Browser Hijack Lmcn.dll.bho

[tubebuoy]

Got hijacked again!

I use Adaware, spybot, pest patrol and HiJackThis. None of these could remove this bastard! I eventualy traced it to a BHO ? named LMCN.dll in my systen 32 folder. Had to reboot in safe mode and use the startup "search" option to find and delete the F'r!

Hope this helps. And wtf is a "BHO" ?

}---:?

[~*McoreD*~]

Damn that sucks tubebuoy.

Browser Helper Objects (BHOs)

A lot of spyware and BHO's are written quickly and poorly. This can cause anything from incompatibility issues to corrupting important system functions making them not only a threat to your security but to your systems stability. The programmers of spyware applications obviously do not care about you or your system other than as a source of marketing information so they do not error check most of their products.

Some companies go out of their way to hide the presence of the spyware BHOs that they install. They go so far as to find ways around the most popular detection tools by changing their product regularly just enough to avoid detection until the next version of the detection software comes out.

To see what BHOs you have installed on your machine right now, You can install BHODemon from Definitive Solutions. BHODemon will tell you about any BHO installed and allows you to disable it and re-enable it if you wish.

http://www.spywareinfo.com/articles/bho/

[KingCobra]

Sorry to hear this. Good thing you have the knowledge to fix it. I'd hate to think what BestBuy or CompUSA would charge. Any idea how/where you got this pest?

[rikytik]

That program shows 7 bho's on this machine, but they are all related to programs I use: Adobe, SnagIt, Flashget, and Pest Petrol. Perhaps these are the icons that show up in IE, like shortcuts. They seem harmless and have been there for months on my 4 pc's.

I had some bizare problems lately that are browser related. My isp linked up with Yahoo and advised us clients to use their special "healing" and other helpful software for IE that added a bunch of marketing stuff for Yahoo as well as a pop up stopper and other things. Some of this conflicted with my Asus Probe monitor and Norton Personal Firewall, to such an extent I could not recover from serious problems at boot time. I ended up restoring an image I'd made before all this stuff and now everything is cool. No more of that rogers.yahoo crap on my machine.

[tubebuoy]

Quote:

Originally posted by KingCobra@Jul 24 2004, 01:20 AM
Any idea how/where you got this pest?

One handed surfing

}---

[war59312]

Easy way to fix.

BHO Demon 2.0

[tubebuoy]

Well, BHO Demon seems to 'block' these l'il basturds from running but doesn't remove them. As soon as you reboot they do their nasty business. This would be a GREAT app if it let you delete the buggers!

As it is, you still have to boot into safe mode and use the OS's 'search' prog to hunt them down and delete them.

}---

[DoG]

There is a utility called "HijackThis", here's the nfo and the web site

Code:

* HijackThis v1.97 *
Written by Merijn - merijn@spywareinfo.com
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/index.html

See below version history for short info on hijack sections.

* Version history *
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* O19 (user stylesheet) now only checks for known bad filenames
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95. 
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think). 
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function. 
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving. 
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list. 
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions. 
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

The different sections of hijacking possibilities have been separated into these groups: 
 R - Registry, StartPage/SearchPage changes
    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be
 F - IniFiles, autoloading entries
    F0 - Changed inifile value
    F1 - Created inifile value
 N - Netscape/Mozilla StartPage/SearchPage changes
    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla
 O - Other, several sections which represent:
    O1 - Hijack of auto.search.msn.com with Hosts file
    O2 - Enumeration of existing MSIE BHO's
    O3 - Enumeration of existing MSIE toolbars
    O4 - Enumeration of suspicious autoloading Registry entries
    O5 - Blocking of loading Internet Options in Control Panel
    O6 - Disabling of 'Internet Options' Main tab with Policies
    O7 - Disabling of Regedit with Policies
    O8 - Extra MSIE context menu items
    O9 - Extra 'Tools' menuitems and buttons
    O10 - Breaking of Internet access by New.Net or WebHancer
    O11 - Extra options in MSIE 'Advanced' settings tab
    O12 - MSIE plugins for file extensions or MIME types
    O13 - Hijack of default URL prefixes
    O14 - Changing of IERESET.INF
    O15 - Trusted Zone Autoadd
    O16 - Download Program Files item
    O17 - Domain hijack
    O18 - Enumeration of existing protocols
    O19 - User stylesheet hijack

You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.

EDIT: Damn, thats a BIG post :P

[KingCobra]

This thread would now be best in Internet Security section so as MOD of Chit Chat, I'll move it.

P.S. DoG, he already said he tried HijackThis it could not help him.

[war59312]

All of them commbined should take care of the problem. You would think, maybe not.