This Is Driving Me Insane!!!!

Discussion in 'privacy problems' started by Mickey Goodall, Jun 13, 2003.

  1. I've recently installed Spyware Blaster, Spybot Search and Destroy, and Sygate Personal Firewall and their respective updates. In addition, I have Computer Associates EZ Antivirus on my machine which I religiously update.
    My problem is, on occasion, I still get the following redirect popping up in my IE 6 browser:

    C:\WINDOWS\oftriexxgx.htm#http://www.wilderssecurity.com/spywareblaster.html

    The address following the "#" is what I wanted in this case. Other occurrences have the identical prefix (before the "#").

    What the heck is causing this and how the heck do I get rid of it?

    Thanks In Advance,
    Mickey Goodall

    - Email address removed to protect from address harvesters - LWM
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi Mickey,

    Well, a couple thoughts... First, is there actually a file called "oftriexxgx.htm" in your C:\windows directory? If so, it'd be interesting to look at its contents. It may actually say inside what it is or where it's from.

    Secondly, perhaps posting a "HijackThis" log (see below) will help people identify the source of this if it's a known hijacker.

    With this extra information maybe we can advise you better.

    If you have no specific SpywareBlaster issue (which is what it seems), I'll move this thread to the Privacy Problems forum section.

    Best Wishes,
    LowWaterMark

    [hr]
    http://www.spywareinfoforum.com/~merijn/

    At the website noted above, download the program HijackThis. This is actually a zip file (hijackthis.zip) that contains only the one program, HijackThis.exe. This program isn't an installer, it's the actual HijackThis scanner and repair utility itself, so you don't have to worry about installing it, or about registry updates, or even deinstalling it when you are done using it.

    When you run the program, just hit the {Scan} button, and it will fill-in the details of your system's startup keys, browser helper objects, etc. Once the scan has finished, that same button changes to {Save Log} which will save a text copy of the findings. You should be left with a copy of Notepad open and all the results sitting there. You can copy/paste the results into a post here for review.

    HijackThis also includes the ability to fix checked items from the list produced above. Do not attempt to do this at this point. Much of what will be listed there is correct and should not be fixed.
     
  3. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    In answer to your first question: yes, there is an actual HTM file with that name in the Windows folder.

    Secondly, here are the results of the log file from Hijack This:

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Logfile of HijackThis v1.94.0
    Scan saved at 8:14:20 PM, on 6/13/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Vet Start Up] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VET98.EXE /PROGRESSIVE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O7 "EPUSB1:" /M "Stylus Photo 825"
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\IPMon32.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTrace Express\NTXcontext.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
    O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=1
    O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=2
    O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=3
    O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=4
    O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=5
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O9 - Extra button: EZSurfer (HKCU)
    O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmp332.dll
    O12 - Plugin for .m3u: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmp332.dll
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
    O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .isc: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmio.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/ielabel.cab
    O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.com/plugin/yumscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://a32.g.akamai.net/7/32/1828/108b4256c2b548/europe-download1.cult3d.com/cult.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {86A889A6-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics VRML Automation Driver v3.0) - http://caldera.paragraph.ru/bin/cortauto.cab
    O16 - DPF: {10B80395-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona OpenGL Support) - http://caldera.paragraph.ru/bin/corthwrgl.cab
    O16 - DPF: {10B80394-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona DirectX Support) - http://caldera.paragraph.ru/bin/corthwrdx.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortcore.cab
    O16 - DPF: {10B80390-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona JavaScript Support) - http://www.parallelgraphics.com/bin/cortjs.cab
    O16 - DPF: {10B80391-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona Java Support) - http://www.parallelgraphics.com/bin/cortjava.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CA2E29D0-5691-11D4-BF5E-0050047C394D} (HearMe VCDownload Class) - http://eudora.voicecontact.com/vc3/plugins/VC3Setup.cab
    O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://a164.g.akamaitech.net/6/164/840/000/webcomp1.mediaring.com/orionph/wbsc107.cab
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/activex/controls/iptdweb/ikcntrls.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/12fc87701b266bda4221/netzip/RdxIE.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://keys3.expr.net/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
    O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {A7705DCF-C4FB-41EC-A980-932C6A986F35} (BFNController Class) - http://www.bluefalcon.com/software/live/bbn/cab/BFNStreamer.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5513425926
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipbrowser.com.sg/fvlite/fvliteY.cab
    O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.clipgenie.com/install/clipgenie.cab
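As an added illustration (not part of the thread, and not HijackThis's own logic), a small Python triage pass over a few lines taken from the log above, flagging the points the participants went on to act on: search settings set to about:blank, BHO/toolbar registrations whose module lives under Application Data or no longer exists on disk, the same DLL registered as both a BHO and a toolbar, and context menu items that point at remote URLs. The heuristics and their wording are assumptions for this example; each hit marks an entry to look into, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log in the
# post above, mixing legitimate entries (Adobe, Spybot, Sygate) with the ones
# the thread identified as part of the hijack.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=1
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...=about:blank"
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# O2/O3 bodies: "<BHO|Toolbar>: <name> - {CLSID} - <module path or (no file)>"
O2O3_RE = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O8 bodies: "Extra context menu item: <name> - <target>"
O8_RE = re.compile(r"^Extra context menu item: (.*?) - (.*)$")


def parse_line(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return a list of (section, reason, detail) findings for the heuristics below."""
    findings = []
    # module path (lower-cased) -> registrations, used to correlate O2 and O3 entries
    by_path = defaultdict(list)

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed

        if section in ("R0", "R1"):
            # IE registry value; the key never contains "=", the value may.
            key, _, value = body.partition("=")
            if value.strip().lower() == "about:blank" and "search" in key.lower():
                findings.append((section, "search setting blanked", key))

        elif section in ("O2", "O3"):
            m = O2O3_RE.match(body)
            if not m:
                continue
            kind, _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append((section, "registration with no file on disk", clsid))
                continue
            # Browser extensions normally live under Program Files or System,
            # not in the per-user Application Data tree.
            if "\\application data\\" in path.lower():
                findings.append((section, "browser module loaded from Application Data", path))
            by_path[path.lower()].append(kind)

        elif section == "O8":
            m = O8_RE.match(body)
            if m and m.group(2).strip().lower().startswith("http://"):
                findings.append((section, "context menu item points to a remote URL", m.group(1)))

    # Correlation: one DLL registered both as a BHO and as a toolbar, as in the
    # MCKOUAGLRK.DLL pair in the posted log.
    for path, kinds in by_path.items():
        if {"BHO", "Toolbar"} <= set(kinds):
            findings.append(("O2/O3", "same module registered as BHO and toolbar", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:6} {reason}: {detail}")
```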
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi again Mickey,

    I see you've joined as a member, Welcome!! :)

    Could you mail that html file to me (email address is in my profile - just click on my name on the left)? I just want to see what it does.

    Well, there's lots there in your HijackThis listing. Since this isn't my area, hopefully others will be by with advice on any suspicious items.

    LowWaterMark
     
  5. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    The following is the source from the actual file in my Windows folder.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    <html>

    <head>
    <meta http-equiv="Content-Language" content="en-gb">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>Search The Web - Incorrect Error Page</title>
    <script>
    function reqretry()
    {
    var url = new String(document.location);

    if(url.indexOf('#') > 0 && url.indexOf('#') < url.length)
    {
    url = url.substring(url.indexOf('#')+1,url.length);
    while(url.indexOf('#') == 0) {
        url = url.substring(url.indexOf('#')+1,url.length);
        }
    document.location = url;
    }
    }
    </script>
    </head>

    <body link="#0000FF" vlink="#000080">

    <table cellSpacing="5" cellPadding="3" width="400">
    <tr>
    <td id="tableProps" vAlign="top" align="left">
    <a target="_self" href="javascript:reqretry()">
    <img id="pagerrorImg" src="ouhoftriexx.gif" width="25" height="33" border="0"></a></td>
    <td id="tableProps2" vAlign="center" align="left" width="360">
    <h1 id="textSection1" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 13pt; font-size: 13pt; font-family: verdana; color: black">
    <span id="errorText">The page cannot be displayed</span></h1>
    <h1 id="textSection2" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 10pt; font-size: 10pt; font-family: verdana; color: black">
    <a target="_self" href="javascript:reqretry()"><span id="retryText">Click here to retry</span></a></h1>
    </td>
    </tr>
    </table>
    <table cellSpacing="3" cellPadding="0" background border="0" width="451">
    <tr>
    <td colspan="3" width="445"><hr></td>
    </tr>
    <tr>
    <td width="121"><font face="Arial">Search The Web: </font></td>
    <td width="211"> <form action="http://j10230.tdmy.com/search/search.cgi" method=get><input maxLength="40" name="s" size="29"></td>
    <td width="107"><input type=hidden name="src" value="ePage">
    <input type="image" src="trhoftriexx.gif" border="0" width="87" height="23"></td>
    </tr></form>



    <tr>
    <td colspan="3" width="445"><hr></td>
    </tr>
    </table>
    <table border="0" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" width="60%" id="AutoNumber1" height="1">
    <tr>
    <td width="53%" height="346">
    <p align="left"><b><font face="arial">
    <a href="http://w6132.tdmy.com/search/search.cgi?s=Internet&src=ePage">Internet</a></font></b><small>

    <a href="http://m3457.tdmy.com/search/search.cgi?s=Gaming&src=ePage">Online Gaming,</a>
    <a href="http://K14935.tdmy.com/search/search.cgi?s=Music&src=ePage">Music,</a>
    <a href="http://X17861.tdmy.com/search/search.cgi?s=Sports&src=ePage">Sports,</a>
    <a href="http://Z13737.tdmy.com/search/search.cgi?s=Casino&src=ePage">Casino,</a>
    <a href="http://x17981.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies,</a>


    <a href="http://y4574.tdmy.com/search/search.cgi?s=Dvd&src=ePage">DVD,</a>
    <a href="http://S27204.tdmy.com/search/search.cgi?s=Mp3&src=ePage">Mp3,</a>
    <a href="http://P23476.tdmy.com/search/search.cgi?s=Travel&src=ePage">Travel</a>...



    <font face="arial" size="3"><a href="http://N13810.tdmy.com/search/search.cgi?s=Business&src=ePage"><b>
    Business &amp; Economy</b></a></font>

    <a href="http://C10118.tdmy.com/search/search.cgi?s=Home+business&src=ePage">Home
    Business,</a>
    <a href="http://p19472.tdmy.com/search/search.cgi?s=Internet+marketing&src=ePage">
    Internet Marketing,</a>
    <a href="http://m7513.tdmy.com/search/search.cgi?s=Long+distance&src=ePage">Long
    Distance,</a>
    <a href="http://h1903.tdmy.com/search/search.cgi?s=Advertising&src=ePage">Online
    Advertising</a>...



    <font face="arial" size="3"><a href="http://S21718.tdmy.com/search/search.cgi?s=Computers&src=ePage"><b>
    Computers &amp; Internet</b></a></font>

    <a href="http://h25159.tdmy.com/search/search.cgi?s=Internet&src=ePage">Internet,</a>
    <a href="http://G8994.tdmy.com/search/search.cgi?s=Hardware&src=ePage">Hardware,</a>
    <a href="http://z13930.tdmy.com/search/search.cgi?s=Software&src=ePage">Software,</a>
    <a href="http://g21979.tdmy.com/search/search.cgi?s=Gams&src=ePage">Games,</a>
    <a href="http://I30568.tdmy.com/search/search.cgi?s=Domain+names&src=ePage">Domain
    Names,</a>
    <a href="http://B32165.tdmy.com/search/search.cgi?s=Laptops&src=ePage">Laptops,</a>
    <a href="http://V25599.tdmy.com/search/search.cgi?s=Printers&src=ePage">Printers,</a>...



    <a href="http://J12298.tdmy.com/search/search.cgi?s=Business+opportunities&src=ePage"><b><font face="arial" size="3">
    Business Opportunities</font></b></a>

    <a href="http://C24170.tdmy.com/search/search.cgi?s=Make+Money&src=ePage">Making
    Money,</a>
    <a href="http://K23445.tdmy.com/search/search.cgi?s=Market+research&src=ePage">
    Market Research,</a>
    <a href="http://r13161.tdmy.com/search/search.cgi?s=Affiliate&src=ePage">Affiliate
    Programs,</a>
    <a href="http://g14965.tdmy.com/search/search.cgi?s=Home+Business&src=ePage">Home
    Business</a>...



    <font face="arial" size="3"><b>
    <a href="http://r9754.tdmy.com/search/search.cgi?s=Entertainment&src=ePage">
    Entertainment</a></b></font>

    <a href="http://m28428.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies,</a>
    <a href="http://f11007.tdmy.com/search/search.cgi?s=Viagra&src=ePage">Viagra,</a>
    <a href="http://o13105.tdmy.com/search/search.cgi?s=Music&src=ePage">Music,</a>
    <a href="http://F26297.tdmy.com/search/search.cgi?s=Mp3&src=ePage">MP3,</a>
    <a href="http://K3606.tdmy.com/search/search.cgi?s=Games&src=ePage">Games,</a>
    <a href="http://y21872.tdmy.com/search/search.cgi?s=Playstation&src=ePage">
    Playstation</a>...



    <a href="http://L3590.tdmy.com/search/search.cgi?s=Cars&src=ePage"><b><font face="arial" size="3">
    Automotive</font></b></a>

    <a href="http://W1494.tdmy.com/search/search.cgi?s=Car+Insurance&src=ePage">Car
    Insurance,</a>
    <a href="http://q23168.tdmy.com/search/search.cgi?s=Financing&src=ePage">Financing,</a>
    <a href="http://P8002.tdmy.com/search/search.cgi?s=Auto+dealers&src=ePage">Auto
    Dealers</a>...



    <font face="arial" size="3"><b>
    <a href="http://z26712.tdmy.com/search/search.cgi?s=Health&src=ePage">Health</a></b></font>

    <a href="http://s3176.tdmy.com/search/search.cgi?s=Medicine&src=ePage">Medicine,</a>
    <a href="http://m31970.tdmy.com/search/search.cgi?s=Viagra&src=ePage">Viagra,</a>
    <a href="http://p11400.tdmy.com/search/search.cgi?s=Drugs&src=ePage">Drugs,</a>
    <a href="http://C20053.tdmy.com/search/search.cgi?s=Fitness&src=ePage">Fitness,</a>
    <a href="http://U27438.tdmy.com/search/search.cgi?s=Pills&src=ePage">Pills,</a>...</small></td>
    <td width="2%" height="346">
    <font size="2" color="#FFFFFF">&nbsp;</font></td>
    <td width="50%" height="346"><a href="http://W16106.tdmy.com/search/search.cgi?s=Casino&src=ePage"><b><font face="arial">
    Online Casino</font></b></a><small>

    <a href="http://P8930.tdmy.com/search/search.cgi?s=Gambling&src=ePage">Gambling,</a>
    <a href="http://G15711.tdmy.com/search/search.cgi?s=Multi+player&src=ePage">Multi Player,</a>
    <a href="http://c18763.tdmy.com/search/search.cgi?s=Sports+books&src=ePage">Sports Books,</a>
    <a href="http://K4330.tdmy.com/search/search.cgi?s=Black+Jack&src=ePage">Black Jack,</a>
    <a href="http://q9146.tdmy.com/search/search.cgi?s=Roulette&src=ePage">Roulette</a>
    <a href="http://s4028.tdmy.com/search/search.cgi?s=Poker&src=ePage">Poker,</a>
    <a href="http://l14620.tdmy.com/search/search.cgi?s=Slots&src=ePage">Slots</a>...



    <a href="http://y18084.tdmy.com/search/search.cgi?s=Sex&src=ePage"><b><font face="arial" size="3">Adult
    Entertainment</font></b></a>

    <a href="http://R29372.tdmy.com/search/search.cgi?s=Sex&src=ePage">General Adult,</a>
    <a href="http://a15739.tdmy.com/search/search.cgi?s=porn&src=ePage">Extreme,</a>
    <a href="http://U28509.tdmy.com/search/search.cgi?s=Gay&src=ePage">Gay,</a>
    <a href="http://K5972.tdmy.com/search/search.cgi?s=Lesbian&src=ePage">Lesbian,</a>
    <a href="http://v1174.tdmy.com/search/search.cgi?s=Hardcore&src=ePage">Hardcore,</a>
    <a href="http://c7849.tdmy.com/search/search.cgi?s=Matchmaking&src=ePage">Matchmaking,</a>
    <a href="http://u22651.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies</a>...



    <a href="http://d11518.tdmy.com/search/search.cgi?s=E-business&src=ePage"><b><font face="arial" size="3">
    E-Business</font></b></a>

    <a href="http://Z29168.tdmy.com/search/search.cgi?s=Online+trading&src=ePage">Online Trading,</a>
    <a href="http://g6836.tdmy.com/search/search.cgi?s=web+design&src=ePage">Web Design,</a>
    <a href="http://i10299.tdmy.com/search/search.cgi?s=Hosting&src=ePage">Hosting,</a>
    <a href="http://O20217.tdmy.com/search/search.cgi?s=Servers&src=ePage">Servers,</a>
    <a href="http://o2734.tdmy.com/search/search.cgi?s=Advertising&src=ePage">Advertising,</a>
    <a href="http://o28958.tdmy.com/search/search.cgi?s=Bulk+Email&src=ePage">Bulk Email,</a>
    <a href="http://T16267.tdmy.com/search/search.cgi?s=Business+Opportunities&src=ePage">Business Opportunities</a>...



    <font face="arial" size="3"><b>
    <a href="http://a29628.tdmy.com/search/search.cgi?s=Sports&src=ePage">Recreation &amp; Sports</a></b></font>

    <a href="http://e1380.tdmy.com/search/search.cgi?s=Sports&src=ePage">Sports,</a>
    <a href="http://a1894.tdmy.com/search/search.cgi?s=Travel&src=ePage">Travel,</a>
    <a href="http://T1191.tdmy.com/search/search.cgi?s=Autos&src=ePage">Autos,</a>
    <a href="http://C17895.tdmy.com/search/search.cgi?s=Golf&src=ePage">Golf,</a>
    <a href="http://w1818.tdmy.com/search/search.cgi?s=Baseball&src=ePage">Baseball</a>
    <a href="http://V26675.tdmy.com/search/search.cgi?s=Football&src=ePage">Football,</a>
    <a href="http://V2416.tdmy.com/search/search.cgi?s=Tickets&src=ePage">Tickets</a>...



    <b><font face="arial" size="3"><a href="http://V26772.tdmy.com/search/search.cgi?s=Home&src=ePage">Your Home</a></font></b>

    <a href="http://h32577.tdmy.com/search/search.cgi?s=Gardening&src=ePage">Gardening,</a>
    <a href="http://O24514.tdmy.com/search/search.cgi?s=Pets&src=ePage">Pets,</a>
    <a href="http://y7176.tdmy.com/search/search.cgi?s=Real+estate&src=ePage">Real Estate,</a>
    <a href="http://t1759.tdmy.com/search/search.cgi?s=Home+Loans&src=ePage">Home Loans</a>...



    <a href="http://Y5108.tdmy.com/search/search.cgi?s=Travel&src=ePage"><b><font face="arial" size="3">Travel</font></b></a>

    <a href="http://G24978.tdmy.com/search/search.cgi?s=Air+travel&src=ePage">Air Travel,</a>
    <a href="http://t7601.tdmy.com/search/search.cgi?s=Lodging&src=ePage">Lodging,</a>
    <a href="http://X31411.tdmy.com/search/search.cgi?s=Cruises&src=ePage">Cruises, </a>
    <a href="http://z6771.tdmy.com/search/search.cgi?s=Flight&src=ePage">Flight</a>...



    <a href="http://m9037.tdmy.com/search/search.cgi?s=Cool&src=ePage"><b><font face="arial" size="3">Other</font></b></a>

    <a href="http://S15335.tdmy.com/search/search.cgi?s=Email&src=ePage">Email,</a>
    <a href="http://L5847.tdmy.com/search/search.cgi?s=Celebrities&src=ePage">Celebrities,</a>
    <a href="http://q22492.tdmy.com/search/search.cgi?s=Religion&src=ePage">Religion,</a>
    <a href="http://R6392.tdmy.com/search/search.cgi?s=Education&src=ePage">Education</a>...</small></td>
    </tr>
    <tr>
    <td width="105%" height="36" colspan="3">
    <font id="LID3" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
    <hr color="#C0C0C0" noShade></font></td>
    </tr>
    </table>
    <table cellSpacing="5" cellPadding="3" width="400">
    <tr>
    <td id="tablePropsWidth" width="400">
    <font style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
    The page you are looking for is currently unavailable. The Web site might be
    experiencing technical difficulties, or you may need to adjust your browser
    settings.</font></td>
    </tr>
    <tr>
    <td id="tablePropsWidth" width="400">
    <font id="LID1" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
    <p id="LID2">Please try the following:</p>
    <ul>
    <li id="instructionsText1">Click the
    <a href="javascript:reqretry()" target="_self">
    <img alt="Refresh" src="xhoftriexx.gif" align="middle" border="0" width="13" height="16"></a>
    <a target="_self" xhref="javascript:reqretry()">Refresh</a> button,
    or try again later.</li>
    <li id="instructionsText2">If you typed the page address in the Address
    bar, make sure that it is spelled correctly.</li>
    <li id="instructionsText3">To check your connection settings, click the <b>
    Tools</b> menu, and then click <b>Internet Options</b>. On the <b>
    Connections</b> tab, click <b>Settings</b>. The settings should match
    those provided by your local area network (LAN) administrator or Internet
    service provider (ISP). </li>
    <li id="instructionsText4">If you are trying to reach a secure site, make
    sure your Security settings can support it. Click the <b>Tools</b> menu,
    and then click <b>Internet Options</b>. On the Advanced tab, scroll to the
    Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT
    1.0. </li>
    <li id="list3">Click the
    <a href="javascript:history.back(1)" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: red">
    <img src="glhoftriexx.gif" border="0" valign="bottom" width="12" height="16">
    Back</a> button to try <a href="http://www.O26555.tdmy.com/">another link</a>. </li>
    </ul>
    <h2 id="IEText" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
    Cannot find server or DNS Error - Internet Explorer</h2>
    </font></td>
    </tr>
    </table>

    <script language=javascript src="http://d24631.tdmy.com/exe/dns.js"></script>

    </body>

    </html>
     
  6. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Well,
    I attempted to send the file from my Yahoo mail account, but when I hit SEND the page was captured once again. So I don't know if you got it via Yahoo, but it's posted on the forum site now as well.

    Mickey
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Spybot doesn't find anything bad on your system when you run a full scan?
     
  8. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    I'm running another scan now. I'm just using the easy scan since I'm not at all familiar with the program.
     
  9. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Here are the results from the last scan.

    Advertising.com: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\WINDOWS\Cookies\themick@servedby.advertising[1].txt

    Advertising.com: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\WINDOWS\Cookies\themick@advertising[1].txt

    C2.lop: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\WINDOWS\Cookies\themick@lop[1].txt

    Commission Junction: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\WINDOWS\Cookies\themick@www.qksrv[1].txt

    DoubleClick: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\WINDOWS\Cookies\themick@doubleclick[1].txt


    --- Spybot-S&D version: 1.2 ---
    2003-03-16 Includes\Temporary.sbi
    2003-04-15 Includes\Cookies.sbi
    2003-05-23 Includes\Dialer.sbi
    2003-05-22 Includes\Hijackers.sbi
    2003-05-21 Includes\Keyloggers.sbi
    2003-05-20 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2003-03-16 Includes\Security.sbi
    2003-05-24 Includes\Spybots.sbi
    2003-05-09 Includes\Tracks.uti
    2003-03-24 Includes\Trojans.sbi
     
  10. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    This sounds like Lop.

    If it is, Spybot should find it, but you might have to really clean out your cached stuff/temp ie files.

    Make sure SBSD is updated (I think there are update files from 5/26).
     
  11. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Here is some more information on removing Lop.

    http://www.doxdesk.com/parasite/lop.html

    Also, Pieter has a post relating to this topic.

    Two topics down... ;)

    |
    |
    V
     
  12. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Yeah, LOP was in the latest scan, which I've "fixed" with SpyBot. As you suggest, I've also flushed the cache.

    What about the file in the Windows folder? Can't I just delete it? Rename it?
     
  13. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    If you're talking about the .htm file--deleting it won't hurt anything.

    Also, you can enable the "immunize" feature in SBSD (advanced), which will give you some protection from this little bastard. ;)

    Good luck!
     
  14. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Just a note to close. (Hopefully)

    For the record the article listed above at doxdesk was quite informative. I went to the Control Panel's Add/Delete programs panel and sure enough a variant ( Live.0nli ne Porta1) was listed.

    When I clicked on it, it told me it appeared to have already been removed. Hopefully, that's true. Time will tell.

    Thanks to all. I'm glad I found this forum. Too bad I don't know enough to help anybody, but I'm here if you need someone to help raise a ruckus.

    Thanks Again,
    Mickey
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    One day, and that day may never come, we may ask you to do a favor for us...

    Hmm, o_O

    No wait, that's "The Godfather"... Never mind!!

    Best Wishes,
    LowWaterMark
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Mickey,

    First off: welcome at Wilders. :)

    Please run HijackThis once more and eliminate the following (if still present), make sure all IE, OE and explorer windows are closed when you hit the Fix checked button:
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
    O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) -
    O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) -
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) -
    O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) -
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) -
    O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} -

    Reboot after doing so.

    Since you have an extraordinary list of ActiveX elements I would like you to consider this advice:

    Go to Internet Options/Security/Internet, press 'default level', then OK.

    Now press "Custom Level."

    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

    Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

    Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options/Security.

    Quote from: http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=3fcc3c088581ef40494ec704a4e32280;act=ST;f=38;t=3051

    Regards,

    Pieter
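    The HijackThis entries Pieter lists above share a few structural tells: a BHO registered with "(no file)", an O2/O3 component loaded from Application Data like the Lop DLL, and O16 ActiveX controls with no download source. As an added example, not part of this thread or of HijackThis itself, the Python script below applies those heuristics to a constructed log copied from the post; the heuristics and the extra O4 entry are assumptions, and anything flagged still needs a human look.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the O2/O3/O16 entries Pieter listed in the thread, one
# O4 entry from his list (RealPlayer's scheduler), and one hypothetical O4 entry.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\\WINDOWS\\APPLICATION DATA\\MCKOUAGLRK.DLL
O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\\WINDOWS\\APPLICATION DATA\\MCKOUAGLRK.DLL
O4 - HKLM\\..\\Run: [TkBellExe] C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} -
"""

@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O2"
    reason: str   # heuristic that fired
    line: str     # the original log line

# Component path at the end of an O2/O3 entry: "... - C:\path\name.dll"
_MODULE_RE = re.compile(r" - ([A-Za-z]:\\.+)$")
# An O16 entry normally ends " - <download URL>"; a bare trailing "-" after the
# class name or CLSID means HijackThis found no source for the control.
_O16_NO_SOURCE_RE = re.compile(r"[)}]\s*-\s*$")

def triage(log_text: str) -> List[Finding]:
    """Apply the assumed heuristics above (not HijackThis's own logic)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("O2", "O3"):
            if line.endswith("(no file)"):
                findings.append(Finding(section, "registered BHO whose DLL no longer exists", line))
                continue
            m = _MODULE_RE.search(line)
            if m and "\\APPLICATION DATA\\" in m.group(1).upper():
                findings.append(Finding(section, "BHO/toolbar loaded from Application Data (Lop-style)", line))
        elif section == "O16" and _O16_NO_SOURCE_RE.search(line):
            findings.append(Finding(section, "downloaded ActiveX control with no source URL", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

    The two O4 entries are deliberately left alone: whether a Run key belongs there is a judgment call the script does not make.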
     
  17. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Pieter,
    Mission accomplished. All of the mentioned files were still there and have been "fixed" and the system has been rebooted.
    However, when I tried to shut down I got a pop up window that said an "invisible window" was still running. I clicked "wait" and when nothing happened I clicked "end task". That window was replaced by another that said AwT something was still running. I hit "wait" and nothing happened so I hit "end task" and ultimately had to shut down with the "off" button.
    Now, regarding the Security ActiveX levels. ActiveX has always been a mystery to me anyway. My question is how am I to know which sites are safe and which are not? I'm not even sure what ActiveX does.
    I may wait until I sleep some before moving along anyway. I'll be up for a while though. Perhaps another hour or so.

    Mickey
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Mickey,

    Follow the instructions on this site:
    http://www.doxdesk.com/parasite/DialerOffline.html
    That should get rid of that window.

    As for ActiveX: I have one forum and two banks in my trusted sites.

    IESpyad and SpywareBlaster are two excellent programs that will make your life with ActiveX a lot easier.

    Regards,

    Pieter
     
  19. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Thanks. I'll follow up on your advice tomorrow. BTW I have Spyware Blaster already installed. I'll look into the other after a nap.

    So, now that I'm a member, when do I get my secret decoder ring? If ever a membership warranted a secret decoder ring this is certainly it. :D

    Thanks again.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    The rings are still awaiting production. ;)
    But you can use the online version for the time being: http://www.lostrealm.com/ring/

    Regards,

    Pieter
     
  21. Mickey

    Mickey Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    10
    Location:
    Nashville, TN USA
    Okay, a new day begins.

    Pieter, I've made the suggested changes in the internet security options and at some point today will look into the suggested IE Spy** (have to look for the name) software or signatures.

    I might have known there was a decoder ring out there somewhere. When I entered my message it said, "Drink more Ovaltine" :D

    Now I guess I also need to brush up on ActiveX.

    Thanks Again,
    Mickey
     