Jump to content


Photo

Infected with Search Everything


  • Please log in to reply
4 replies to this topic

#1 FatCat

FatCat

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 02 June 2004 - 02:18 PM

I've been trying everything for hours with no result. Spybot Search and Destroy didn't work for me so this is really my last resort.

Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 04:51:00, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\program files\steam\steam.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lime_Shop\Limeshop1.exe
C:\Program Files\Lime_Shop\Limeshop0.exe
C:\DOCUME~1\Nicholas\LOCALS~1\Temp\Rar$EX00.266\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I've been deleting the R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632 over and over again and it keeps popping up.

If I can get any help on this it'd be very much appreciated.

Thanks

#2 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 02 June 2004 - 02:38 PM

hey.
RIght click the desktop,new-folder, name it hijackthis and put the program inside that folder.

We'll get rid of that website that keeps coming up. Please click here to download cwshredder. http://www.spywarein.../CWShredder.exe Save it to the desktop. Open it up. Make sure you have no browser windows open prior to running it. Uncheck the box about the recycling bin. Then click Fix-->. When it is done, restart your computer.

Have hijackthis fix the following:
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O4 - Global Startup: winlogin.exe

reboot computer.

delete the following:

C:\Program Files\Lime_Shop\
C:\WINDOWS\System32\sysstartup.exe
(Do a seach for the following item and delete it: )winlogin.exe..Please don't confuse it with the legit file winlogon.exe .. delete the file that ends with "in" not "on"

empty recycling bin and post a new log




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#3 FatCat

FatCat

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 02 June 2004 - 10:35 PM

Thanks for the prompt reply.

Followed those instructions exactly, only problem encountered was that I was unable to delete winlogin.exe. Task Manager doesn't show it as a running process, I was only able to delete some backup files of winlogin.exe after doing a search on winlogin.exe.

Here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 13:30:38, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\program files\steam\steam.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nicholas\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 FatCat

FatCat

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 02 June 2004 - 11:18 PM

I've somehow managed to stop "Search Everything" from starting on my browser. Was sifting through the forums and on page 5 came across a similar problem to mine.

C:\WINDOWS\system32\hp.uti was the topic.

I followed Daemon's instructions somewhat, here they are:

Hi guys - hope you don't mind me joining in on this one. You still need to get rid of the hijacker. Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

C:\WINDOWS\image.dll

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\WINDOWS\image.dll listing should show up in the window. Then repeat the process, this time adding:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:

C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\System32\bpt656txo4ddno.dll
C:\Program Files\TV Media\Tvm.exe

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\bpt656txo4ddno.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O15 - Trusted Zone: *.greg-search.com

Reboot when done. Rescan with HJT and post a new log.

-

I managed to get rid of winlogin.exe with TheKillBox and after running HijackThis I also managed to finally eliminate;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632

My browser stopped popping up "Search Everything", but my homepage still read http://solongas.com/hp.htm?id=632.

With no method to my madness, I also used HijackThis to fix;

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\zbupr6jihkd40g.dll

Right now, everything seems to work perfectly. Here's my current HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 14:15:16, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\program files\steam\steam.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nicholas\Desktop\Spyware Eliminators\HijackThis.exe

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I hope this is the end to this (for now). If any of you gurus can still see things that need to be fixed, I appreciate your help and feedback. Hope this information also helps anyone out there that is plagued by these hijackers.

Many thanks to pomp86 for his quick reply.

#5 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 03 June 2004 - 11:05 AM

Your log is clean now! Glad I could be of a help to you!




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button