Internet Explorer default page hijacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

praimer135

Thread Starter
Joined
Apr 22, 2004
Messages
1
My IE has been taken over; below is the logfile. Can you please help me with this matter?

Thanks,

Phi

Logfile of HijackThis v1.97.7
Scan saved at 10:41:26 PM, on 4/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\FPAPLI.EXE
C:\WINDOWS\IRXFER.EXE
C:\WINDOWS\SYSTEM\HKEYMAN.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\D-LINK\AIRPLUS XTREME G\AIRPLUSCFG.EXE
C:\PROGRAM FILES\ALPHA NETWORKS\ANIWZCS SERVICE\WZCSLDR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NEW DELETE EQ\REAL CHIN.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\DISKSERV.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 4.0 SE\CALCHECK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myoqnr.t.muxa.cc/h.php?aid=446 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://myoqnr.t.muxa.cc/h.php?aid=446 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://myoqnr.t.muxa.cc/s.php?aid=446 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://myoqnr.t.muxa.cc/h.php?aid=446 (obfuscated)
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\SYSTEM\1HIA4MAEFB.DLL
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [touch pad scroller] c:\windows\SYSTEM\fpapli.exe
O4 - HKLM\..\Run: [Hotkey] c:\windows\SYSTEM\hkeyman.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] c:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [creativerule] C:\PROGRA~1\New Delete Eq\Real Chin.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PowerProf] PowerProf.exe
O4 - HKCU\..\Run: [Disk Master] C:\windows\diskserv.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - DefaultPrefix: http://prolivation.com/cgi-bin/r.cgi?
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} (ctadlctrl Class) - http://www.clicktracking.info/ctadl1.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.8247106482
 
Joined
Feb 23, 2003
Messages
16,274
Download CWShredder:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Unzip, run and hit the ->fix tab to fix all found problems

CWShredder takes advantage of security holes in Windows, so you should install all critical updates as well as hotfixes available from Windows Update.

Then repost a fresh HijackThis log.

Download 'Hijack This!' from http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
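
A small triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread or of HijackThis itself. The sample log is constructed (placeholder CLSIDs and `.example` hosts), and the hint rules are assumptions of this example meant to order manual review, not verdicts on any entry.

```python
import re

# Constructed sample: a few lines in the HijackThis v1.x log layout.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example/h.php (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\EXAMPLE.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - DefaultPrefix: http://redirect.example/r.cgi?
O16 - DPF: {00000000-0000-0000-0000-000000000002} - ms-its:mhtml:file://c:\nosuch.mht!http://cab.example/x.chm::/load.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Control) - http://vendor.example/control.cab
"""

# An entry line is "<section code> - <body>", e.g. "R1 - ..." or "O16 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Illustrative review hints (assumptions of this example, not HijackThis output).
RULES = [
    (r"R[0-3]", re.compile(r"\(obfuscated\)$"), "URL was stored obfuscated"),
    (r"R[0-3]", re.compile(r"ProxyServer = 127\.0\.0\.1"), "IE proxied via loopback"),
    (r"O2", re.compile(r"^BHO: \(no name\)"), "unnamed Browser Helper Object"),
    (r"O13", re.compile(r"."), "URL prefix override present"),
    (r"O16", re.compile(r"ms-its:|mhtml:|\.chm::"), "ActiveX source is not a plain .cab URL"),
]

def parse(log_text):
    """Return (code, body) for each entry line; header and process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def review(log_text):
    """Return (code, body, reason) for entries matching a hint; others need manual reading."""
    hits = []
    for code, body in parse(log_text):
        for code_pat, pattern, reason in RULES:
            if re.fullmatch(code_pat, code) and pattern.search(body):
                hits.append((code, body, reason))
                break
    return hits

if __name__ == "__main__":
    for code, body, reason in review(SAMPLE_LOG):
        print(f"{code:>3}  {reason}: {body}")
```

Entries that match no hint, such as the `O4` autorun lines, are not cleared by this; they still have to be checked by hand against what is known to be installed.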
 