liorajane

i believe i've been hijacked.

9 posts in this topic

hi! i'm pretty sure my internet explorer has been hijacked. the page my internet usually opens to is dellnet.msn.com. but now it opens to a page with this address: res://mshp.dll/index.html#37049. i change the address back to normal, but as soon as i reboot my computer it returns to the same page.

 

i have spybot s&d and run it each time i start up the computer. i fix the checked problems, but the same three always reappear after i reboot: DSO Exploit, CoolWWWSearch.008k and CoolWWWSearch.mshp.

 

i ran hijackthis, and this is the log i received:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:18:30 PM, on 6/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msld\mssearch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8013.7233680556

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

any help? :)

Edited by liorajane


ack. a couple of things have changed. spybot is still detecting DSO Exploit, CoolWWWSearch.008k and CoolWWWSearch.mshp on every scan after the computer reboots. but now the hijacked homepage my internet opens to is not always the same. it sometimes opens to ZY Search (http://69.31.87.248:81/cgi-bin/index.cgi?c=0). is it just a variant of the hijacked homepage i had before? because it still goes away when i "fix" the three aforementioned problems with spybot, until i reboot.

 

i'm also getting three or four porn websites added to my favorites, which return when i delete them and reboot.

 

i ran hijackthis again and these are the only new additions to the last log:

 

C:\My Programs\Spybot\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Michele\Application Data\syscf\syscf.dll

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Michele\Application Data\syscf\mfcta.dll

 

i can also post the entire log over again if you'd like!

 

also, bumping. wow. ;D lots of people certainly do post here.

Edited by liorajane


bumping again, as it's been twelve days. just a note; i used hijackthis to delete all these:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

 

but they still return when i reboot. also, if i delete these before i run spybot, one of the two coolwebsearch entries no longer appears in the spybot scan. the other coolwebsearch entry and DSO Exploit still appear.

 

also, when i am browsing the internet certain words are underlined as hyperlinks. these words include books, computer, ice, etc. when i mouseover these links, i learn they are linked to "goto:..." and whatever the underlined word is. any help?

Edited by liorajane
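
Added example (not part of the thread, and not HijackThis's own code): the R0/R1 lines quoted in the post above all point an Internet Explorer page setting at a res:// resource inside a DLL, and the poster reports that they come back after every reboot. The sketch below parses such lines and lists the res:// page settings that appear unchanged in two scans; the function names and the two sample scans are assumptions constructed from lines in this thread.

```python
import re

# HijackThis R0-R3 lines have the shape:
#   <code> - <hive>\<key path>,<value name> = <data>
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM))\\(.+?),([^=]+?) = (.*)$")
# Value names that appear in the log posted in this thread.
PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}

# Constructed input: lines copied from the logs in this thread, arranged as
# one scan taken before fixing and one taken after a reboot.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
SCAN_AFTER = SCAN_BEFORE  # the poster reports the same entries after reboot


def parse_r_entries(log_text):
    """Return {(hive, value_name): data} for IE page settings in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m and m.group(4).strip() in PAGE_VALUES:
            entries[(m.group(2), m.group(4).strip())] = m.group(5).strip()
    return entries


def dll_resource_pages(entries):
    """Keep only settings whose page is loaded from a DLL via res://."""
    return {k: v for k, v in entries.items() if v.lower().startswith("res://")}


def returned_after_fix(before, after):
    """res:// page settings present with identical data in both scans."""
    b = dll_resource_pages(parse_r_entries(before))
    a = dll_resource_pages(parse_r_entries(after))
    return sorted(k for k in b if a.get(k) == b[k])


if __name__ == "__main__":
    for hive, name in returned_after_fix(SCAN_BEFORE, SCAN_AFTER):
        print(f"{hive} {name}: res:// page setting returned after reboot")
```

A setting that reappears with identical data after being removed indicates that something still running at startup is rewriting it, so the remaining startup and BHO entries in the log are where to look next.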


bumping, since it's been a month now. and more updates. do i need to post my hijackthis log again?

 

i have run hijackthis, spybot search & destroy, ad-aware and cwsshredder and my hijacked homepage keeps coming back, amongst all the other problems.

 

i'm not sure if this is anything like the about:blank problem? should i use the about:buster?

 

well, i used the analyze your own hijack this log and deleted all the home page and search page settings i usually delete after each reboot. i also deleted one of the two BHO entries in my log. this entry has not returned after i reboot.

 

i still delete all the home page and search page settings in hijackthis and dso exploit in spybot every time i reboot—the coolwebsearch entries in spybot no longer appear and i believe it had something to do with deleting that BHO entry. however, the fix does not even last until my next reboot. the hijacked homepage, dso exploit and all my deleted home and search page settings return fairly soon after i have deleted them. a popup warning me that my computer is infected with spyware appears every time i open internet explorer to the hijacked homepage.

 

the porn site links no longer appear in my favorites when i reboot. perhaps that was linked to the deleted BHO.

 

i also still have the goto linking problem. that thing that links random words like ice, books and computer.

 

and something else, now. sometimes, i cannot use the new search engine on www.msn.com without internet explorer freezing. does that smell like more malware?

 

can anyone help me yet? please? :wtf:

Edited by liorajane


I believe the policy is that your Hijackthis log will be viewed when you get a response from the team and they request you to post your log. If I read correctly, your log has to be requested and not just posted at will. Unless another member or visitor helps you. Hope you get your problem solved.

I believe the policy is that your Hijackthis log will be viewed when you get a response from the team and they request you to post your log. If I read correctly, your log has to be requested and not just posted at will. Unless another member or visitor helps you. Hope you get your problem solved.

it says to post your log first, if possible in the "i've been hijacked thread".

 

To save time and get a faster response:

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log in a new thread for analysis.


well, i've muddled this thread by bumping so much, have tried so many unsuccessful fixes and encountered plenty of new problems, so i think i'd be better off just posting a new thread with my hijackthis log, a list of what's wrong and a list of what i've done. and i won't bump this time. ;D

 

very sorry for the confusion, but i think a new thread will help. please ignore this one!

Edited by liorajane
