spyware keeps reappearing seconds after deletion and/or reboot

Discussion in 'adware, spyware & hijack cleaning' started by efralope, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. efralope

    efralope Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    11
    ok, this is the 3rd time I've written up this post after spending forever writing 2 really long ones that got deleted... :(

    anyway, I've run Ad-Aware and Spybot (latest reference files) several times, seconds after running Ad-Aware I'd run it again and it would find the files I'd just deleted (not just quarantine)... I've run both programs at reboot and both find the same spyware objects over and over again...

    AdAware finds:

    -3 possible browser hijack attempt objects
    -several coolwebsearch objects (one of which Ad-Aware says I need to restart and run Ad-Aware again to delete, which I've done but doesn't work)

    SpyBot finds:

    -Alexa Tangent objects
    -advertising.com objects
    -DSO exploits (registry change related I think)

    also, every time IE starts, Office 2003 starts doing some weird things like installing components or searching for files to install

    also, every time I start IE I can't seem to keep the homepage I want...

    here is my HiJackThis log from the first time I typed this up (like 20-30 min. ago)
    this is a second scan I just did after having opened Word and Clipboard Viewer:


    pretty weird, huh?

    looks like stuff just started appearing on its own all of a sudden...

    I hope you guys can help somehow please...

    BTW, this is from a laptop with Windows 2000, the last time I had problems it was the family computer with Windows 98, and that one seems to have kept pretty clear of stuff...
     
    Last edited: Jun 30, 2004
  2. efralope

    efralope Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    11
    ok, I just re-ran Norton, Ad-Aware, and Spybot, here's the HiJack log I got seconds ago...

    plz help if possible...
     
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Can you find the service mentioned in
    https://www.wilderssecurity.com/showthread.php?t=28658&page=2&pp=25 ?

    There is a newer HJT available at http://computercops.net/downloads-file-328.html

    These are the items which currently show in HJT

    Processes
    C:\WINNT\system32\apikj.exe
    C:\WINNT\netvs.exe



    Startup entries
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
    O2 - BHO: (no name) - {55870715-1D2A-F55F-6A5E-8260CB6F81D1} - C:\WINNT\apiov.dll
    O4 - HKLM\..\Run: [apikj.exe] C:\WINNT\system32\apikj.exe
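
An added example, not part of the original post and not IMM's own method: a small Python parser for the HijackThis line shapes quoted above (R0/R1, O2, O4) that pulls out the file each entry points to. The three flagging rules (res:// page in a local DLL, unnamed BHO, Run value named after its own executable) are this example's assumptions.

```python
import re

# The six registry lines quoted in the post above, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\wpodv.dll/sp.html#10213
O2 - BHO: (no name) - {55870715-1D2A-F55F-6A5E-8260CB6F81D1} - C:\WINNT\apiov.dll
O4 - HKLM\..\Run: [apikj.exe] C:\WINNT\system32\apikj.exe
"""

# Line shapes as they appear in the log; the flagging rules are assumptions.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RES_RE = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]+\.dll)/", re.I)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    entry = {"code": code, "file": None, "reasons": []}
    if code in ("R0", "R1"):               # IE start/search page values
        res = RES_RE.search(body.partition(" = ")[2])
        if res:
            entry["file"] = res["path"]
            entry["reasons"].append("IE page loaded from a local DLL via res://")
    elif code == "O2":                     # Browser Helper Objects
        bho = BHO_RE.match(body)
        if bho:
            entry["file"] = bho["path"]
            if bho["name"] == "(no name)":
                entry["reasons"].append("BHO registered without a name")
    elif code == "O4":                     # autostart (Run key) values
        run = RUN_RE.match(body)
        if run:
            entry["file"] = run["cmd"]
            if run["cmd"].lower().endswith("\\" + run["name"].lower()):
                entry["reasons"].append("Run value named after its own executable")
    return entry

def triage(log):
    """Return only the entries that matched at least one rule."""
    return [e for e in map(parse_line, log.splitlines()) if e and e["reasons"]]

def files_to_check(log):
    return sorted({e["file"] for e in triage(log)})
```

The R0 Start Page line matches none of these rules, so it is parsed but not flagged and stays a manual-review item.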
     
  4. efralope

    efralope Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    11
    wow, thanks for the help man...

    yeah, those items looked suspicious, but to be honest I'm really new at all this..

    I didn't even know what CWB meant, I thought it was something like a company or something like Norton...

    I'll go ahead and delete those you've listed...

    actually, I was just about to ask you what HJT was, but then I realized, like "duh"...

    ok, I'll download the newer one and delete those

    thanks :)
     
  5. efralope

    efralope Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    11
    hmm, looks better now...

    The first time I ran this new HJT it didn't find the R0 file, just the R1's, so I deleted them, then I ran it again and it found it, then I ran it again (w/ out fixing), and it didn't find it....

    weird, but it's probably cause I hadn't closed my Mozilla window the first time...

     
  6. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    It's changed
    These can be a bear if you don't get it all

    C:\WINNT\system32\apikj.exe
    C:\WINNT\mscp.exe

    and

    O2 - BHO: (no name) - {10C089B7-77FD-C65D-35F0-BFA1479FFB41} - C:\WINNT\sysfi32.dll

    ---------
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
    - Attach file Win.txt to the same post. (Please attach, do not paste -- it's large)
     
  7. efralope

    efralope Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    11
    ok, here it is...

     


  8. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    You will need to use Start > Run and type services.msc then OK to stop the "Network Security Service"
    Set it to disabled on startup as well

    Add these files to 'things to delete' along with all the others mentioned so far
    C:\WINNT\SYSTEM32\CRBZ.DLL
    C:\WINNT\SYSTEM32\GWDIW.DLL


    This might be best done from SAFE mode.
    How to start the computer in Safe mode


    Do you know how to use the recovery console to delete files?
     