I got hijacked by this http://xml.overture.com/d/search/p/igetnet/html/domainlander/?Keywords= . I used Spybot, and now when I want the page it took over I get “This page cannot be displayed”. I have checked Internet Options, nothing has been altered there, and I have done a System Restore, still no luck. I need the link it took over. I have used “HijackThis” and below is the log. I don’t mind Gator or DAP being there.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pupxpman.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\helper.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\startpage guard\spguard.exe /s /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
O4 - HKLM\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download With SpeedNet - C:\PROGRA~1\SPEEDN~1.1\download.htm
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_0 -
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.3115393519
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,14/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{289B2A87-CF23-4E40-A0F1-E400E0ED5B12}: NameServer = 213.1.119.104 213.1.119.101

Sorry there is so much, can anyone help?
Hi Stan 385,

Although I hate doing only half the job, I will specify where everything belongs to, so you can make up your own mind on which spyware you want to keep.

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
orphaned entry in registry

O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
http://217.115.153.73/parasite/Transponder.html

O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
orphaned entry in registry

O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
http://217.115.153.73/parasite/IGetNet.html

O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
http://217.115.153.73/parasite/IGetNet.html

O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
http://217.115.153.73/parasite/UCmore.html

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
http://217.115.153.73/parasite/Gator.html (all three)

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
http://www.doxdesk.com/parasite/OnlineDialer.html

Reboot after selecting what you want to get rid of. Obviously at least the two IGetNet entries.

Care to tell me why you are so fond of Gator that you let them spy on you and waste resources (as you can see you have three startup entries for it)? DAP has improved its lifestyle and is no longer considered spyware.

Regards, Pieter
Hi Stan,

Welcome to Wilders! Actually, we have seen far more involved logs! Yours isn't that bad at all.

Could you please close all other programs/windows and select and fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\System\BHO.DLL
O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7B49A2A6-B45F-46F3-AC60-2578477671EE} - http://www.ultrabar.com/user_data/u/l/ultrabar/ultrabars/latest/ultrabar.cab

I don't recognize

O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe

It may be a legit file, though I saw only two unexplained hits when doing Copernic and Google searches. I would not fix it on this run, but we will keep it in mind if you continue to have issues after this.

Reboot once you fix the other entries and then delete the following:

C:\WINDOWS\system32\TPS108.dll
C:\WINDOWS\System\BHO001.DLL
C:\WINDOWS\System\BHO.DLL
C:\Program Files\UCmore\UCMIE.dll
C:\Program Files\Common Files\CMEII (the entire folder)
C:\Program Files\Gator.com (the entire folder)
C:\Program Files\Common Files\GMT (the entire folder)

Once these are deleted, please retest your issue and (even if it works okay) rescan with HJT and post a fresh log so we can be sure the other items didn't slip back in.

Thanks, Dan
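The two replies above work through the log by entry type: R0/O2/O3 entries that point at "(no file)" or an empty value are orphaned registry leftovers, unnamed BHO DLLs have to be identified before they are kept, O16 lines are ActiveX controls downloaded from the web, and the O17 line records which DNS servers the machine is using. The following Python script is an added example, not part of the thread and not part of HijackThis; it parses HijackThis log lines into their sections and applies those same first-pass heuristics. The sample lines are copied from Stan's log above. It is a triage aid only: a named BHO such as UCmore still needs the kind of vendor lookup Pieter did by hand.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One HijackThis log entry: "<section> - <body>", e.g.
#   O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\system32\TPS108.dll
HJT_LINE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # R0, O2, O4, O16, ...
    body: str               # everything after "<section> - "
    guid: Optional[str]     # CLSID/GUID found in the line, if any
    target: Optional[str]   # file, URL or value the entry points at


@dataclass
class Finding:
    kind: str               # short category used by the triage rules
    advice: str             # what a forum helper would say about it
    entry: Entry


def extract_target(section: str, body: str) -> Optional[str]:
    """Best-effort: pull out the path, URL or value an entry points at."""
    if section in ("O2", "O3", "O16"):
        # "BHO: name - {CLSID} - C:\path\x.dll": take the last " - " piece
        if " - " not in body:
            return None
        return body.rsplit(" - ", 1)[-1].strip() or None
    if section == "O4":
        # Run key: "[Name] C:\path\x.exe";  Startup folder: "x.lnk = C:\path\x.exe"
        m = re.search(r"\] (.+)$", body) or re.search(r" = (.+)$", body)
        return m.group(1).strip().strip('"') if m else None
    if section in ("R0", "R1", "O17"):
        # "...,Start Page = http://..." or "...: NameServer = a.b.c.d"
        m = re.search(r" = ?(.*)$", body)
        if not m:
            return None
        return m.group(1).strip() or None   # empty value -> None (orphan)
    return None


def parse_hjt(text: str) -> List[Entry]:
    """Parse a HijackThis log into entries; non-entry lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body").strip()
        g = GUID_RE.search(body)
        entries.append(Entry(section, body, g.group(0) if g else None,
                             extract_target(section, body)))
    return entries


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entries: List[Entry]) -> List[Finding]:
    """First-pass heuristics mirroring the replies in the thread."""
    findings: List[Finding] = []
    for e in entries:
        if e.target == "(no file)" or (e.section in ("R0", "R1") and e.target is None):
            findings.append(Finding("orphaned",
                "orphaned registry entry, points at nothing; safe to fix", e))
        elif e.section == "O2" and e.body.startswith("BHO: (no name)"):
            findings.append(Finding("unnamed-bho",
                "unnamed BHO; identify the DLL (vendor lookup) before keeping it", e))
        elif e.section == "O16":
            findings.append(Finding("activex-dpf",
                "downloaded ActiveX control; remove if you do not recognise the site", e))
        elif e.section == "O17":
            findings.append(Finding("dns-servers",
                "DNS servers set in the registry; confirm they belong to your ISP", e))
    return findings


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\system32\TPS108.dll
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: UCmore toolbar - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{289B2A87-CF23-4E40-A0F1-E400E0ED5B12}: NameServer = 213.1.119.104 213.1.119.101
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(count_by_section(parsed))
    for f in triage(parsed):
        print(f"{f.entry.section:4} {f.kind:12} {f.advice}\n     {f.entry.body}")
```

Run it against a full log saved from HijackThis by replacing SAMPLE_LOG with the file contents. Named BHOs, Run keys and Startup items are deliberately not flagged by the rules above: deciding about those needs a lookup of the file or vendor, which is exactly the step the helpers in this thread perform manually.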
Hi Dan,

No problem. I don't hear Stan complaining about getting two analyses for the price of one. Maybe he can confirm my diagnosis for pupxpman.exe as belonging to Ashampoo PowerUp XP.

Regards, Pieter
Thanks Pieter & Dan for responding so quickly, you’re the tops. I like Gator because it saves typing passwords; for anything serious I turn it off. No, I’m not complaining to anyone, it’s nice to know there are people out there like you ready to help us noobs. I will post back when I have got results.

Thanks again, Stan
Hi Stan,

In that case you may be interested in looking into Roboform. You can import your Gator data to it. http://www.roboform.com/

Check this link out before you remove Gator: http://www.roboform.com/gator.html#convert

Use either Adaware 6 or Spybot S&D to clean out the rest of the mess after that. Make sure to update before you do so.

Regards, Pieter
Hi Pieter,

That’s real nice of you. I am going to change it to Roboform now, thanks for going to the trouble to help me.

Cheers, Stan