Had about:blank, now IE still opens on startup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steveycrow, Jul 8, 2005.

  1. steveycrow

    steveycrow Private E-2

    I'm new and ignorant on computer matters so forgive me in advance.

    I have Norton AV and firewall 2003 and have used Adaware when needed and had no problems for 2 years. 1 week ago Norton AV told me I had 2 trojans - I thought nothing more of it.

    Then my IE browser started opening with about:blank as the homepage and a few unwanted links in my favourites. I also kept getting pop ups for various things - ironically a lot of them were for antispyware programs! After running through the steps as suggested in your sticky thread, the about:blank hijacker seems to have been resolved and I have reset my homepage to my choice and deleted the links in the favourites - I have rebooted and all seems normal...except when I reboot, the IE browser still opens automatically on startup albeit it is now set to the homepage which I have as default and I have no more pop ups.

    Any help would be appreciated to stop the IE opening automatically. Thanks
     
  2. steveycrow

    steveycrow Private E-2

    BTW I forgot to mention that I couldn't get Symantec security check to work when following the sticky thread so I proceeded with the other steps, and when I ran McAfee Trend Micro, it found 2 infected files:

    TROJ DYFUCA.I
    HTML MHREDIR.A

    these files were noted to be non-cleanable, so I deleted these files. I hope I did the right thing.

    Thanks
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have completed ALL the steps in the READ ME FIRST sticky, please follow the steps below exactly:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. steveycrow

    steveycrow Private E-2

    Thanks for the quick reply. Yes I followed all steps BUT as I said, the Symantec security check did not work, I followed all steps though.

    I have run HJT and my attachment is below - please note I left system restore unchecked and I have left all hidden files to be shown checked - don't know if this is right or necessary.

    Here's the log. Thanks.
     


  5. steveycrow

    steveycrow Private E-2

    I meant system restore was disabled - not unchecked.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You must leave system restore disabled until all problems are fixed. Hidden file viewing can always be enabled.

    You are showing signs of an HSA hijacker. Did you run HSremove and About:Buster from the READ ME FIRST?

    We are going to try a fast easy approach since your infection does not appear to be one of the more difficult to remove ones (at least not right now). If this does not work, we will need to use a different method.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxhpt.dll/sp.html#83556
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxhpt.dll/sp.html#83556
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B1C58819-852C-AE8A-955D-53ADC7E155F3} - C:\WINDOWS\system32\winza32.dll (file missing)
    O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [netud.exe] C:\WINDOWS\system32\netud.exe
    O4 - HKLM\..\Run: [iplj.exe] C:\WINDOWS\system32\iplj.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\winza32.dll
    C:\WINDOWS\LMU.exe
    C:\WINDOWS\system32\netud.exe
    C:\WINDOWS\system32\iplj.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Please DO NOT REBOOT or power down at this point because if you are still infected, the problems could mutate and spread making any suggested fixes a waste of time to post.
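
The log lines singled out in the post above can be triaged mechanically. This is an added example, not part of the original thread and not HijackThis's own code; the entry format is inferred from the lines quoted in the post, and the review heuristics and the names `parse`, `triage` and `BROWSERS` are assumptions made for illustration.

```python
import re

# Lines quoted from the HijackThis log discussed in this thread.
LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxhpt.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxhpt.dll/sp.html#83556
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B1C58819-852C-AE8A-955D-53ADC7E155F3} - C:\WINDOWS\system32\winza32.dll (file missing)
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netud.exe] C:\WINDOWS\system32\netud.exe
O4 - HKLM\..\Run: [iplj.exe] C:\WINDOWS\system32\iplj.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <detail>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
BROWSERS = {"iexplore.exe"}  # assumption: a browser should not be an autostart item

def parse(log):
    """Yield (section, detail) for each well-formed log entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (section, reason, detail) for entries that deserve manual review."""
    findings = []
    for section, detail in parse(log):
        low = detail.lower()
        if section in ("R0", "R1") and "res://" in low:
            findings.append((section, "IE setting loads a page from a local DLL", detail))
        elif section == "O2" and low.endswith("(file missing)"):
            findings.append((section, "BHO registered but its file is gone", detail))
        elif section == "O4":
            m = RUN.match(detail)
            if not m:
                continue
            parent, _, exe = m.group(4).lower().rpartition("\\")
            if exe in BROWSERS:
                findings.append((section, "browser launched at every boot", detail))
            elif parent in (r"c:\windows", r"c:\windows\system32"):
                findings.append((section, "autostart from a Windows system folder", detail))
    return findings
```

A flagged entry is a prompt for review, not a verdict: legitimate programs also autostart from `system32`, and the `iexplore.exe` Run value is the entry that matches the symptom reported in the first post.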
     
  7. steveycrow

    steveycrow Private E-2

    Seems to have worked - I rebooted in normal mode and IE didn't seem to open automatically. Homepage is OK. No pop ups. Thank you so much, you're bloody angels in disguise!!!

    I post below an updated HJT log.

    Only thing is when following your instructions I could find none of the files in C:\WINDOWS like winza, iplj etc. None of them were there and I did enable hidden files to be shown. I deleted the entries in the HJT as suggested and followed the rest of the advice.

    Please let me know if my HJT log is now OK.

    Thank you again!!!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    That's because HijackThis deleted them. Since we never know what it will be able to delete, the manual steps are added as a backup.

    Your log is now clean. To help keep it that way, you should complete the steps in the below thread:

    How to Protect yourself from malware!
     
