Jump to content


Photo

"only the best" popups& random dll hijack


  • Please log in to reply
3 replies to this topic

#1 muckdizzy

muckdizzy

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 July 2004 - 12:31 PM

I have been hit by the only the best popups and randomm dll brower hijacker. First of all I have read the FAQ and followed the steps. I ran updated versions of Ad-aware and Spy S&D. I have tried other methods found on other sites and it is still there, please help.
Logfile of HijackThis v1.98.0
Scan saved at 1:26:08 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\netwq32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ipxg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Documents and Settings\Jackie\Desktop\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qmnuc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED9E1188-DD79-D9A6-01FD-CC124FC74649} - C:\WINDOWS\appcx.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipxg.exe] C:\WINDOWS\ipxg.exe
O4 - HKLM\..\RunOnce: [netwq32.exe] C:\WINDOWS\netwq32.exe
O4 - HKLM\..\RunOnce: [winsu.exe] C:\WINDOWS\system32\winsu.exe
O4 - HKLM\..\RunOnce: [apire32.exe] C:\WINDOWS\system32\apire32.exe
O4 - HKLM\..\RunOnce: [netdd32.exe] C:\WINDOWS\netdd32.exe
O4 - HKLM\..\RunOnce: [netwr.exe] C:\WINDOWS\netwr.exe
O4 - HKLM\..\RunOnce: [apiiu32.exe] C:\WINDOWS\apiiu32.exe
O4 - HKLM\..\RunOnce: [addar32.exe] C:\WINDOWS\system32\addar32.exe
O4 - HKLM\..\RunOnce: [mspz32.exe] C:\WINDOWS\system32\mspz32.exe
O4 - HKLM\..\RunOnce: [addwa32.exe] C:\WINDOWS\addwa32.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [winiq32.exe] C:\WINDOWS\winiq32.exe
O4 - HKLM\..\RunOnce: [apizs.exe] C:\WINDOWS\system32\apizs.exe
O4 - HKLM\..\RunOnce: [sdkof.exe] C:\WINDOWS\sdkof.exe
O4 - HKLM\..\RunOnce: [ippo32.exe] C:\WINDOWS\system32\ippo32.exe
O4 - HKLM\..\RunOnce: [d3zn.exe] C:\WINDOWS\system32\d3zn.exe
O4 - HKLM\..\RunOnce: [syshf32.exe] C:\WINDOWS\system32\syshf32.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab


Thank you,
Ryan

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 26 July 2004 - 07:50 PM

Hello please download About:Buster and unzip it to your desktop. Donīt run it yet.

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Donīt use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in
Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qmnuc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED9E1188-DD79-D9A6-01FD-CC124FC74649} - C:\WINDOWS\appcx.dll
O4 - HKLM\..\Run: [ipxg.exe] C:\WINDOWS\ipxg.exe
O4 - HKLM\..\RunOnce: [netwq32.exe] C:\WINDOWS\netwq32.exe
O4 - HKLM\..\RunOnce: [winsu.exe] C:\WINDOWS\system32\winsu.exe
O4 - HKLM\..\RunOnce: [apire32.exe] C:\WINDOWS\system32\apire32.exe
O4 - HKLM\..\RunOnce: [netdd32.exe] C:\WINDOWS\netdd32.exe
O4 - HKLM\..\RunOnce: [netwr.exe] C:\WINDOWS\netwr.exe
O4 - HKLM\..\RunOnce: [apiiu32.exe] C:\WINDOWS\apiiu32.exe
O4 - HKLM\..\RunOnce: [addar32.exe] C:\WINDOWS\system32\addar32.exe
O4 - HKLM\..\RunOnce: [mspz32.exe] C:\WINDOWS\system32\mspz32.exe
O4 - HKLM\..\RunOnce: [addwa32.exe] C:\WINDOWS\addwa32.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [winiq32.exe] C:\WINDOWS\winiq32.exe
O4 - HKLM\..\RunOnce: [apizs.exe] C:\WINDOWS\system32\apizs.exe
O4 - HKLM\..\RunOnce: [sdkof.exe] C:\WINDOWS\sdkof.exe
O4 - HKLM\..\RunOnce: [ippo32.exe] C:\WINDOWS\system32\ippo32.exe
O4 - HKLM\..\RunOnce: [d3zn.exe] C:\WINDOWS\system32\d3zn.exe
O4 - HKLM\..\RunOnce: [syshf32.exe] C:\WINDOWS\system32\syshf32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab





7. Delete the following files if present.
C:\WINDOWS\ipxg.exe
C:\WINDOWS\appcx.dll
C:\WINDOWS\system32\qmnuc.dll
C:\WINDOWS\netwq32.exe
C:\WINDOWS\system32\winsu.exe
C:\WINDOWS\system32\apire32.exe
C:\WINDOWS\netdd32.exe
C:\WINDOWS\netwr.exe
C:\WINDOWS\apiiu32.exe
C:\WINDOWS\system32\addar32.exe
C:\WINDOWS\system32\mspz32.exe
C:\WINDOWS\addwa32.exe
C:\WINDOWS\system32\crlb.exe
C:\WINDOWS\winiq32.exe
C:\WINDOWS\system32\apizs.exe
C:\WINDOWS\sdkof.exe
C:\WINDOWS\system32\ippo32.exe
C:\WINDOWS\system32\d3zn.exe
C:\WINDOWS\system32\syshf32.exe


8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.

#3 muckdizzy

muckdizzy

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 09:24 PM

Here is the updated Hijack This log. I tried doing the online scan here and everytime that it was attempted my IE crashed. Thank you for the help.

Logfile of HijackThis v1.98.0
Scan saved at 10:12:19 PM, on 7/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Jackie\Desktop\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jackie\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jackie\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5EC0CB0A-39D9-4C5F-B874-1FDE8ACEE1DF} - C:\WINDOWS\System32\ammaga.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O18 - Filter: text/html - {BB21622E-4309-4AC1-846C-F40B6CCAB5E3} - C:\WINDOWS\System32\ammaga.dll
O18 - Filter: text/plain - {BB21622E-4309-4AC1-846C-F40B6CCAB5E3} - C:\WINDOWS\System32\ammaga.dll

Ryan

#4 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 28 July 2004 - 08:32 AM

Do not reboot

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmnuc.dll/sp.html#96676
O2 - BHO: (no name) - {5EC0CB0A-39D9-4C5F-B874-1FDE8ACEE1DF} - C:\WINDOWS\System32\ammaga.dll (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O18 - Filter: text/html - {BB21622E-4309-4AC1-846C-F40B6CCAB5E3} - C:\WINDOWS\System32\ammaga.dll
O18 - Filter: text/plain - {BB21622E-4309-4AC1-846C-F40B6CCAB5E3} - C:\WINDOWS\System32\ammaga.dll


delete the file C:\WINDOWS\system32\qmnuc.dll

Double click AboutBuster.exe, run the program twice, save both logs.
Scan with Adaware again and let it remove any bad files found.

Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywarein...s.html#sdhelper
and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

Now letīs get rid of the other infection that youīve got now.

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button