#1
Greetings all,
I'd like to report what appears to be a new hijacker. Enclosed is a letter I sent to Patrick Kolla of Spybot S&D:

Greetings!

I have no idea how this application hijacked my homepage, since I have been using your service, as well as Spyware Blaster and have my Internet Settings set against such activity from Spybot, however somewhere along the line, my homepage was hijacked and favorite files were added. It reset my homepage, and added a plethora of cookies all while Pop-Up Stopper Professional and Companion were beeping in a frenzy!

Please investigate findthewebsiteyouneed apparently located at hxxp://www.findthewebsiteyouneed.com (have your full protective garments adorned)!!

Thank you for the great service!

Jeff

Disabled link
__________________
The Fortress: Norton Anti-Virus 2003 Zone Labs Zone Alarm Javacool Spyware Guard 2.2 Javacool Spyware Blaster 3.1 PepiMK Spybot Search & Destroy 1.3
#2
Hi OnthePike,
Could you post your HijackThis log?

Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.

Don't fix anything yet. Most of what it finds is harmless.

Regards, Pieter
__________________
Regards, Pieter

It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
#3
Gee, I'm sorry. I already deleted/removed/repaired any and all visible traces of the parasite. I suppose I could have missed something.. but I'm not sure exactly where to look.
At any rate, here are the results you requested:

----------------------------------------------------------------

Logfile of HijackThis v1.95.0
Scan saved at 10:42:00 AM, on 7/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Documents and Settings\JRL\Start Menu\Programs\Power Menu\Power Menu.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JRL\Start Menu\Programs\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.optonline.net"); (C:\Documents and Settings\JRL\Application Data\Mozilla\Profiles\default\sln3lfq9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%207%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JRL\Application Data\Mozilla\Profiles\default\sln3lfq9.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WSFTP\wsbho2k0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [StartupCleaner] C:\Program Files\CM Data Software\CM DiskCleaner\StartupCleaner.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Restore Point.lnk = C:\unzipped\SysRestorePoint[1]\SysRestorePoint.exe
O4 - Startup: Hyper Snap.lnk = C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
O4 - Startup: Power Menu.lnk = C:\Documents and Settings\JRL\Start Menu\Programs\Power Menu\Power Menu.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Page Analysis (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer (HKCU)
O9 - Extra button: HTML Detective (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37803.4305324074
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab

----------------------------------------------------------------

I hope this information was helpful?

Jeff
#4
Hi OnThePike,
Looks like you did a good job at cleaning up.

This is one I'd discard:

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=

and this one if you didn't install it willingly:

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

If you don't use IE Booster anymore, these can go as well:

O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective (HKCU)

Regards, Pieter
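The triage in posts #3 and #4 can be repeated mechanically. The following is an added example, not part of the thread and not code from HijackThis: a small Python parser that splits a HijackThis log, even one pasted as a single run of text, back into entries, labels each with its section, and lists the download host of every O16 entry. The function names and section summaries are this example's own, and the sample is a constructed excerpt of the log in post #3.

```python
import re
from urllib.parse import urlparse

# Short descriptions of the section codes seen in this thread's log
# (summaries written for this example, not HijackThis output).
SECTIONS = {"N3": "Netscape/Mozilla start or search page", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart (Run key / Startup folder)",
            "O6": "IE options restricted by policy", "O8": "IE context menu item",
            "O9": "IE button / Tools menu item", "O12": "IE plugin",
            "O16": "ActiveX object (Downloaded Program Files)"}

# An entry begins with a code such as "O4 - " at the start or after whitespace.
ENTRY_START = re.compile(r"(?:^|(?<=\s))([NRFO]\d{1,2}) - ")
DPF = re.compile(r"DPF: (\{[^}]+\}).* - (\S+)$")

def parse_entries(text):
    """Split a log, even one flattened onto one line, into (code, detail) pairs."""
    starts = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entries.append((m.group(1), " ".join(text[m.end():end].split())))
    return entries

def dpf_sources(entries):
    """For O16 entries, return (CLSID, download host) so each origin can be reviewed."""
    out = []
    for code, detail in entries:
        m = DPF.search(detail) if code == "O16" else None
        if m:
            out.append((m.group(1), urlparse(m.group(2)).hostname))
    return out

def review_list(entries, keyword):
    """Entries mentioning keyword (case-insensitive), labelled with their section."""
    kw = keyword.lower()
    return [f"{c} [{SECTIONS.get(c, 'unknown')}] {d}" for c, d in entries if kw in d.lower()]

# Constructed sample: a few entries copied from the log in post #3, flattened.
SAMPLE = (
    r"Running processes: C:\WINDOWS\Explorer.EXE "
    r"O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1 "
    r"O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb "
    r"O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND= "
    r"O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab")

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(*review_list(parsed, "weather"), dpf_sources(parsed), sep="\n")
```

Text after the last entry (a sign-off, for instance) is attached to that entry, so trim the paste to the log itself before parsing.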
#5
Hi Pieter Arntz,
I'm still toying with IE Booster, so I'll let those RE's stick around for a while. As far as the Weather Bug is concerned, I use that daily -- would removing that entry inhibit the performance of the program? I did tweak around with a "previous" version in a vain attempt to replace the advertising with my own images -- hence the need for "replacement" ;-)

In any event, this "FindTheWebsiteYouNeed" parasite took me completely by surprise (especially with SpyBot and Spyware Blaster in use)!! I wasted no time in tracking down and deleting the residue. I then contacted Patrick Kolla and left a message on this forum.

So.. I just downloaded Spyware Guard to supplement!

Thanks again for the great products!

Jeff
#6
Hi OnThePike,
This one comes recommended as an alternative for WeatherBug: http://www.serence.com/site.php

Regards, Pieter