IE hijacked... Help ! - Printable Version
-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: IE hijacked... Help ! (/showthread.php?tid=44514)
IE hijacked... Help ! by WaqasTariq on 05-11-2005 at 05:11 AM
Hi everyone,
My IE got hijacked now whenever I open my IE its start page comes as shown in the picture attached. I have tried eliminating it through MS Spyware, Ad-aware, and Spybot but nothing happened... please help me... WHAT TO DO???
RE: IE hijacked... Help ! by Joa on 05-11-2005 at 05:17 AM
go to this site: http://asia.cnet.com/enterprise/apps/0,39035809,39199958,00.htm
i hope it helps 
Edit: there is also some good info on this site (it has a very straight forward, "Step-by-step: Reclaiming a hijacked Internet Explorer" tutorial)
RE: IE hijacked... Help ! by buzz on 05-11-2005 at 06:49 PM
quote:have u tried deleting ur cookies, files(online and offline) and ur history?
Originally posted by Joa
I have tried eliminating it through MS Spyware, Ad-aware, and Spybot but nothing happened
RE: IE hijacked... Help ! by Zephyr on 05-11-2005 at 07:24 PM
A really useful program for this is Hijack This
When you run it, a list of of files and keys will appear. There will probably be one like this:
HKCU\Software\Micorosft\Internet Explorer\Main,Start Page = <the site that your internet now starts at when hijacked>
Check this key and click fix checked.
Do not delete anything unless you are completely sure it is something bad
I also recommend trying CWShredder which runs a scan and is really good.
RE: IE hijacked... Help ! by user13774 on 05-11-2005 at 07:26 PM
Use HijackThis:
http://www.richardthelionhearted.com/~merijn/files/hijackthis.zip
Let it scan and search google for all entries you don't trust. Then use repair to remove the entry/let it be changed to default value.
RE: IE hijacked... Help ! by user13774 on 05-11-2005 at 07:32 PM
quote:
Originally posted by monster.rat
A really useful program for this is Hijack This
When you run it, a list of of files and keys will appear. There will probably be one like this:
HKCU\Software\Micorosft\Internet Explorer\Main,Start Page = <the site that your internet now starts at when hijacked>
Check this key and click fix checked.
Do not delete anything unless you are completely sure it is something bad
I also recommend trying CWShredder which runs a scan and is really good.
That's not enough! He has a browser hijacker that keeps changing it's homepage at startup, but it shows about:blank in the addres bar. I've had the same hijacker.
RE: IE hijacked... Help ! by Zephyr on 05-11-2005 at 07:35 PM
quote:
Originally posted by Markus
quote:
Originally posted by monster.rat
A really useful program for this is Hijack This
When you run it, a list of of files and keys will appear. There will probably be one like this:
HKCU\Software\Micorosft\Internet Explorer\Main,Start Page = <the site that your internet now starts at when hijacked>
Check this key and click fix checked.
Do not delete anything unless you are completely sure it is something bad
I also recommend trying CWShredder which runs a scan and is really good.
That's not enough! He has a browser hijacker that keeps changing it's homepage at startup, but it shows about:blank in the addres bar. I've had the same hijacker.
Which is why I also recommended CWShredder which can fix the about:blank.
I didn't want to say to much about deleting files with Hijack This as it could mess up the a lot of things if you delete a useful file or key.
RE: IE hijacked... Help ! by user13774 on 05-12-2005 at 08:49 AM
CWShredder only removes CoolWebSearch variants....
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-12-2005 at 10:33 AM
quote:
Originally posted by buzz
quote:have u tried deleting ur cookies, files(online and offline) and ur history?
Originally posted by Joa
I have tried eliminating it through MS Spyware, Ad-aware, and Spybot but nothing happened
Hi Buzz,
Yeah I tried that didnt helped
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-12-2005 at 10:35 AM
quote:
Originally posted by monster.rat
A really useful program for this is Hijack This
When you run it, a list of of files and keys will appear. There will probably be one like this:
HKCU\Software\Micorosft\Internet Explorer\Main,Start Page = <the site that your internet now starts at when hijacked>
Check this key and click fix checked.
Do not delete anything unless you are completely sure it is something bad
I also recommend trying CWShredder which runs a scan and is really good.
Hi,
Tried both softwares but none of em was able to get rid of the spyware... though HighJack This found the entry for the spyware and said it deleted it but nothing happened.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-12-2005 at 10:38 AM
quote:
Originally posted by Markus
That's not enough! He has a browser hijacker that keeps changing it's homepage at startup, but it shows about:blank in the addres bar. I've had the same hijacker.
Yeah, Finally someone getting me... so any idea what should I be doing?
RE: IE hijacked... Help ! by mwe99 on 05-12-2005 at 11:23 AM
I had to same one a few months back. I think i uninstalled IE then reinstalled it. Seemed to fix it but i also kept spybot running under the net protect thingie.
RE: IE hijacked... Help ! by uberdosis on 05-12-2005 at 11:28 AM
RE: RE: IE hijacked... Help ! by Caboose on 05-12-2005 at 04:58 PM
quote:Firefox is not a solution to spyware. It's just as vulnerable as other browsers, it just takes time for people to find the exploits.
Originally posted by uberdosis
Solution here
As for something more relevant... well, I'm not totally sure what to do
. Maybe you could install CodeStuff's Starter and see what programs are running at startup, then disabling the ones you don't know.
RE: IE hijacked... Help ! by Concord Dawn on 05-12-2005 at 05:03 PM
quote:
Originally posted by Caboose
Firefox is not a solution to spyware. It's just as vulnerable as other browsers, it just takes time for people to find the exploits.
As for something more relevant... well, I'm not totally sure what to do
It is too a solution
, just of a different breed. And don't suggest installing 3rd party apps that do exactly the same thing as msconfig. My recommendation to you is to try the Lop.com uninstaller to see if that helps anything. Other than that, I'd recommend downloading Firefox because it is less vulnerable to the convientional means of being hijacked.
RE: IE hijacked... Help ! by matty on 05-12-2005 at 05:19 PM
Close all Internet Explorer windows then goto your Control Panel (Start > (Settings) > Control Panel
Double Click Internet Options
Click Advanced
Uncheck Enabled third-party browser extensions (requires restart).
Click Ok.
Next click Start > Run > type the following (or copy)
code:
ren c:\windows\system32\drivers\etc\hosts hosts2
Next try and use wither Adware or Spybot S&D
RE: IE hijacked... Help ! by buzz on 05-12-2005 at 11:53 PM
http://www.d-a-l.com/help/archive/index.php/t-574.html
this guy and a few others found a way
RE: IE hijacked... Help ! by wj on 05-12-2005 at 11:56 PM
Give Microsoft Anti-Spyware a try, It might fix it.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-13-2005 at 08:05 AM
quote:Any how do I uninstall IE
Originally posted by mwe99
I had to same one a few months back. I think i uninstalled IE then reinstalled it. Seemed to fix it but i also kept spybot running under the net protect thingie.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-13-2005 at 08:06 AM
quote:Told you, tried it... no avail
Originally posted by wj
Give Microsoft Anti-Spyware a try, It might fix it.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-13-2005 at 08:08 AM
quote:Thanks Buzz... I will try it as soon as I reach home today
Originally posted by buzz
http://www.d-a-l.com/help/archive/index.php/t-574.html
this guy and a few others found a way
RE: IE hijacked... Help ! by squall_leonhart69r on 05-13-2005 at 11:30 AM
you need to also clear your host file in the c:\windows\system32 folder as this can store browser hijack info and prevent the system from completely getting rid of it
then use Ad-aware se to lock the host file
RE: IE hijacked... Help ! by Concord Dawn on 05-13-2005 at 12:37 PM
quote:
Originally posted by squall_leonhart69r
you need to also clear your host file in the c:\windows\system32 folder as this can store browser hijack info and prevent the system from completely getting rid of it
then use Ad-aware se to lock the host file
Good advice. Spybot also has a function that enters addresses for a whole bunch of malware installing sites and tells your computer to look at 127.0.0.1 for them. This includes lop.com, so it's a bit of a pain if you're looking for the uninstaller for a friend, but other than that it's really very convienient. I would really recommend switching to FireFox, Opera, or any other alternate browser because, as I said, they less vulnerable to conventional hijacking methods.
RE: RE: RE: IE hijacked... Help ! by Chris4 on 05-13-2005 at 04:27 PM
quote:
Originally posted by waqastariq
quote:
Originally posted by Markus
That's not enough! He has a browser hijacker that keeps changing it's homepage at startup, but it shows about:blank in the addres bar. I've had the same hijacker.
Yeah, Finally someone getting me... so any idea what should I be doing?
If this is the case, follow these instructions.
1. Start > Run > Type msconfig
2. A box will come up. Click on the startup tab.
3. The ticked files are the ones that run when you first startup your computer.
4. Untick any files that you do not recconise.
5. restart your computer.
Hope that helps
RE: IE hijacked... Help ! by user13774 on 05-14-2005 at 01:45 PM
quote:
Originally posted by chris4
4. Untick any files that you do not recconise.
Recognize you mean
. Just google for all the processes (like atiptaxx.exe [Ati software], navaps32.exe [Norton] and other processes in your Startup list @ MSConfig to see if they are malicious).
By the way waqastariq,
If you don't know what entries to check in HijackThis, please do a scan with HijackThis and attach the log file here. I'll tell you which entries to select and remove/reset
RE: RE: RE: RE: IE hijacked... Help ! by WaqasTariq on 05-14-2005 at 10:08 PM
quote:Hey these are only two entries there one is MSN Messenger (I use Plus in office
Originally posted by chris4
If this is the case, follow these instructions.
1. Start > Run > Type msconfig
2. A box will come up. Click on the startup tab.
3. The ticked files are the ones that run when you first startup your computer.
4. Untick any files that you do not recconise.
5. restart your computer.
Hope that helps
) and the other is se... just see the attach file to se the full name... I unticked it and restarted but for some strange reson it ticked it self again by itself What to do????
RE: IE hijacked... Help ! by ShawnZ on 05-14-2005 at 10:41 PM
I have never seen se.dll, but I can tell you it is NOT trustworthy. Uncheck both of them and apply the settings. Anything in your Temp or LocalSettings folder usually isnt trustworthy, and any DLLs or anything beginning with Rundll also has a small chance of being untrustworthy.
I will search for more information about se.dll later, for now, remove it. Also, can you attach a screenshot of the Services tab? (make sure you select 'Hide all microsoft services' before taking the screenshot)
Also, end any tasks called 'RunDll32' in your task manager before unticking it, or it will just reenable itself. I suggest you right click System and click End Process Tree to end all processes before doing this aswell, then using the Task Manager to start msconfig.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-15-2005 at 09:24 AM
quote:There are NO other 'Services' when I hide all microsoft ones... There was a 'rundll32' when I opened the task manager ended it... here is a screen shot of my WTM
Originally posted by ShawnzAlso, can you attach a screenshot of the Services tab? (make sure you select 'Hide all microsoft services' before taking the screenshot)
quote:I told you before, I UNTICKED it but after EVERY restart it checks its self back again...
Originally posted by Shawnz
I have never seen se.dll, but I can tell you it is NOT trustworthy. Uncheck both of them and apply the settings. Anything in your Temp or LocalSettings folder usually isnt trustworthy, and any DLLs or anything beginning with Rundll also has a small chance of being untrustworthy.
RE: IE hijacked... Help ! by haydos on 05-15-2005 at 09:58 AM
Well im not sure I can help you here but heres the information on se.dll promised to you earlier. Also, try a general Search of your computer for se.dll, you could be lucky
File Name: se.dll
Description:
Se.dll is a IE Browser Helper Object of adware SCBar/SearchExe variant. It adds a toolbar to Internet Explorer and generates popup ads while online.
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-15-2005 at 10:07 AM
quote:Ok, but how to get rid of it???
Originally posted by inc_haydn
Well im not sure I can help you here but heres the information on se.dll promised to you earlier. Also, try a general Search of your computer for se.dll, you could be lucky
File Name: se.dll
Description:
Se.dll is a IE Browser Helper Object of adware SCBar/SearchExe variant. It adds a toolbar to Internet Explorer and generates popup ads while online.
RE: IE hijacked... Help ! by user13774 on 05-15-2005 at 12:34 PM
quote:
Originally posted by Markus
please do a scan with HijackThis and attach the log file here. I'll tell you which entries to select and remove/reset
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-15-2005 at 05:41 PM
quote:Hi,
Originally posted by Markus
quote:
Originally posted by Markus
please do a scan with HijackThis and attach the log file here. I'll tell you which entries to select and remove/reset
Here is the log file...
Logfile of HijackThis v1.99.1
Scan saved at 10:40:11 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\prime Computer\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {977E10FC-95FE-4399-A349-C505A1DC502B} - C:\WINDOWS\system32\bogj.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC5AE20-371B-4701-AEF4-F5B218B30D38}: NameServer = 202.163.96.3 202.163.96.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC5AE20-371B-4701-AEF4-F5B218B30D38}: NameServer = 202.163.96.3 202.163.96.4
O18 - Filter: text/html - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
O18 - Filter: text/plain - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
RE: IE hijacked... Help ! by user13774 on 05-15-2005 at 06:24 PM
Ok... as you can see the se.dll file is in multiple entries.
Also I can't find any info regarding bogj.dll, but I'm not sure if it's a virus. I recommend you also check the bogj entries. You can always restore a backup or do a system restore.
Select the following entries and choose 'fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {977E10FC-95FE-4399-A349-C505A1DC502B} - C:\WINDOWS\system32\bogj.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
O18 - Filter: text/plain - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-15-2005 at 06:56 PM
quote:Thanks Markus, for giving me your time, but till not its not out!
Originally posted by Markus
Ok... as you can see the se.dll file is in multiple entries.
Also I can't find any info regarding bogj.dll, but I'm not sure if it's a virus. I recommend you also check the bogj entries. You can always restore a backup or do a system restore.
Select the following entries and choose 'fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {977E10FC-95FE-4399-A349-C505A1DC502B} - C:\WINDOWS\system32\bogj.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
O18 - Filter: text/plain - {7D305B7D-30C4-4C85-9BC0-1F29990A9E6F} - C:\WINDOWS\system32\bogj.dll
I did just what you told me to ticked them all and pressed fix (IE was closed) restarted the comp and... its STILL my start page
and those entries are back in Hijackthis
RE: IE hijacked... Help ! by user13774 on 05-16-2005 at 08:32 AM
You could try to manually remove the two dll files in the log.
"C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll"
"C:\WINDOWS\system32\bogj.dll"
You might need to boot in save mode to remove them. Also use the Windows search to search your hdd for more copies of se.dll/bogj.dll
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-16-2005 at 03:10 PM
quote:Hi Markus,
Originally posted by Markus
You could try to manually remove the two dll files in the log.
"C:\DOCUME~1\PRIMEC~1\LOCALS~1\Temp\se.dll"
"C:\WINDOWS\system32\bogj.dll"
You might need to boot in save mode to remove them. Also use the Windows search to search your hdd for more copies of se.dll/bogj.dll
I did EXACTLY what you said... and it WORKED
huray!!!Thanks a lot Markus
RE: IE hijacked... Help ! by user13774 on 05-16-2005 at 04:30 PM
No problem .
To make sure you don't get any errors (for missing files) or something like that, run HijackThis and again 'fix' all the entries containing se.dll / bogj.dll. 
RE: RE: IE hijacked... Help ! by WaqasTariq on 05-16-2005 at 04:35 PM
quote:Just did that to... Thanks and take care
Originally posted by Markus
No problem
To make sure you don't get any errors (for missing files) or something like that, run HijackThis and again 'fix' all the entries containing se.dll / bogj.dll.
RE: RE: RE: IE hijacked... Help ! by alewington on 05-18-2005 at 06:44 AM
quote:
Originally posted by Caboose
quote:Firefox is not a solution to spyware. It's just as vulnerable as other browsers, it just takes time for people to find the exploits.
Originally posted by uberdosis
Solution here
As for something more relevant... well, I'm not totally sure what to do
Just go to: start > run > msconfig