Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Help, I've been hijacked by a weird protocol!

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 3 posts
Hello... this is my first post to GTG. I could use some help, if someone out there would be so kind....

Every 30 minutes, at 10 past and 40 past the hour, IE tries to open the following page:


The page doesn't load... I get a message about an invalid protocol. I have no idea where this came from, but it started happening a few days ago and no spyware removal tools I've run (Ad-Aware, Spybot, ScanSpyware) seem to be able to stop it. I can't even find any references to this strange "dtdp" protocol anywhere! Can anyone help me get rid of this?

Here's my HijackThis log.... Thank you all VERY MUCH in advance! :tazz: -Jesse


Logfile of HijackThis v1.99.0
Scan saved at 4:26:19 AM, on 2/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Apache\Apache2\bin\Apache.exe
C:\Program Files\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\pcAnywhere\awhost32.exe
C:\Program Files\Apache\Apache2\bin\Apache.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee VirusScan\Vshwin32.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AboutTime\AboutTime.exe
C:\Program Files\FlashPath\sdstat.exe
C:\Program Files\Apache\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SEVEN\Personal Edition\DesktopClient.exe
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\Program Files\Microsoft Office XP\Office10\MSOFFICE.EXE
C:\Program Files\SHOUTcast\sc_serv.exe
C:\Program Files\SHOUTcast\sc_serv.exe
c:\program files\winamp\winamp.exe
C:\Program Files\SEVEN\Personal Edition\Connection.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\doublelook\doublelook.exe
C:\Program Files\Microsoft Office XP\Office10\OUTLOOK.EXE
C:\program files\hijackThis\hijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: desktop.kazaa.com
O1 - Hosts: alpha.kazaa.com
O1 - Hosts: shop.kazaa.com
O1 - Hosts: .1 www.qualypromos.com
O2 - BHO: Local Spool support DLL - {20C9D850-244D-11E1-B3C9-10805E499D95} - C:\WINDOWS\System32\loclspl.dll
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Palm\FireConverterBrowserHelperObject.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DoubleLook] c:\program files\doublelook\doublelook.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office XP Shortcut Bar.lnk = C:\Program Files\Microsoft Office XP\Office10\MSOFFICE.EXE
O4 - Startup: QuickRun.LNK = C:\Program Files\QuickRun\QUICKRUN.EXE
O4 - Startup: Run Winamp and Hide DSP.LNK = C:\Program Files\Winamp\callwinamp-startup.bat
O4 - Startup: SHOUTcast DNAS (128k Stereo).lnk = C:\Program Files\SHOUTcast\sc_serv.exe
O4 - Startup: SHOUTcast DNAS (24k Mono).lnk = C:\Program Files\SHOUTcast\sc_serv.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\FlashPath\sdstat.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: POD.lnk = C:\Program Files\Omnipod\omnipod.exe
O4 - Global Startup: SEVEN Personal Edition.lnk = C:\Program Files\SEVEN\Personal Edition\DesktopClient.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.fleet.com
O15 - Trusted Zone: *.tivocommunity.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE28FA1A-E046-42DC-9DE7-605DC53A1B61} (Link3e Class) - https://www.patientg...gw/ptcomp3f.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MGH.HARVARD.EDU
O17 - HKLM\Software\..\Telephony: DomainName = MGH.HARVARD.EDU
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD40C0A-55BF-422B-8B2D-0256D1351AAA}: Domain = mgh.harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD40C0A-55BF-422B-8B2D-0256D1351AAA}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MGH.HARVARD.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mgh.harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mgh.harvard.edu
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache\Apache2\bin\Apache.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\McAfee VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Serv-U FTP Server - Cat Soft - C:\PROGRA~1\Serv-U\ServUDaemon.exe
O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
If it helps, I just captured another attempt to hijack my browser, and I noticed that the URL is slightly different (at the end, the ORD argument has been incremented):


The browser response is an "illegal syntax error - this page cannot be displayed."

cjt1.net.... isn't that cydoor related? :mad: But no cydoor removal tools I tried seem to work. :tazz:

Thanks again, Jesse
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Okay, now I've tried running Norton Antivirus 2005 and this is STILL happening twice an hour. There are no traces of dtdp anywhere in my registry.

Can anyone please help me?
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP