TechSpot

IE has been hijacked, hijackthislog included Please help

By Tony Starks
Nov 1, 2005
Topic Status:
Not open for further replies.
  1. My Internet explorer has been hijacked.

    When IE opens for a brief second "res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm" flashes up in the address bar and then it takes me to "http://www.warningmessage.com/". I was also getting items popping up in the taskbar saying I had spyware installed but I think I have sorted that.

    At first I ran AVG and ad-aware but they didn't find anything. I then noticed that two items were running in my task manager "nvctrl.exe" and "mssearchnet.exe", I checked them out and they appear to be Trojans so I rebooted to safemode and deleted said items. (I think these are now gone)

    IE was still hijacked so I followed a few threads from here and downloaded spybot and hijackthis. Back in safe mode I scanned again with AVG, emptied my cookies and history and deleted my temporary internet files. Then with hijackthis I selected "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/" and let it fix it. I then ran Ad-aware (still didn't find anything) and spybot, which found about 60 reg values and I let it fix all of them.

    But my IE is still hijacked. I have included a hijackthis log; hopefully you can help me.

    Thank you.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /U/ UNinstall anything to do with this
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /P/ O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hp8B96.tmp
    /P/U/ O4 - HKLM\..\Run: [H2OWIBU] D:\Apps\WIBUKEY\H2O\CXWibu.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123025468375
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
    ...................................................................................................
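Added example, not from the thread or from HijackThis itself: a small Python triage script that parses HJT-style entry lines and flags the patterns RealBlackStuff marked above (a BHO loaded from a .tmp file under system32, a DPF download from a bare IP address pointing straight at an .exe). The heuristics are my own assumptions for illustration, not HJT's logic, and the sample log is constructed from the lines quoted in the post.

```python
import re
from ipaddress import ip_address

# Constructed sample: the HJT lines quoted in the post above plus the R0 line from post 1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hp8B96.tmp
O4 - HKLM\..\Run: [H2OWIBU] D:\Apps\WIBUKEY\H2O\CXWibu.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123025468375
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
"""

# HJT entries look like "<code> - <body>", e.g. "O2 - BHO: ..." or "R0 - HKCU\...".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s:]+)")


def parse_hjt(text):
    """Return a list of (code, body) tuples, one per HJT entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def is_bare_ip(host):
    """True if the URL host is a literal IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_entry(code, body):
    """Return the reasons (assumed heuristics) an entry deserves a closer look."""
    reasons = []
    lower = body.lower()
    if code == "O2" and lower.endswith(".tmp"):
        reasons.append("BHO loaded from a .tmp file")
    if "\\windows\\system32\\" in lower and lower.endswith(".tmp"):
        reasons.append(".tmp file under system32 registered as a component")
    if code == "O16":
        m = URL_RE.search(body)
        if m and is_bare_ip(m.group("host")):
            reasons.append("DPF download from a bare IP address")
        if lower.endswith(".exe"):
            reasons.append("DPF points directly at an .exe")
    return reasons


def suspicious_entries(text):
    """Filter parsed entries down to those with at least one flag."""
    flagged = []
    for code, body in parse_hjt(text):
        reasons = flag_entry(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged
```

Running `suspicious_entries(SAMPLE_LOG)` keeps only the O2 and the second O16 line, matching the two entries the reply singles out; the Windows Update O16 line and the WIBUKEY O4 entry pass the heuristics untouched.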
     
  3. Tony Starks

    Tony Starks TS Rookie Topic Starter

    Ok I did everything you said and worked great (also switched to using firefox).
    This morning I looked at my computer, which had been on all night, and AVG had found "hp8B96.tmp" again in the system32 folder. Also, the only place AVG can't scan is the boot sector; is it possible there is a virus here? How can I fix the boot sector, would scandisk do this, or do you have any suggestions?
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    check for, and delete any xxx.tmp files in \windows and in \windows\system32

    Unlikely it's a boot sector virus. Scandisk can't do anything there.
    In the Repair Console you can call up Fixboot and Fixmbr. Read the main How to access.. post in the Windows forum
     
  5. Tony Starks

    Tony Starks TS Rookie Topic Starter

    Hi, boot sector seems fine, sorry about that. AVG just seems to have a problem when scanning in safe mode.

    Every time I start Windows and scan my System32 folder, AVG finds a Trojan it calls "Trojan horse Downloader.Generic.HQQ". The file is always a .tmp file, i.e. "ld4D26.tmp" and "ld50B0.tmp". If I do a scan with AVG it finds the Trojan and heals it; if I then straight away scan again it finds the same Trojan again, and so on.

    I've gone into safe mode and deleted all .tmp files, but still no luck.

    Thanks for the help so far, I guess if I knew the exact Trojan it would be easier to remove.

    Any Ideas?
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  7. Tony Starks

    Tony Starks TS Rookie Topic Starter

    Cheers, the Panda scan found it; I removed it and all seems fine.

    Thanks mate.
     