homepage keeps changing

Discussion in 'adware, spyware & hijack cleaning' started by ashok, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. ashok

    ashok Guest

    Dear Wilders.org

    My homepage keeps changing to about:blank everytime I reboot and sometimes even when the computer is on. I ran Adware 6.0 and Hijack This v1.97.7. These are the results from Hijack This:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:19:01 PM, on 4/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    F:\PROGRA~1\GENIET~1\TVremote.exe
    F:\Program Files\CyberLink\PowerVCRII\Agent.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    F:\Downloads\Spyware & Adware Remover\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.uct.ac.za:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [TVdiag] F:\PROGRA~1\GENIET~1\TVdiag.exe /startup
    O4 - HKLM\..\Run: [TVremote] F:\PROGRA~1\GENIET~1\TVremote.exe
    O4 - HKLM\..\Run: [TVWDMDrv] C:\WINDOWS\system32\drivers\tvwdmdrv.exe
    O4 - HKLM\..\Run: [Agent] F:\Program Files\CyberLink\PowerVCRII\Agent.exe
    O4 - HKLM\..\Run: [Remote_Agent] F:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38080.5969907407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFAFE597-573F-447E-9647-CC89298D71C0}: NameServer = 137.158.128.1,137.158.128.4
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi ashok,

    Download and run the Blaster removal tool from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Then in Add/Remove Software uninstall WebHancer.

    Next, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto

    O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe <= o_O

    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

    O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe

    Then reboot into safe mode
    and delete:
    C:\Program Files\websx <= entire folder
    C:\WINDOWS\alchem.exe

    Then surf to http://www.kaspersky.com/remoteviruschk.html and have these two checked out:
    C:\WINDOWS\System32\window.exe (looks like a virus or trojan)
    C:\WINDOWS\System32\6SecV.exe (unless you know what it is, but it looks like a random filename)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.