homepage keeps changing

Discussion in 'adware, spyware & hijack cleaning' started by ashok, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. ashok

    ashok Guest

    Dear Wilders.org

    My homepage keeps changing to about:blank everytime I reboot and sometimes even when the computer is on. I ran Adware 6.0 and Hijack This v1.97.7. These are the results from Hijack This:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:19:01 PM, on 4/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    F:\PROGRA~1\GENIET~1\TVremote.exe
    F:\Program Files\CyberLink\PowerVCRII\Agent.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    F:\Downloads\Spyware & Adware Remover\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.uct.ac.za:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [TVdiag] F:\PROGRA~1\GENIET~1\TVdiag.exe /startup
    O4 - HKLM\..\Run: [TVremote] F:\PROGRA~1\GENIET~1\TVremote.exe
    O4 - HKLM\..\Run: [TVWDMDrv] C:\WINDOWS\system32\drivers\tvwdmdrv.exe
    O4 - HKLM\..\Run: [Agent] F:\Program Files\CyberLink\PowerVCRII\Agent.exe
    O4 - HKLM\..\Run: [Remote_Agent] F:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38080.5969907407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFAFE597-573F-447E-9647-CC89298D71C0}: NameServer = 137.158.128.1,137.158.128.4
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi ashok,

    Download and run the Blaster removal tool from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Then in Add/Remove Software uninstall WebHancer.

    Next, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto

    O4 - HKLM\..\Run: [6SecV] C:\WINDOWS\System32\6SecV.exe <= o_O

    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

    O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe

    Then reboot into safe mode
    and delete:
    C:\Program Files\websx <= entire folder
    C:\WINDOWS\alchem.exe

    Then surf to http://www.kaspersky.com/remoteviruschk.html and have these two checked out:
    C:\WINDOWS\System32\window.exe (looks like a virus or trojan)
    C:\WINDOWS\System32\6SecV.exe (unless you know what it is, but it looks like a random filename)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.