Hijacked by http://solongas.com/hp.htm?id=9


  • This topic is locked
4 replies to this topic

#1 Erasculio

    Member (New Member, 3 posts)

Posted 14 June 2004 - 04:12 PM

First, I have read the FAQ, and I have already run updated versions of HijackThis, Spybot Search & Destroy, Ad-Aware and CWShredder, plus I have SpywareBlaster and SpywareGuard, and Norton Internet Security. I have seen a thread with the same problem as my own, but taking the steps indicated in that other thread (this one) didn't work for me.

About the problem itself:

Whenever I open Internet Explorer, my default home-page has been changed to solongas.com/hp.htm?id=9. Sometimes, my default search address is changed to the same link, and sometimes new Favourites are added to my list (such as xxx crazy sex and stuff like that).

My HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 18:11:46, on 14/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\ARQUIVOS DE PROGRAMAS\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
C:\ARQUIVOS DE PROGRAMAS\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOSL\SPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.terra.com.br/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\c4srwh7i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CARQUIVOS%20DE%20PROGRAMAS%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\c4srwh7i.slt\prefs.js)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\09YDDI4JLAV88G.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Arquivos de Programas\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iamapp] c:\Arquivos de programas\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [nisserv] c:\Arquivos de programas\Norton Personal Firewall\NISSERV.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Nisum] c:\Arquivos de programas\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\ARQUIV~1\NORTON~2\CCPXYSVC.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Startup: ASE Scheduler.lnk = C:\Arquivos de programas\Aluria Software\ASE\ASE Scheduler.exe
O4 - User Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - User Startup: ASE Scheduler.lnk = C:\Arquivos de programas\Aluria Software\ASE\ASE Scheduler.exe
O8 - Extra context menu item: Download using FlashGet - C:\ARQUIVOS DE PROGRAMAS\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\ARQUIVOS DE PROGRAMAS\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O15 - Trusted Zone: http://www.nocturnis.net
O15 - Trusted Zone: www.amazon.com
O15 - Trusted Zone: http://www.antiochforever.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = terra.com.br

Thank you for your assistance.

Erasculio

#2 Erasculio

    Member (New Member, 3 posts)

Posted 15 June 2004 - 02:28 PM

After 24 hours, the first BUMP.

Erasculio

#3 Daemon

    Security Expert (Emeritus, 3,350 posts)

Posted 15 June 2004 - 03:54 PM

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, find, zip and send this file:

C:\WINDOWS\SYSTEM\09YDDI4JLAV88G.DLL

to this e-mail address including a link to this thread in the body of the email.

I can then give you the fix for this.

#4 Erasculio

    Member (New Member, 3 posts)

Posted 15 June 2004 - 07:22 PM

Actually, thank you for your assistance, but I think I have solved the problem myself. I just looked through the old threads with the same problem (most of which were answered by you, in fact), ran HijackThis, and deleted everything I thought was weird.

At least now I don't see the solongas thing anymore.

My current HijackThis Log is:

Logfile of HijackThis v1.97.7
Scan saved at 21:21:01, on 15/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\ARQUIVOS DE PROGRAMAS\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\DIRECTCD\DIRECTCD.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
C:\ARQUIVOS DE PROGRAMAS\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\PLAYCENTER\CTPLAY.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOSL\SPYWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br
F1 - win.ini: run=hpfsched
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Arquivos de Programas\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iamapp] c:\Arquivos de programas\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [nisserv] c:\Arquivos de programas\Norton Personal Firewall\NISSERV.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Nisum] c:\Arquivos de programas\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\ARQUIV~1\NORTON~2\CCPXYSVC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Startup: ASE Scheduler.lnk = C:\Arquivos de programas\Aluria Software\ASE\ASE Scheduler.exe
O4 - User Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - User Startup: ASE Scheduler.lnk = C:\Arquivos de programas\Aluria Software\ASE\ASE Scheduler.exe
O8 - Extra context menu item: Download using FlashGet - C:\ARQUIVOS DE PROGRAMAS\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\ARQUIVOS DE PROGRAMAS\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O15 - Trusted Zone: http://www.nocturnis.net
O15 - Trusted Zone: www.amazon.com
O15 - Trusted Zone: http://www.antiochforever.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = terra.com.br

I'm not sure, but I think it's clear (or at least I hope it is).

Again, thank you for your help, and thanks for all the effort you put into this place. It's really helping a lot of people.

Erasculio
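The two logs above differ only in the entries the poster removed; the following added example (not part of this thread, and not HijackThis code) parses HijackThis finding lines, diffs an earlier and a later log, and flags removed modules whose file name looks machine-generated. The sample logs are a constructed subset of the two logs posted above, and the "generated name" heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# HijackThis prefixes every finding with a section code (R0/R1 = IE start
# and search pages, N3 = Netscape prefs, O2 = BHOs, O3 = toolbars, O4 =
# autoruns, and so on), followed by " - " and the finding itself.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# Assumed heuristic: a module stem of 10+ characters with 3+ digits and
# no path separators is treated as a likely generated name.
STEM_RE = re.compile(r"([^\\\s]+)\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Constructed sample: a subset of the two logs in this thread, the first
# taken before the cleanup and the second after it.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\09YDDI4JLAV88G.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
"""
AFTER_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
"""

def parse_log(text):
    """Map section code -> set of finding strings for one HijackThis log."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found

def removed_entries(before, after):
    """Findings present in the earlier log but gone from the later one."""
    a, b = parse_log(before), parse_log(after)
    return {sec: sorted(a[sec] - b.get(sec, set()))
            for sec in a if a[sec] - b.get(sec, set())}

def looks_generated(entry):
    """True when the module name in a finding matches the assumed heuristic."""
    m = STEM_RE.search(entry)
    if not m:
        return False
    stem = m.group(1)
    return len(stem) >= 10 and sum(c.isdigit() for c in stem) >= 3

def flag_generated(removed):
    """(section, finding) pairs among the removed entries worth a closer look."""
    return [(sec, e) for sec, es in removed.items() for e in es if looks_generated(e)]
```

Running `flag_generated(removed_entries(BEFORE_LOG, AFTER_LOG))` singles out the O2 BHO that the expert asked to have sent in, while the removed Rádio toolbar and the regsvr32 autorun are listed but not flagged.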

#5 Daemon

    Security Expert (Emeritus, 3,350 posts)

Posted 16 June 2004 - 01:49 AM

Yes, you got it all - well done :)

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.