
[solved]Internet Explorer Hijacked Website

Discussion in 'Virus & Other Malware Removal' started by Printer, Jul 13, 2004.

Thread Status:
Not open for further replies.
  1. Printer

    Printer Thread Starter

    Joined:
    May 16, 2004
    Messages:
    9
    Hi

    Have the following as my default web page and cannot get rid of it: res://xabcj.dll/index.html#12802. Have tried some things but nothing has worked. Any suggestions would be appreciated.
    Thanks
    Printer
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    37,197
    Hiya

    Moved you to Security, where you should get a good response. In the meantime, go to www.spychecker.com/program/hijackthis.html , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    Regards

    eddie
     
  3. Printer

    Printer Thread Starter

    Joined:
    May 16, 2004
    Messages:
    9
    Eddie

    Thanks. Have done as you asked, the results are pasted below:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:37:50 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ipua32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\system32\mfcfq32.exe
    C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
    C:\Documents and Settings\IMI\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xabcj.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xabcj.dll/sp.html#12802
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [mfcfq32.exe] C:\WINDOWS\system32\mfcfq32.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
    O4 - HKLM\..\RunOnce: [mfctl.exe] C:\WINDOWS\mfctl.exe
    O4 - HKLM\..\RunOnce: [iegb.exe] C:\WINDOWS\system32\iegb.exe
    O4 - HKLM\..\RunOnce: [ipmc.exe] C:\WINDOWS\system32\ipmc.exe
    O4 - HKLM\..\RunOnce: [winaj32.exe] C:\WINDOWS\winaj32.exe
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76ECC846-7087-4D83-AD55-F8AAB129C78B}: NameServer = 207.5.128.9 207.5.128.10

    Thanks again, Printer
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi Printer,

    eddie has requested I help out :)

    Download About:Buster from Here
    Unzip it to your desktop.

    Now sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
    O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
    O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
    O4 - HKLM\..\RunOnce: [mfctl.exe] C:\WINDOWS\mfctl.exe
    O4 - HKLM\..\RunOnce: [iegb.exe] C:\WINDOWS\system32\iegb.exe
    O4 - HKLM\..\RunOnce: [ipmc.exe] C:\WINDOWS\system32\ipmc.exe
    O4 - HKLM\..\RunOnce: [winaj32.exe] C:\WINDOWS\winaj32.exe

    Before restarting run aboutbuster. Again remain offline. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer.

    Now run about:Buster again just to be sure it got everything.

    Make a copy of the log it creates again.

    Reboot and post the 2 about buster logs and a fresh HijackThis log.
     
  5. Printer

    Printer Thread Starter

    Joined:
    May 16, 2004
    Messages:
    9
    Hi Tech Guys

    The following are the two Buster scans and a new Hijack this log. Thanks for the guidance.

    Printer

    First scan

    -- Scan 1 --------
    About:Buster Version 1.27
    Removed! : C:\WINDOWS\bnjdah.dat
    Removed! : C:\WINDOWS\dpeego.dat
    Removed! : C:\WINDOWS\iebfv.dat
    Removed! : C:\WINDOWS\ikrhna.dat
    Removed! : C:\WINDOWS\jugfjf.dat
    Removed! : C:\WINDOWS\lmiuds.dat
    Removed! : C:\WINDOWS\n_bgsyzo.dat
    Removed! : C:\WINDOWS\n_bvbcii.dat
    Removed! : C:\WINDOWS\n_emuvoh.dat
    Removed! : C:\WINDOWS\n_jzaeiy.dat
    Removed! : C:\WINDOWS\n_kdwcui.dat
    Removed! : C:\WINDOWS\n_qbqdjn.dat
    Removed! : C:\WINDOWS\n_rqwmyf.dat
    Removed! : C:\WINDOWS\n_szlfai.dat
    Removed! : C:\WINDOWS\n_trwiiw.dat
    Removed! : C:\WINDOWS\n_xycmue.dat
    Removed! : C:\WINDOWS\oidpy.dat
    Removed! : C:\WINDOWS\pdvgug.dat
    Removed! : C:\WINDOWS\rqkefi.dat
    Removed! : C:\WINDOWS\rztwrq.dat
    Removed! : C:\WINDOWS\xqhazc.dat
    Removed! : C:\WINDOWS\zmfrwm.dat
    Removed! : C:\WINDOWS\System32\atlxm.dll
    Removed! : C:\WINDOWS\System32\bnjda.dat
    Removed! : C:\WINDOWS\System32\iegb.exe
    Removed! : C:\WINDOWS\System32\igkjp.dat
    Removed! : C:\WINDOWS\System32\kcaam.dat
    Removed! : C:\WINDOWS\System32\mfcfq32.exe
    Removed! : C:\WINDOWS\System32\zhqop.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!


    Second Scan

    -- Scan 1 --------
    About:Buster Version 1.27
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    Fresh HijackThis Log

    Logfile of HijackThis v1.97.7
    Scan saved at 7:19:47 AM, on 7/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ipua32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\winword.exe
    C:\Documents and Settings\IMI\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
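
Added example, not part of any post in this thread: one way to check a cleanup like this one is to diff the HijackThis log taken before the fix against the fresh one, and then look for file targets of the removed entries that still show up under "Running processes". The function names `parse_hjt` and `verify_cleanup` are hypothetical, and the sample input is a short excerpt of the two logs posted above, not the full logs.

```python
import re

# Excerpts copied from the two HijackThis logs in this thread (not the full logs).
BEFORE = r"""Running processes:
C:\WINDOWS\system32\ipua32.exe
C:\WINDOWS\system32\mfcfq32.exe
C:\Program Files\WinZip\WZQKPICK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xabcj.dll/index.html#12802
O2 - BHO: (no name) - {7FF81754-B075-711C-84D6-0AA53EC4307B} - C:\WINDOWS\system32\atlxm.dll
O4 - HKLM\..\Run: [mfcfq32.exe] C:\WINDOWS\system32\mfcfq32.exe
O4 - HKLM\..\RunOnce: [ipua32.exe] C:\WINDOWS\system32\ipua32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
AFTER = r"""Running processes:
C:\WINDOWS\system32\ipua32.exe
C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")           # coded lines: R0, O2, O4, ...
PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|ocx)", re.I)

def parse_hjt(log):
    """Split a HijackThis log into running-process paths and coded entries."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in log.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs and line:
            procs.add(line.lower())                    # Windows paths are case-insensitive
    return procs, entries

def verify_cleanup(before, after):
    """Return (entries gone after the fix, their file targets still running)."""
    _, old = parse_hjt(before)
    procs, new = parse_hjt(after)
    gone = old - new
    targets = {m.group(0).lower() for e in gone for m in PATH.finditer(e)}
    return sorted(gone), sorted(targets & procs)

if __name__ == "__main__":
    gone, still_running = verify_cleanup(BEFORE, AFTER)
    print("\n".join(gone))
    print("still running:", still_running)
```

A path in the second list means the registry entry is gone but the file it pointed to was still loaded when the later log was saved, so it is worth a follow-up scan after the next reboot.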
     
  6. Printer

    Printer Thread Starter

    Joined:
    May 16, 2004
    Messages:
    9
     
  7. Printer

    Printer Thread Starter

    Joined:
    May 16, 2004
    Messages:
    9
    Tech Support Guy Forums

    It worked!! Thanks again.

    Printer
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    (y)

    Go to Internet Options>Programs
    Click the "Reset Web Settings" Button to reset your home and search pages.
     

Short URL to this thread: https://techguy.org/249901
