homepage keeps changing

#1 April 5th, 2004, 11:23 AM

Dear Wilders.org

My homepage keeps changing to about:blank everytime I reboot and sometimes even when the computer is on. I ran Adware 6.0 and Hijack This v1.97.7. These are the results from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 5:19:01 PM, on 4/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\PROGRA~1\GENIET~1\TVremote.exe
F:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Downloads\Spyware & Adware Remover\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.uct.ac.za:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TVdiag] F:\PROGRA~1\GENIET~1\TVdiag.exe /startup
O4 - HKLM\..\Run: [TVremote] F:\PROGRA~1\GENIET~1\TVremote.exe
O4 - HKLM\..\Run: [TVWDMDrv] C:\WINDOWS\system32\drivers\tvwdmdrv.exe
O4 - HKLM\..\Run: [Agent] F:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] F:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38080.5969907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFAFE597-573F-447E-9647-CC89298D71C0}: NameServer = 137.158.128.1,137.158.128.4

Pieter_Arntz · #2 April 5th, 2004, 11:41 AM

Hi ashok,

Download and run the Blaster removal tool from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Then in Add/Remove Software uninstall WebHancer.

Next, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto

O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe <=

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe

Then reboot into safe mode
and delete:
C:\Program Files\websx <= entire folder
C:\WINDOWS\alchem.exe

Then surf to http://www.kaspersky.com/remoteviruschk.html and have these two checked out:
C:\WINDOWS\System32\window.exe (looks like a virus or trojan)
C:\WINDOWS\System32\6SecV.exe (unless you know what it is, but it looks like a random filename)

Regards,

Pieter

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search