
Suspected spyware hack


cjkoontz

Aug 9, 2000
I have gotten a curious error with my IE 6 browser ever since being invaded by the AproposClient virus --

Whenever I try to navigate to a non-existent domain, I get a web page that reads --

"Search the Web - Incorrect Error Page"

This web page has some sort of search input field, links to things like Business and Adult Entertainment.

And the links appear to point back to contexualsearch.com.

How do I get rid of this annoying web page?

(I believe that I have followed all the steps to get rid of Apropos.)

The log from SpyKiller:

Scan initialized on 2/23/2004 7:33:29 PM
========================================

Started memory scan
====================
Running processes:
1: \SystemRoot\System32\smss.exe
2: \??\C:\WINDOWS\system32\winlogon.exe
3: C:\WINDOWS\system32\services.exe
4: C:\WINDOWS\system32\lsass.exe
5: C:\WINDOWS\system32\svchost.exe
6: C:\WINDOWS\System32\svchost.exe
7: C:\WINDOWS\system32\spoolsv.exe
8: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
9: C:\Program Files\Norton AntiVirus\navapsvc.exe
10: C:\WINDOWS\System32\svchost.exe
11: C:\WINDOWS\Explorer.EXE
12: C:\WINDOWS\System32\hkcmd.exe
13: C:\Program Files\HP\HP Software Update\HPWuSchd.exe
14: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
15: C:\PROGRA~1\NORTON~1\navapw32.exe
16: C:\WINDOWS\System32\ctfmon.exe
17: C:\Program Files\Messenger\msmsgs.exe
18: C:\Program Files\Belkin\F1U201.401\usbshare.exe
19: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
20: C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
21: C:\WINDOWS\System32\taskmgr.exe
22: C:\Program Files\Internet Explorer\iexplore.exe
23: C:\Program Files\HistoryKill\histkill.exe
24: C:\Program Files\HistoryKill\hkPopupKiller.exe
25: C:\Program Files\SpyKiller\SpyKiller.exe

Memory scan result:
Total modules found:25
Suspicious modules found: 0

Started registry scan
====================
RVP HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\...

SpyWare/AdWare - RVP
Registry scan result:
Suspicious keys found: 1

Started folder scan
====================

Folder scan result:
Folder processed: 0
Suspicious folders found: 0

Started file scan
====================

File scan result:
Suspicious files found: 0

Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 1
Suspicious folders found: 0
Suspicious files found: 0
====================

Components ignored:0
Total components found:1
 
Did you look at what you've posted? One of my shortcomings is that I can't read gibber...sorry.
Try downloading Hijack This! from here:

Scan your PC and post the log back here in its entirety.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Look at thread760-758572 to see if that helps. Apropos is a real pain! All of my anti-spyware saw it but none could completely delete it. I finally used tasklist /svc at the command prompt to see what was running. I also ran tasklist on another machine and compared the two logs. Then I went into the registry using regedt32 and searched for those processes and deleted them.

James P. Cottingham

There's no place like 127.0.0.1.
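An added example, not part of James's post: it automates the comparison he describes, reading `tasklist /svc /fo csv` output from a known-clean machine and from the suspect machine and reporting what only the suspect runs. The CSV text is constructed here (image names follow the logs above; the extra service and process names are hypothetical).

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /svc /fo csv` from a known-clean reference build.
BASELINE_CSV = '''"Image Name","PID","Services"
"smss.exe","388","N/A"
"winlogon.exe","436","N/A"
"services.exe","480","Eventlog,PlugPlay"
"svchost.exe","680","RpcSs"
"svchost.exe","840","Dnscache,LanmanWorkstation"
"explorer.exe","1212","N/A"
'''

# Constructed sample from the suspect machine: one extra service inside an svchost
# group and one process the reference build never runs (both names hypothetical).
SUSPECT_CSV = '''"Image Name","PID","Services"
"smss.exe","388","N/A"
"winlogon.exe","436","N/A"
"services.exe","480","Eventlog,PlugPlay"
"svchost.exe","680","RpcSs"
"svchost.exe","840","Dnscache,LanmanWorkstation,wmssvc"
"explorer.exe","1212","N/A"
"unknown.exe","1640","N/A"
'''


def parse_tasklist_csv(text):
    """Map each image name (lower-cased) to the set of services it hosts.
    PIDs differ between machines and are deliberately ignored."""
    hosted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        services = hosted[row["Image Name"].lower()]  # registers the image even with no services
        if row["Services"] != "N/A":
            services.update(s.strip().lower() for s in row["Services"].split(","))
    return hosted


def unexpected_entries(baseline, suspect):
    """Return (image, service) pairs seen on the suspect but not on the baseline.
    A whole image missing from the baseline is reported as (image, None)."""
    findings = []
    for image, services in suspect.items():
        if image not in baseline:
            findings.append((image, None))
            continue
        for svc in sorted(services - baseline[image]):
            findings.append((image, svc))
    return findings
```

Anything reported is a lead for the registry search James mentions, not proof of infection: vendor updates and optional components also add services.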
 
From HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 7:38:31 AM, on 2/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jkoontz\Local Settings\Temporary Internet Files\Content.IE5\O3UH8HAZ\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E898AA4D-C31D-28F4-A97D-EC0CD0C9FD35} - C:\PROGRA~1\OBJSTY~1\win ooze.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {A82A6D82-B27F-22E3-615D-2BACDDE1FA6E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
I am new at this, but here are my thoughts:

I don't like the name of this, but it could be valid (I can't find it anywhere):
O2 - BHO: (no name) - {E898AA4D-C31D-28F4-A97D-EC0CD0C9FD35} - C:\PROGRA~1\OBJSTY~1\win ooze.dll

Delete this:
O3 - Toolbar: (no name) - {A82A6D82-B27F-22E3-615D-2BACDDE1FA6E} - (no file)

Never seen this:
O4 - Global Startup: F1U201.401.lnk = ?

Something doesn't look right here, it can be deleted and will reload if it is a valid file from MS:
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
I am sure someone will have better knowledge than I have...

Terry
**************************
* General Disclaimer - Please read *
**************************
Please make sure your post is in the CORRECT forum, has a descriptive title, gives as much detail to the problem as possible, and has examples of expected results. This will enable me and others to help you faster...
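As an added example (not code from the thread or from HijackThis), the following Python pass encodes the heuristics Terry applied above and runs them over constructed log lines shaped like the ones posted: an entry whose CLSID points at "(no file)", an unnamed BHO or toolbar whose DLL has an odd file name, a Global Startup shortcut that resolves to "?", and a downloaded ActiveX control with no description. The regexes assume the HijackThis v1.97 line layout seen in this log.

```python
import re

# Constructed sample lines following the shapes in the HijackThis log above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {E898AA4D-C31D-28F4-A97D-EC0CD0C9FD35} - C:\\PROGRA~1\\OBJSTY~1\\win ooze.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O3 - Toolbar: (no name) - {A82A6D82-B27F-22E3-615D-2BACDDE1FA6E} - (no file)
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
"""

CLSID_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-F-]{36}\}) - (.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]{36}\})(?: \((.+?)\))? -")


def triage_line(line):
    """Return a reason string if the entry looks suspicious, else None."""
    m = CLSID_RE.match(line)
    if m:
        _kind, name, _clsid, path = m.groups()
        if path == "(no file)":
            return "orphaned entry: CLSID registered but no file on disk"
        basename = path.rsplit("\\", 1)[-1]
        # Unnamed add-on whose DLL name contains whitespace or 8.3-style '~' (e.g. "win ooze.dll")
        if name == "(no name)" and re.search(r"[\s~]", basename):
            return "unnamed BHO/toolbar with an odd DLL file name"
        return None
    m = STARTUP_RE.match(line)
    if m and m.group(2) == "?":
        return "startup shortcut whose target could not be resolved"
    m = DPF_RE.match(line)
    if m and m.group(2) is None:
        return "downloaded ActiveX control with no description"
    return None


def triage(log_text):
    """Pair each suspicious log line with the reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings
```

A flagged line still needs a human look (the Acrobat BHO above is also unnamed and is left alone); the point is to narrow a long log to the handful of entries worth checking.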
 
THoey,

I think your suggestions worked.

After doing what you suggested, rebooting, and navigating a link in IE, no more Error (Page) Hijack.
 
JKoontz and THoey

If the system runs Windows XP or Me, as indicated in the HijackThis log, it is worth disabling system restore and removing all restore points prior to removing the items with HijackThis, then re-enabling it afterwards; otherwise there is a risk of the virus/worm/spyware reinstating itself if the system is rolled back.

This also goes for systems with system rollback features such as Roxio GoBack installed.

John
 
Very true jrbarnett, I forgot about that point. jkoontz, if your symptoms return, this is probably the cause.

I will try to make (steal) a FAQ today on turning off the system restore and on booting in safe mode.

Terry
 
THoey

Look at Symantec's document number 2000092513515106 - it is very clear about how to do this.

John
 
Thanks John...

Terry
 