Homepage Hijack

kcnychief

Political Access
Joined
8 Apr 2005
Messages
16,950
I had another computer come to me today, not related to the one I posted about that can't stay clean. I got everything off it, except for one small glitch.

The homepage always goes to this:



Within IE, it is set to about:blank. When IE Opens, it references downloading from about:blank.

Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:56 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7CE0.tmp
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108668788203
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

I have narrowed it down, and bolded the offending occurrence. Thing is, though, that whenever I remove it, which requires a visit to safe mode, another one spawns. This leads me to believe there is an offending file somewhere else just shooting out decoys. I am running AVG on this machine, with Windows Defender. Both have scanned and found nothing. That particular file, hp7ce0.tmp, turns up nothing on Google. The first file name I noticed with this behavior was hp9bc3.tmp, which points to Spy Falcon. I went through all removal processes for that, but still can't cure it.

Anyone have suggestions?

EDIT: Seems to be linked to Spy Quake - but all the uninstall paths/files/reg entries are already gone.
 
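The pattern described in the post (an O2 BHO entry with no real name pointing at a .tmp file in system32, a file name that changes each time it is removed, and an unfamiliar process running from system32) can be turned into a simple triage script over a HijackThis-style log. The following is an added example, not code from the original thread or from HijackThis; the sample log, the placeholder CLSID {00000000-0000-0000-0000-000000000001} and the short allow list of system32 process names are constructed for illustration and are not authoritative.

```python
import re

# Constructed sample in HijackThis log format, modelled on the thread's log
# (not the original post's full log). The second BHO line and its CLSID are
# placeholders standing in for a legitimate helper object.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7CE0.tmp
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# Any <something>.tmp sitting directly in system32 (covers the rotating hpXXXX.tmp names)
TMP_IN_SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\.tmp$", re.IGNORECASE)
# BHO display names that carry no information at all
PLACEHOLDER_NAMES = {"", "nothing", "(no name)"}
# Constructed, deliberately small allow list of core Windows XP system32 processes;
# anything else running from system32 is worth a second look, not automatically malicious.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "ctfmon.exe", "wuauclt.exe", "explorer.exe",
}


def parse_log(text):
    """Split a HijackThis log into the running-process list and the O-numbered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if re.match(r"^O\d+ - ", line):
            in_processes = False      # first O-entry ends the process list
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def assess_bho(entry):
    """Return parsed fields plus a list of reasons an O2 line looks suspicious (empty if none)."""
    m = O2_RE.match(entry)
    if not m:
        return None
    name, path = m.group("name"), m.group("path")
    reasons = []
    if path.lower().endswith(".tmp"):
        reasons.append("tmp-extension")      # a BHO should be a DLL, not a temp file
    if TMP_IN_SYSTEM32_RE.search(path):
        reasons.append("tmp-in-system32")
    if name.strip().lower() in PLACEHOLDER_NAMES:
        reasons.append("no-name")
    return {"name": name, "clsid": m.group("clsid"), "path": path, "reasons": reasons}


def find_suspicious_bhos(text):
    """All O2 entries in the log that trigger at least one heuristic."""
    hits = []
    for entry in parse_log(text)["entries"]:
        info = assess_bho(entry)
        if info and info["reasons"]:
            hits.append(info)
    return hits


def unlisted_system32_processes(text):
    """Running processes located in system32 whose file name is not on the allow list."""
    out = []
    for proc in parse_log(text)["processes"]:
        parts = proc.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "system32" and parts[-1].lower() not in KNOWN_SYSTEM32:
            out.append(proc)
    return out


if __name__ == "__main__":
    for hit in find_suspicious_bhos(SAMPLE_LOG):
        print("suspicious BHO {%s} -> %s (%s)" % (hit["clsid"], hit["path"], ", ".join(hit["reasons"])))
    for proc in unlisted_system32_processes(SAMPLE_LOG):
        print("system32 process not on allow list: %s" % proc)
```

The BHO hit is the symptom; the unlisted system32 process is the kind of lead worth chasing when the symptom keeps coming back, since a BHO is loaded inside IE and cannot re-create its own registry entry after it has been deleted in safe mode.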
Unfortunately that did not do the trick. I tried both the short and long directions.

I have a few more leads though, may be able to get it. All I need to find is the source *grumble*
 
the hp***.tmp is a SMITFRAUD hijack.

Go into safemode and remove

C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\hp7CE0.tmp

Reboot and post a new log.

The SMITFRAUD might have morphed, lemme check another site for updated directions.
 
I would also advise updating to the latest Java to Version 5.0 Update 6 :)
 
j79zlr said:
the hp***.tmp is a SMITFRAUD hijack.

Go into safemode and remove

C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\hp7CE0.tmp

Reboot and post a new log.

The SMITFRAUD might have morphed, lemme check another site for updated directions.
The hp****.tmp files are different each time, but I will try deleting the dcomcfg.exe file. I won't have a chance to try it again for a few hours, real work is getting in the way :D
 
Now you are starting to act like me. Whoring out your skills on the side.
 
My Momma always says, whoring is as whoring does :D

I have been doing it for a while, but the last 6 months or so have REALLY picked up. Generally, mostly because it takes an ARSE load of time, if it's not something that can be cleaned to a satisfactory level within an hour or two, I just re-install. This is mostly done to save me the headache, and ultimately save the client money. I haven't really been thorough with one in a while, and while frustrating, this particular infection has my interest ;)
 