HighJack and lots of Pop-ups

Discussion in 'adware, spyware & hijack cleaning' started by bandonisp, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. bandonisp (Registered Member; joined Feb 24, 2004; 53 posts; Bandon, Oregon)
    I am at the computer. Hope someone is there. HELP!!
    smiles ;)
    http://www.hotwebsearch.com/
    The above has hijacked the home page!!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:33:23 AM, on 3/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\hugh & betty.DJ0NQN21\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\System32\ctpp3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\System32\ctadl1.dll
    O2 - BHO: (no name) - {DB0018A2-F7D9-4B71-9651-640143DF23F9} - C:\WINDOWS\System32\ctap4.dll
    O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - C:\WINDOWS\System32\winenc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: GlobalWebSearch.com Bar - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - C:\WINDOWS\System32\winenc32.dll
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. subratam (Registered Member; joined Nov 14, 2003; 1,310 posts; Issaquah, WA)
    Hi bandon again,

    If you already have CWShredder then go to Step 1, else download it from the link I gave.
    Step 1: Close all other windows.
    Step 2: Unzip the program (if you already have that, then OK) and run it.
    Step 3: Run FIX.
    Step 4: Close the program and reboot.
    Step 5: Make a folder in My Documents and name it "HijackThis" or any such suitable name.
    Step 6: Bring HijackThis from the Temp folder to the folder created. This is because in the Temp folder you won't be able to access the backups made by HijackThis.
    Step 7: Run HijackThis from the folder created.
    Step 8: Post a fresh log to be reviewed by experts for further help.

    Take care and keep posting.
     
  3. bandonisp (Registered Member; joined Feb 24, 2004; 53 posts; Bandon, Oregon)
    I ran the Shredder and here is my fresh log.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:56:47 AM, on 3/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HighJack\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yld.homestead.com/995amonth.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\System32\ctpp3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\System32\ctadl1.dll
    O2 - BHO: (no name) - {DB0018A2-F7D9-4B71-9651-640143DF23F9} - C:\WINDOWS\System32\ctap4.dll
    O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - C:\WINDOWS\System32\winenc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: GlobalWebSearch.com Bar - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - C:\WINDOWS\System32\winenc32.dll
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. subratam (Registered Member; joined Nov 14, 2003; 1,310 posts; Issaquah, WA)
    Hi bandon,
    Shredder should have removed that. Anyway, have only these fixed in HijackThis and wait for some more help from the experts, if there is any:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/ie_search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\System32\ctadl1.dll
    O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - C:\WINDOWS\System32\winenc32.dll
    O3 - Toolbar: GlobalWebSearch.com Bar - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - C:\WINDOWS\System32\winenc32.dll

    Reboot and post a fresh log.
    Will you please send these two, ctpp3.dll and ctap4.dll, to the email address provided under Pieter's avatar, as I could not find any information on them and maybe they are NOT good, but Pieter would be the perfect one to tell.
     
  5. bandonisp (Registered Member; joined Feb 24, 2004; 53 posts; Bandon, Oregon)
    We have our home page back and have rebooted a couple of times. Many, many thanks!!!!!!!!!!!!!! This is a fresh log.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:34 PM, on 3/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HighJack\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://3rs.homestead.com/onramp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.bandonisp.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\System32\ctpp3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {DB0018A2-F7D9-4B71-9651-640143DF23F9} - C:\WINDOWS\System32\ctap4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63EB77F6-AD2F-4F93-80C0-A5EBD88CBDF0}: NameServer = 209.244.0.3 209.244.0.4

    Is it possible to delete this one?
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     
  6. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,330 posts; Netherlands)
    Hi bandonisp,

    You can't fix Messenger permanently with HijackThis, but a program like XP-Antispy from http://www.xp-antispy.org/ will give you that option.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\System32\ctpp3.dll

    O2 - BHO: (no name) - {DB0018A2-F7D9-4B71-9651-640143DF23F9} - C:\WINDOWS\System32\ctap4.dll

    Then reboot.

    Regards,

    Pieter
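The fix lists in posts 4 and 6 above follow a pattern a reviewer applies to every HijackThis log: IE start/search entries pointing at the hijacker domain, URLSearchHooks with no backing file, and BHO/toolbar DLLs that do not check out. The script below is an added example written for this page; it is not part of the thread and not HijackThis' own code. It parses log lines in the format posted above, flags those three entry classes, and diffs two scans so the poster (or a helper) can confirm a fix actually removed the entries. The hijacker domain list and the suspect-DLL names are constructed from this thread's fix lists, and the two sample logs are constructed excerpts, not the poster's full logs.

```python
"""Added example (not from the thread or HijackThis): parse HijackThis 1.97-style
log lines, flag the entry classes the helpers asked the poster to fix, and diff
two scans to confirm the fix took effect."""
import re
from urllib.parse import urlsplit

# Domain named as the hijacker in this thread (constructed list; extend as needed).
HIJACKER_DOMAINS = {"hotwebsearch.com"}
# DLL names the helpers listed for fixing in posts 4 and 6 (constructed from the thread).
SUSPECT_FILES = {"ctadl1.dll", "winenc32.dll", "ctpp3.dll", "ctap4.dll"}

# Constructed excerpts in the thread's log format: one scan before the fix, one after.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - C:\WINDOWS\System32\winenc32.dll
O3 - Toolbar: GlobalWebSearch.com Bar - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - C:\WINDOWS\System32\winenc32.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://3rs.homestead.com/onramp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
"""

# "R1 - <body>", "O2 - <body>", ...; header lines and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# R0/R1 bodies look like "HKCU\...\Main,Start Page = http://..."
R_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")


def parse_log(text):
    """Return (section, body) tuples for the R*/O* entry lines, skipping everything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def host_of(value):
    """Registrable-looking host of a URL value, with a leading 'www.' dropped; None if not a URL."""
    value = value.strip()
    if not value.startswith(("http://", "https://")):
        return None
    host = (urlsplit(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def flag_entries(entries):
    """Map each suspicious entry line to the reason it was flagged; clean entries are omitted."""
    findings = {}
    for section, body in entries:
        line = f"{section} - {body}"
        if section in ("R0", "R1"):
            m = R_RE.match(body)
            if m and host_of(m.group("value")) in HIJACKER_DOMAINS:
                findings[line] = "IE start/search URL points at a known hijacker domain"
        elif section == "R3" and body.endswith("(no file)"):
            findings[line] = "orphaned URLSearchHook with no backing file"
        elif section in ("O2", "O3"):
            # The last " - " segment of a BHO/toolbar entry is the DLL path.
            path = body.rsplit(" - ", 1)[-1].strip()
            if path.rsplit("\\", 1)[-1].lower() in SUSPECT_FILES:
                findings[line] = "BHO/toolbar DLL is on the suspect list"
    return findings


def diff_logs(before, after):
    """Entries removed and added between two scans, to confirm a fix took effect."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reason in flag_entries(parse_log(LOG_BEFORE)).items():
        print(f"FLAG  {reason}\n      {line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries removed, {len(added)} added after the fix")
```

Run it as-is to see the five flagged entries from the constructed "before" scan and the diff against the "after" scan; to review a real log, read the file into `LOG_BEFORE` and keep the two lists current, since the script knows only the domain and DLL names this thread named.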
     
  7. bandonisp (Registered Member; joined Feb 24, 2004; 53 posts; Bandon, Oregon)
    Have done all the fixes except the last two.
    Got rid of the toolbar and we have the home page back!!
    Thanks again. Won't be able to fix the last two for a couple of days. Is that going to be a problem? Thanks.
    Yes, I did shut off the messenger with a tool I downloaded off the Internet. Thanks again for all the HELP!!!!!!
     