futaba 09:16 10 Dec 2003

This is driving me crazy, have downloaded and run "cwshedder" which seems to clense my system, trouble is every time I visit just about any website my homepage is set back to cool-search or something similar, my prefered homepage is blank, This is with IE6, WXP pro. Does anybody have any ideas how I can stop being infected every time I go online, have to say messing in the registry worries me somewhat.

  Jester2K II 09:25 10 Dec 2003

Download latest version of CWS.

Close ALL IE windows.

Run CWS again.

  Stuartli 09:26 10 Dec 2003

Try going to click here or similar AV website and keying in the details of what appears to be a virus or similar into the Search box.

You should then be given details of how to remove it.

Another alternative is to install the free version of AVG, update it and then run it to scan your system.

  Jester2K II 09:26 10 Dec 2003

Latest version is 1.39.2

  futaba 10:23 10 Dec 2003

Hi Guys.
Have run AVG (latest) and CWS 1.39.2, both find the virus and cure it, however go back on line and it returns again.

  Jester2K II 11:45 10 Dec 2003

Also try SpyBot click here and AdAware click here

  Jester2K II 11:45 10 Dec 2003

What does the AVG and CWS call this virus?

  Gaz 25 12:28 10 Dec 2003

Sounds like an RPC virus, such as Gaobot...

  Gaz 25 12:36 10 Dec 2003

Actually it is RANDEX.

"Microsoft Runtime"="CfgDll32.exe"


Services.exe - is also a Randex Variation.

The .R variation is supposed to Hijack your hompage.

You need to install the Microoft patch if you run 2000/XP, and install a firewall.

This is randex.BF -

Randex.BF is a Trojan worm with characteristics that spreads across networks and enterprises quickly. It generates IP addresses at random and attempts to connect to them, using passwords that are typical or easy to guess, in other words as its own password cracker. If successful, it copies itself in the computers it has gained access to. Similar to the spread of the Blaster worm and Nachia worm.

Randex.BF joins the channel #goep in the IRC server at '' in order to receive remote control commands, from a remote hacker. In this variant of the randex worm, it runs an NTSCAN, in order to crack passwords, and a SYSINFO to obtain users system information.

The virus has no visible symptoms such as messages or any effect on the computers display.

The virus copies to files: GMT16.EXE, MS00.EXE, and it is 71Kb.

Extended information will be added as soon as we can provide extra news. If you think you are infected: click here

Flamewall Security Response

  futaba 20:39 10 Dec 2003

Hi Everyone.
Spybot seems to have fixed my prob.
Thanks for your help.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Honor 9 Lite review

HomePod review

Les meilleurs logiciels de montage vidéo gratuits (2018)