MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: hijacked about:blank trusted start page
November 12, 2019, 05:25:29 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 12, 2019, 05:25:29 AM

Login with username, password and session length
 Featured Sites:
News
12th Anniversary Celebrating 12 Years! (1997 - 2009) 12th Anniversary
Thanks to ALL that make this site what it is!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: hijacked about:blank trusted start page  (Read 13012 times)
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« on: September 20, 2004, 01:20:56 AM »

Hi.
IE homepage has been hijacked. When opened, the operation to load my homepage stops and instead goes to a generic search page (http://a-search.biz/?wmid=1010).
Ran Spybot, Aware. CWShredder and HijackThis. Log file is posted below. Any help is greatly appreaciated.


Operating System Version: XP
Problem Application Name & Version: IE

Logfile of HijackThis v1.98.2
Scan saved at 9:12:42 PM, on 9/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\FSRremoS.EXE
C:\WINDOWS\System32\Pelmiced.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #1 on: September 20, 2004, 02:02:28 AM »

Can you do an online Virus scan at Housecall's
Set to Autoclean, take note of any files it can't fix
http://housecall.trendmicro.com/

You may also want to try one at Panda's
but try Housecall's first
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Logged

 
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #2 on: September 20, 2004, 03:10:13 AM »

Hi. Thanks for the reply.
Housecall and panda came up empty. O viruses found.

Any ideas?

Thx again.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: September 20, 2004, 03:14:10 AM »

Could you Download GetServices.zip
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Please attach it in your reply, Simply click the "Insert File Attachment" below the reply box
Browse to getservice.txt---Right click on it and Select it
Click the Upload File

Could you also
Download DLLCompare


Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button  

Post back with a Fresh hijackthis log, and the comparedll log
and attach the GetServices.txt

Don't fix anything with hijackthis, make sure you restart your computer before you post back and try the Getservices.bat
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #4 on: September 20, 2004, 03:17:32 AM »

Run CWshreader with your browser window closed.Adaware should have fixed it...
Logged

An Australian Member of

EDDY
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #5 on: September 20, 2004, 03:33:13 AM »

Ok. Here's the logs:



*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found Smiley"
________________________________________________

1,257 items found:  1,257 files, 0 directories.
Total of file sizes:  242,642,229 bytes    231.40 M

Administrator Account =  True

--------------------End log---------------------


Logfile of HijackThis v1.98.2
Scan saved at 11:31:10 PM, on 9/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\FSRremoS.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\Pelmiced.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://story.news.yahoo.com/news?tmpl=index&cid=1776
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



Download Attachment: getservice.txt 47.73 KB
Right click and select Save Target As... then rename the file as shown here and save.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #6 on: September 20, 2004, 04:21:21 AM »

RESTART your Computer in SAFE MODE

===Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Plug and Play svc service
Don't confuse it with the legitimate Plug and Play service

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Stay in Safe mode
You will have to try and edit your registry
START>>>RUN>>>type in regedit

Navigate to bolded entries  and try and delete them, you may want to export them first to a folder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc

Exit the registry editor
Next: Run CWShredder and let it FIX all problems

RESTART in Normal Mode
You may want to ensure that your running Ad-Aware SE PERSONAL 1.05
Do a Full system scan
Remove All Critical Objects
RESTART one more time to finish the cleaning

Post back with a Fresh hijackthis log
« Last Edit: September 20, 2004, 04:24:15 AM by benditup » Logged

 
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #7 on: September 20, 2004, 11:32:03 PM »

Hi.
I got an error message when trying to stop plug and play svc. Something to the tune of "Could not stop the Plug and Play Svc on Local Computer. The service did not return on error. This could be an intenal windows error or an internal service error."
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #8 on: September 21, 2004, 12:42:15 AM »

Well, you have a Nasty one
Let's try this
Download and install Registrar Lite.
http://www.resplendence.com/reglite
Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

Double Click on the ServiceDll on the Right Hand side section
In the Value field---Copy and Paste the text back here
Logged

 
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #9 on: September 21, 2004, 12:48:03 AM »

Ok, here's what the field displayed:

c:\windows\system32\ckhapjmd.dll
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #10 on: September 21, 2004, 01:22:57 AM »

This is from another poster, Download and save to Desktop pnpfix.zip
Extract the contents to desktop, but DON'T run in yet

Open Hijackthis>>>Config>>>Misc Tools>>>Delete File on Reboot
Copy and Paste
c:\windows\system32\ckhapjmd.dll
into the file name field and press the open button

RESTART your computer into Safe Mode

When you restart, ensure that ckhapjmd.dll no longer exists
If it's been removed
Double click on pnpfix.reg, when asked to merge say yes

Open RegLite again
Copy and paste each of the bolded lines into the Address field

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC


At each location delete the highlighted LEGACY_PNPSVC. Do not delete any other entries

If you have trouble deleting an entry
Right-click the key  and select Properties, click Take Ownership then click Permissions and select Full Control against Everyone. Apply and OK your way out, then right-click the key again and try and delete it.

Exit out of Registrar lite and Restart back in Normal mode

Post back with a Fresh hijackthis log, let me know what your were able to accomplish
Logged

 
gjhaze
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #11 on: September 21, 2004, 02:27:40 AM »

"Access Denied" when I tried to delete the legacy_pnpsvc.

(thanks for sticking with me so far, by the way)
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #12 on: September 21, 2004, 02:47:48 AM »

Does the same thing happen when you Navigate to LEGACY_PNPSVC keys

Try not using Registrar lite
But go to START>>>RUN>>>>type in regedt32

Try changing permission to Everyone---Full control
May have to be done in safe mode


EDIT---Can you also let me know if you can find this file
c:\windows\system32\pnpsvc.inf <--this file
« Last Edit: September 21, 2004, 05:32:27 AM by benditup » Logged

 
jrm3
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1


Bookmark and Share

View Profile
« Reply #13 on: September 30, 2004, 01:29:27 AM »

I have FSRremoS.exe running in a Win XP SP2 OS.  A system search for FSRremoS found C:\WINDOWS\system32\FSRremoS.exe AND C:\WINDOWS\Prefetch\FSRREMOS.EXE-01530428.pf

It appears these two files are new to my system.  I would like to follow this thread to the solution.

These were discovered after finding an "unknown" Trojan called FileOps.exe in C:\WINDOWS\system32.
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #14 on: September 30, 2004, 01:34:53 AM »

JRM3..Please start your own thread...

Hijack This

http://www.tomcoyote.org/hjt/

Make sure you unzip hijack this to its own folder such as C:\Program files as this is where the backups will be created.Run Hijack this but do NOT fix anything.Click save log and a log will open in notepad.Copy and paste your log here.
Logged

John Vickers
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page January 20, 2018, 05:24:41 PM