Need help with getting rid of home page !!!
Proper_Villain 04-10-2004, 02:28 AM
I think I contracted a "Trojan" or something. I set my home page to Gixxer, apply, close, no problem, but when I reopen IE it comes up with "about:blank" in the URL field and it is a search page. I have reset it in internet options 1000 times. Ran CWshredder and Adaware 6.0, deleted everything in "Add, remove programs" that I knew didn't belong, but it still comes back EVERY time. I even tried to get smart and get the IP address for it, but it doesn't produce one !! I cleared out the temps & cookies, opened the page and then looked in the folders again, but it doesn't leave a trace. It also doesn't show up in "Processes" with Ctrl-alt-del. I can't wait to start my MCDBA/MCSE course so I can figure these things out !!
If any of you know how to help, please do !! I would greatly appreciate it !!
Thank you in advance.
P.S.~ I am running XP.
cuebert 04-10-2004, 02:33 AM
grab Spybot Search and destroy , and give that a run first.. if that doesn't do it, then crack open your registry and search for all the keys to do with the 'homepage' setting in IE.
I can't remember where it/they are right now.. but a little hunting never hurt anyone....
oh yeah... hope you've done reg work before ... if not... stay outta the registry, you might break everything
good luck mate.
mpdgsxr1000 04-10-2004, 05:07 AM
do a search on Kazaa for a cracked version of Spy Hunter, that is the best spy remover program I've used. if you just get the trial version you will have to manually go into your registry to remove the spyware, the cracked version will do it for you
GIXXERUK 04-10-2004, 07:00 AM
http://www.tjpromotionsltd.tk/
have a look here , have you looked in your start up items or registry ??
also check c:\windows\downloaded program files
Horarik 04-10-2004, 01:00 PM
I have that same exact problem. My friend is coming over Monday to fix it. If he tells me how I will let you know.
Robert750 04-10-2004, 01:54 PM
I think I know what that is, little executive file that is located in C:\windows\ Directory. I found a file that didn't belong (deleted it and anything else that looked similar to it) and after rebooting no more problems. Never seen it again but in my case it was easy because it had a black spacecraft as an icon so... I spotted it right away. It must have a string in config.sys and/or autoexec.bat. If not, then back up your files and reinstall everything. I do it every 8 months, too much crap (useless drivers that the computer has to go through to get to the right file) slows down my computer too much. Hope this helps
Proper_Villain 04-12-2004, 08:36 AM
Thank you very much guys !!! I will try it tonight and let you know what happens. I have already gone through C:\Windows and removed everything that I knew didn't belong and then add and remove programs. It is soooo frustrating. I change my home page in Internet options, run CWshredder, adaware6 and then try again and it is STILL there. It's like it's a .exe that is running every time I open IE that changes my page. It also loads a "Lycos" program that REALLY pisses me off !!
MPD. Do you think you could help me get that program? I did a search, but nothing turned up. I am not using Kazaa anymore because of the RIAAssholes. Plus when I upgraded to XP I lost Kazaa Lite and now if you try to DL it, it makes you jump through a lot more hoops !! I'm using Blubster which SUCKS !!
Proper_Villain 04-14-2004, 09:47 AM
I tried all of your suggestions, but it didn't get it !!! IDK what to do next.
Bostitch 04-14-2004, 01:48 PM
Proper_Villain said:
I tried all of your suggestions, but it didn't get it !!! IDK what to do next.
So you tried Spybot S&D with no help? hrm! So you've deleted all your temp internet files and cookies. Have you checked your host file yet? about:blank could be set to something else. Have you looked through the startup (msconfig) to see if anything out of the ordinary is there? Post up a screen shot of your running processes so we can have a look. There is a registry edit to where you can change the "use default page" to whatever you want instead of the msn.com page. I don't know if that would help but I'll hunt down the string and see if that helps.
Bostitch 04-14-2004, 01:55 PM
OK, Post a screen shot of this reg. page so we can have a look.
Run>regedit
HKEY_CURRENT_USER > Software > Microsoft > Internet explorer > Main
Don't change anything yet cause it could seriously screw something up.
Proper_Villain 04-14-2004, 05:23 PM
Ok. Thank you guys. I will do it tonight.
Proper_Villain 04-14-2004, 10:59 PM
Alright. Here we are. First of all I really appreciate the help. This is soo annoying. I hate not knowing this stuff. Esp. since I have to work with it everyday. That's why I am taking the class soon (CEN 1300).
Ok, I think my problem lies with the "IST" entries and the optimizer. If you guys could explain regedit and what each of the processes are a little to me or send me to a site that I can learn about it better that would be great.
Thanx again !
http://www.gixxer.com/uploads/regedit1.jpg
Bottom half
http://www.gixxer.com/uploads/regedit2.jpg
And processes
http://www.gixxer.com/uploads/task_mgr1.jpg
Bostitch 04-15-2004, 12:39 AM
First off good call on the optimizer.exe, it's some sort of XXXdialer/virus. Did a quick search with google and came up with these.
http://www.liutilities.com/products/wintaskspro/processlibrary/optimize/
http://www.sophos.com/virusinfo/analyses/dialdyfucaa.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html
I can see why when you bring up explorer it changes the home page. You have a bunch of strings in there for the search all probably linking to some search page. It should have only one string that reads: (search page) http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch. You also have multiple strings I have never seen before. Now this is a tough one cause there will have to be some reg. editing. Please before you go and change anything save your registry as it is so if we F'up we can go back. I'd hate to really screw you up.
First here is what my Main folder looks like. It doesn't have everything in there yet, but I think this is how it is "stock"
http://www.gixxer.com/uploads/reg.jpg
First off you see that start page_bak, delete that. There you can change your start web page from start page: about:blank to gixxer.com. Second is I would delete the Search bar & page_bak, then change the search page back to http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch. I guess you had some sort of search bar w/ internet explorer like google or something so I have no idea what would go there. Let's try these first and see where you're at. Next is check your host file under windows>system32>drivers>etc. Open that up with Notepad and see if you have a bunch of www's with IP's after them. You shouldn't have many if any at all.
It's strange that Spybot didn't pick these up cause that spyware has been out for some time. Good luck dude and keep us updated with progress. If anyone else (beanfield, mtmra) has any other suggestions or warnings please speak up
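The checks Bostitch describes above (look for Start Page_bak / Search Page_bak, res:// and about:blank values under HKCU\Software\Microsoft\Internet Explorer\Main, then scan the hosts file for www names with IPs after them) can be done read-only before anything is deleted. The script below is an added example, not code from the thread or from any of the tools it mentions; it assumes PowerShell on Windows, the registry path Bostitch gave, the stock Microsoft search-page URL quoted in his post, and the usual hosts file location under the Windows directory. It changes nothing and only reports what a cleanup would need to look at.

```powershell
# Added example, not from the thread: read-only audit of the IE Main values and
# the hosts file. Assumes Windows PowerShell; nothing is modified.

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
# Stock search page URL as quoted in the thread.
$msSearch = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'

function Get-IeMainFindings {
    param([string]$Path = $ieMain)
    $findings = @()
    if (-not (Test-Path $Path)) { return $findings }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        # "_bak" copies (Start Page_bak, Search Page_bak) are what the hijacker re-applies from.
        if ($name -like '*_bak') {
            $findings += [pscustomobject]@{ Name = $name; Value = $value; Reason = 'backup copy the hijack restores from' }
            continue
        }
        # res:// points into a local DLL resource; about:blank as the start page is the symptom itself.
        if ($value -match '^res://' -or ($name -eq 'Start Page' -and $value -eq 'about:blank')) {
            $findings += [pscustomobject]@{ Name = $name; Value = $value; Reason = 'points at a DLL resource or about:blank' }
            continue
        }
        if ($name -eq 'Search Page' -and $value -ne $msSearch) {
            $findings += [pscustomobject]@{ Name = $name; Value = $value; Reason = 'search page is not the stock Microsoft redirector' }
        }
    }
    return $findings
}

function Get-HostsFindings {
    param([string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    $findings = @()
    if (-not (Test-Path $HostsPath)) { return $findings }
    foreach ($line in Get-Content -Path $HostsPath) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $parts = $trimmed -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line: IP with no name
        $ip = $parts[0]
        # A stock hosts file only maps localhost; a list of www names is the warning sign.
        foreach ($h in $parts[1..($parts.Count - 1)]) {
            if ($h -ieq 'localhost') { continue }
            $findings += [pscustomobject]@{ Name = $h; Value = $ip; Reason = 'non-localhost hosts entry' }
        }
    }
    return $findings
}

$all = @(Get-IeMainFindings) + @(Get-HostsFindings)
if ($all.Count -eq 0) { 'Nothing unusual in IE Main values or the hosts file.' }
else { $all | Format-Table -AutoSize }
```

Run it from a normal PowerShell prompt; because it only reads, it is safe to run before and again after a cleanup pass to confirm whether the values and hosts entries have been re-created, which is the "it comes back every time" behaviour the thread keeps running into.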
Proper_Villain 04-15-2004, 11:27 PM
Okay I have done all of that, but I am still getting the about:blank page.
Here is regedit now
http://www.gixxer.com/uploads/regedit_3.jpg
I keep tracing down a file named hcimme.dll, but I can't delete it !! It keeps saying "file access denied" How can I?
http://www.gixxer.com/uploads/hcimme.jpg
I appreciate all that you have done. I think I'm close. I just need to figure this last bit out. I throw Spybot, CWShredder, Adaware and NIS at it. It will come up clean and then I will run it again and it will find more files !!!
Help.
Bostitch 04-15-2004, 11:53 PM
Hey proper, I don't have too much time tonight so...! You see those strings that have res://.... change those. search bar I think should be about:blank and the page to the microsoft one. Why do you want to delete the hcimme.dll? If you really want to delete it try going into safemode then try to delete it or rename the extension, then reboot and delete. I'll check back tomorrow
JonRags 04-16-2004, 05:58 PM
Also try Ad-aware. It can kill any redirect software on your system.
Suzuki Chelly 04-17-2004, 10:33 PM
My dad has a similar problem. Ad Aware and spybot haven't done shit. I tried killing the .dll file and the registry entries, with no luck. I'm about to just FFR the fucker and get it over with.
Proper_Villain 04-19-2004, 09:39 AM
I have used Adaware6, Spybot S&D, CWShredder AND N.I.S. scan. Just when I think I have killed it, I open a browser and it reappears !!! I wish I could lock down the system where nothing can be installed or redirected w/out my permission. I can up the NIS security, but then Google won't even load !!! I am soooo frustrated and I DON'T want to reformat, but that is the road I am heading down unless someone can help me out soon or I figure it out !!! So with that being said. Put in your 2 cents (about this problem) even if you don't know if it will work.
Bostitch 04-19-2004, 06:27 PM
What version of SpyBot are you using? The latest beta ver. is 1.3, it finds a lot more stuff than 1.2. Hrrrm I am running out of ideas. What does your host file look like? Were you still unable to get rid of the .dll file?
Proper_Villain 04-20-2004, 10:46 AM
NIS did get rid of the .dll. It said "Would you like us to remove this file on your next reboot?". I am soo frustrated. This is the most effective virus I have ever seen !! Just when I think I have gotten rid of it, I open an IE browser and "Bam" it's back !!! Could you email me a larger screen shot of your regedit for me to see? I thought I was in big trouble a little while ago. I tried to delete some of the values in there and it said "access denied".
Thank you for everything you have tried !!! IDK what to do next.
Bostitch 04-20-2004, 09:41 PM
http://www.gixxer.com/uploads/reg22.jpg
There you go bro! Just save it to your hard drive and you should be able to view it in full. LOL ya, the registry is tricky and you can mess something up very easily. Did you happen to save a copy for yourself? What values did you try to edit and couldn't? And what you describe is typical spyware, once you delete the string then it will reload it every time you boot windows. Are you sure you were unable to get rid of "optimize.exe"? Post a screen shot of your startup, type "msconfig" in the run command and then go to startup. I want to see what is starting up when windows loads. I dunno man I'm still trying to help ya but I think this spyware has got us beat. Post up a screeny and we'll see!
GIXXERUK 04-21-2004, 09:50 AM
d/l hijackthis and post up the log report
Proper_Villain 04-22-2004, 09:52 AM
http://www.hijackthis.com for the DL? I am getting farther. I scan the living shit out of it and it will stay gone for awhile and then I was on GDC, went to Google and it came back up. I really appreciate all of your help Bostitch. I finally got rid of optimizer.exe. I just can't find the root, I'm thinking. I keep chopping down the tree, but the roots are down there somewhere. I need to learn the characteristics of it to kill it for good. I found a folder in C:\Windows named "Prefetch" with a lot of *.exes in it. I quarantined that instead of deleting it because some of them looked legit. It seems to be running just fine without it though, so I think I can delete it.
I will get the "msconfig" up for you soon.
Thank you,
Bostitch 04-22-2004, 10:09 AM
http://www.astalavista.com/?section=dir&cmd=file&id=382
Here is the program HijackThis 1.97.7. Just save the zip file. It's a tool that scans the registry for hijacks. Post up the log file of this too.
Proper_Villain 04-23-2004, 10:12 PM
Here are my Msconfig screen shots. I'm not sure what a lot of these are so if any of you can explain them I would appreciate it. My system bogs down so much.
http://www.gixxer.com/uploads/msconfig_01.jpg
http://www.gixxer.com/uploads/msconfig_02.jpg
Proper_Villain 04-23-2004, 10:21 PM
Here is the log file from hijack this.
http://www.gixxer.com/uploads/hijackthis_log.jpg
Bostitch 04-24-2004, 11:36 AM
You don't have very many things loading in the startup, but I see the remains of optimize.exe...lol. Looks like coolwebsearch, do you have a "filter.log" in the root of C:\ ? Delete the first ten lines (all those res:\\, and the oeiek.dll) all the way down to the BHO's. Then go delete the log file. Then go try to delete the .DLL's in the system32 folder. Note: you need to do all this in safe mode while you delete the keys and DLL files/filter.log. After all that is done you need to grab the latest and greatest CWshredder. Run that while in safe mode and you should be good to go. I hope this does it.
Proper_Villain 04-24-2004, 02:23 PM
How do I boot up in safe mode for Win XP pro? I know stupid question. I should know. I can do it in 95-2K, but I'm new to XP. Thank you. I also need to find the newest version of Spybot (1.3 I think). I think that's what someone said earlier. Your reply was a little cloudy, but I will figure it out. You're right. I've deleted the optimize files, but it is still in the "msconfig".
Thank you. I will check back soon.
Bostitch 04-24-2004, 03:36 PM
lol...that was me that said to download the latest ver. of SB. Go here:
http://www.majorgeeks.com/download2471.html
It's a beta version but has twice as much stuff blocked. To get into safemode you need to hold the F8 button down after the BIOS is finished. You should see a number of prompts, just highlight "safemode" and it will start. Also go download the latest version of CWShredder. Don't worry about optimize.exe in the startup, it's just the remains of what you removed. You can see it's not checked to run at startup and if you checked it you would prolly just get an error. Whatever part was cloudy for you just post back up what confuses you and I will try to clear it up. Good Luck
micky750 04-26-2004, 07:39 AM
Get Spybot search & destroy, it finds most things.
Proper_Villain 04-26-2004, 08:31 AM
What can I get rid of in the "Hijacker" log (above)? Does anyone know?
Bostitch 04-26-2004, 10:29 AM
You see the save log in the bottom left corner? Save the log, open it, then copy and paste the text. I really don't want to type out the whole thing. But in short, while in safe mode, take out the strings with the (obfuscated) behind them. Then take out the HomeOldSP=about.blank. Delete the Default URLsearch......then the two BHO's below that. After that go into the Windows/system32 and try to delete the oeiek.dll. Also you never told me if you have filter.log located in the c:\windows, if so delete that. Then reboot back into safemode and run Hijackthis and see if those same strings came back. If not, then run the latest ver. CWshredder/SB while still in safe mode. Reboot back into normal, then run HijackThis and see if those strings came back, if so then there must be another DLL reloading the trojan.