Hijacked homepage is warningmessage.com and securityerror.com

Hello, I'm completely new to all this... 2 days ago caught something...

Running 02 Windows XP Home Edition
HJT log is attached

I have a dial-up connection and when I'm connected and open IE it opens warningmessage.com trying to sell AS programs and warnings indicating a w32.sinnaka.a@mm worm. If I'm not connected it tries to open securityerror.com. While trying to open wm.com this is in the address box:
res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm

I was able to locate and delete several nasties with Aluria, MS Spyware, Spyware Detector, Spybot, Ad-Aware & AVG Free. Before I downloaded all the AS programs there were pop-ups (mainly casino ads).

I have deepscanned with all programs both in "regular" and safe mode. The pop-ups and warnings have quit but the "home" page still opens warningmessage.com even though I reset the homepage to google.com.

I followed directions here but no success:
http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage=,sv=

This post describes the same problem:
http://forum.grisoft.cz/freeforum/read.php?4,52400,backpage=,sv=

I would really appreciate any help. Please let me know if more info is needed.
 

Don't you think it's time to stop using that crappy IE? (other than for Windoze updates)
Go to www.getfirefox.com !!!

Follow the instructions from here:
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

Run CWShredder
Uninstall/delete anything to do with Netzero while you are at it.
Next, click on Start/Run and type in (followed by press Enter):
REGSVR32 /U C:\WINDOWS\system32\BlockActivex.dll

Fix this lot:
...................................
C:\Program Files\NetZero\exec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\system32\BlockActivex.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
Fix ALL your O16 - DPF: entries
Unless these IP-numbers are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer = 64.136.20.121 64.136.28.121
...................................
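
A way to read entries like the ones in the fix list above programmatically, added here as an example that is not part of the original thread. It splits each HijackThis line into its section code, GUID, file path, URL and name servers. The field names and the two review hints are assumptions of this example, not HijackThis output.

```python
import re

# Section codes used in the list above, with HijackThis's usual meaning for each.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URL search hook", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart (Run key)",
            "O16": "ActiveX download (DPF)", "O17": "DNS name server setting"}

ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|tmp)', re.I)
URL = re.compile(r"https?://\S+")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_entry(line):
    """Split one HijackThis log line into fields; None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    guid, path, url = GUID.search(body), FILE.search(body), URL.search(body)
    entry = {"code": code, "kind": SECTIONS.get(code, "other"),
             "guid": guid.group(0).upper() if guid else None,
             "file": path.group(0) if path else None,
             "url": url.group(0) if url else None,
             "ips": IPV4.findall(body) if code == "O17" else [],
             "notes": []}
    # Review hints (heuristics added for this example, not HijackThis output).
    if code in ("O2", "O3") and entry["file"] and entry["file"].lower().endswith(".tmp"):
        entry["notes"].append("browser component loaded from a .tmp file")
    if code == "O17":
        entry["notes"].append("check name servers against the ISP's")
    return entry

def parse_log(text):
    """Return parsed entries for every recognised line, skipping the rest."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

# Sample lines copied from the fix list in the post above.
SAMPLE = r"""C:\Program Files\NetZero\exec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB248.tmp
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O17 - HKLM\System\CCS\Services\Tcpip\..\{79447675-C505-4F06-9237-740DD3251A9B}: NameServer = 64.136.20.121 64.136.28.121"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(e["code"], e["kind"], e["file"] or e["url"] or e["ips"], e["notes"])
```
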
 
Thanks a lot! I have control of homepage now!

But, I have run ad-aware 3 times and it keeps finding malware.psguard, type: regkey, object: hkey_local_machine:software\psguard.com\

Ad-aware is up to date.

I delete every time but it keeps coming back.

Spybot cannot sense it.

Also when going through the "how to remove..." steps when in safe mode there were 3 svchost.exe processes running... is this normal?

Thanks again.
 
Thanks, I'd buy you a round if I could...... The Ewido worked a little better than the ad-aware. Ewido still cannot completely erase the psguard. It keeps reporting "Error during cleaning" after every registry scan.

I've scanned in safe mode with restore off several times with same results. I found the folder in the registry under hkey_local_machine/software/psguard.com but it will not let me delete it. There is no value set. The computer is running good so is it ok to leave this or do I need to find a way to delete?
 