Jump to content


Photo

Solongas has taken my comp over!!


  • This topic is locked This topic is locked
6 replies to this topic

#1 biglee42

biglee42

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 June 2004 - 12:31 PM

Hi all,

Any help with the HJT log below would be really apprciated. I've tried CWShredder and Spybot, but to no success. It's starting to drive me nuts!!!

Logfile of HijackThis v1.97.7
Scan saved at 6:14:43 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MICROS~1\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\1xtc4vg4vm9d.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .AIFF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E77DE0AC-2EB8-42FB-8CD7-97CBF2E2B9F0}: NameServer = 213.1.119.97 213.1.119.98

Thanks for any help you can offer.

Lee

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 12 June 2004 - 04:41 PM

Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59. Reboot when done.

Create a new folder called C:\HijackThis, move the HijackThis.exe file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\1xtc4vg4vm9d.dll
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.greg-search.com

Reboot when done, find and delete the following:

C:\WINDOWS\image.dll

Rescan with HJT and post a new log here for a final check over.
Posted Image

#3 biglee42

biglee42

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 June 2004 - 07:47 PM

Ok, thanks for the help.

I've done all that you advised, except I can't find the C:windows\image.dll folder. I searched manually through the windows folder and used the seacrh function as well. But no luck.

Here's the latest scan from HJT:

Logfile of HijackThis v1.97.7
Scan saved at 1:42:19 AM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .AIFF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E77DE0AC-2EB8-42FB-8CD7-97CBF2E2B9F0}: NameServer = 213.1.119.97 213.1.119.98


My start page is back to my normal, and seems to be staying there. Is there anything else I need to do?

#4 biglee42

biglee42

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 June 2004 - 07:52 PM

Ok, I did another search, and refined it and found the following:

rplimage.dll C:\WIN98\PRECOPY2.CAB

image.dll C:\Program Files\Ahead\Nero

Are either of these the one I should delete?

#5 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 13 June 2004 - 03:24 AM

No, they are OK. Your log is clean now - how is it running?
Posted Image

#6 biglee42

biglee42

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 June 2004 - 05:23 AM

It's running great now, maybe even a bit faster than it has for a while!!

Seriously though, thanks for all the help. I really am grateful, and am forever in your debt!

Thank you,

Lee

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 13 June 2004 - 05:27 AM

You're welcome - glad to help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button