Hijacked page

I got hijacked by this http://xml.overture.com/d/search/p/igetnet/html/domainlander/?Keywords=
I used Spybot, and now when I want the page it took over I get “This page cannot be displayed” I have checked internet options, nothing has been altered there, and I have done a system restore, still no luck. I need the link it took over. I have used “Hijack this” and below is the log.
I don’t mind Gator or DAP being there.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pupxpman.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\helper.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\startpage guard\spguard.exe /s /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
O4 - HKLM\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download With SpeedNet - C:\PROGRA~1\SPEEDN~1.1\download.htm
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_0 -
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.3115393519
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,14/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{289B2A87-CF23-4E40-A0F1-E400E0ED5B12}: NameServer = 213.1.119.104 213.1.119.101

Sorry there is so much, can anyone help?

 

Hi Stan 385,

Although I hate doing only half the job, I will specify where everything belongs to, so you can make up your own mind on which spyware you want to keep.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
orphaned entry in registry

O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
http://217.115.153.73/parasite/Transponder.html

O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
orphaned entry in registry

O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
http://217.115.153.73/parasite/IGetNet.html

O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
http://217.115.153.73/parasite/IGetNet.html

O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
http://217.115.153.73/parasite/UCmore.html

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
http://217.115.153.73/parasite/Gator.html (all three)

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
http://www.doxdesk.com/parasite/OnlineDialer.html

Reboot after selecting what you want to get rid off. Obviously at least the two IGetNet entries.

Care to tell me why you are so fond of Gator that you let them spy on you and waste resources (as you can see you have three startup entries for it).

DAP has improved it's lifestyle and is no longer considered spyware.

Regards,

Pieter

 

Hi Stan,

Welcome to Wilders!

Actually, we have seen far more involved logs! Yours isn't that bad at all.

Could you please close all other programs/windows and select and fix the following;

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab


I don't recognize

O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe

it may be a legit file though I say only two unexplained hits when doing Copernic and Google searches. I would not fix it on this run but we will keep it in mind if you continue to have issues after this. Reboot once you fix the other entries and then delete the following;

C:\WINDOWS\system32\TPS108.dll
C:\WINDOWS\System\BHO001.DLL
C:\WINDOWS\System\BHO.DLL
C:\Program Files\UCmore\UCMIE.dll
C:\Program Files\Common Files\CMEII (the entire folder)
C:\Program Files\Gator.com (the entire folder)
C:\Program Files\Common Files\GMT (the entire folder)

Once these are deleted, please retest your issue and (even if it works okay) rescan with HJT and post a fresh log so we can be sure the other items didn't slip back in.

Thanks,

Dan

 

Ooops,

Sorry Pieter

 

Hi Dan,

No problem. I don't hear Stan complaining about getting two analysis for the price of one.

Maybe he can confirm my diagnosis for pupxpman.exe as belonging to Ashampoo PowerUp XP

Regards,

Pieter

 

Thanks Pieter & Dan for responding so quickly, you’re the tops.

I lake Gator because it saves typing passwords, anything serious I turn it off.

No I’m not complaining to no one, its nice to know there are people out there like you ready to help us noobs.

I will post back when I have got results

Thanks again
Stan

 

Hi Stan,

In that case you may be interested in looking into Roboform. You can import your Gator data to it. http://www.roboform.com/
Check this link http://www.roboform.com/gator.html#convert out before you remove Gator.

Use either Adaware 6 or Spybot S&D to clean out the rest of the mess after that. Make sure to update before you do so.

Regards,

Pieter

 

Hi Pieter

That’s real nice of you.

I am going to change it to Roboform now, thanks for going to the trouble to help me.

Cheers
Stan