Good afternoon, I am new to this site and not sure where to post this. From reading some of your forum, I think I have picked up what I think you would describe as a hijacker on my browser. I downloaded "Hijackthis" according to instructions in your forum and removed everything which had "hotwebsearch" on it. This seemed to get rid of most of it. However, I still have elements of it loading with my browser in the form of advertising associated with it and advertising which describes how to pay for and download software to get rid of it. According to advice I saw on Hijackthis, it was suggested I copy the log that is produced by this program and send it to experts who could assist me in getting rid of what I need to. From what I have seen in your forum, I believe this is you? I have attached the Hijackthis logfile in hopes that you can assist. Any help would be greatly appreciated. Rob9
Hi rob9, Welcome at Wilders. Before you fix anything would you mind terribly sending me these two files:

C:\WINDOWS\SYSTEM\PGGLRTTW.DLL
C:\WINDOWS\SYSTEM\CTADL1.DLL

You can use the email address in my profile. I'd like to have a closer look.

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - C:\WINDOWS\WINDOWSIE.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {89D39860-C403-11D6-BE9B-0050BA7204DE} - C:\WINDOWS\SYSTEM\MO030414S.DLL
O2 - BHO: (no name) - {A390DD21-77CD-11D7-BE9B-0050BA7204DE} - C:\WINDOWS\SYSTEM\PGGLRTTW.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM\CTADL1.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.harddial.com/dialers/cmb_220055.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014489.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} (ctadlctrl Class) - http://66.51.29.59/ctadl.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/v3/download/hdplugin1014_hd3ptdmgainads.cab

Then reboot and delete:

C:\WINDOWS\SENTRY.exe

Then download Spybot - Search & Destroy. After installing, first press Online, and search for, put a check mark at, and install all updates. Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.
Or, download Ad-Aware at lavasoft.usa.com
After installing AAW, and before running the program, update by using the Globe icon. Shut down and restart Ad-Aware. Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives. It will find a number of "bad" files and registry keys. Click 'Next' again. Right-click in that pane and choose "select all" and click 'next'. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot.
Regards, Pieter
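Added example, not part of the thread and not HijackThis's own code: a small Python parser for the O2/O3/O4/O16 entry formats quoted in the post above, which pulls out the CLSID and the file or download URL and attaches review hints. The sample lines are copied from that post; the hint wording and the two O16 heuristics are assumptions made for this illustration, not verdicts from HijackThis.

```python
import re
from urllib.parse import urlparse

# Sample entries copied from the log lines quoted in the post above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - C:\WINDOWS\WINDOWSIE.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014489.exe
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/v3/download/hdplugin1014_hd3ptdmgainads.cab
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entry(line):
    """Split one HijackThis line into section, CLSID, target and review hints."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header lines, process list, blank lines
    section, body = m.groups()
    clsid = CLSID.search(body)
    # The file path or download URL is the last " - " field; O4 Run entries
    # have no such separator, so take the text after "[name] " instead.
    target = body.rsplit(" - ", 1)[-1] if " - " in body else body.split("] ", 1)[-1]
    notes = []
    if section == "O2" and "(no name)" in body:
        notes.append("unnamed BHO")  # hint only: the DLL registered no display name
    if section == "O16":
        url = urlparse(target)
        if IPV4_HOST.match(url.hostname or ""):
            notes.append("download from bare IP")
        if url.path.lower().endswith(".exe"):
            notes.append("direct .exe download")
    return {"section": section, "clsid": clsid.group(0) if clsid else None,
            "target": target, "notes": notes}


def triage(log_text):
    """Parse every recognised entry in a log, skipping all other lines."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["section"], e["clsid"], e["target"], e["notes"])
```

An empty hint list does not mean an entry is benign; the hints only order the entries for manual review.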
Thank you for the files rob9. C:\WINDOWS\SYSTEM\PGGLRTTW.DLL = http://www.doxdesk.com/parasite/WurldMedia.html I may need professional help to analyze the other one. I will keep you posted. Regards, Pieter
Hi Pieter, Thanks for all your very speedy replies. I will await further word from you on that file before I attempt any of the actions you describe above. Many thanks again. from a somewhat slower, rob9
Hi rob9, You can follow my advice. Skip fixing this one for the time being:

O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM\CTADL1.DLL

It seems to have a lot of modem-commands in it, but I am not qualified to determine whether they have good or bad intentions. Regards, Pieter
Hi Pieter, Wow! That was super! I followed your instructions exactly including not removing the 1 item you said I should leave until you get back to me on the second file. Not only has complete control of my browser been returned to me with my home page intact but, (and I'm not sure if it's my imagination) the overall performance of my computer seems better and faster. To quote another satisfied customer in this same forum who had similar problems to mine, "You are very smart!" I have just 2 remaining questions:
1] Before I installed and used SpyBot, I deleted SpyBlaster because I read in its instructions that it will not work with other spy software. Will it work with SpyBot and can I use both of them on my computer or do I need to?
2] After you examined one of my files you sent me to this site: http://www.doxdesk.com/parasite/WurldMedia.html Do I need to follow any of its recommendations re. file deletion or did your instructions already do that?
many thanks again from a somewhat faster and more efficient, rob9
Hi rob9,
1. You must have been misinformed. Spybot S&D actually recommends using SpywareBlaster in its Immunize section.
2. We already took care of that using HijackThis.
One extra: Could you please download BHODemon and use it to disable the CTADL1.DLL BHO. One of the knowledgeable people that examined the file thinks it might be related to ezSearch, which is a click-through portal. Let me know if you notice anything different after doing so. Regards, Pieter
Good morning Pieter, I installed and ran BHODemon as you instructed and these are the 4 BHOs which it found on my machine:

?0 BROWSERHELPER.DLL {AB77A7BF-8C5B-486A-B547-F9AD2B41A904}
?1 ACROIEHELPER.DLL {06849E-C8D7-4D59-B87D-784B7D6BE0B3}
?2 CTPP1.DLL {4B021269-DD24-48B2-96B4-DA121E9C0502}
?3 CTAP3.DLL {DB0018A2-F7D9-4B71-9651-640143DF23F9}

I hope I have all that right but as you can see there is no "CTADL1.DLL BHO" or did I mess something up? still from the green side of the grass, rob9
The AcroieHelper is the only legit one you had in the log you first posted. Please disable the rest with BHODemon and could you post a new HijackThis log please? Regards, Pieter (Not as smart as you think)
Thanks again for your quick advice Pieter, Using BHODemon I disabled the 3 files you suggested and left ACROIEHELPER unfettered. Then I produced the attached log using HijackThis. still a big fan, rob9 (I have absolutely no complaints!)
Interesting. Could you mail me copies of these as well:

C:\WINDOWS\SYSTEM\CTPP1.DLL
C:\WINDOWS\SYSTEM\CTAP3.DLL

Any idea where that Evernet BHO came from? I found this: http://www.internetacceleration.com/vendor_profiles/EverNet.html Don't know if that means anything to you. Regards, Pieter
Hi Pieter, I tried sending those 2 files by the attachment mechanism below and then I remembered (some describe me as being a little forgetful) what you had advised earlier about sending them to your profile email. So I did and it appeared to work. EVERNET is a program which appears in my program list when I press the START button in the lower left hand corner of my screen. My operating system is 98SE. EVERNET has a little > beside it which leads to EVERNET INFO. When I press that my browser tries to take me to a site which will not load "This page cannot be ..." I thought EVERNET had something to do with "sympatico.ca" which is BELL - the phone company in ON, Canada. They are the people who installed my hi-speed modem and the service which goes with it and they take my money each month. I think you would call them "my server". I called them and spoke with a technician who knew nothing about EVERNET and thought it and everything associated with it could be removed from my system with no problems. He was "fairly sure" of that. I feel like I have taken a lot of words to say very little. sorry to be sooo log-winded, rob9
Hi rob9, That sounds like good advice. The BHO was listed as (file missing) in your logs. Check if you can find Evernet in Add/Remove Software and remove it there if that is possible. If it is not listed there have HijackThis Fix:

O2 - BHO: {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - \BROWSERHELPER.DLL (disabled by BHODemon)

and delete the entire C:\PROGRAM FILES\EVERNET folder. Regards, Pieter
EVERNET was not listed in the Add/Remove - Control Panel program, so I followed your instructions with HijackThis and then deleted the folder EVERNET from my Program Files. The only odd thing left (and it is very small) is that in IE under tools/internet options, I have set www1.sympatico.ca as my homepage. But now IE always loads www.sympatico.ca as my homepage. Weird!!! Before my troubles, it went to www1.sympatico.ca as you would expect. However, it is not a big deal and my homepage is only 1 click away. In any case, I am more than happy with the way this has all gone. You have been really super. from a very satisfied, rob9