Homepage Hijack

Discussion in 'Windows Desktop Systems' started by kcnychief, May 13, 2006.

  1. kcnychief

    I had another computer come to me today, not related to the one I posted about that can't stay clean. I got everything off it, except for one small glitch.

    The homepage always goes to this:

    [image]

    Within IE, it is set to about:blank. When IE opens, it references downloading from about:blank.

    Here is a HJT log:

    I have narrowed it down and bolded the offending occurrence. Thing is, though, that whenever I remove it, which requires a visit to safe mode, another one spawns. This leads me to believe there is an offending file somewhere else just shooting out decoys. I am running AVG on this machine, with Windows Defender. Both have scanned and found nothing. That particular file, hp7ce0.tmp, turns up nothing on Google. The first file name I noticed within this behavior was hp9bc3.tmp, which points to Spy Falcon. I went through all removal processes for that, but still can't cure it.

    Anyone have suggestions?

    EDIT: Seems to be linked to Spy Quake - but all the uninstall paths/files/reg entries are already gone.
     
    Last edited: May 13, 2006
  2. j79zlr

  3. kcnychief

    Unfortunately that did not do the trick. I tried both the short and long directions.

    I have a few more leads though, may be able to get it. All I need to find is the source *grumble*
     
  4. j79zlr

    The hp***.tmp is a SMITFRAUD hijack.

    Go into safe mode and remove

    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\hp7CE0.tmp

    Reboot and post a new log.

    The SMITFRAUD might have morphed, lemme check another site for updated directions.
     
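An added example to go with the removal steps above; this is not code posted in the thread. Because the thread notes that the hp****.tmp name changes on every reboot, the script matches the file by pattern (hp????.tmp in system32) instead of by a fixed name, records size, creation time and SHA-256 before anything is deleted, reads the IE start-page values, lists every Browser Helper Object and flags the ones whose InprocServer32 path resolves to a candidate file, and checks the Run keys for any value that references a candidate. It assumes, which the thread does not confirm, that the .tmp is loaded into IE as a BHO and that any loader (the thread names dcomcfg.exe) is started from a Run key; it also needs PowerShell 4 or later for Get-FileHash, so it is written for a current Windows box rather than the 2006 XP machine. Without -Remove it only reports.

```powershell
# Added example, not code from the thread. Pattern-based sweep for the
# hp????.tmp / dcomcfg.exe hijack described above.
# Assumptions (not confirmed by the thread): the .tmp is registered as a
# Browser Helper Object whose CLSID resolves to the file under
# HKCR\CLSID\{...}\InprocServer32, and any loader starts from a Run key.
# Requires PowerShell 4+ (Get-FileHash). Run elevated, ideally in Safe Mode.
param([switch]$Remove)

$sys32   = Join-Path $env:SystemRoot 'system32'
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Candidate files: the randomly named hp????.tmp decoys plus the named loader.
$files  = @(Get-ChildItem -Path $sys32 -Filter 'hp????.tmp' -File -ErrorAction SilentlyContinue)
$loader = Join-Path $sys32 'dcomcfg.exe'
if (Test-Path $loader) { $files += Get-Item $loader }

Write-Host "== Candidate files in $sys32 =="
foreach ($f in $files) {
    # Hash before deleting so the sample can be identified or submitted later.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0,-14} {1,9} bytes  created {2:u}  sha256 {3}" -f $f.Name, $f.Length, $f.CreationTime, $hash)
}

# 2. IE start-page values in both hives (about:blank plus a foreign BHO is the pattern from the thread).
Write-Host "`n== Internet Explorer start page =="
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) {
        $p = Get-ItemProperty -Path $main
        Write-Host ("{0}: Start Page='{1}'  Default_Page_URL='{2}'" -f $hive, $p.'Start Page', $p.Default_Page_URL)
    }
}

# 3. Every BHO, flagging those whose InprocServer32 path is one of the candidate files.
$hits = @()
Write-Host "`n== Browser Helper Objects =="
foreach ($bho in @(Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    $flag   = if ($files.FullName -contains $dll) { '<-- SUSPECT' } else { '' }
    Write-Host ("{0}  {1} {2}" -f $clsid, $dll, $flag)
    if ($flag) { $hits += [pscustomobject]@{ Clsid = $clsid; Path = $dll } }
}

# 4. Run-key values that mention any candidate file name (a possible respawner).
Write-Host "`n== Run entries referencing candidates =="
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $val = [string]$props.$name
        foreach ($f in $files) {
            if ($val -like "*$($f.Name)*") { Write-Host "$rk\$name = $val  <-- SUSPECT" }
        }
    }
}

if (-not $Remove) { Write-Host "`nReport only. Re-run with -Remove to delete the items above."; return }

# 5. Removal order: unregister the BHO first so IE stops loading it, then delete the files.
foreach ($h in $hits) {
    Remove-Item -Path (Join-Path $bhoRoot $h.Clsid) -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($h.Clsid)" -Recurse -Force -ErrorAction SilentlyContinue
}
foreach ($f in $files) { Remove-Item -Path $f.FullName -Force -ErrorAction SilentlyContinue }
Write-Host "Removed $($hits.Count) BHO registration(s) and $($files.Count) file(s). Reboot and re-run without -Remove."
```

Run it once without -Remove, keep the hashes, and only then run it with -Remove from Safe Mode. If a fresh hp????.tmp appears after the reboot, the Run-key section (or whatever it did not cover, for example a service or a scheduled task) is where the respawner should be looked for next; the script deliberately does not guess at those.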
  5. tdinc

    I would also advise updating to the latest Java to Version 5.0 Update 6 :)
     
  6. kcnychief

    The hp****.tmp files are different each time, but I will try deleting the dcomcfg.exe file. I won't have a chance to try it again for a few hours, real work is getting in the way :D
     
  7. Steevo

    Now you are starting to act like me. Whoring out your skills on the side.
     
  8. kcnychief

    My Momma always says, whoring is as whoring does :D

    I have been doing it for a while, but the last 6 months or so have REALLY picked up. Generally, mostly because it takes an ARSE load of time, if it's not something that can be cleaned to a satisfactory level within an hour or two I just re-install. This is mostly done to save me the headache, and ultimately save the client money. I haven't really been thorough with one in a while, and while frustrating, this particular infection has my interest ;)