Totally shocked
net_exodus78
May 5th, 2004, 08:11 PM
I've recently contracted spyware on my WinXP computer. It hijacked my IE home page and set the home page to something like http://fadfg.outhost.info
It didn't work when I tried to restore my browser settings. I googled the URL and found that it didn't exist, so I suspect the page was cached on my computer.
I have no idea how it got into my computer, because I have ZoneAlarm, Norton AntiVirus 2004, and I run Ad-Aware scans every so often. I made 10 complete scans with up-to-date Ad-Aware and found no problem. My browser was still hijacked.
What shocked me was the detail the programmer went into to prevent me from removing the spyware.
Firstly, it simply closes my browser if I visit any sites containing words such as "spyware", "spybot", etc. It closes my Opera browser too. I had to use my other operating system on the computer just to come into this forum.
Secondly, since I couldn't visit the Spybot homepage I went on download.com to try and download it. My fast clicking skills actually let me download the file before the browser closed; however, when the file reaches 100% and starts to transfer from the temp folder to the designated folder, Windows gives me an error saying the file is not found. I tried using the open file option when downloading and it doesn't open. Frustrated, I used my other computer to download HijackThis and try to unhijack the browser. I saved HijackThis on a floppy and put it into the infected computer. The spyware prevented me from seeing the file in Windows Explorer. So I went to Start->Run A:\hijackthis.exe, and it closed the .exe the second it opened.
Then I went into safe mode and actually got HijackThis to work, but it didn't fix anything; my browser was still hijacked when I restarted in normal mode.
I went and downloaded Spy Sweeper and scanned my system twice; it found nothing.
I then went into a different OS, Win2k, downloaded Spybot, installed it on Win2k and scanned my system; it found no problem. I had to rename the Spybot setup file in order to see it in XP. I switched back to XP and ran the setup file; as usual it closed. I tried it in safe mode, and I actually got it to install, but after the install finishes I cannot find Spybot anywhere. Not on the desktop, not in the Start menu, not in Program Files and not even in the registry.
I tried using Malwhere in normal mode; it detected a process called zlclient.exe or .dll, I don't remember which. It was the only suspicious process on the list. I could not end it; it gave me an access denied message.
In safe mode, the zlclient process didn't exist, but I still couldn't get Spybot to work. Looks like whoever made this spyware took every measure to prevent me from using Spybot.
I gave up after spending my entire day trying to get rid of it. I am still looking for a solution to my problem; I would be grateful if anyone would give me suggestions or advice on removing this dreaded spyware.
I am absolutely shocked and disgusted that someone would spend so much time on the details to make my life miserable.
shawners
May 5th, 2004, 08:28 PM
I'm wondering if you can't use the browser on the other computer to find what kind of hijack this is, and do a registry edit and delete them. Can you return to an earlier time on your machine, before all this happened? Sounds a lot more than just your friendly Micro hijacker.
fireforce555
May 5th, 2004, 08:47 PM
You can just edit your registry to reroute the start page away from its current one.
chuckv64
May 5th, 2004, 11:17 PM
The zlclient is not your problem. That is just your zone alarm running. Wish I could help you but I have never had a hijacker cause that much trouble. Good luck.
tackdaddy
May 5th, 2004, 11:48 PM
I would try doing it by editing the registry, or have you tried to reinstall your browsers? Maybe that would work.
phalkon30
May 6th, 2004, 12:18 AM
I'm pretty sure I heard of a virus that did something like this. I know you've scanned with spyware programs, but have you done a simple antivirus scan with the latest detections?
Also, when in Windows, bring up the Task Manager (Ctrl + Alt + Del) and tell us EVERY single process running. Close any you know you don't need as well; you may have better luck after the program is killed.
aboi
May 6th, 2004, 02:56 AM
Hmmmmmmmmm, sounds very much like Royal Search. It was a hijack thing that took over my buddy's IE.
Induna
May 6th, 2004, 03:58 AM
I don't think dabbling in the registry will work because as soon as you reboot it will reset the homepage. Don't you think whoever designed the hijack program would have thought about that?
http://cexx.org/adware.htm
Scroll about half way down this page and it will give you a list of known homepage hijackers around at the moment and what to do with them.
acegik
May 6th, 2004, 04:09 AM
What I would do is restart and go to the command prompt, then go to windows\system32 and type dir *.exe /od
This will give you the .exe files sorted by date; look at the newest .exe file and rename it just in case.
cjules13
May 6th, 2004, 07:03 AM
You can always use P2P to find your Ad-Aware and Spybot... you don't have to use IE.
That is a hardcore hijack - never heard of one that malicious...
smokingbevel
May 6th, 2004, 08:30 AM
Ironically, http://fadfg.outhost.info/ has a link labeled "Spyware Removal" at the bottom of the page, under the copyright.
net_exodus78
May 6th, 2004, 08:41 AM
Yes, ironically, but when I clicked on it, it gave me a list of anti-spyware programs and it closed the browser as soon as I clicked on them.
I actually sort of got it fixed, somehow, by installing Spybot in safe mode into a directory not containing the word "spybot". I could see the directory and all the files in it except the main spybot.exe file. So I randomly tried every executable in the folder and started Spybot using update.exe. I made a scan and removed some parts of the spyware. Then I restarted in normal mode, scanned again and fixed more parts.
Right now my browser is no longer hijacked, and I can go on sites containing words like "spybot", but I still can't see the Spybot files.
napho
May 6th, 2004, 08:53 AM
There are insidious new spyware DLLs by NicTech that install this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian
If you have that key then you'll know what DLLs are installed, and you'll be able to delete them in safe mode and get rid of the sites they redirect you to with HijackThis.
The Hunter
May 6th, 2004, 04:22 PM
That sounds very similar to what has happened to a friend's PC. On his PC initially it just seemed that when he went to beta news the page was hijacked. I went to download the new Spybot beta, and all hell broke loose. IE page not found, downloads blocked. The only way I could get the program was to download it on his daughter's PC and mail it to him. Running it has not solved anything. I'm still looking for answers, but if needed we will just frigging format.
miss_silver
May 7th, 2004, 09:22 AM
Something like that happened to me a while ago.
Each time I'd try to access the net, my start page was automatically redirected to porn sites! And after that it was popup galore; they kept popping up even after I'd disconnected from the net. I was lucky enough to be able to access the net and cry for help at the BB I usually hang out at. They told me to get AVG installed. AVG is a kick-ass antivirus and warns you if a virus/trojan is detected. What I caught, according to AVG, was the trojan esrporQ, which no one has ever heard of. In the end I was sure I had to reformat my drive to get rid of it, but with AVG and precise surgery on the WINDOWS folder I was finally able to get rid of it.
A lot of times, those malicious files hide themselves in WINDOW\Temp internet files\content IE files...
The Hunter
May 7th, 2004, 04:33 PM
He is running AVG, but his security settings were not the best. That has been changed now, as I got things set so strict that he can't even fart without clicking Yes.
Mels_Smileys45
May 7th, 2004, 07:42 PM
To remove most browser hijacks all you need is cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
This should do the trick.
The Hunter
May 7th, 2004, 07:45 PM
Thanks man, will try this on his PC this weekend. When I get time, that is.
pianoben
May 7th, 2004, 08:54 PM
It sounds like you have some form of the hijacker 'CoolWebSearch', or something like it. CWShredder, mentioned above, is just what you need. The variant that closes anti-spyware pages and programs, though, can't be removed by CWShredder alone. Download this file and run it first. Then run CWShredder, and your system should be just fine!
http://download.softpedia.com:8080/ANTIVIRUS/delcwssk.zip
The Hunter
May 13th, 2004, 11:18 AM
OK, this is what solved my friend's problem: http://www.mvps.org/sramesh2k/toolbarcop.htm
shawners
May 13th, 2004, 03:49 PM
Need update, did it get fixed or still on the pc?
Omyn
May 13th, 2004, 05:14 PM
Have you tried going to the Run command line box in the Start menu and typing in msconfig?
From there I would check your startup programs and take off anything that you even question as being a possible spyware application.
Good luck man.
The Hunter
May 13th, 2004, 05:16 PM
Need update, did it get fixed or still on the pc?
His pc is all cleaned up and working great.
shawners
May 13th, 2004, 09:08 PM
Great news!! Spyware takes all the fun out of computers! If we wanted to see ads, I'm sure we would watch the two-hour finale of Friends.
gwilsonb
July 16th, 2004, 03:34 PM
This one is a serious pain; I wasted bloody hours fixing it.
Amongst other things it:
a) looks for a regedit memory image in memory and disables it as soon as you open it up (there is a svhost.exe entry in the auto-run section)
b) also kills various antivirus programs automatically
c) automatically recreates the hxdefdrv.sys file in /winnt, which it uses to create a backdoor into your PC, AFTER you delete it
d) stuffs around with your HOSTS file to redirect various requests for websites to other websites
e) creates some registry entries for Tcpip services which I could only find with HijackThis (once I'd got rid of the other stuff manually that stopped HijackThis running) and... it may also stuff around with your default Windows stylesheet.
The registry entries identified by HijackThis that I got rid of were:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mondaq.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA55F8B-259A-49E7-A622-C72B9ECFE8FC}: NameServer = 10.0.0.2,10.0.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BE61EE-69CC-4D01-A03A-6EE6ABC508B5}: NameServer = 194.72.9.55 194.74.65.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mondaq.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mondaq.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mondaq.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
O19 - User stylesheet: C:\WINNT\system32\vuodjr.af6
And the config file it uses to install/run itself is this (winunins.ini):
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*
[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Hidden RegValues]
[Startup Run]
C:\WINNT\svhost.exe -sr -0
[Free Space]
[Hidden Ports]
[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
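A triage helper, added here as an example and not taken from the thread or from any tool named in it: it parses the [Hidden Table] of a winunins.ini like the one quoted above and reports which names in a directory or process listing the rootkit config would hide, which is what a listing taken from a clean boot should be compared against. It assumes (the thread does not say) that entries are case-insensitive whole-name masks with * and ? wildcards; the sample config is constructed from the sections quoted above.

```python
import fnmatch
import re

# Constructed sample: the [Hidden Table] and [Root Processes] sections as
# quoted in the thread's winunins.ini; the other sections are omitted here.
SAMPLE_INI = """\
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*
[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe
"""


def parse_sections(text):
    """Return {section: [entries]} for this INI-like layout (blank lines skipped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def is_hidden(name, masks):
    """Assumption: masks are case-insensitive whole-name wildcards (* and ?)."""
    lower = name.lower()
    return any(fnmatch.fnmatchcase(lower, mask.lower()) for mask in masks)


def hidden_items(names, sections):
    """Names from a directory or process listing that the config would hide."""
    return [n for n in names if is_hidden(n, sections.get("Hidden Table", []))]
```

Run against the names from the thread, it shows why SpybotSD.exe and msconfig.exe vanish while update.exe and a folder without "spybot" in its name stay visible, and why only the listed root processes see the hidden files.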