windowws.cc/htm?id=9 hijacked home page

My home page (and god knows what else) has been hijacked. A viscous looking popup always appears when this page.

I went through all of the steps to remove spyware, etc. recommended by MajorGeeks, up to and including running HijackThis. Nothing fixed the problem, but HijackThis found:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9

, but cannont remove it (tried repeatedly).

Haven't seen other symptoms yet.

How do I get rid of this?

 

Scroll down to the topic "Super-Spider Garbage" it is the same problem you are having and will save Chaslang some time as he will probrably tell you the same thing. Also, read the sticky at the beggining of this section and download all of the required applications prior to asking for help, that way you are ready to go when someone gets to you.

 

As I stated in my original request, I have already gone through all of those steps.

 

All I can say for now is keep an eye on this thread http://forums.majorgeeks.com/showthread.php?t=42565


I am having the same issues, I can still get online, if you run Adware and Spybot, the change you homepage back in IE you can get online without much difficulty. Its when you get offline the back on the homepage changes and you experience the pop-ups. I seems that we are very close to a solution so hang on for a few days and watch the thread.

 

Sorry about that - thanks for helping.

Couldn't post using the infected machine. Tried using another machine on my network. "Manage attachments" button won't work on that machine. Pasting into the message. Again, I think the problem is the first entry (the R0) entry, which HijackThis can't fix.

 

boot too safe mode

find this file and delete it
C:\WINDOWS\SYSTEM\7KR02N5TYF1X9Z.EXE

next go to start.. run.. type REGSVR32.EXE /u Y2HPXC~1.DLL

then find the file and delete it :C:\WINDOWS\SYSTEM\Y2HPXC~1.DLL

then run HJT and dump the following entries



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\Y2HPXC~1.DLL
O4 - HKCU\..\Run: [romahere2]C:\WINDOWS\SYSTEM\7KR02N5TYF1X9Z.EXE

Then run CWShredder once more.
Post a new log and let us know what's up.

 

This seems to have fixed the problem. Thanks! I can now control my home page. I have attached the requested most recent HijackThis log.

Of some concern is what BitDefender.com found just before I tried your fix:
From BitDefender.com:
C:\WINDOWS\Temporary Internet Files\Content.IE5\WXR7G65Z\go[1].html: infected with HTML.MediaTickets.A
C:\WINDOWS\Temporary Internet Files\Content.IE5\WXR7G65Z\go[1].html: disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\WXR7G65Z\thnall1m[1].exe=>(ASPack 2.12): infected with Trojan.Downloader.Agent.AF
C:\WINDOWS\Temporary Internet Files\Content.IE5\WXR7G65Z\thnall1m[1].exe=>(ASPack 2.12): disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\8TEZ2J0D\mtrslib2[1].js: infected with HTML.MediaTickets.B
C:\WINDOWS\Temporary Internet Files\Content.IE5\8TEZ2J0D\mtrslib2[1].js: disinfection failed

It takes a while to do this scan, so I haven't repeated it since the fix, but I will.

-RickSmith3

 

looks good man.. just empty your IE cache and that should help with the disinfection issue..