windows\system32\apmxa.dll or
c:\windows\system\apmxa.dll or
c:\windows\apmxa.dll
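A small triage script for logs like the one in this thread, added here as an example (it is not the forum's, the poster's or HijackThis's own code). It parses O2, O4 and R0/R1 lines and flags the same things the reply above singles out by hand: autoruns from a temp folder or from an exe sitting directly in C:\WINDOWS, a BHO with no name, and a res:// start page, plus the three folders the reply says to check for the DLL named in that start page. The embedded log excerpt is constructed from paths in the thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis format, using paths from the thread; the R0 line
# is what the start page looked like before it was changed back by hand.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://apmza.dll/index.html#27063
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61BB595D-A6B2-4293-216F-8317630E1849} - C:\WINDOWS\system32\crtq.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [0JFW4D5] C:\documents and settings\owner\local settings\temp\0JFW4D5.exe
O4 - HKLM\..\Run: [crcj32.exe] C:\WINDOWS\crcj32.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>.*?) = (?P<value>.*)$')
TEMP_DIR = re.compile(r'\\local settings\\temp\\', re.IGNORECASE)
WINROOT_EXE = re.compile(r'^c:\\windows\\[^\\]+\.exe$', re.IGNORECASE)  # exe directly in C:\WINDOWS

@dataclass
class Finding:
    section: str   # HijackThis section the line came from
    reason: str    # why it is worth a second look
    target: str    # file path or URL involved

def exe_path(cmd: str) -> str:
    """Executable path from an O4 command line: quoted, or bare up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'^(.*?\.exe)(\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def candidate_dll_paths(res_url: str) -> list:
    """The three folders the reply above says to check for the DLL named in a res:// start page."""
    m = re.match(r'^res://([^/]+)', res_url, re.IGNORECASE)
    if not m:
        return []
    return [d + m.group(1) for d in ('c:\\windows\\system32\\', 'c:\\windows\\system\\', 'c:\\windows\\')]

def triage(log_text: str) -> list:
    """Return the log lines a reviewer would single out, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            path = exe_path(m.group('cmd'))
            if TEMP_DIR.search(path):
                findings.append(Finding('O4', 'autorun entry pointing into a temp folder', path))
            elif WINROOT_EXE.match(path):
                findings.append(Finding('O4', 'autorun entry for an exe sitting directly in C:\\WINDOWS', path))
        elif m := O2_RE.match(line):
            if m.group('name') == '(no name)':
                findings.append(Finding('O2', 'BHO with no name', m.group('path')))
        elif (m := R_RE.match(line)) and m.group('value').lower().startswith('res://'):
            findings.append(Finding('R0/R1', 'start page is a res:// URL', m.group('value')))
    return findings
```

The heuristics are deliberately coarse: a legitimate vendor file in C:\WINDOWS will also be listed, so each finding is a prompt to check the file, not a verdict.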
#4
Old 07-02-04, 12:26
davidW
Private E-2
Join Date: Jul 2004
Posts: 8

Re: family computer with bad spyware!

OK, I'm confused... can you explain a little better for me?
#5
Old 07-02-04, 12:27
davidW
Private E-2
Join Date: Jul 2004
Posts: 8

Re: family computer with bad spyware!

Can I just delete Internet Explorer and reinstall it?
#6
Old 07-02-04, 13:18
chaslang
MajorGeeks Admin - Master Malware Expert
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,712

Re: family computer with bad spyware!

Quote:
Originally Posted by davidW
Can I just delete Internet Explorer and reinstall it?
No! Most users who have tried that could not even uninstall Internet Explorer, and if they just tried to reinstall over it, that failed in the middle. That could leave you totally broken.