westonm

Can't Rid Myself of this

7 posts in this topic

I have been battling a hijack for about 4 or 5 days now and am not getting anywhere. I have run SpyBot and Adware Spy multiple times and always end up with the same thing - I fix the problems I find but they just return when I re-open IE. The first time I re-open IE it will go to blank but when I close it and re-open again it is back at the hijacked site. The site takes on several different names, the latest is cxdef.dll/index.html#96676 . The first part, the dll file name will change through several different names but the 96676 is always there. I have followed to the best of my abilities all of the instructions but am getting nowhere. I don't know if this is related, but about when this started, I started getting Microsoft Internet Explorer Error Reporting Tool box come up when I open IE. When I click either don't send or send error report, IE closes. If I leave it on the screen I can use the browser but the box just gets in the way. When I close and come back into IE I have been hijacked again.

 

Thanks for any help that you may be able to provide, you guys are providing a very valuable service and I certainly appreciate all that you do.

 

The log file is as follows -

 

Logfile of HijackThis v1.97.7

Scan saved at 1:25:49 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\javasl.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\WINDOWS\sysbp.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxdef.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxdef.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cxdef.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINDOWS\system32\javasl.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Hello westonm,

 

Please download About:Buster by RubbeR DuckY from

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then unzip it to your desktop. Do not run it yet.

Print these directions or paste them into a text document, as you will be running with your Internet Explorer closed.

 

Restarting Internet Explorer may cause a reinfection.

 

Please Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

 

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe

O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINDOWS\system32\javasl.exe

 

 

Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

 

 

Now startup About:Buster.

 

Hit ok on the first prompt

Then hit start.

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report.


Followed instructions - had one incident where ZoneAlarm indicated a program was trying to access the internet while About:Buster was running. Everything seemed to complete ok but unfortunately I still have the same problem. The current log from HijackThis is as follows.

 

Logfile of HijackThis v1.97.7

Scan saved at 7:02:39 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\javasl.exe

C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\WINDOWS\sysbp.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cikvo.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cikvo.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cikvo.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cikvo.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cikvo.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cikvo.dll/sp.html#96676

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Ok, let's try to do it in Safe Mode.

Tap F8 while restarting to get into Safe Mode, then

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

 

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe

 

Then, Close all open Windows, only have HJT open, and click "Fix Checked".

 

 

Now startup About:Buster.

 

Hit ok on the first prompt

Then hit start.

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report.


You will never know how much I appreciate this - I think it worked. I have been able to open IE multiple times and haven't gotten the other sites, my home page has remained my home page. I am amazed that I posted yesterday, and today I am on page 17 of the posts - that is an incredible amount of posts from people having the same or similar problems that I had. I am attaching the (hopefully) last HijackThis log file - and thanks again.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:34:04 PM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\hijack this\HijackThis.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


You're welcome westonm!

 

You should be fine now.

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Check for updates occasionally.

 

And also see, So how did I get infected in the first place?


Good luck, and thanks for coming to our forums for help with your security and malware issues.

 

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

 

Everyone else having a similar issue, please launch a new topic for yourselves.

This topic is now closed to further replies.
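
An added example, not part of the original thread: a small Python sketch that parses HijackThis entry lines, flags R0/R1 Internet Explorer page settings that point at a `res://` page inside a DLL, and diffs two logs to confirm what a fix removed. The function names are illustrative assumptions, and the sample logs are a few lines copied from the three logs posted above; it shows that the DLL name rotates between scans while the `#96676` tag stays constant.

```python
import ntpath
import re

# Constructed samples: a few entry lines copied from the three logs in this thread.
LOG_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxdef.dll/index.html#96676
O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll
O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe
"""
LOG_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cikvo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cikvo.dll/index.html#96676
O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe
"""
LOG_3 = r"""
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RES_URL = re.compile(r"res://([^/]+\.dll)/[^#\s]+(?:#(\d+))?", re.IGNORECASE)

def parse(log):
    """Return the set of (section code, body) pairs for every entry line in a log."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return {(m.group(1), m.group(2)) for m in matches if m}

def res_hijacks(log):
    """R0/R1 (IE start/search page) entries that load a page out of a DLL resource."""
    hits = set()
    for code, body in parse(log):
        m = RES_URL.search(body)
        if code in ("R0", "R1") and m:
            hits.add((ntpath.basename(m.group(1)).lower(), m.group(2)))
    return hits

def dll_names_by_tag(logs):
    """Group DLL names by the '#' tag to show which part of the indicator is stable."""
    by_tag = {}
    for log in logs:
        for dll, tag in res_hijacks(log):
            by_tag.setdefault(tag, set()).add(dll)
    return {tag: sorted(names) for tag, names in by_tag.items()}

def removed(before, after):
    """Entries present in the earlier log and gone from the later one."""
    return sorted(parse(before) - parse(after))
```

Calling `removed(LOG_2, LOG_3)` lists the BHO, the `sysbp.exe` Run entry and the two `res://` page settings, which is the check the helper asked for by requesting a fresh log after the fix.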