
hijacked homepage is warningmessage.com and securityerror.com

By wtbman · 5 replies
Oct 26, 2005
  1. Hello, I'm completely new to all this.......2 days ago caught something...

    Running 02 Windows XP Home Edition
    HJT log is attached

    I have a dial-up connection and when I'm connected and open IE it opens warningmessage.com trying to sell AS programs and warnings indicating a w32.sinnaka.a@mm worm. If I'm not connected it tries to open securityerror.com. While trying to open wm.com this is in the address box:
    res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm

    I was able to locate and delete several nasties with Aluria, MS Spyware, Spyware Detector, Spybot, Ad-Aware & AVG Free. Before I downloaded all the AS programs there were pop-ups (mainly casino ads).

    I have deepscanned with all programs both in "regular" and safe mode. The pop-ups and warnings have quit but the "home" page still opens warningmessage.com even though I reset the homepage to google.com.

    I followed directions here but no success:
    http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage=,sv=

    This post describes the same problem:
    http://forum.grisoft.cz/freeforum/read.php?4,52400,backpage=,sv=

    I would really appreciate any help. Please let me know if more info is needed.
     


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Don't you think it's time to stop using that crappy IE? (other than for Windoze updates)
    Go to www.getfirefox.com !!!

    Follow the instructions from here:
    Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

    Run CWShredder
    Uninstall/delete anything to do with Netzero while you are at it.
    Next, click on Start/Run and type in (followed by press Enter):
    REGSVR32 /U C:\WINDOWS\system32\BlockActivex.dll

    Fix this lot:
    ...................................
    C:\Program Files\NetZero\exec.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
    O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\system32\BlockActivex.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    Fix ALL your O16 - DPF: entries
    Unless these IP-numbers are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer = 64.136.20.121 64.136.28.121
    ...................................
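
For readers triaging a log like this one, here is an added example (not part of the original post and not HijackThis code) that parses HijackThis-style lines into structured entries and attaches review notes. The sample lines are copied from the fix list above; the `parse` function, the section labels and the two review notes are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the fix list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\system32\BlockActivex.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer = 64.136.20.121 64.136.28.121
"""

# Short labels for the section codes that appear in this thread.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URL search hook", "O2": "browser helper object",
            "O3": "IE toolbar", "O4": "autostart entry",
            "O16": "downloaded ActiveX control", "O17": "DNS/domain setting"}

LINE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
# R3/O2/O3 form: "Type: name - {CLSID} - file"
CLSID_PATH = re.compile(r"^(?:[^:]+: )?(.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_ENTRY = re.compile(r"^(.+?): \[(.+?)\] (.+)$")

def parse(log):
    """Return one dict per recognised log line, with review notes attached."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        e = {"code": code, "kind": SECTIONS.get(code, "other"), "notes": []}
        c = CLSID_PATH.match(body)
        if c:
            e.update(name=c.group(1), clsid=c.group(2), path=c.group(3))
            # A BHO is a COM in-process server, normally a .dll on disk.
            if code == "O2" and not e["path"].lower().endswith(".dll"):
                e["notes"].append("BHO module is not a .dll")
        elif code in ("R0", "R1") and " = " in body:
            e["key"], e["value"] = body.split(" = ", 1)
        elif code == "O17" and "NameServer = " in body:
            e["nameservers"] = body.split("NameServer = ", 1)[1].replace(",", " ").split()
            e["notes"].append("confirm resolvers belong to the ISP")
        elif code == "O4" and (s := RUN_ENTRY.match(body)):
            e.update(hive=s.group(1), name=s.group(2), command=s.group(3))
        entries.append(e)
    return entries
```

Calling `parse(SAMPLE)` flags the `hpB248.tmp` helper object and the O17 name servers for review, while `BlockActivex.dll` gets no note; whether an entry is actually removed still depends on recognising who installed it, as in the post above.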
     
  3. wtbman

    wtbman TS Rookie Topic Starter

    Thanks a lot! I have control of homepage now!

    But, I have run ad-aware 3 times and it keeps finding malware.psguard, type: regkey, object: hkey_local_machine:software\psguard.com\

    Ad-aware is up to date.

    I delete every time but it keeps coming back.

    Spybot cannot sense it.

    Also when going through the "how to remove..." steps when in safe mode there were 3 svchost.exe processes running... is this normal?

    Thanks again.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Don't touch the svchost stuff.

    And check the other psguard posts in this forum.
     
  5. wtbman

    wtbman TS Rookie Topic Starter

    Thanks, I'd buy you a round if I could...... The Ewido worked a little better than the ad-aware. Ewido still cannot completely erase the psguard. It keeps reporting "Error during cleaning" after every registry scan.

    I've scanned in safe mode with restore off several times with same results. I found the folder in the registry under hkey_local_machine/software/psguard.com but it will not let me delete it. There is no value set. The computer is running good so is it ok to leave this or do I need to find a way to delete?
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    It does not do any harm there, but right-clicking it should offer the option Delete.
     
Topic Status:
Not open for further replies.
