• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
FatCat

Infected with Search Everything

5 posts in this topic

I've been trying everything for hours with no result. Spybot Search and Destroy didn't work for me so this is really my last resort.

 

Here's my HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 04:51:00, on 03/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\StartupMonitor.exe

C:\WINDOWS\System32\RUNDLL32.EXE

D:\program files\steam\steam.exe

C:\Program Files\belkin\Bluetooth Software\BTTray.exe

C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Lime_Shop\Limeshop1.exe

C:\Program Files\Lime_Shop\Limeshop0.exe

C:\DOCUME~1\Nicholas\LOCALS~1\Temp\Rar$EX00.266\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [steam] "d:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [iDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I've been deleting the R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632 over and over again and it keeps popping up.

 

If I can get any help on this it'd be very much appreciated.

 

Thanks

Share this post


Link to post
Share on other sites

hey.

RIght click the desktop,new-folder, name it hijackthis and put the program inside that folder.

 

We'll get rid of that website that keeps coming up. Please click here to download cwshredder. http://www.spywareinfo.com/~merijn/files/CWShredder.exe Save it to the desktop. Open it up. Make sure you have no browser windows open prior to running it. Uncheck the box about the recycling bin. Then click Fix-->. When it is done, restart your computer.

 

Have hijackthis fix the following:

O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm

O4 - Global Startup: winlogin.exe

 

reboot computer.

 

delete the following:

 

C:\Program Files\Lime_Shop\

C:\WINDOWS\System32\sysstartup.exe

(Do a seach for the following item and delete it: )winlogin.exe..Please don't confuse it with the legit file winlogon.exe .. delete the file that ends with "in" not "on"

 

empty recycling bin and post a new log

Share this post


Link to post
Share on other sites

Thanks for the prompt reply.

 

Followed those instructions exactly, only problem encountered was that I was unable to delete winlogin.exe. Task Manager doesn't show it as a running process, I was only able to delete some backup files of winlogin.exe after doing a search on winlogin.exe.

 

Here's the new log.

 

Logfile of HijackThis v1.97.7

Scan saved at 13:30:38, on 03/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\StartupMonitor.exe

C:\WINDOWS\System32\RUNDLL32.EXE

D:\program files\steam\steam.exe

C:\Program Files\belkin\Bluetooth Software\BTTray.exe

C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Nicholas\Desktop\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [steam] "d:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [iDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

I've somehow managed to stop "Search Everything" from starting on my browser. Was sifting through the forums and on page 5 came across a similar problem to mine.

 

C:\WINDOWS\system32\hp.uti was the topic.

 

I followed Daemon's instructions somewhat, here they are:

 

Hi guys - hope you don't mind me joining in on this one. You still need to get rid of the hijacker. Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

 

C:\WINDOWS\image.dll

 

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\WINDOWS\image.dll listing should show up in the window. Then repeat the process, this time adding:

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

 

If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:

 

C:\WINDOWS\System32\sysstartup.exe

C:\WINDOWS\System32\bpt656txo4ddno.dll

C:\Program Files\TV Media\Tvm.exe

 

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

 

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

 

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\bpt656txo4ddno.dll

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O15 - Trusted Zone: *.greg-search.com

 

Reboot when done. Rescan with HJT and post a new log.

 

-

 

I managed to get rid of winlogin.exe with TheKillBox and after running HijackThis I also managed to finally eliminate;

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632

 

My browser stopped popping up "Search Everything", but my homepage still read http://solongas.com/hp.htm?id=632.

 

With no method to my madness, I also used HijackThis to fix;

 

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll

 

Right now, everything seems to work perfectly. Here's my current HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 14:15:16, on 03/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\StartupMonitor.exe

C:\WINDOWS\System32\RUNDLL32.EXE

D:\program files\steam\steam.exe

C:\Program Files\belkin\Bluetooth Software\BTTray.exe

C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Nicholas\Desktop\Spyware Eliminators\HijackThis.exe

 

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [steam] "d:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [iDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I hope this is the end to this (for now). If any of you gurus can still see things that need to be fixed, I appreciate your help and feedback. Hope this information also helps anyone out there that is plagued by these hijackers.

 

Many thanks to pomp86 for his quick reply.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0