IE Hijack Problem

Moderator
Featured Poster
crunchie
Spyware Killer

Re: IE Hijack Problem

#8 - Mar 13th, 2005
Hi thehosley.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:

Bullseye Networks

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Download the Adware.Istbar removal utility from Symantec and follow the instructions on the same page.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u msbe.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\pd7.exe
C:\WINDOWS\ljiwvrud.exe
C:\WINDOWS\System32\Guojoc.exe
C:\Program Files\ISTsvc\istsvc.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [printer] C:\WINDOWS\helpsys.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [eGebJ9B] C:\WINDOWS\ljiwvrud.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Gwfuyj.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Guojoc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\YourSiteBar\ysb.dll"
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe

O16 - DPF: {006AD405-677A-36DC-E146-31C47109EA0C} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {04457EE2-8BC5-1ADE-EB3A-3A776B45706A} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {06E8F3B2-C6C1-2016-97C4-5551592B00DC} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {1150C913-5486-77A5-5F69-045C4920231A} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c7.cab
O16 - DPF: {1E8E60E9-0344-4EBC-1B7B-0BAD278A6859} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {209492DD-3A9B-48A7-3403-3DC927B58611} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3DE0CEBB-B70D-2B5E-76B8-39147ABDDAC6} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {48D919C9-2A8D-0F90-EC33-5DAA0D52FAA1} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {4F07CE1C-E4C0-15AE-418C-712131E5FC5D} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {558AEB02-4D47-495F-610A-0286012D8927} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {5EEFBAD4-E5AF-2CD0-98D8-24792B1E497F} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {66B592B4-A830-39C9-9A45-2FA3490F725F} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {6B773130-ED8D-06A1-7D33-34865C60990A} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {7DFDE27F-E579-5E3D-51FD-02DA09852401} - http://69.50.182.94/1/rdgUS896.exe

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\ISTsvc
C:\Program Files\BullsEye Network
C:\Program Files\YourSiteBar

files...

C:\WINDOWS\System32\pd7.exe
C:\WINDOWS\ljiwvrud.exe
C:\WINDOWS\System32\Guojoc.exe
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\helpsys.exe
C:\WINDOWS\System32\Gwfuyj.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\zeta.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Download, install and keep updated SpywareBlaster from www.javacoolsoftware.com to help keep your system clean.

===============

Post back a new log after rebooting and let me know how everything goes.
Proud member of ASAP (Alliance of Security Analysis Professionals).

Please do not PM me for help. Instead, post in the public forum where others may benefit.
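As an added example (not part of crunchie's post, nor code from HijackThis itself), a small Python parser for the log format quoted above: it pulls the section, CLSID, local path and download URL out of each line, matches entries against the file list the post says to delete, and collects the hosts the O16 DPF entries download from so they can go on a proxy or DNS block list. The sample lines are copied from the post; the Entry fields and function names are my own.

```python
import re
from typing import List, NamedTuple, Optional, Set
from urllib.parse import urlsplit
# Constructed sample: a handful of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
O16 - DPF: {006AD405-677A-36DC-E146-31C47109EA0C} - http://69.50.182.94/1/rdgUS896.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
"""
# Files the post tells the user to delete (paths copied from it).
TO_DELETE = {r"C:\WINDOWS\System32\pd7.exe", r"C:\WINDOWS\System32\msbe.dll",
             r"C:\WINDOWS\System32\angelex.exe",
             r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"}

class Entry(NamedTuple):
    section: str          # "R3", "O2", "O4", "O16", "O23", ...
    clsid: Optional[str]  # {GUID} when the line carries one
    path: Optional[str]   # local file the entry points at, if any
    url: Optional[str]    # remote object for O16 DPF entries

SECTION_RE = re.compile(r"^(R\d|O\d+) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll|cab))', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into section, CLSID, local path and URL."""
    line = line.strip()
    sec = SECTION_RE.match(line)
    if not sec:
        return None
    clsid, url = CLSID_RE.search(line), URL_RE.search(line)
    # O16 lines name a remote download, so only look for a local path elsewhere.
    pm = None if url else PATH_RE.search(line)
    return Entry(sec.group(1), clsid.group(0) if clsid else None,
                 pm.group(1) if pm else None, url.group(0) if url else None)

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def entries_pointing_at(entries: List[Entry], files: Set[str]) -> List[Entry]:
    """Entries whose target is in the deletion list (Windows paths compare case-insensitively)."""
    wanted = {f.lower() for f in files}
    return [e for e in entries if e.path and e.path.lower() in wanted]

def download_hosts(entries: List[Entry]) -> Set[str]:
    """Hosts the O16 DPF entries fetch from, e.g. for a proxy or DNS block list."""
    return {urlsplit(e.url).hostname for e in entries if e.section == "O16" and e.url}
```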