[solved] Internet Explorer Hijacked Website

2K views 7 replies 3 participants last post by  cybertech 
#1 ·
Hi

Have the following as my default web page and cannot get rid of it: res://xabcj.dll/index.html#12802. Have tried some things but nothing has worked. Any suggestions would be appreciated.
Thanks
Printer
 
#2 ·
Hiya

Moved you to Security, where you should get a good response. In the meantime, go to www.spychecker.com/program/hijackthis.html, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Regards

eddie
 
#3 ·
Eddie

Thanks. Have done as you asked, the results are pasted below:

Logfile of HijackThis v1.97.7
Scan saved at 6:37:50 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ipua32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\mfcfq32.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Documents and Settings\IMI\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xabcj.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mfcfq32.exe] C:\WINDOWS\system32\mfcfq32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
O4 - HKLM\..\RunOnce: [mfctl.exe] C:\WINDOWS\mfctl.exe
O4 - HKLM\..\RunOnce: [iegb.exe] C:\WINDOWS\system32\iegb.exe
O4 - HKLM\..\RunOnce: [ipmc.exe] C:\WINDOWS\system32\ipmc.exe
O4 - HKLM\..\RunOnce: [winaj32.exe] C:\WINDOWS\winaj32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76ECC846-7087-4D83-AD55-F8AAB129C78B}: NameServer = 207.5.128.9 207.5.128.10

Thanks again, Printer
 
#4 ·
Hi Printer,

eddie has requested I help out :)

Download About:Buster from Here
Unzip it to your desktop.

Now sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
O4 - HKLM\..\RunOnce: [mfctl.exe] C:\WINDOWS\mfctl.exe
O4 - HKLM\..\RunOnce: [iegb.exe] C:\WINDOWS\system32\iegb.exe
O4 - HKLM\..\RunOnce: [ipmc.exe] C:\WINDOWS\system32\ipmc.exe
O4 - HKLM\..\RunOnce: [winaj32.exe] C:\WINDOWS\winaj32.exe

Before restarting run aboutbuster. Again remain offline. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Once the tool is done scanning, copy the log and save it to paste back here in your thread.

Restart your computer.

Now run about:Buster again just to be sure it got everything.

Make a copy of the log it creates again.

Reboot and post the 2 about buster logs and a fresh HijackThis log.
 
#5 ·
Hi Tech Guys

The following are the two Buster scans and a new Hijack this log. Thanks for the guidance.

Printer

First scan

-- Scan 1 --------
About:Buster Version 1.27
Removed! : C:\WINDOWS\bnjdah.dat
Removed! : C:\WINDOWS\dpeego.dat
Removed! : C:\WINDOWS\iebfv.dat
Removed! : C:\WINDOWS\ikrhna.dat
Removed! : C:\WINDOWS\jugfjf.dat
Removed! : C:\WINDOWS\lmiuds.dat
Removed! : C:\WINDOWS\n_bgsyzo.dat
Removed! : C:\WINDOWS\n_bvbcii.dat
Removed! : C:\WINDOWS\n_emuvoh.dat
Removed! : C:\WINDOWS\n_jzaeiy.dat
Removed! : C:\WINDOWS\n_kdwcui.dat
Removed! : C:\WINDOWS\n_qbqdjn.dat
Removed! : C:\WINDOWS\n_rqwmyf.dat
Removed! : C:\WINDOWS\n_szlfai.dat
Removed! : C:\WINDOWS\n_trwiiw.dat
Removed! : C:\WINDOWS\n_xycmue.dat
Removed! : C:\WINDOWS\oidpy.dat
Removed! : C:\WINDOWS\pdvgug.dat
Removed! : C:\WINDOWS\rqkefi.dat
Removed! : C:\WINDOWS\rztwrq.dat
Removed! : C:\WINDOWS\xqhazc.dat
Removed! : C:\WINDOWS\zmfrwm.dat
Removed! : C:\WINDOWS\System32\atlxm.dll
Removed! : C:\WINDOWS\System32\bnjda.dat
Removed! : C:\WINDOWS\System32\iegb.exe
Removed! : C:\WINDOWS\System32\igkjp.dat
Removed! : C:\WINDOWS\System32\kcaam.dat
Removed! : C:\WINDOWS\System32\mfcfq32.exe
Removed! : C:\WINDOWS\System32\zhqop.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Second Scan

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

Fresh HijackThis Log

Logfile of HijackThis v1.97.7
Scan saved at 7:19:47 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ipua32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\winword.exe
C:\Documents and Settings\IMI\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
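
As an added example (not part of the original thread, and not code from HijackThis or About:Buster), the sketch below shows one way to check a cleanup like this one from the two logs: it flags R0/R1 entries that point Internet Explorer at a `res://` resource, then lists files whose entries disappeared after the fix but which still show up under "Running processes". The log lines are excerpts from the logs posted above; the function names are hypothetical.

```python
import re

# Lines excerpted from the two HijackThis logs posted in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\ipua32.exe
C:\WINDOWS\system32\mfcfq32.exe
C:\Program Files\WinZip\WZQKPICK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
O4 - HKLM\..\Run: [mfcfq32.exe] C:\WINDOWS\system32\mfcfq32.exe
O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
AFTER = r"""
Running processes:
C:\WINDOWS\system32\ipua32.exe
C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then entry text
PATH = re.compile(r"[A-Za-z]:\\.+$")            # drive-letter path ending the entry

def parse(log):
    """Return (lower-cased running process paths, [(section, text), ...])."""
    procs, entries, in_procs = set(), [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def res_hijacks(entries):
    """R0/R1 entries whose value points IE at a res:// resource."""
    return [t for s, t in entries if s in ("R0", "R1") and "= res://" in t.lower()]

def leftovers(before, after):
    """Paths from entries that are gone in `after` but are still running there."""
    _, old = parse(before)
    procs, new = parse(after)
    found = (PATH.search(text) for sec, text in old if (sec, text) not in new)
    return sorted({m.group(0).lower() for m in found if m and m.group(0).lower() in procs})
```

On these excerpts `leftovers(BEFORE, AFTER)` returns the path of `ipua32.exe`: its RunOnce entry is gone from the fresh log, but the file is still listed there under "Running processes" and does not appear in the About:Buster "Removed!" list.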
 