hijacked

Discussion in 'privacy problems' started by rob9, Oct 24, 2003.

Thread Status:
Not open for further replies.
  1. rob9

    rob9 Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    11
    Good afternoon,

    I am new to this site and not sure where to post this.

    From reading some of your forum, I think I have picked up what I think you would describe as a hijacker on my browser. I downloaded "Hijackthis" according to instructions in your forum and removed everything which had "hotwebsearch" on it. This seemed to get rid of most of it. However I still have elements of it loading with my browser in the form of advertising associated with it and advertising which describes how to pay for and download software to get rid of it.

    According to advice I saw on HijackThis, it was suggested I copy the log that is produced by this program and send it to experts who could assist me in getting rid of what I need to. From what I have seen in your forum, I believe this is you?

    I have attached the Hijackthis logfile in hopes that you can assist.

    Any help would be greatly appreciated.

    Rob9
     


  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi rob9,

    Welcome to Wilders. :)

    Before you fix anything would you mind terribly sending me these two files:
    C:\WINDOWS\SYSTEM\PGGLRTTW.DLL
    C:\WINDOWS\SYSTEM\CTADL1.DLL

    You can use the email address in my profile. I'd like to have a closer look.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - C:\WINDOWS\WINDOWSIE.DLL
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
    O2 - BHO: (no name) - {89D39860-C403-11D6-BE9B-0050BA7204DE} - C:\WINDOWS\SYSTEM\MO030414S.DLL
    O2 - BHO: (no name) - {A390DD21-77CD-11D7-BE9B-0050BA7204DE} - C:\WINDOWS\SYSTEM\PGGLRTTW.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

    O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM\CTADL1.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe

    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.harddial.com/dialers/cmb_220055.cab

    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014489.exe

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe

    O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} (ctadlctrl Class) - http://66.51.29.59/ctadl.cab
    O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/v3/download/hdplugin1014_hd3ptdmgainads.cab

    Then reboot and delete:
    C:\WINDOWS\SENTRY.exe

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Regards,

    Pieter
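The O2/O3/O4/O16 lines in the reply above are the HijackThis log format: item type, a name or label, the registered CLSID, and the DLL path, command line or download URL it resolves to. The script below is an added example for this thread, not code from HijackThis, BHODemon or anyone in the thread. It parses those four line types and attaches illustrative flags that encode the tells a reviewer uses here (unnamed BHOs, DLLs dropped straight into the Windows directory rather than a vendor folder, DPF downloads from a bare IP address, dialer-looking or .exe payloads). The sample log is constructed from the lines quoted in the reply plus one benign Acrobat BHO line whose path and CLSID are assumed for the example.

```python
"""Triage of HijackThis-style log lines (O2/O3/O4/O16).

Added example for this thread; not HijackThis, BHODemon or any code posted
in the thread. The flags are heuristics that prompt a closer look; they are
not a verdict on the entry.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# O2 and O3 share one shape: "<type> - BHO|Toolbar: <name> - {CLSID} - <path>"
O2_O3_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[^}]+\}) - (.*)$")
# O4: "O4 - HKLM\..\Run: [<label>] <command line>"
O4_RE = re.compile(r"^(O4) - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
# O16: "O16 - DPF: {CLSID} (<class name>) - <url>", class name optional
O16_RE = re.compile(r"^(O16) - DPF: (\{[^}]+\})(?: \((.*?)\))? - (\S+)$")

# Directories where a legitimate BHO/toolbar DLL rarely sits on its own;
# vendors normally install under Program Files.
SYSTEM_DIRS = {"C:\\WINDOWS\\", "C:\\WINDOWS\\SYSTEM\\", "C:\\WINDOWS\\SYSTEM32\\"}


@dataclass
class Entry:
    kind: str            # O2, O3, O4 or O16
    name: str            # BHO/toolbar name, Run label, or DPF class name
    clsid: str           # "" for O4 lines, which carry no CLSID
    target: str          # DLL path, command line, or download URL
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for a supported HijackThis line, or None for anything else."""
    line = line.strip()
    m = O2_O3_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3), m.group(4))
    m = O4_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(3), "", m.group(4))
    m = O16_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(3) or "(no name)", m.group(2), m.group(4))
    return None


def _parent_dir(path: str) -> str:
    """'C:\\WINDOWS\\SYSTEM\\X.DLL' -> 'C:\\WINDOWS\\SYSTEM\\' (upper-cased)."""
    return path.rsplit("\\", 1)[0].upper() + "\\"


def _is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess(entry: Entry) -> Entry:
    """Attach heuristic flags; an empty flags list means 'nothing obvious'."""
    t = entry.target
    if entry.kind in ("O2", "O3"):
        if entry.name.strip().lower() == "(no name)":
            entry.flags.append("unnamed BHO/toolbar")
        if _parent_dir(t) in SYSTEM_DIRS:
            entry.flags.append("DLL sits directly in the Windows system directory")
    elif entry.kind == "O4":
        # Win9x keeps a few legitimate autoruns in C:\WINDOWS too; prompt, not verdict.
        if _parent_dir(t.split(" ")[0]) in SYSTEM_DIRS:
            entry.flags.append("autorun executable directly in the Windows directory")
    elif entry.kind == "O16":
        url = urlparse(t)
        if _is_bare_ip(url.hostname or ""):
            entry.flags.append("DPF download from a bare IP address")
        if t.lower().endswith(".exe"):
            entry.flags.append("DPF delivers a raw executable instead of a CAB")
        if "dial" in t.lower():  # crude substring match, as in the thread's two dialer URLs
            entry.flags.append("URL suggests a dialer")
    return entry


def triage(log_text: str) -> list:
    """Parse every supported line of a log and assess it."""
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e]


def suspicious(log_text: str) -> list:
    return [e for e in triage(log_text) if e.flags]


# Constructed sample: the O2/O3/O4/O16 lines quoted in the thread plus one
# benign Acrobat BHO line (its path and CLSID are assumed for this example).
SAMPLE_LOG = r"""
Logfile of HijackThis
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - C:\WINDOWS\WINDOWSIE.DLL
O2 - BHO: (no name) - {A390DD21-77CD-11D7-BE9B-0050BA7204DE} - C:\WINDOWS\SYSTEM\PGGLRTTW.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.harddial.com/dialers/cmb_220055.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014489.exe
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} (ctadlctrl Class) - http://66.51.29.59/ctadl.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/v3/download/hdplugin1014_hd3ptdmgainads.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<20} {e.target}")
        for f in e.flags:
            print(f"       -> {f}")
```

Run as-is it flags six of the ten entries. Note what it does not flag: the My Search BHO/toolbar pair and the Gator DPF line both have a proper name, a vendor folder or a vendor hostname, and a .cab payload, yet the reply above tells the poster to fix them. That is the limit of log-shape heuristics; the helper's call on those entries rested on knowing the vendor, which is why the thread also asks for the unknown DLLs to be sent in for a look rather than judging them from the log alone.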
     
  3. Pieter_Arntz

    Thank you for the files rob9. :)

    C:\WINDOWS\SYSTEM\PGGLRTTW.DLL =
    http://www.doxdesk.com/parasite/WurldMedia.html

    I may need professional help to analyze the other one.
    I will keep you posted.

    Regards,

    Pieter
     
  4. rob9

    Hi Pieter,

    Thanks for all your very speedy replies. I will await further word from you on that file before I attempt any of the actions you describe above.

    Many thanks again.

    from a somewhat slower,
    rob9
     
  5. Pieter_Arntz

    Hi rob9,

    You can follow my advice. Skip fixing this one for the time being:
    O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM\CTADL1.DLL

    It seems to have a lot of modem commands in it, but I am not qualified to determine whether they have good or bad intentions.

    Regards,

    Pieter
     
  6. rob9

    Hi Pieter,

    Wow! That was super! :D I followed your instructions exactly including not removing the 1 item you said I should leave until you get back to me on the second file.

    Not only has complete control of my browser been returned to me with my home page intact but, (and I'm not sure if it's my imagination) the overall performance of my computer seems better and faster. :cool:

    To quote another satisfied customer in this same forum who had similar problems to mine, "You are very smart!" ;)

    I have just 2 remaining questions:
    1] Before I installed and used SpyBot, I deleted SpyBlaster because I read in its instructions that it will not work with other spy software. Will it work with SpyBot and can I use both of them on my computer or do I need to?
    2] After you examined one of my files you sent me to this site:

    http://www.doxdesk.com/parasite/WurldMedia.html

    Do I need to follow any of its recommendations re. file deletion or did your instructions already do that?

    many thanks again ;)
    from a somewhat faster and more efficient,
    rob9
     
  7. Pieter_Arntz

    Hi rob9,

    1. You must have been misinformed. Spybot S&D actually recommends using SpywareBlaster in its Immunize section.

    2. We already took care of that using HijackThis.

    One extra: Could you please download BHODemon and use it to disable the CTADL1.DLL BHO.
    One of the knowledgeable people that examined the file thinks it might be related to ezSearch, which is a click-through portal.
    Let me know if you notice anything different after doing so.

    Regards,

    Pieter
     
  8. rob9

    Good morning Pieter,

    I installed and ran BHODemon as you instructed and these are the 4 BHO's which it found on my machine:

    ?0 BROWSERHELPER.DLL {AB77A7BF-8C5B-486A-B547-F9AD2B41A904}

    ?1 ACROIEHELPER.DLL {06849E-C8D7-4D59-B87D-784B7D6BE0B3}

    ?2 CTPP1.DLL {4B021269-DD24-48B2-96B4-DA121E9C0502}

    ?3 CTAP3.DLL {DB0018A2-F7D9-4B71-9651-640143DF23F9}

    I hope I have all that right but as you can see there is no "CTADL1.DLL BHO" or did I mess something up? o_O

    still from the green side of the grass,
    rob9
     
  9. Pieter_Arntz

    The AcroieHelper is the only legit one you had in the log you first posted.
    Please disable the rest with BHODemon and could you post a new HijackThis log please?

    Regards,

    Pieter
    (Not as smart as you think)
     
  10. rob9

    Thanks again for your quick advice Pieter,

    Using BHODemon I disabled the 3 files you suggested and left ACROIEHELPER unfettered.

    Then I produced the attached log using HijackThis.

    still a big fan,
    rob9

    (I have absolutely no complaints!)
     
  11. Pieter_Arntz

    Attachment?
    Did you use the preview? That ruins attachments every time.

    Regards,

    Pieter
     
  12. rob9

    Sorry! I forgot to attach the log but here it is!
     


  13. Pieter_Arntz

    Interesting.

    Could you mail me copies of these as well:
    C:\WINDOWS\SYSTEM\CTPP1.DLL
    C:\WINDOWS\SYSTEM\CTAP3.DLL

    Any idea where that Evernet BHO came from?
    I found this:
    http://www.internetacceleration.com/vendor_profiles/EverNet.html
    Don't know if that means anything to you.

    Regards,

    Pieter
     
  14. rob9

    Hi Pieter,

    I tried sending those 2 files by the attachment mechanism below and then I remembered (some describe me as being a little forgetful) what you had advised earlier about sending them to your profile email. So I did and it appeared to work.

    EVERNET is a program which appears in my program list when I press the START button in the lower left hand corner of my screen. My operating system is 98SE. EVERNET has a little > beside it which leads to EVERNET INFO. When I press that my browser tries to take me to a site which will not load "This page cannot be ..."

    I thought EVERNET had something to do with "sympatico.ca" which is BELL - the phone company in ON, Canada. They are the people who installed my hi-speed modem and the service which goes with it and they take my money each month. I think you would call them "my server". I called them and spoke with a technician who knew nothing about EVERNET and thought it and everything associated with it could be removed from my system with no problems. He was "fairly sure" of that.

    I feel like I have taken a lot of words to say very little.

    sorry to be sooo long-winded,
    rob9
     
  15. Pieter_Arntz

    Hi rob9,

    That sounds like good advice. The BHO was listed as (file missing) in your logs.
    Check if you can find Evernet in Add/Remove Software and remove it there if that is possible.

    If it is not listed there have HijackThis Fix:
    O2 - BHO: {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - \BROWSERHELPER.DLL (disabled by BHODemon)
    and delete the entire C:\PROGRAM FILES\EVERNET folder.

    Regards,

    Pieter
     
  16. rob9

    EVERNET was not listed in the Add/Remove - Control Panel program, so I followed your instructions with HijackThis and then deleted the folder EVERNET from my Program Files.

    The only odd thing left (and it is very small) is that in IE under tools/internet options, I have set www1.sympatico.ca as my homepage. But now IE always loads www.sympatico.ca as my homepage. Weird!!! o_O

    Before my troubles, it went to www1.sympatico.ca as you would expect. However, it is not a big deal and my homepage is only 1 click away.

    In any case, I am more than happy with the way this has all gone. You have been really super.

    from a very satisfied,
    rob9
     