Browser Hijacking

#1 ·
Hi all, as with many computer users my IE6 browser has been hijacked and won't relinquish its grip. The following comes up in the address bar -

res://ufjhn.dll/index.html#96676

I have Adaware6.0, SpywareBlaster and HiJackThis installed.
I regularly run Adaware and find the same 31 malware files day after day.

Day after day I quarantine and delete them only to have them reappear.
Here's what I do -
 Scan with Adaware6.0
 Quarantine and delete offending items
 Rescan with Adaware6.0
 All will be OK, nothing found.

However if I now launch IE6 (without even being connected to the internet) and rescan with Adaware6.0 I will find the same browser hijackers reinstalled ............. why ??

Not only this but my internet security settings keep changing to enable all ActiveX controls and plug-ins ........ not good.

Can anyone suggest what is going on and what I need to post here to rid myself of this evil ??

Thanks in advance ............ SP
 
#2 ·
Go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 
#3 ·
dvk01,

I already have HijackThis. Just scanned, below are results

Logfile of HijackThis v1.98.2
Scan saved at 9:48:34 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\iehj32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\services\msxmidi.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\sbvdlt.exe
C:\WINDOWS\system32\ipdf32.exe
C:\WINDOWS\System32\zatt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\p4\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ufjhn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ufjhn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ufjhn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ufjhn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ufjhn.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ufjhn.dll/index.html#96676
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {BB197B27-4CA3-A24A-52B6-F425942B6006} - C:\WINDOWS\crih32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [onilrmbymkbhw] C:\WINDOWS\System32\sbvdlt.exe
O4 - HKLM\..\Run: [ipdf32.exe] C:\WINDOWS\system32\ipdf32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Euaw] C:\Documents and Settings\p4\Application Data\anbs.exe
O4 - HKCU\..\Run: [Icvcohj] C:\WINDOWS\System32\zatt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Shortcut to CalCheck.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CA5641-D739-4DB9-8844-D32FD39D2E26}: NameServer = 203.49.70.92 139.134.2.190
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)
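
An added example, not part of the original posts: a small Python parser for the HijackThis line format shown in the log above. It groups the R0/R1 Internet Explorer page settings that point at a res:// URL by the DLL they name, and lists the O2 entries (Browser Helper Objects, which Internet Explorer loads each time it starts). The function names are this example's own, and it sorts entries for a helper to read without marking any of them good or bad.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (a few lines, not the full log).
LOG_EXCERPT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ufjhn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ufjhn.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {BB197B27-4CA3-A24A-52B6-F425942B6006} - C:\WINDOWS\crih32.dll
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RES_URL = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)
BHO = re.compile(r"^BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def parse_entries(log_text):
    """Return (code, body) for lines shaped like 'O4 - ...'; other lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def res_page_settings(entries):
    """Group R0/R1 (IE start/search page) settings that point at a res:// URL by DLL name."""
    by_dll = defaultdict(list)
    for code, body in entries:
        m = RES_URL.search(body)
        if code in ("R0", "R1") and m:
            by_dll[ntpath.basename(m.group(1)).lower()].append(body.split(" = ", 1)[0])
    return dict(by_dll)

def browser_helper_objects(entries):
    """List O2 entries (BHOs) as dicts; no verdict is attached to any of them."""
    found = []
    for code, body in entries:
        m = BHO.match(body) if code == "O2" else None
        if m:
            found.append(dict(zip(("name", "clsid", "path"), m.groups())))
    return found

if __name__ == "__main__":
    entries = parse_entries(LOG_EXCERPT)
    for dll, settings in res_page_settings(entries).items():
        print(f"res:// pages served from {dll}:")
        for s in settings:
            print("   ", s)
    for bho in browser_helper_objects(entries):
        print(f"BHO {bho['clsid']} name={bho['name']!r} path={bho['path']}")
```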
 
#6 ·
Oh well, this problem solved itself in a big way ............ the dreaded XP blue screen of death. Had to have HD reformatted and XP reinstalled. Able to rescue most of my files, now comes the long process of reinstalling everything. The good thing is I now have a fresh, clean HD from which to start.

Question - how do I prevent this malicious stuff from lobbing on my PC again ??

Thanks ............... SP
 