My MS IE v6.0 browser has been hijacked

When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"

These fields don't appear when I use Mozilla Firefox v3.0

I've reported the problem to the respective banks.

Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack

Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?

On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquestions@yahoo.com wrote:

> When I visit www.bankofamerica.com, there is an additional field
> "Enter ATM card number:"
> When I visit www.wellsfargo.com, there is an additional field for "ATM
> PIN"
>
> These fields don't appear when I use Mozilla Firefox v3.0
>
> I've reported the problem to the respective banks.
>
> Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
>
> Can someone here help me identify who/what hijacked my IE 6 browser,
> and how I can find out which illegal IP address these 2 fields are
> being transmitted to?

1.Clear the (IE) temporary Internet files and the history cache.
Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
quotation marks) into the box, then click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...'button then place a checkmark into the box beside 'Also delete files
and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
marks into the box, then click the 'OK' button. Select your drive
(presumably WinXP (C:) and click OK.

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/supe...freevspro.html

After the software is updated, it is suggested scanning the system in Safe
Mode.

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...ols/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/i...hp?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://www.theeldergeek.com/forum/in...6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

5.Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

browserquestions@yahoo.com wrote:
> When I visit www.bankofamerica.com, there is an additional field
> "Enter ATM card number:"
> When I visit www.wellsfargo.com, there is an additional field for "ATM
> PIN"
>
> These fields don't appear when I use Mozilla Firefox v3.0
>
> I've reported the problem to the respective banks.
>
> Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
>
> Can someone here help me identify who/what hijacked my IE 6 browser,
> and how I can find out which illegal IP address these 2 fields are
> being transmitted to?

Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://pcbutts1.com/downloads/tools/tools.htm



--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




<browserquestions@yahoo.com> wrote in message
news:9cba4d36-b2aa-4e01-bc86-362965fa4c35@k1g2000prb.googlegroups.com...
> When I visit www.bankofamerica.com, there is an additional field
> "Enter ATM card number:"
> When I visit www.wellsfargo.com, there is an additional field for "ATM
> PIN"
>
> These fields don't appear when I use Mozilla Firefox v3.0
>
> I've reported the problem to the respective banks.
>
> Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
>
> Can someone here help me identify who/what hijacked my IE 6 browser,
> and how I can find out which illegal IP address these 2 fields are
> being transmitted to?

Ignore this MVP imposter!

For some background on this well-known thief, see David Lippman's posts in
this thread:
http://groups.google.com/group/micro...6904085932c872

Specifically
http://groups.google.com/group/micro...3247814fb4d61e
and
http://groups.google.com/group/micro...9fce884897662f
--
~Robear Dyer
MS MVP-IE, Mail, Security, Windows Desktop Experience
https://mvp.support.microsoft.com/de...ofile/robear.d

The Real Truth MVP wrote:
> Use my Remove-it software, it will remove that malware from your system.
> Choose yes for all options when prompted. Download it here
> XXX.pcbutthole.com/downloads/tools/tools.htm

browserquestions@yahoo.com wrote:
> When I visit www.bankofamerica.com, there is an additional field
> "Enter ATM card number:"
> When I visit www.wellsfargo.com, there is an additional field for "ATM
> PIN"
>
> These fields don't appear when I use Mozilla Firefox v3.0
>
> I've reported the problem to the respective banks.
>
> Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
>
> Can someone here help me identify who/what hijacked my IE 6 browser,
> and how I can find out which illegal IP address these 2 fields are
> being transmitted to?


If you use IE6 you deserve to have your legs cut off, not only hijacked.

Gaz

Kayman <kaymanDeleteThis@operamail.com> wrote in
news:gg35b6$nbi$1@news.motzarella.org:

> On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquestions@yahoo.com
> wrote:
>
>> When I visit www.bankofamerica.com, there is an additional field
>> "Enter ATM card number:"
>> When I visit www.wellsfargo.com, there is an additional field for
>> "ATM PIN"
>>
>> These fields don't appear when I use Mozilla Firefox v3.0
>>
>> I've reported the problem to the respective banks.
>>
>> Ad-Aware (free) , Spybot and Windows Defender don't detect this
>> hijack
>>
>> Can someone here help me identify who/what hijacked my IE 6 browser,
>> and how I can find out which illegal IP address these 2 fields are
>> being transmitted to?
> 3.Download/execute:
> Malwarebytes© Corporation - Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
> After the software is updated, it is suggested scanning the system in
> Safe Mode.

Malwarebytes actually performs better in Normal Mode. :)


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

On Sat, 22 Nov 2008 04:45:35 GMT, Dustin Cook wrote:

> Malwarebytes actually performs better in Normal Mode. :)

Thanks, I'll keep that in mind!

Kayman wrote:
>> Malwarebytes actually performs better in Normal Mode. :)
>
> Thanks, I'll keep that in mind!

You have one? <wink>

On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:

> Kayman wrote:
>>> Malwarebytes actually performs better in Normal Mode. :)
>>
>> Thanks, I'll keep that in mind!
>
> You have one? <wink>

Definitely.

Kayman wrote:
> On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:
>
>> Kayman wrote:
>>>> Malwarebytes actually performs better in Normal Mode. :)
>>>
>>> Thanks, I'll keep that in mind!
>>
>> You have one? <wink>
>
> Definitely.

If you want to be believed, you must immediately post a link to pictures
of what's inside your skull.

<ducks and runs>

--
Rhonda Lea Kirk Fries

"You know you can indict a ham sandwich if you want to."
William J. Martini, Judge, United States District Court

On Sun, 23 Nov 2008 02:05:03 -0600, Rhonda Lea Kirk Fries wrote:

> Kayman wrote:
>> On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:
>>
>>> Kayman wrote:
>>>>> Malwarebytes actually performs better in Normal Mode. :)
>>>>
>>>> Thanks, I'll keep that in mind!
>>>
>>> You have one? <wink>
>>
>> Definitely.
>
> If you want to be believed, you must immediately post a link to pictures
> of what's inside your skull.

Boasting is not my thing (refer to my signature :-))

On Nov 19, 11:58*pm, Kayman <kaymanDeleteT...@operamail.com> wrote:
> On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquesti...@yahoo.com wrote:
> > When I visitwww.bankofamerica.com, there is an additional field
> > "Enter ATM card number:"
> > When I visitwww.wellsfargo.com, there is an additional field for "ATM
> > PIN"
>
> > These fields don't appear when I use Mozilla Firefox v3.0
>
> > I've reported the problem to the respective banks.
>
> > Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
>
> > Can someone here help me identify who/what hijacked my IE 6 browser,
> > and how I can find out which illegal IP address these 2 fields are
> > being transmitted to?
>
> 1.Clear the (IE) temporary Internet files and the history cache.
> Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
> quotation marks) into the box, then click the 'OK' button.
> In Internet Properties panel 'General' tab, under 'Browsing history', click
> 'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
> all...'button then place a checkmark into the box beside 'Also delete files
> and settings stored by add-ons', Click 'Yes' and exit the Internet
> Properties panel by clicking the 'OK' button.
>
> 2.Clean HDD
> Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
> marks into the box, then click the 'OK' button. Select your drive
> (presumably WinXP (C:) and click OK.
>
> 3.Download/execute:
> Malwarebytes© Corporation - Anti-Malwarehttp://www.malwarebytes.org/mbam/program/mbam-setup.exe
> --and--
> SuperAntispyware - Freehttp://www.superantispyware.com/superantispywarefreevspro.html
>
> After the software is updated, it is suggested scanning the system in Safe
> Mode.
>
> 4.Download and execute HiJack This! (HJT)http://www.trendsecure.com/portal/en...ols/hijackthis
>
> Please, do not post HJT logs to this newsgroup.
> Fora where you can get expert advice for HiJack This! (HJT) logs.
>
> http://www.thespykiller.co.uk/index....d3289dd877ab75...
>
> NOTE:
> Registration is required in any of the above mentioned fora before posting
> a HJT log and read the 'stickies' (instructions/guidelines) for the
> respective HJT forum.
>
> 5.Routinely practice Safe-Hex.http://www.claymania.com/safe-hex.html
>
> Good luck :)

Thanks!

Malwarebytes found 6 backdoor bots and some infected files:
svchost.exe, twext.exe
that the other spyware tools missed.
My IE 6 browser is back to normal now.

From: <browserquestions@yahoo.com>



| Thanks!

| Malwarebytes found 6 backdoor bots and some infected files:
| svchost.exe, twext.exe
| that the other spyware tools missed.
| My IE 6 browser is back to normal now.

You had a Zbot infection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

browserquestions@yahoo.com wrote:
<snip>
> Malwarebytes found 6 backdoor bots and some infected files:
> svchost.exe, twext.exe
> that the other spyware tools missed.
> My IE 6 browser is back to normal now.

But is the computer free of any/all hijackware?