IE has been hijacked, HijackThis log included. Please help

Status
Not open for further replies.
My Internet Explorer has been hijacked.

When IE opens for a brief second "res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm" flashes up in the address bar and then it takes me to "http://www.warningmessage.com/". I was also getting items popping up in the taskbar saying I had spyware installed but I think I have sorted that.

At first I ran AVG and Ad-Aware but they didn't find anything. I then noticed that two items were running in my task manager, "nvctrl.exe" and "mssearchnet.exe". I checked them out and they appear to be Trojans, so I rebooted to safe mode and deleted said items. (I think these are now gone.)

IE was still hijacked so I followed a few threads from here and downloaded Spybot and HijackThis. Back in safe mode I scanned again with AVG, emptied my cookies and history, and deleted my temporary internet files. Then with HijackThis I selected "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/" and let it fix it. I then ran Ad-Aware (still didn't find anything) and Spybot, which found about 60 reg values, and I let it fix all of them.

But still my IE is hijacked. I have included a HijackThis log; hopefully you can help me.

Thank you.
 
First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/U/ UNinstall anything to do with this
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
/P/ O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hp8B96.tmp
/P/U/ O4 - HKLM\..\Run: [H2OWIBU] D:\Apps\WIBUKEY\H2O\CXWibu.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123025468375
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
...................................................................................................
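The kind of entries flagged in the post above can also be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread or of HijackThis itself: the function name `triage` and its two heuristics (a BHO loaded from a `.tmp` file; an ActiveX download whose codebase is a bare IP address or an `.exe`) are assumptions chosen for illustration, and the sample lines are the ones quoted in the post.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Log lines copied from the post above, with the /P/ and /U/ helper tags removed.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hp8B96.tmp
O4 - HKLM\..\Run: [H2OWIBU] D:\Apps\WIBUKEY\H2O\CXWibu.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123025468375
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
"""

# A HijackThis entry starts with a section code such as R0, O2 or O16.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (code, reason, line) for every entry matching a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code = m["code"]
        # The file path or URL is the last " - "-separated field of the entry.
        target = m["body"].rsplit(" - ", 1)[-1].strip()
        reasons = []
        if code == "O2" and target.lower().endswith(".tmp"):
            reasons.append("BHO loaded from a .tmp file")
        if code == "O16":
            if host_is_ip(target):
                reasons.append("codebase on a bare IP address")
            if urlparse(target).path.lower().endswith(".exe"):
                reasons.append("codebase is an .exe, not a .cab")
        if reasons:
            findings.append((code, "; ".join(reasons), line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A match is only a prompt for a closer look at that entry; the Windows Update control in the sample is left alone because it is a `.cab` served from a named host.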
 
OK, I did everything you said and it worked great (also switched to using Firefox).
This morning I looked at my computer, which had been on all night, and AVG had found "hp8B96.tmp" again in the system32 folder. Also, the only place AVG can't scan is the boot sector; is it possible there is a virus here? How can I fix the boot sector? Would scan disk do this, or do you have any suggestions?
 
Check for, and delete, any xxx.tmp files in \windows and in \windows\system32.

Unlikely it's a boot sector virus. Scandisk can't do anything there.
In the Repair Console you can call up Fixboot and Fixmbr. Read the main How to access.. post in the Windows forum
 
Hi, boot sector seems fine, sorry about that. AVG just seems to have a problem when scanning in safe mode.

Every time I start Windows and scan my System32 folder, AVG finds a Trojan it calls "Trojan horse Downloader.Generic.HQQ". The file is always a .tmp file, i.e. "ld4D26.tmp" and "ld50B0.tmp". If I do a scan with AVG it finds the Trojan and heals it; if I then straight away scan again it finds the same Trojan again, and so on.

I've gone into safe mode and deleted all .tmp files but still no luck.

Thanks for the help so far. I guess if I knew the exact Trojan it would be easier to remove.

Any ideas?
 