Posted 26 June 2004 - 01:54 PM

I read through CWS res:// hijacker INVESTIGATION THREAD, Home page hijacked? Popups? Read on... and tried some of the different solutions, such as

- Start the system in safe mode.
- Delete the appropriate DLL (mine was xothr.dll)
- Open HiJack This and get rid of anything that does not belong. How do you differentiate between what belongs and what does not? Google. LIUtilities.com lists most proper running processes and all essential running processes. Chances are that if it is not on the site, it should not be running on your computer (or if it is a really unknown peripheral, it is something you can afford to reinstall, it will not be an essential part of the OS).
- Change your startup page in IE back to normal.
- Run CWS Shredder just in case

Clearing temporary internet files, cookies, etc. is all optional, you never know where spyware might be hiding.

- Restart to normal mode.
- Check for the DLL again, if it reappears delete it.
- Run HiJack This again - there should be minimal changes from the spyware this time (I had only two registry entries changed).
- Open up IE and give it a go. After you open it up, check HiJack this for trails of the spyware if it's still around.

and have used all the forms of protection one can think of. I'm still running into problems. I have Browser Hijack Blaster telling me when my homepage or a BHO is being added (which is about every 30sec-1min). I can't get rid of it. I will post my HJT log if it helps, but it seems to be quite identical to the others that are up (of course random DLL followed by a random # string).

Posted 26 June 2004 - 02:09 PM

Sorry, I didn't see one of the stickies, but I have the right Ad-Aware (build 6.181 Ref File #01R324 22.06.2004 loaded). Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:59:10 AM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\3M\Post it\PsnLite.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cilay.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cilay.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cilay.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cilay.dll/sp.html#12802
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E10E215-8015-F27A-7FF8-C0C3C681C7D8} - C:\WINDOWS\system32\nethf.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [d3ui.exe] C:\WINDOWS\d3ui.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\Post it\PsnLite.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar 1\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.h...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD324464-74B1-461F-98B8-EA5BDE7873C6}: NameServer =

I can wait, I've been working at this for three days now, and nothing seems to work. Thank you guys so much for all the work you do.

I also think that this should all be compiled into one easy to read book, it could be called Spywarenomicon.
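The HijackThis triage step in the earlier post and the log above come down to one question: which entries belong to the hijacker? The script below is an added example, not part of the thread or of HijackThis; it runs three heuristics drawn from this log (an IE start/search page served from a res:// DLL outside Program Files, an unnamed BHO loaded from the Windows directory, and a Run entry launching a file sitting directly in the Windows root) over a constructed sample built from the posted lines.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.97 format, modelled on the log posted in the
# thread (paths copied from it). It is an illustration, not a real-world indicator list.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cilay.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cilay.dll/sp.html#12802
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E10E215-8015-F27A-7FF8-C0C3C681C7D8} - C:\WINDOWS\system32\nethf.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [d3ui.exe] C:\WINDOWS\d3ui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
# A file sitting directly in the Windows directory root, e.g. C:\WINDOWS\d3ui.exe (not System32).
WINROOT_FILE = re.compile(r"^[a-z]:\\(windows|winnt)\\[^\\]+\.(exe|dll)$", re.IGNORECASE)

def _exe_path(cmdline: str) -> str:
    """Return the executable path from an O4 command line, whether quoted or not."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]

def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag HijackThis lines that match the CWS res:// hijack patterns seen in the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            dll = RES_DLL.search(m.group(3))
            # Toolbars legitimately serve res:// pages from DLLs under Program Files (see the O8 line);
            # a start/search page served from a DLL dropped in the Windows directory is the hijack.
            if dll and "program files" not in dll.group(1).lower():
                findings.append({"code": m.group(1), "item": dll.group(1), "reason": "IE page setting served from a res:// DLL outside Program Files"})
        elif m := O2_LINE.match(line):
            if m.group(1) == "(no name)" and "\\windows\\" in m.group(3).lower():
                findings.append({"code": "O2", "item": m.group(3), "reason": "unnamed BHO loaded from the Windows directory"})
        elif m := O4_LINE.match(line):
            path = _exe_path(m.group(3))
            if WINROOT_FILE.match(path):
                findings.append({"code": "O4", "item": path, "reason": "Run entry launches a file dropped in the Windows root"})
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two res:// page entries, the nethf.dll BHO and the d3ui.exe Run entry while leaving the Adobe, Intel, Real and Google lines alone.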


Posted 26 June 2004 - 02:16 PM

I have been up and down every road also but finally fixed my computer simply by doing a system restore to the day before I got the bug. It was so simple and fast, takes about a minute and then everything is gone. Just go to Accessories, System Tools, System Restore. I don't know why everyone seems to overlook this option, but it saved my ass.

Posted 26 June 2004 - 02:36 PM

I tried doing a System Restore and the only point it would let me restore to was today at 12:30 PST. So no go on that, but truly, thanks for the advice.


Also, I know it's supposed to help me, but I think I want to disable my Browser Hijack Blaster due to the fact that it pops up more often than the dumb virus does.


