
Homepage Hijack

kcnychief

Political User
#1
I had another computer come to me today, not related to the one I posted about that can't stay clean. I got everything off it, except for one small glitch.

The homepage always goes to this:



Within IE, it is set to about:blank. When IE Opens, it references downloading from about:blank.

Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:56 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7CE0.tmp
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108668788203
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I have narrowed down, and bolded the offending occurrence. Thing is, though, that whenever I remove it, which requires a visit to safe mode, another one spawns. This leads me to believe there is an offending file somewhere else just shooting out decoys. I am running AVG on this machine, with Windows Defender. Both have scanned and found nothing. That particular file, hp7ce0.tmp, turns up nothing on Google. The first file name I noticed within this behavior was hp9bc3.tmp, which points to Spy Falcon. I went through all removal processes of that, but still can't cure it.

Anyone have suggestions?

EDIT: Seems to be linked to Spy Quake - but all the uninstall paths/files/reg entries are already gone.
 

kcnychief

Political User
#3
Unfortunately that did not do the trick. I tried both the short and long directions.

I have a few more leads though, may be able to get it. All I need to find is the source *grumble*
 

j79zlr

Glaanies script monkey
Political User
#4
The hp***.tmp is a SMITFRAUD hijack.

Go into safemode and remove

C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\hp7CE0.tmp

Reboot and post a new log.

The SMITFRAUD might have morphed, lemme check another site for updated directions.
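Added example, not code from this thread or from HijackThis: a small Python checker over a subset of the log posted above that flags the two indicators this thread identifies, a BHO (O2 entry) loaded from an hpXXXX.tmp file and the dcomcfg.exe process. It matches the hp name by shape rather than exact name because the thread reports a differently named file on every respawn; the sample log and the process list are constructed from this thread only.

```python
import re

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7CE0.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
""".strip()

# "hp" + four hex digits + ".tmp": the thread says the name changes on every
# respawn, so match the shape of the name instead of one exact file name.
HP_TMP = re.compile(r"\\hp[0-9a-f]{4}\.tmp$", re.IGNORECASE)
# Process the thread names as the SmitFraud component that re-creates the BHO.
DROPPER_NAMES = {"dcomcfg.exe"}
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")

def analyze(log: str) -> list[dict]:
    """Return one finding per suspicious log line: the line and why it was flagged."""
    findings = []
    in_processes = False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if re.match(r"^O\d+ - ", line):   # first Oxx entry ends the process list
            in_processes = False
        if in_processes:
            exe = line.rsplit("\\", 1)[-1].lower()
            if exe in DROPPER_NAMES:
                findings.append({"line": line, "reason": "process named in thread as SmitFraud dropper"})
            continue
        m = BHO_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if HP_TMP.search(path):
            findings.append({"line": line, "reason": "BHO loaded from hpXXXX.tmp (SmitFraud pattern)"})
        elif m.group("name") in ("Nothing", "(no name)") or path.lower().endswith(".tmp"):
            findings.append({"line": line, "reason": "unnamed BHO or BHO loaded from a .tmp file"})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['reason']}: {f['line']}")
```

Feed it a fresh log after each reboot: if the hpXXXX.tmp entry is gone but dcomcfg.exe still appears in the process list, the dropper is still present and the BHO should be expected to return.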
 

kcnychief

Political User
#6
j79zlr said:
The hp***.tmp is a SMITFRAUD hijack.

Go into safemode and remove

C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\hp7CE0.tmp

Reboot and post a new log.

The SMITFRAUD might have morphed, lemme check another site for updated directions.
The hp****.tmp files are different each time, but I will try deleting the dcomcfg.exe file. I won't have a chance to try it again for a few hours, real work is getting in the way :D
 

kcnychief

Political User
#8
My Momma always says, whoering is as whoering does :D

I have been doing it for awhile, but the last 6 months or so have REALLY picked up. Generally, mostly because it takes an ARSE load of time, if it's not something that can be cleaned to a satisfactory level within an hour or two I just re-install. This is mostly done to save me the headache, and ultimately save the client money. I haven't really been thorough with one in awhile, and while frustrating, this particular infection has my interest ;)
 
