affected badly with "here4search" and "slongans"


ravi
07-27-2004, 05:48 AM
affected badly with "here4search" and "slongans", always coming to my default home page. Anyone pls tell me what to delete. I am pasting Logfile of HijackThis. Many Thanks.

Logfile of HijackThis v1.98.0
Scan saved at 8:19:03 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\download\for virus purpose\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findwhatevernow.com/searchband2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\u5kmf9mriuyiif.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/kill.chm::/d_Main.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/installers/default/SpyWareNukerInstaller.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
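
A first-pass triage of log lines like those posted above, as an added example (not part of the original thread and not HijackThis's own logic). The rule set and the `trusted_hosts` allowlist are assumptions chosen for illustration; what it returns is a list of entries to review first, not a removal list.

```python
import re

# Sample input: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\u5kmf9mriuyiif.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/kill.chm::/d_Main.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# "<section> - <body>"; header and process-list lines do not match.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Hypothetical rules: (section or None for any, pattern on the body, reason).
RULES = [
    (None, re.compile(r"\((file missing|no file)\)"), "registered component, file absent"),
    ("O4", re.compile(r"\bregsvr32\b", re.I), "autorun entry invokes regsvr32"),
    ("O15", re.compile(r"."), "site added to the Trusted Zone"),
    ("O16", re.compile(r" - (ms-its|mhtml):", re.I), "ActiveX codebase uses ms-its/mhtml scheme"),
]

def triage(log_text, trusted_hosts=()):
    """Return [(section, reason, line)] for entries a reviewer should read first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        for prefix, pattern, reason in RULES:
            if (prefix is None or section == prefix) and pattern.search(body):
                findings.append((section, reason, line))
        if section in ("R0", "R1"):  # IE start/search pages: check the first URL's host
            m_host = re.search(r"= https?://([^/\s:]+)", body)
            host = m_host.group(1).lower() if m_host else None
            if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append((section, "start/search page on unlisted host " + host, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG, trusted_hosts=("yahoo.com",)):
        print(f"{section:4} {reason}\n     {line}")
```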

llbbl
07-27-2004, 06:39 AM

Download Hijack this: http://tomcoyote.com/hjt/

Unzip, update and scan. The scan button will turn into a save log button. Save it, copy and paste it back into this thread. Don't fix anything yet because most of it is needed. Make sure you place HJT into a folder of its own. You may need to restore an item and you will not be able to from a temp. dir.
You can create a folder by going to My Computer and double-clicking on C:
Then right click and create folder. Name it HJT or something similar and unzip HJT into it. Or right click on your desktop and create a folder there. If you put it on your desktop make sure it is in a folder tho'. Otherwise your backups will clutter everything up. Wherever is easiest for you.

*had to edit it way too many logs in this thread*

TRY THIS FIRST BEFORE POSTING YOUR HIJACKTHIS LOG
--

1) Download and Install CWShredder

http://209.133.47.12/~merijn/files/CWShredder.exe

2) If that doesn't work follow Instructions BELOW in TecknoGeek's Post


Quote:
Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

C:\WINDOWS\image.dll

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\WINDOWS\image.dll listing should show up in the window. Then repeat the process, this time adding:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:

C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\System32\ogf032cc2v.dll

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Open TheKillbox again, click File, Open!Submit and you will see a folder bearing the date that you used TheKillbox - zip it up and send to this e-mail address including a link to this thread in the body of the email.

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'Fix checked':

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\ogf032cc2v.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe

Reboot when done. Rescan with HJT and post a new log.





http://forums.spywareinfo.com/index.php?showtopic=4000

Thanks go to Daemon from the SWI Forums. Here are some links from his post or you can go to their forums.

Thekillbox
http://download.broadbandmedic.com/

Missingfilessetup
http://www.davehigham.zen.co.uk/dow...ngfilesetup.exe

REGEDIT METHOD TRY THIS IF THE KILL BOX METHOD DOESN'T WORK


Quote:
Originally posted by Guest
Homepage hijacked:

Tools>internet options (See who hijacked you) in the "Here4Search" and "Solongas" example.

Start>Run>RegEdit (Collapse all) Select "My Computer"- EDIT pulldown menu>FIND> solongas > FIND NEXT.

Delete all things with "Solongas" in the registry key. DO NOT DELETE THE HIVE (whole folder).

Shut down your PC>restart it> open your browser. Should come up with a "blank page" [about : Blank] Type in the page address that you want as the start page. Go to TOOLS> INTERNET OPTIONS> select "USE CURRENT"

Problem solved.


thanks sooper to sir/maam guest and nightowl ^_^



llbbl
07-27-2004, 06:41 AM
Did you bother to read the other thread?