
Thread: My MS IE v6.0 browser has been hijacked

  1. #1
    browserquestions@yahoo.com Guest

    My MS IE v6.0 browser has been hijacked

    When I visit www.bankofamerica.com, there is an additional field
    "Enter ATM card number:"
    When I visit www.wellsfargo.com, there is an additional field for "ATM
    PIN"

    These fields don't appear when I use Mozilla Firefox v3.0

    I've reported the problem to the respective banks.

    Ad-Aware (free), Spybot and Windows Defender don't detect this hijack

    Can someone here help me identify who/what hijacked my IE 6 browser,
    and how I can find out which illegal IP address these 2 fields are
    being transmitted to?

  2. #2
    Kayman Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquestions@yahoo.com wrote:

    > When I visit www.bankofamerica.com, there is an additional field
    > "Enter ATM card number:"
    > When I visit www.wellsfargo.com, there is an additional field for "ATM
    > PIN"
    >
    > These fields don't appear when I use Mozilla Firefox v3.0
    >
    > I've reported the problem to the respective banks.
    >
    > Ad-Aware (free), Spybot and Windows Defender don't detect this hijack
    >
    > Can someone here help me identify who/what hijacked my IE 6 browser,
    > and how I can find out which illegal IP address these 2 fields are
    > being transmitted to?


    1.Clear the (IE) temporary Internet files and the history cache.
    Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
    quotation marks) into the box, then click the 'OK' button.
    In Internet Properties panel 'General' tab, under 'Browsing history', click
    'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
    all...' button then place a checkmark into the box beside 'Also delete files
    and settings stored by add-ons', Click 'Yes' and exit the Internet
    Properties panel by clicking the 'OK' button.

    2.Clean HDD
    Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
    marks) into the box, then click the 'OK' button. Select your drive
    (presumably WinXP (C:)) and click OK.

    3.Download/execute:
    Malwarebytes© Corporation - Anti-Malware
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    --and--
    SuperAntispyware - Free
    http://www.superantispyware.com/supe...freevspro.html

    After the software is updated, it is suggested scanning the system in Safe
    Mode.

    4.Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en...ols/hijackthis

    Please, do not post HJT logs to this newsgroup.
    Fora where you can get expert advice for HiJack This! (HJT) logs.

    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/i...hp?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://www.theeldergeek.com/forum/in...6&showforum=29

    NOTE:
    Registration is required in any of the above mentioned fora before posting
    a HJT log and read the 'stickies' (instructions/guidelines) for the
    respective HJT forum.

    5.Routinely practice Safe-Hex.
    http://www.claymania.com/safe-hex.html

    Good luck

  3. #3
    Dustin Cook Guest

    Re: My MS IE v6.0 browser has been hijacked

    Kayman <kaymanDeleteThis@operamail.com> wrote in
    news:gg35b6$nbi$1@news.motzarella.org:

    > On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquestions@yahoo.com
    > wrote:
    >
    >> When I visit www.bankofamerica.com, there is an additional field
    >> "Enter ATM card number:"
    >> When I visit www.wellsfargo.com, there is an additional field for
    >> "ATM PIN"
    >>
    >> These fields don't appear when I use Mozilla Firefox v3.0
    >>
    >> I've reported the problem to the respective banks.
    >>
    >> Ad-Aware (free), Spybot and Windows Defender don't detect this
    >> hijack
    >>
    >> Can someone here help me identify who/what hijacked my IE 6 browser,
    >> and how I can find out which illegal IP address these 2 fields are
    >> being transmitted to?

    > 3.Download/execute:
    > Malwarebytes© Corporation - Anti-Malware
    > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    > After the software is updated, it is suggested scanning the system in
    > Safe Mode.


    Malwarebytes actually performs better in Normal Mode.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  4. #4
    Kayman Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Sat, 22 Nov 2008 04:45:35 GMT, Dustin Cook wrote:

    > Malwarebytes actually performs better in Normal Mode.


    Thanks, I'll keep that in mind!

  5. #5
    PA Bear [MS MVP] Guest

    Re: My MS IE v6.0 browser has been hijacked

    Kayman wrote:
    >> Malwarebytes actually performs better in Normal Mode.
    >
    > Thanks, I'll keep that in mind!


    You have one? <wink>

  6. #6
    Kayman Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:

    > Kayman wrote:
    >>> Malwarebytes actually performs better in Normal Mode.
    >>
    >> Thanks, I'll keep that in mind!
    >
    > You have one? <wink>


    Definitely.

  7. #7
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 21, 8:45 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:
    > Kayman <kaymanDeleteT...@operamail.com> wrote in news:gg35b6$nbi$1@news.motzarella.org:
    >
    > > On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquesti...@yahoo.com
    > > wrote:
    >
    > >> When I visit www.bankofamerica.com, there is an additional field
    > >> "Enter ATM card number:"
    > >> When I visit www.wellsfargo.com, there is an additional field for
    > >> "ATM PIN"
    > >>
    > >> These fields don't appear when I use Mozilla Firefox v3.0
    > >>
    > >> I've reported the problem to the respective banks.
    > >>
    > >> Ad-Aware (free), Spybot and Windows Defender don't detect this
    > >> hijack
    > >>
    > >> Can someone here help me identify who/what hijacked my IE 6 browser,
    > >> and how I can find out which illegal IP address these 2 fields are
    > >> being transmitted to?
    >
    > > 3.Download/execute:
    > > Malwarebytes© Corporation - Anti-Malware
    > > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    > > After the software is updated, it is suggested scanning the system in
    > > Safe Mode.
    >
    > Malwarebytes actually performs better in Normal Mode.


    I thought it was preferable to do these things (e.g. anti virus scans)
    in Safe Mode to prevent stealth virii from going into stealth mode.
    The only thing safer than the Safe Mode is to boot up from a WIN PE or
    BART PE CD?

  8. #8
    David H. Lipman Guest

    Re: My MS IE v6.0 browser has been hijacked

    From: <browserquestions@yahoo.com>

    | I thought it was preferable to do these things (e.g. anti virus scans)
    | in Safe Mode to prevent stealth virii from going into stealth mode.
    | The only thing safer than the Safe Mode is to boot up from a WIN PE or
    | BART PE CD?

    There are no computer viri or virii. They are computer viruses.

    MBAM does not target viruses. It targets non-viral malware.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #9
    Dustin Cook Guest

    Re: My MS IE v6.0 browser has been hijacked

    browserquestions@yahoo.com wrote in
    news:7d0e030e-d408-4af1-a0fe-66a30264c990@q26g2000prq.googlegroups.com:

    > On Nov 21, 8:45 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:
    >> Kayman <kaymanDeleteT...@operamail.com> wrote
    >> in news:gg35b6$nbi$1@news.motzarella.org:
    >>
    >> > On Wed, 19 Nov 2008 20:18:51 -0800 (PST),
    >> > browserquesti...@yahoo.com wrote:
    >>
    >> >> When I visit www.bankofamerica.com, there is an additional field
    >> >> "Enter ATM card number:"
    >> >> When I visit www.wellsfargo.com, there is an additional field for
    >> >> "ATM PIN"
    >> >>
    >> >> These fields don't appear when I use Mozilla Firefox v3.0
    >> >>
    >> >> I've reported the problem to the respective banks.
    >> >>
    >> >> Ad-Aware (free), Spybot and Windows Defender don't detect this
    >> >> hijack
    >> >>
    >> >> Can someone here help me identify who/what hijacked my IE 6
    >> >> browser, and how I can find out which illegal IP address these 2
    >> >> fields are being transmitted to?
    >>
    >> > 3.Download/execute:
    >> > Malwarebytes© Corporation - Anti-Malware
    >> > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    >> > After the software is updated, it is suggested scanning the system
    >> > in Safe Mode.
    >>
    >> Malwarebytes actually performs better in Normal Mode.
    >
    > I thought it was preferable to do these things (e.g. anti virus scans)
    > in Safe Mode to prevent stealth virii from going into stealth mode.
    > The only thing safer than the Safe Mode is to boot up from a WIN PE or
    > BART PE CD?


    In most cases, very sound advice. In the case of Malwarebytes, no. It's
    actually designed to run best in Normal Mode. The reason being, in Safe
    Mode, some registry keys and programs fail to be initialized/run.
    Malwarebytes' heuristic engine actually looks for some of these things, so
    when it's run in Safe Mode, they won't be present and it can't deal with
    them.




    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  10. #10
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 19, 11:58 pm, Kayman <kaymanDeleteT...@operamail.com> wrote:
    > On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquesti...@yahoo.com wrote:
    > > When I visit www.bankofamerica.com, there is an additional field
    > > "Enter ATM card number:"
    > > When I visit www.wellsfargo.com, there is an additional field for "ATM
    > > PIN"
    > >
    > > These fields don't appear when I use Mozilla Firefox v3.0
    > >
    > > I've reported the problem to the respective banks.
    > >
    > > Ad-Aware (free), Spybot and Windows Defender don't detect this hijack
    > >
    > > Can someone here help me identify who/what hijacked my IE 6 browser,
    > > and how I can find out which illegal IP address these 2 fields are
    > > being transmitted to?
    >
    > 1.Clear the (IE) temporary Internet files and the history cache.
    > Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
    > quotation marks) into the box, then click the 'OK' button.
    > In Internet Properties panel 'General' tab, under 'Browsing history', click
    > 'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
    > all...' button then place a checkmark into the box beside 'Also delete files
    > and settings stored by add-ons', Click 'Yes' and exit the Internet
    > Properties panel by clicking the 'OK' button.
    >
    > 2.Clean HDD
    > Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
    > marks) into the box, then click the 'OK' button. Select your drive
    > (presumably WinXP (C:)) and click OK.
    >
    > 3.Download/execute:
    > Malwarebytes© Corporation - Anti-Malware
    > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    > --and--
    > SuperAntispyware - Free
    > http://www.superantispyware.com/superantispywarefreevspro.html
    >
    > After the software is updated, it is suggested scanning the system in Safe
    > Mode.
    >
    > 4.Download and execute HiJack This! (HJT)
    > http://www.trendsecure.com/portal/en...ols/hijackthis
    >
    > Please, do not post HJT logs to this newsgroup.
    > Fora where you can get expert advice for HiJack This! (HJT) logs.
    >
    > http://www.thespykiller.co.uk/index....d3289dd877ab75...
    >
    > NOTE:
    > Registration is required in any of the above mentioned fora before posting
    > a HJT log and read the 'stickies' (instructions/guidelines) for the
    > respective HJT forum.
    >
    > 5.Routinely practice Safe-Hex.
    > http://www.claymania.com/safe-hex.html
    >
    > Good luck


    Thanks!

    Malwarebytes found 6 backdoor bots and some infected files:
    svchost.exe, twext.exe
    that the other spyware tools missed.
    My IE 6 browser is back to normal now.
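
Added example, not part of any post in this thread: the first post's observation that the extra fields appear in IE 6 but not in Firefox can be made into a repeatable check by saving the same login page from both browsers and diffing the form controls. The two HTML snapshots, the host `bank.example`, the field names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed snapshots of the same login page saved from two browsers.
REFERENCE_COPY = """
<form action="https://bank.example/login" method="post">
  <input name="userid">
  <input name="passcode" type="password">
</form>"""
SUSPECT_COPY = """
<form action="https://bank.example/login" method="post">
  <input name="userid">
  <input name="passcode" type="password">
  Enter ATM card number: <input name="atm_card" type="text">
  ATM PIN: <INPUT NAME="atm_pin" TYPE="password">
</form>"""

class FieldCollector(HTMLParser):
    """Record (form action, field name, field type) for each form control."""
    def __init__(self):
        super().__init__()
        self.action = ""      # action of the enclosing <form>, "" if none
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.action = a.get("action", "")
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            # An <input> with no type attribute is a text box.
            kind = (a.get("type") or ("text" if tag == "input" else tag)).lower()
            self.fields.add((self.action, name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = ""

def collect_fields(html):
    parser = FieldCollector()
    parser.feed(html)
    return parser.fields

def injected_fields(suspect_html, reference_html):
    """Controls present in the suspect copy but absent from the reference."""
    return sorted(collect_fields(suspect_html) - collect_fields(reference_html))

if __name__ == "__main__":
    for action, name, kind in injected_fields(SUSPECT_COPY, REFERENCE_COPY):
        print(f"extra field {name!r} (type={kind}) in form posting to {action}")
```

Running the same comparison again after cleanup should return an empty list if the browser really is back to normal.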
