Hijacked page

Discussion in 'privacy problems' started by Stan 385, Aug 17, 2003.

Thread Status:
Not open for further replies.
  1. Stan 385

    Stan 385 Registered Member

    Joined:
    Aug 17, 2003
    Posts:
    3
    I got hijacked by this http://xml.overture.com/d/search/p/igetnet/html/domainlander/?Keywords=
    I used Spybot, and now when I want the page it took over I get “This page cannot be displayed” I have checked internet options, nothing has been altered there, and I have done a system restore, still no luck. I need the link it took over. I have used “Hijack this” and below is the log.
    I don’t mind Gator or DAP being there.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\McAfee.com\VSO\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\pupxpman.exe
    C:\Program Files\iISystem Wiper\SystemWiper.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\POP Peeper\POPPeeper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Gator.com\Gator\Gator.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpamPal\spampal.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\LIUtilities\SpeedUpMyPC\helper.exe
    C:\unzipped\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
    O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
    O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\startpage guard\spguard.exe /s /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download With SpeedNet - C:\PROGRA~1\SPEEDN~1.1\download.htm
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_0:cool: -
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned34.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.3115393519
    O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,14/mcgdmgr.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{289B2A87-CF23-4E40-A0F1-E400E0ED5B12}: NameServer = 213.1.119.104 213.1.119.101

    Sorry there is so much, :oops: can anyone help?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Stan 385,

    Although I hate doing only half the job, I will specify where everything belongs to, so you can make up your own mind on which spyware you want to keep. :'(

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    orphaned entry in registry

    O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
    http://217.115.153.73/parasite/Transponder.html

    O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
    orphaned entry in registry

    O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    http://217.115.153.73/parasite/IGetNet.html

    O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
    http://217.115.153.73/parasite/IGetNet.html

    O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
    http://217.115.153.73/parasite/UCmore.html

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    http://217.115.153.73/parasite/Gator.html (all three)

    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
    http://www.doxdesk.com/parasite/OnlineDialer.html

    Reboot after selecting what you want to get rid off. Obviously at least the two IGetNet entries.

    Care to tell me why you are so fond of Gator that you let them spy on you and waste resources (as you can see you have three startup entries for it).

    DAP has improved it's lifestyle and is no longer considered spyware.

    Regards,

    Pieter
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Stan,

    Welcome to Wilders!

    Actually, we have seen far more involved logs! Yours isn't that bad at all.

    Could you please close all other programs/windows and select and fix the following;

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
    O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
    O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
    O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab


    I don't recognize

    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe

    it may be a legit file though I say only two unexplained hits when doing Copernic and Google searches. I would not fix it on this run but we will keep it in mind if you continue to have issues after this. Reboot once you fix the other entries and then delete the following;

    C:\WINDOWS\system32\TPS108.dll
    C:\WINDOWS\System\BHO001.DLL
    C:\WINDOWS\System\BHO.DLL
    C:\Program Files\UCmore\UCMIE.dll
    C:\Program Files\Common Files\CMEII (the entire folder)
    C:\Program Files\Gator.com (the entire folder)
    C:\Program Files\Common Files\GMT (the entire folder)

    Once these are deleted, please retest your issue and (even if it works okay) rescan with HJT and post a fresh log so we can be sure the other items didn't slip back in.

    Thanks,

    Dan
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ooops,

    Sorry Pieter :D
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Dan,

    No problem. I don't hear Stan complaining about getting two analysis for the price of one. :D

    Maybe he can confirm my diagnosis for pupxpman.exe as belonging to Ashampoo PowerUp XP

    Regards,

    Pieter
     
  6. Stan 385

    Stan 385 Registered Member

    Joined:
    Aug 17, 2003
    Posts:
    3
    Thanks Pieter & Dan for responding so quickly, you’re the tops. ;)

    I lake Gator because it saves typing passwords, anything serious I turn it off. :D

    No I’m not complaining to no one, its nice to know there are people out there like you ready to help us noobs.

    I will post back when I have got results

    Thanks again
    Stan
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  8. Stan 385

    Stan 385 Registered Member

    Joined:
    Aug 17, 2003
    Posts:
    3
    Hi Pieter :)

    That’s real nice of you. :D

    I am going to change it to Roboform now, thanks for going to the trouble to help me.

    Cheers
    Stan
     
Loading...
Thread Status:
Not open for further replies.