"Find The Website You Need" Hijacker!

Discussion in 'privacy problems' started by OnThePike, Jul 15, 2003.

Thread Status:
Not open for further replies.
  1. OnThePike

    OnThePike Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    4
    Location:
    New York City
    Greetings all,

    I'd like to report what appears to be a new hijacker. Enclosed is a letter I sent to Patrick Kolla of Spybot S&D:

    Greetings!

    I have no idea how this application hijacked my homepage, since I have been using your service, as
    well as Spyware Blaster and have my Internet Settings
    set against such activity from Spybot, however
    somewhere along the line, my homepage was hijacked and favorite files were added.

    It reset my homepage, and added a plethora of cookies
    all while Pop-Up Stopper Professional and Companion
    were beeping in a frenzy!

    Please investigate findthewebsiteyouneed apparently
    located at hxxp://www.findthewebsiteyouneed.com (have
    your full protective garments adorned)!!

    Thank you for the great service!

    Jeff

     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi OnthePike,

    Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. OnThePike

    OnThePike Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    4
    Location:
    New York City
    Gee, I'm sorry. I already deleted/removed/repaired any and all visible traces of the parasite. I suppose I could have missed something.. but I'm not sure exactly where to look.

    At any rate, here are the results you requested:

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Logfile of HijackThis v1.95.0
    Scan saved at 10:42:00 AM, on 7/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
    C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
    C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    C:\Documents and Settings\JRL\Start Menu\Programs\Power Menu\Power Menu.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\JRL\Start Menu\Programs\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.optonline.net"); (C:\Documents and Settings\JRL\Application Data\Mozilla\Profiles\default\sln3lfq9.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%207%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JRL\Application Data\Mozilla\Profiles\default\sln3lfq9.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
    O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WSFTP\wsbho2k0.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [StartupCleaner] C:\Program Files\CM Data Software\CM DiskCleaner\StartupCleaner.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    O4 - Startup: Restore Point.lnk = C:\unzipped\SysRestorePoint[1]\SysRestorePoint.exe
    O4 - Startup: Hyper Snap.lnk = C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    O4 - Startup: Power Menu.lnk = C:\Documents and Settings\JRL\Start Menu\Programs\Power Menu\Power Menu.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
    O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
    O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
    O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
    O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Page Analysis (HKCU)
    O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer (HKCU)
    O9 - Extra button: HTML Detective (HKCU)
    O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective (HKCU)
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37803.4305324074
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    I hope this information was helpful?

    Jeff
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi OnThePike,

    Looks like you did a good job at cleaning up.
    This is one I'd discard:
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
    and this one if you didn't install it willingly:
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    If you don't use IE Booster anymore, these can go as well:
    O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
    O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
    O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
    O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
    O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
    O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer (HKCU)
    O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective (HKCU)


    Regards,

    Pieter
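The triage Pieter does by hand above (reading the O4 autostart and O16 DPF lines of a HijackThis log and picking out the ones to discard) can be written down as a small parser plus a review policy. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the posted log, while the trusted-host and install-directory allowlists are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.95 log format; the item lines are copied from
# the log posted in this thread so the triage result can be compared with Pieter's advice.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Restore Point.lnk = C:\unzipped\SysRestorePoint[1]\SysRestorePoint.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37803.4305324074
"""

Entry = Tuple[str, str, Optional[str]]   # (section such as "O4"/"O16", detail, path or URL)
LINE_RE = re.compile(r"^([ONRF]\d+) - (.*)$")

def parse_log(text: str) -> List[Entry]:
    """Parse the item lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        path = None
        if section in ("O2", "O3", "O16"):   # "...: {CLSID} (name) - <dll or cab URL>"
            path = detail.rsplit(" - ", 1)[-1]
        elif section == "O4":                # "Run: [name] <cmd>" or "Startup: x.lnk = <cmd>"
            path = detail.split("] ", 1)[-1] if "] " in detail else detail.split(" = ", 1)[-1]
        entries.append((section, detail, path))
    return entries

# Assumed allowlists (constructed for this example, not policy from the thread): hosts whose
# ActiveX (DPF) downloads are expected, and directories where autostarts are normally installed.
TRUSTED_DPF_HOSTS = {"windowsupdate.microsoft.com", "bin.mcafee.com", "download.mcafee.com"}
INSTALL_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")

def review(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, detail) for entries a helper would tell the poster to look at."""
    findings = []
    for section, detail, path in entries:
        if section == "O16":
            host = (urlparse(path).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                findings.append(("DPF download from unlisted host " + host, detail))
        elif section == "O4" and not path.lstrip('"').upper().startswith(INSTALL_PREFIXES):
            findings.append(("autostart outside the usual install directories", detail))
    return findings
```

On the sample it flags the WeatherBug DPF line and the Startup shortcut pointing into C:\unzipped, and leaves the Windows Update control and the Program Files autostarts alone; the WEATHER.EXE entry passes the path rule and, as Pieter says, is a judgement call about whether it was installed on purpose.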
     
  5. OnThePike

    OnThePike Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    4
    Location:
    New York City
    Hi Pieter Arntz,

    I'm still toying with IE Booster, so I'll let those RE's stick around for a while. As far as the Weather Bug is concerned, I use that daily -- would removing that entry inhibit the performance of the program?

    I did tweak around with a "previous" version in a vain attempt to replace the advertising with my own images -- hence the need for "replacement" ;-)

    In any event, this "FindTheWebsiteYouNeed" parasite took me completely by surprise (especially with SpyBot and Spyware Blaster in use)!! I wasted no time in tracking down and deleting the residue. I then contacted Patrick Kolla and left a message on this forum.

    So.. I just downloaded Spyware Guard to supplement!

    Thanks again for the great products!

    Jeff
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi OnThePike,

    This one comes recommended as an alternative for WeatherBug:
    http://www.serence.com/site.php

    Regards,

    Pieter
     