• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0

following instructions

4 posts in this topic

I read through CWS res:// hijacker INVESTIGATION THREAD, Home page hijacked? Popups? Read on.. Tried some of the different solutions such as

- Start the system in safe mode.

- Delete the appropriate DLL (mine was xothr.dll)

- Open HiJack This and get rid of anything that does not belong. How do you differentiate between what belongs and what does not? Google. LIUtilities.com lists most proper running processes and all essential running processes. Chances are that if it is not on the site, it should not be running on your computer (or if it is a really unknown peripheral, it is something you can afford to reinstall, it will not be an essential part of the OS).

- Change your startup page in IE back to normal.

- Run CWS Shredder just in case


Clearing temporary internet files, cookies, etc. is all optional, you never know where spyware might be hiding.


- Restart to normal mode.

- Check for the DLL again, if it reappears delete it.

- Run HiJack This again - there should be minimal changes from the spyware this time (I had only two registry entries changed).

- Open up IE and give it a go. After you open it up, check HiJack this for trails of the spyware if it's still around.

and have used all the forms of protection one can think of. I'm still running into problems. I have Browser Hijack Blaster telling me when my homepage or a BHO is being added (which is about every 30sec-1min). I can't get rid of it. I will post my HJT log if it helps, but it seems to be quite identical to the others that are up (of course random DLL followed by a random # string). Edited by awygle

Share this post

Link to post
Share on other sites

Sorry, I didn't see one of the stickies. but I have the right ad-aware (build 6.181 Ref File #01R324 22.06.2004 loaded) here's my HJT log

Logfile of HijackThis v1.97.7

Scan saved at 11:59:10 AM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
















C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe


C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe


C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\3M\Post it\PsnLite.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE


C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\America Online 9.0b\waol.exe

C:\Program Files\America Online 9.0b\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE


C:\Program Files\Browser Hijack Blaster\bhblaster.exe

C:\Program Files\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cilay.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cilay.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cilay.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cilay.dll/sp.html#12802

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E10E215-8015-F27A-7FF8-C0C3C681C7D8} - C:\WINDOWS\system32\nethf.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe


O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [d3ui.exe] C:\WINDOWS\d3ui.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: Microsoft Office Outlook 2003.lnk = ?

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\Post it\PsnLite.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar 1\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD324464-74B1-461F-98B8-EA5BDE7873C6}: NameServer =

i can wait, i've been working at this for three days now, and nothing seems to work. Thank you guys so much for all the work you do.


I also think that this should all be compiled into one easy to read book, it could be called Spywarenomicon.



Share this post

Link to post
Share on other sites

I have been up and down every road also but finally fixed my computer simply by doing a system restore to the day before i got the bug. It was so simple and fast, takes about a minute and then everything is gone. Just go to accessories, system tools, system restore. I don't know why everyone seems to overlook this option, but it saved my ass.

Share this post

Link to post
Share on other sites

I tried doing a System restore and the point it would let me restore to was today at 12:30 PST. So no go on that, but truely, thanks for the advice.




Also, I know it's supposed to help me, but i think i want to disable my Browser Hijack Blaster due to the fact that it pops up more often then the dumb virus does.



Edited by awygle

Share this post

Link to post
Share on other sites
Sign in to follow this  
Followers 0