i believe i've been hijacked.


8 replies to this topic

#1 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 09 June 2004 - 05:30 PM

hi! i'm pretty sure my internet explorer has been hijacked. the page my internet usually opens to is dellnet.msn.com. but now it opens to a page with this address: res://mshp.dll/index.html#37049. i change the address back to normal, but as soon as i reboot my computer it returns to the same page.

i have spybot s&d and run it each time i start up the computer. i fix the checked problems, but the same three always reappear after i reboot: DSO Exploit, CoolWWWSearch.008k and CoolWWWSearch.mshp.

i ran hijackthis, and this is the log i received:

Logfile of HijackThis v1.97.7
Scan saved at 4:18:30 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msld\mssearch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8013.7233680556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


any help? :)

Edited by liorajane, 09 June 2004 - 06:20 PM.


#2 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 09 June 2004 - 06:45 PM

sorry! just bumping. :)

Edited by liorajane, 13 June 2004 - 10:32 AM.


#3 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 11 June 2004 - 09:40 PM

ack. a couple of things have changed. spybot is still detecting DSO Exploit, CoolWWWSearch.008k and CoolWWWSearch.mshp on every scan after the computer reboots. but now the hijacked homepage my internet opens to is not always the same. it sometimes opens to ZY Search (http://69.31.87.248:...n/index.cgi?c=0). is it just a variant of the hijacked homepage i had before? because it still goes away when i "fix" the three aforementioned problems with spybot, until i reboot.

i'm also getting three or four porn websites added to my favorites, which return when i delete them and reboot.

i ran hijackthis again and these are the only new additions to the last log:

C:\My Programs\Spybot\SpybotSD.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Michele\Application Data\syscf\syscf.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Michele\Application Data\syscf\mfcta.dll

i can also post the entire log over again if you'd like!

also, bumping. wow. ;D lots of people certainly do post here.

Edited by liorajane, 12 June 2004 - 12:23 PM.


#4 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 15 June 2004 - 05:17 PM

bumping again, on the sixth day. wow! this place is busy!

Edited by liorajane, 15 June 2004 - 05:18 PM.


#5 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 23 June 2004 - 06:43 PM

bumping again, as it's been twelve days. just a note; i used hijackthis to delete all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049


but they still return when i reboot. also, if i delete these before i run spybot, one of the two coolwebsearch entries no longer appears in the spybot scan. the other coolwebsearch entry and DSO Exploit still appear.

also, when i am browsing the internet certain words are underlined as hyperlinks. these words include books, computer, ice, etc. when i mouseover these links, i learn they are linked to "goto:..." and whatever the underlined word is. any help?

Edited by liorajane, 23 June 2004 - 06:53 PM.
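
An added example, not part of the original thread: a small Python triage script that parses the R0/R1 lines of a HijackThis log like the ones posted above, lists which Internet Explorer settings point at a `res://` page and which module each names, and checks which entries from a scan taken before a fix are present again in a scan taken after a reboot. The function names are hypothetical, and the sample input is constructed from the log lines quoted in the thread.

```python
import re

# Constructed sample: R0/R1 lines as posted in the thread, plus one O4 line
# to show that non-R entries are skipped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# "R0 - HIVE\key path,Value name = data"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\([^,]+),([^=]+?) = (.*)$")
# res://<module>/<resource>: a page served from inside a local DLL or EXE
RES_URL = re.compile(r"^res://([^/]+)/", re.IGNORECASE)

def parse_r_entries(log_text):
    """Return (code, hive, key, value_name, data) for each R0-R3 line."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def res_modules(entries):
    """Map each res:// module name to the hive/value pairs that point at it."""
    found = {}
    for _code, hive, _key, name, data in entries:
        m = RES_URL.match(data)
        if m:
            found.setdefault(m.group(1).lower(), []).append(f"{hive}:{name}")
    return found

def came_back(before_fix, after_reboot):
    """Entries in the post-reboot scan that were also in the pre-fix scan."""
    seen = set(before_fix)
    return [e for e in after_reboot if e in seen]

if __name__ == "__main__":
    entries = parse_r_entries(SAMPLE_LOG)
    for module, targets in res_modules(entries).items():
        print(module, "->", ", ".join(targets))
    # Treat the same log as the post-reboot scan to show the recurrence check.
    print(len(came_back(entries, entries)), "entries returned after reboot")
```

Entries that `came_back` reports after every reboot indicate that something still running at startup is rewriting the values, so the registry fix alone will not hold.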


#6 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 10 July 2004 - 07:49 PM

bumping, since it's been a month now. and more updates. do i need to post my hijackthis log again?

i have run hijackthis, spybot search & destroy, ad-aware and cwsshredder and my hijacked homepage keeps coming back, amongst all the other problems.

i'm not sure if this is anything like the about:blank problem? should i use the about:buster?

well, i used the analyze your own hijack this log and deleted all the home page and search page settings i usually delete after each reboot. i also deleted one of the two BHO entries in my log. this entry has not returned after i reboot.

i still delete all the home page and search page settings in hijackthis and dso exploit in spybot every time i reboot—the coolwebsearch entries in spybot no longer appear and i believe it had something to do with deleting that BHO entry. however, the fix does not even last until my next reboot. the hijacked homepage, dso exploit and all my deleted home and search page settings return fairly soon after i have deleted them. a popup warning me that my computer is infected with spyware appears every time i open internet explorer to the hijacked homepage.

the porn site links no longer appear in my favorites when i reboot. perhaps that was linked to the deleted BHO.

i also still have the goto linking problem. that thing that links random words like ice, books and computer.

and something else, now. sometimes, i cannot use the new search engine on www.msn.com without internet explorer freezing. does that smell like more malware?

can anyone help me yet? please? :wtf:

Edited by liorajane, 10 July 2004 - 08:34 PM.


#7 colum

colum

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 10 July 2004 - 09:09 PM

I believe the policy is that your Hijackthis log will be viewed when you get a response from the team and they request you to post your log. If I read correctly, your log has to be requested and not just posted at will. Unless another member or visitor helps you. Hope you get your problem solved.

#8 CryptoniX

CryptoniX

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 10 July 2004 - 09:18 PM

I believe the policy is that your Hijackthis log will be viewed when you get a response from the team and they request you to post your log. If I read correctly, your log has to be requested and not just posted at will. Unless another member or visitor helps you. Hope you get your problem solved.

it says to post your log first, if possible in the "i've been hijacked thread".

To save time and get a faster response:
Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log in a new thread for analysis.

#9 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 12 July 2004 - 01:31 PM

well, i've muddled this thread by bumping so much, have tried so many unsuccessful fixes and encountered plenty of new problems, so i think i'd be better off just posting a new thread with my hijackthis log, a list of what's wrong and a list of what i've done. and i won't bump this time. ;D

very sorry for the confusion, but i think a new thread will help. please ignore this one!

Edited by liorajane, 13 July 2004 - 12:52 PM.




