Jump to content


Photo

here4search.com


  • Please log in to reply
5 replies to this topic

#1 martyndwn

martyndwn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 June 2004 - 12:06 PM

My home page keeps changing to here4search.com. The address in the internet option home page is http://solongas.com/hp.htm?id=80


I have downloded the following programs

spyware begone
no adware
hijack this
spybot search & destroy

I am operating on windows 2000 and ie 6


Can anyone help? :wtf:

#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 14 June 2004 - 05:44 PM

Hello,

Please verify that you have the latest version of Spybot Search & Destroy, v1.3. If you do not have v1.3, please click here to download Spybot Search & Destroy v1.3 - Install, update, scan and fix all RED items it finds. Reboot when done.

Download and configure Ad-aware for a customized scan.....

Click here to download Ad-aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

Next, perform an online virus scan at Trend Micro and an online Trojan scan at Sygate. (See links in my signature below). Allow each program to remove whatever it may find. Reboot after each scan.

Now, use the link in my signature below to proceed to the Windows Update site. Scan your system for needed updates, then download and install ALL critical updates. Reboot when finished.

Make sure that you have the latest version of HijackThis, 1.97.7 and that you have placed it into an individual folder of its own. Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log into this topic. DO NOT Delete or modify anything yet, as most of it is needed for your system's operation!

#3 martyndwn

martyndwn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 15 June 2004 - 01:41 PM

Logfile of HijackThis v1.97.7
Scan saved at 21:39:00, on 15/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\TSIRCSRV.EXE
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\TSI32\tsircusr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\system32\zggaspl38rrvb.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O13 - DefaultPrefix:
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.2639467593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{E31EE72C-ED5C-44D9-9EAD-479B8B390F41}: NameServer = 128.86.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com

This is the log file. Thanks

#4 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 15 June 2004 - 06:36 PM

martyndwn,

You have a CWS infection. Go here and download CWShredder v1.59 by Merijn Bellekom.

Boot into safe mode by restarting your computer and immediately begin tapping the <F8> key. Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Unzip the the CWShredder file, then click on the shredder icon to open the program. Click on the FIX button at the bottom of the right side of the panel. It will show a screen reminding you to CLOSE ALL WINDOWS AND BROWSERS. Be sure only the Shredder window is open, then click "OK." It will analyze your system and tell you what it has found. Let it FIX everything it finds. Reboot (again in safe mode). Then, to be safe, run it AGAIN and do the same if it finds anything further.

Reboot into normal mode, scan with HijackThis and post a fresh log into this same thread.

#5 martyndwn

martyndwn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 16 June 2004 - 09:17 AM

This is the latest log file


Logfile of HijackThis v1.97.7
Scan saved at 17:14:48, on 16/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\TSIRCSRV.EXE
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\TSI32\tsircusr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.flygt.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.flygt.com:8080
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\system32\zggaspl38rrvb.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O13 - DefaultPrefix:
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.2639467593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{6D447B44-9366-444F-936E-EF557DDA78F6}: NameServer = 10.63.28.8,10.63.28.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = emea.itt.net,flygt.com

#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 16 June 2004 - 04:40 PM

Hello,

Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\system32\zggaspl38rrvb.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


O13 - DefaultPrefix:


Is this 015 item an entry that you intentionally placed into the Trusted Zone, allowing it to have access to your system? If not, please remove it:

O15 - Trusted Zone: *.greg-search.com

Reboot.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot, scan with HijackThis and post a fresh log into this same thread.

Edited by NonSuch, 17 June 2004 - 01:13 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button