Help, I've been hijacked by a weird protocol!

#1
kumashi

Hello... this is my first post to GTG. I could use some help, if someone out there would be so kind....

Every 30 minutes, at 10 past and 40 past the hour, IE tries to open the following page:

dtdp://748|331|1|jgen44.cjt1.net/HTM/704/0/JavaSiteRequest.asp?LV=6000&DC=453&NF=0&IW=720&IH=300&ORD=1108089738670

The page doesn't load... I get a message about an invalid protocol. I have no idea where this came from, but it started happening a few days ago and no spyware removal tools I've run (Ad-Aware, Spybot, ScanSpyware) seem to be able to stop it. I can't even find any references to this strange "dtdp" protocol anywhere! Can anyone help me get rid of this?

Here's my HijackThis log.... Thank you all VERY MUCH in advance! :tazz: -Jesse

--

Logfile of HijackThis v1.99.0
Scan saved at 4:26:19 AM, on 2/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache\Apache2\bin\Apache.exe
C:\Program Files\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\pcAnywhere\awhost32.exe
C:\Program Files\Apache\Apache2\bin\Apache.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\Serv-U\ServUDaemon.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AboutTime\AboutTime.exe
C:\Program Files\FlashPath\sdstat.exe
C:\Program Files\Apache\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SEVEN\Personal Edition\DesktopClient.exe
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office XP\Office10\MSOFFICE.EXE
C:\Program Files\SHOUTcast\sc_serv.exe
C:\Program Files\SHOUTcast\sc_serv.exe
C:\WINDOWS\system32\taskmgr.exe
c:\program files\winamp\winamp.exe
C:\Program Files\SEVEN\Personal Edition\Connection.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\PopUpCop\PCCloser.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\doublelook\doublelook.exe
C:\Program Files\Microsoft Office XP\Office10\OUTLOOK.EXE
C:\program files\hijackThis\hijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O1 - Hosts: .1 www.qualypromos.com
O2 - BHO: Local Spool support DLL - {20C9D850-244D-11E1-B3C9-10805E499D95} - C:\WINDOWS\System32\loclspl.dll
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Palm\FireConverterBrowserHelperObject.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DoubleLook] c:\program files\doublelook\doublelook.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office XP Shortcut Bar.lnk = C:\Program Files\Microsoft Office XP\Office10\MSOFFICE.EXE
O4 - Startup: QuickRun.LNK = C:\Program Files\QuickRun\QUICKRUN.EXE
O4 - Startup: Run Winamp and Hide DSP.LNK = C:\Program Files\Winamp\callwinamp-startup.bat
O4 - Startup: SHOUTcast DNAS (128k Stereo).lnk = C:\Program Files\SHOUTcast\sc_serv.exe
O4 - Startup: SHOUTcast DNAS (24k Mono).lnk = C:\Program Files\SHOUTcast\sc_serv.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\FlashPath\sdstat.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: POD.lnk = C:\Program Files\Omnipod\omnipod.exe
O4 - Global Startup: SEVEN Personal Edition.lnk = C:\Program Files\SEVEN\Personal Edition\DesktopClient.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.fleet.com
O15 - Trusted Zone: *.tivocommunity.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE28FA1A-E046-42DC-9DE7-605DC53A1B61} (Link3e Class) - https://www.patientg...gw/ptcomp3f.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MGH.HARVARD.EDU
O17 - HKLM\Software\..\Telephony: DomainName = MGH.HARVARD.EDU
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD40C0A-55BF-422B-8B2D-0256D1351AAA}: Domain = mgh.harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD40C0A-55BF-422B-8B2D-0256D1351AAA}: NameServer = 132.183.100.12,132.183.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MGH.HARVARD.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mgh.harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mgh.harvard.edu
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache\Apache2\bin\Apache.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\McAfee VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Serv-U FTP Server - Cat Soft - C:\PROGRA~1\Serv-U\ServUDaemon.exe
O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

#2
kumashi

If it helps, I just captured another attempt to hijack my browser, and I noticed that the URL is slightly different (at the end, the ORD argument has been incremented):

dtdp://748|331|1|jgen44.cjt1.net/HTM/704/0/JavaSiteRequest.asp?LV=6000&DC=453&NF=0&IW=720&IH=300&ORD=1108201866430?&

The browser response is an "illegal syntax error - this page cannot be displayed."

cjt1.net.... isn't that cydoor related? :mad: But no cydoor removal tools I tried seem to work. :tazz:

Thanks again, Jesse
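
Added example (Python, not from the thread or its author): a small triage helper for the two URLs and the O1 Hosts lines posted above. It splits the `dtdp://` pseudo-URL into the pipe-delimited numbers, host, path and query; decodes `ORD` as milliseconds since the Unix epoch, which is my inference rather than anything the thread states, but both values land on 11 and 12 Feb 2005 UTC, the days these posts were written, which is what a timestamp cache-buster looks like; and flags the O1 lines that point kazaa.com names at a remote address, plus the malformed `.1` entry. The `ads.example.test` loopback line is constructed to show what the triage leaves alone.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
# Constructed copies of the two URLs and O1 lines quoted in the thread, plus one constructed loopback entry.
HIJACK_URLS = [
    "dtdp://748|331|1|jgen44.cjt1.net/HTM/704/0/JavaSiteRequest.asp?LV=6000&DC=453&NF=0&IW=720&IH=300&ORD=1108089738670",
    "dtdp://748|331|1|jgen44.cjt1.net/HTM/704/0/JavaSiteRequest.asp?LV=6000&DC=453&NF=0&IW=720&IH=300&ORD=1108201866430?&",
]
HOSTS_LINES = [
    "O1 - Hosts: 216.40.230.4 desktop.kazaa.com",
    "O1 - Hosts: 216.40.230.4 alpha.kazaa.com",
    "O1 - Hosts: 216.40.230.4 shop.kazaa.com",
    "O1 - Hosts: .1 www.qualypromos.com",
    "O1 - Hosts: 127.0.0.1 ads.example.test",  # constructed: a loopback entry only blocks a name, not flagged
]
URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<prefix>(?:\d+\|)*)"
                    r"(?P<host>[^/]+)(?P<path>/[^?]*)\??(?P<query>.*)$")

def parse_hijack_url(url):
    """Split the pseudo-URL into scheme, the pipe-delimited numbers, host, path and query."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("unrecognised URL shape: " + url)
    query = dict(p.split("=", 1) for p in m["query"].split("&") if "=" in p)
    return {"scheme": m["scheme"], "host": m["host"], "path": m["path"], "query": query,
            "prefix": [int(n) for n in m["prefix"].split("|") if n]}

def ord_as_utc(value):
    """Read ORD's leading digits as ms since the Unix epoch (inference; the stray '?' is ignored)."""
    digits = re.match(r"\d+", value)
    if not digits:
        return None
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(digits.group()))

def triage_hosts(lines):
    """(line, reason) for O1 entries to review: unparsable address, or a name sent to a remote host."""
    findings = []
    for line in lines:
        m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        addr, name = m.groups()
        try:
            ip = ip_address(addr)
        except ValueError:
            findings.append((line, "malformed address " + repr(addr)))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            findings.append((line, f"{name} is redirected to {ip}"))
    return findings
```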

#3
kumashi

Okay, now I've tried running Norton Antivirus 2005 and this is STILL happening twice an hour. There are no traces of dtdp anywhere in my registry.

Can anyone please help me?