# internet explorer HIJACK



## Alive_Hunter (Feb 19, 2005)

My Internet Explorer has been hijacked.

By default it's opening some search site.

I tried cleaning it with many spy software but in vain.

Please help..

And where can I download the full offline setup of the latest Microsoft Internet Explorer?

Waiting for reply...


----------



## swatkat (Feb 19, 2005)

ok, now it's time for some hands on job...download and run HijackThis, and Scan ur system and Save the Log file.....then post the content of Log file here....let's check out the _bad things_ in ur computer....

*www.spychecker.com/program/hijackthis.html

MS only gives tip of the full IE installation, and it downloads the programs required while installing, this is irritating...u can find IE 6 SP1 in *all* of the Electronics For You Magazine's CD, in the Popular Repeats section, try to get it....


----------



## babumuchhala (Feb 19, 2005)

Did u try the Microsoft AntiSpyware bcos it catches even a small damn change in IE. MS AS is the best for IE hijack repairs.

Dude better shift to Firefox


----------



## enoonmai (Feb 19, 2005)

Follow swatkat's suggestion and post a HJT log file so we can get a clearer idea. However, spyware removers are also like antivirus programs and need to be updated with the latest detection updates to root out the spyware completely. The best thing to do is to either use BHODemon 2.0 and then chuck the browser hijack out, or use Spybot S&D with the latest advanced library checks and the detection library and then once you root the spyware out, please make sure you run the system protection (TeaTimer.exe) at all times to prevent any unwanted registry changes.


----------



## Alive_Hunter (Feb 20, 2005)

*HijackThis.log file*

The below mentioned is the log file txt. for *HijackThis*

*--------------------------------------------------------------------------------------*

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\bowc87jnwgkvnthd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Ositis Software\WinProxy 5\WinProxy.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPDebug.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.exe
D:\utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *letgohome.com/sp.htm?id=11305
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *letgohome.com/sp.htm?id=11305
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *letgohome.com/hp.htm?id=11305
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *letgohome.com/hp.htm?id=11305
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *letgohome.com/hp.htm?id=11305
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *letgohome.com/sp.htm?id=11305
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\dbq3lgji.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\dbq3lgji.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\bowc87jnwgkvnthd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINNT\dnscleaner.exe
O4 - Startup: WinProxy.lnk = C:\Program Files\Ositis Software\WinProxy 5\WinProxy.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: winlogin.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!*toprefsys.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B5FEE5-126B-4CB6-9066-9D12CFBD72EF}: NameServer = 203.94.227.70 203.94.243.70
O20 - AppInit_DLLs: z1rdigkznocx5dl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-------------------------------------------------------------------------------------

Please help me ..

I am waiting for reply.........




----------



## techno_funky (Feb 20, 2005)

*Re: HijackThis.log file*



			
Alive_Hunter said:

> The below mentioned is the log file txt. for *HijackThis*
> 
> *--------------------------------------------------------------------------------------*
> 
> ...




remove the ones marked in red
i.e. tick them and click "fix checked"
I am suspicious of the one in bold
let's see what others say


----------



## swatkat (Feb 20, 2005)

*Re: HijackThis.log file*

wow...lots of _baddies_ here....



			
Alive_Hunter said:

> The below mentioned is the log file txt. for *HijackThis*
> 
> *--------------------------------------------------------------------------------------*
> 
> ...



in HijackThis, select the entries which are marked in red and click Fix.....
Restart in Safe mode, and then delete these files using Find utility of Windows:-
C:\WINNT\system32\W8C6S4~1.DLL
C:\foo.mht!*toprefsys.com/G7/chm10.chm::/ieloader.exe
ieloader.exe
z1rdigkznocx5dl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl
bowc87jnwgkvnthd.exe

then, restart and clean the junk left behind by using, Cleanup! and CCleaner...
*cleanup.stevengould.org/
*www.ccleaner.com/

after this, post a fresh HijackThis log...


----------



## kl_ravi (Feb 21, 2005)

Also visit the following link and see which security updates you need and install/update the same.....
 
*v4.windowsupdate.microsoft.com/en/default.asp

Recently my PC was also hijacked by spyware. *Swatkat* helped me to solve the problem completely. Now my PC is fine. Do as swatkat says. ...


----------



## enoonmai (Feb 21, 2005)

Hmm, slightly off-topic, but I just noticed the HJT listing for OS isn't there. So, if it's Windows XP, it would be better to use v5 of Windows Update.

@Alive_Hunter: Once you follow swatkat's advice and clear out all spyware, please make sure you install Spybot S&D, and leave its TeaTimer system protection turned on at all times to prevent anything like this from ever happening again.


----------



## swatkat (Feb 21, 2005)

@Alive_Hunter, is ur problem fixed? Also, download and run AboutBuster which removes any StartPage hijackers lurking around....
*www.malwarebytes.biz/

@kl_ravi, I am happy to hear that ur problem is solved.....
thanks....


----------



## it_waaznt_me (Feb 23, 2005)

*Re: HijackThis.log file*



			
Alive_Hunter said:

> C:\WINNT\system32\bowc87jnwgkvnthd.exe


First kill this process from Task Manager .. (Ctrl Shift Esc , Then select this process in the Process tab, and click on Del .. ) ...

Now Put a checkmark next to these entries when you run HijackThis again and Click on Fix Checked .. 


> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *letgohome.com/sp.htm?id=11305
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *letgohome.com/sp.htm?id=11305
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *letgohome.com/hp.htm?id=11305
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *letgohome.com/hp.htm?id=11305
> ...



Now boot in Safe Mode and Search and Delete these files : 
C:\foo.mht
bowc87jnwgkvnthd.exe
winlogin.exe
W8C6S4~1.DLL

To remove virus from your system, Scan your system with updated antivirus : 

And Scan your system with updated virus definitions: 
Panda ActiveScan
Stinger
Symantec System Check  ...


----------
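
Added example, not part of any post in this thread: the red and bold highlighting the replies refer to did not survive on this page, so this sketch shows the kind of by-eye triage the helpers applied to the HijackThis log, written as code. The allowlist, the "random-looking name" heuristic and the function names are assumptions made for illustration, not HijackThis behaviour.

```python
import re

# Constructed sample: entries taken from the HijackThis log posted in this thread
# (the AppInit_DLLs value is shortened to a single ".dll" suffix).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *letgohome.com/hp.htm?id=11305
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\bowc87jnwgkvnthd.exe
O20 - AppInit_DLLs: z1rdigkznocx5dl.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
"""

ENTRY = re.compile(r"^([RNO]\d{1,2}) - (.+)$")    # "<section code> - <details>"
TRUSTED = ("microsoft.com", "msn.com")            # assumption: example allowlist

def url_host(value):
    """Host of a URL-like value, else None. A leading '*' is treated as a
    stripped URL scheme (assumption based on how URLs appear in this thread)."""
    m = re.match(r"\*?(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?]|$)",
                 value.strip(), re.I)
    return m.group(1).lower() if m else None

def looks_random(text):
    """Heuristic (assumption): .exe/.dll stem of 12+ chars with under 20% vowels."""
    m = re.search(r'([^\\/\s"\].]+)\.(?:exe|dll)', text, re.I)
    stem = m.group(1).lower() if m else ""
    return len(stem) >= 12 and sum(c in "aeiou" for c in stem) / len(stem) < 0.2

def triage(log):
    """Return (section code, reason) for each entry worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1"):                        # IE start/search page values
            host = url_host(body.rsplit(" = ", 1)[-1])
            if host and not any(host == t or host.endswith("." + t) for t in TRUSTED):
                findings.append((code, "IE page points at " + host))
        elif code == "O2" and "(no name)" in body:      # Browser Helper Object
            findings.append((code, "unnamed BHO"))
        elif code in ("O4", "O20") and looks_random(body):   # autostart / AppInit_DLLs
            findings.append((code, "random-looking file name"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

The output is a review list, not a verdict: entries such as `dnscleaner.exe` or `winlogin.exe` in the full log pass these heuristics and still need a human look.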

