
Post #1 · Registered · 586 Posts · Discussion Starter
A person has asked for help with a homepage hijacking that Ad-Aware, Spybot, CWShredder and all the usual big guns don't seem to be able to eliminate. Scanning with an anti-virus program and several online scanners also turns up nothing.

Even after running the above, his homepage, www.24start.com, keeps returning. He says it is from the C drive at C:\Program Files\QuickPage\Portal\portal.html and seems to happen offline or online. It is fine for a day but then returns; no matter how many times it is deleted, it will reappear later at some time.

Google brings up precious little on this problem so I am hoping that an expert here may see something in his HijackThis log that I have missed. The only two entries that I could advise him to remove were two Startpage entries for "QuickPage/Portal", one of which is no longer listed in this, his second, HijackThis log.

We would be very grateful for some assistance with this one.

Logfile of HijackThis v1.97.7
Scan saved at 17:27:45, on 27/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\cp.e xe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Documents and Settings\Stephen\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.sony-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1067196946109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.4645833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31ECCE7B-422F-4DB6-85E8-8CB991F8103D}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{31ECCE7B-422F-4DB6-85E8-8CB991F8103D}: NameServer = 195.121.1.34 195.121.1.66
 

Post #2 · Retired Moderator · 72,209 Posts
Run HJT again and put a check against these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe
Not sure what this one is ^^; if you know what it is and it's OK, leave it.

Close all browser windows and applications before clicking "fix checked".
 

Post #3 · Registered · 5,845 Posts
This item in your running processes looks pretty strange to me:

C:\WINDOWS\System32\cp.e xe

Note the space between the "e" and "x". Don't know what it means, as I've never seen anything like it before in running processes. If a file name has a typo in it, will it still launch and function?

It's reasonable to assume it should read cp.exe. Using cp.exe, pacs portal finds nada. Google comes up with a lot of stuff mostly related to Linux. So I simply don't know what to make of it. Perhaps some other XP users could run a search and come up with a recommendation.
 

Post #4 · Registered · 586 Posts · Discussion Starter
Many thanks for the help offered with this one. The feedback report is so far, so good, so here's hoping!

Raybro: I was wondering about that entry as well but it hasn't been removed yet so may not be a problem. Will keep it in mind though, in case it flares up again.

Thanks again, people. :)
 

Post #5 · Registered · 46,465 Posts
I would suspect that these two are working together:

O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe

C:\WINDOWS\System32\cp.e xe


I suspect that those two files are one and the same and I'd be willing to wager that it is a baddie. This [Quicktlme] to me is an obvious attempt to make it appear to be QuickTime related. This is a tactic of many forms of malware.

Please do this:

Go here

Scroll to the bottom of the page and look for the Submit file section.

Click on Browse

Navigate to the C:\WINDOWS\System32 folder, upload the cp.exe file and let us know what you find.

This file may be hidden, so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".
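An added example, not part of this thread and not a HijackThis feature: a small Python script that screens HijackThis-style log lines for the two things the replies above single out, a start page pointing at a local file instead of a web URL, and a Run-key name that imitates a real product by swapping look-alike characters (Quicktlme for QuickTime). The sample lines are constructed from the log in this thread; the brand list, the homoglyph table and the 0.85 similarity threshold are assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in HijackThis format, modelled on the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

# Product names that Run-key entries are often disguised as (assumed, short list).
KNOWN_BRANDS = ["QuickTime", "Windows Update", "Adobe", "Nokia"]
# Characters that are easy to confuse in the default UI font (assumed table).
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o"})

O4_RE = re.compile(r"^O4 - .*Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - .*,(?P<key>.+?) = (?P<url>\S+)$")


def looks_like(name, brand):
    """True when name is a near-miss of brand once look-alike glyphs are folded."""
    raw_name = name.lower().replace(" ", "")
    raw_brand = brand.lower().replace(" ", "")
    if raw_name == raw_brand:          # the genuine product name: nothing to flag
        return False
    folded = raw_name.translate(HOMOGLYPHS)
    target = raw_brand.translate(HOMOGLYPHS)
    return SequenceMatcher(None, folded, target).ratio() >= 0.85


def audit_hjt(log_text):
    """Return (line, reason) pairs for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = R_RE.match(line)
        if m and not m.group("url").lower().startswith(("http://", "https://", "about:")):
            findings.append((line, "start page is not a web URL: " + m.group("url")))
            continue
        m = O4_RE.match(line)
        if m:
            for brand in KNOWN_BRANDS:
                if looks_like(m.group("name"), brand):
                    findings.append((line, f"Run entry {m.group('name')!r} imitates {brand!r}: {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for _, reason in audit_hjt(SAMPLE_LOG):
        print(reason)
```

On the sample it reports the file:// Startpagina entry and the [Quicktlme] entry launching cp.exe, and stays quiet about the genuine [QuickTime Task] line.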
 

Post #6 · Registered · 586 Posts · Discussion Starter
Thanks for that information, flrman1, I passed it on and apparently that file is no longer on his hard drive, nor does it show up again with a re-run of HijackThis so it must be well and truly gone now, thank goodness.

The reports are that the problem has not reoccurred so we have one very happy customer. :cool:

Many thanks once again. :)
 

Post #7 · Registered · 1 Posts
Hi, I contacted 24start by email (they are in Holland, by the way) and received an instant explanation of how to remove their program. This is the text they sent me, and it worked (I had to find the 32-character number and email it to them):

To uninstall the program, please do as follows:

Go to "Start"

" Settings"

" Control Panel"

"Software / Add-Remove Programs"

Then you see the button "Change/Remove" and you can delete the program "Switch (dialer)".

If, unfortunately, the program doesn't disappear, you can do as follows:

Please go to "Start"

" Run"

" regedit"

Now a window opens which looks like Windows Explorer. At the following location you can find the serial number.

Please take care: the number has to be 32 characters long.

"HKEY_LOCAL_MACHINE"

"Software"

"Switch (dialer)"

And then the content of the key "ID".

Can you send this serial number to [email protected]?

Then we will send you the un-install link.

Hope this helps...
 