hijacked homepage is and

By wtbman
Oct 26, 2005
  1. Hello, I'm completely new to all this.......2 days ago caught something...

    Running 02 Windows XP Home Edition
    HJT log is attached

    I have a dial-up connection and when I'm connected and open IE it opens trying to sell AS programs and warnings indicating a w32.sinnaka.a@mm worm. If I'm not connected it tries to open While trying to open this is in the address box:

    I was able to locate and delete several nasties with Aluria, MS Spyware, Spyware Detector, Spybot, Ad-Aware & AVG Free. Before I downloaded all the AS programs there were pop-ups (mainly casino ads).

    I have deepscanned with all programs both in "regular" and safe mode. The pop-ups and warnings have quit but the "home" page still opens even though I reset the homepage to

    I followed directions here but no success:,27725,backpage=,sv=

    This post describes the same problem:,52400,backpage=,sv=

    I would really appreciate any help. Please let me know if more info is needed.


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Don't you think it's time to stop using that crappy IE? (other than for Windoze updates)
    Go to !!!

    Follow the instructions from here:
    Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

    Run CWShredder
    Uninstall/delete anything to do with Netzero while you are at it.
    Next, click on Start/Run and type in (followed by press Enter):
    REGSVR32 /U C:\WINDOWS\system32\BlockActivex.dll

    Fix this lot:
    C:\Program Files\NetZero\exec.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
    O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\system32\BlockActivex.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    Fix ALL your O16 - DPF: entries
    Unless these IP-numbers are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer =
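
An added example, not part of the original posts: a small Python parser for HijackThis-style entries such as those in the fix list above, so related entries can be reviewed together. The review notes it attaches (a module loaded from a `.tmp` file, a `NameServer` override) are heuristics assumed for illustration, not HijackThis output.

```python
import ntpath
import re
from collections import defaultdict

# Section codes that appear in the thread's fix list.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URL search hook", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart entry",
            "O16": "downloaded ActiveX object", "O17": "DNS/domain setting"}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe|tmp)', re.IGNORECASE)

# Entries copied from the fix list in the post above.
SAMPLE = r"""
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\system32\BlockActivex.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer =
"""

def parse_line(line):
    """Return a record for one HijackThis entry, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in SECTIONS:
        return None
    code, body = m.groups()
    guid, path = GUID_RE.search(body), PATH_RE.search(body)
    notes = []  # assumed review heuristics, see lead-in
    if path and path.group(0).lower().endswith(".tmp"):
        notes.append("module loaded from a .tmp file")
    if code == "O17" and "NameServer" in body:
        notes.append("DNS override: compare with ISP-assigned servers")
    return {"code": code, "kind": SECTIONS[code],
            "guid": guid.group(0).upper() if guid else None,
            "path": path.group(0) if path else None, "notes": notes}

def parse_log(text):
    """Parse every recognisable entry in a pasted log or fix list."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def by_directory(records):
    """Group section codes by install directory (case-insensitive)."""
    groups = defaultdict(list)
    for r in records:
        if r["path"]:
            groups[ntpath.dirname(r["path"]).lower()].append(r["code"])
    return dict(groups)
```
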
  3. wtbman

    wtbman TS Rookie Topic Starter

    Thanks a lot! I have control of homepage now!

    But, I have run ad-aware 3 times and it keeps finding malware.psguard, type: regkey, object: hkey_local_machine:software\\

    Ad-aware is up to date.

    I delete every time but it keeps coming back.

    Spybot cannot sense it.

    Also when going through the "how to remove..." steps when in safe mode there were 3 svchost.exe processes running... is this normal?

    Thanks again.
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Don't touch the svchost stuff.

    And check the other psguard posts in this forum.
  5. wtbman

    wtbman TS Rookie Topic Starter

    Thanks, I'd buy you a round if I could...... The Ewido worked a little better than the ad-aware. Ewido still cannot completely erase the psguard. It keeps reporting "Error during cleaning" after every registry scan.

    I've scanned in safe mode with restore off several times with same results. I found the folder in the registry under hkey_local_machine/software/ but it will not let me delete it. There is no value set. The computer is running good so is it ok to leave this or do I need to find a way to delete?
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    It does not do any harm there, but right-clicking it should offer the option Delete.