ZeroPaid.com

(#1) net_exodus78 (Registered User)
Posts: 2 | Join Date: Dec 2003 | Location: Canada | Age: 21
Totally shocked - May 5th, 2004, 07:11 PM

I've recently contracted spyware on my WinXP computer. It hijacked my IE home page and set the home page to something like http://fadfg.outhost.info
It didn't work when I tried to restore my browser settings. I googled the URL and found that it didn't exist, so I suspect the page was cached on my computer.
I have no idea how it got into my computer, because I have ZoneAlarm, Norton AntiVirus 2004, and I run Ad-Aware scans every so often. I made 10 complete scans with up-to-date Ad-Aware and found no problem. My browser was still hijacked.

What shocked me was the detail the programmer went into, to prevent me from removing the spyware.

Firstly, it simply closes my browser if I visit any sites containing words such as "spyware", "spybot" etc. It closes my Opera browser too. I had to use my other operating system on the computer just to come into this forum.

Secondly, since I couldn't visit the Spybot homepage I went on download.com to try and download it. My fast clicking skills actually let me download the file before the browser closed; however, when the file reaches 100% and starts to transfer from the temp folder to the designated folder, Windows gives me an error saying the file is not found. I tried using the open file option when downloading and it doesn't open. Frustrated, I used my other computer to download HijackThis and try to unhijack the browser. I saved HijackThis on a floppy and put it into the infected computer. The spyware prevented me from seeing the file in Windows Explorer. So I went to Start->Run A:\hijackthis.exe, and it closed the .exe the second it opened.
Then I went into safe mode, and actually got HijackThis to work, but it didn't fix anything; my browser was still hijacked when I restarted in normal mode.

I went and downloaded Spy Sweeper and scanned my system twice; it found nothing.

I then went into a different OS, Win2k, downloaded Spybot, installed it on Win2k and scanned my system; it found no problem. I had to rename the Spybot setup file in order to see it in XP. I switched back to XP, ran the setup file, and as usual it closed. I tried it in safe mode; I actually got it to install, but after the install finishes I cannot find Spybot anywhere. Not on the desktop, not in the Start menu, not in Program Files and not even in the registry.

I tried using malwhere in normal mode; it detected a process called zlclient.exe or dll, I don't remember. It was the only suspicious process on the list. I could not end it; it gave me an access denied message.

In safe mode, the zlclient process didn't exist but I still couldn't get Spybot to work. Looks like whoever made this spyware took every measure to prevent me from using Spybot.
I gave up after spending my entire day trying to get rid of it. I am still looking for a solution to my problem; I would be grateful if anyone would give me suggestions or advice on removing this dreaded spyware.

I am absolutely shocked and disgusted that someone would spend so much time on the details to make my life miserable.
(#2) shawners (Hurt no more my son.)
Posts: 8,056 | Join Date: Dec 2002 | Location: An angel in Heaven and on Earth | Age: 34
May 5th, 2004, 07:28 PM

I'm wondering if you can't use the browser on the other computer to find what kind of hijack this is, and do a registry edit and delete them. Can you return to an earlier time on your machine, before all this happened? Sounds a lot more than just your friendly Micro hijacker.
(#3) fireforce555 (We Are Penn State!)
Posts: 363 | Join Date: Nov 2003
May 5th, 2004, 07:47 PM

You can just edit your registry to reroute the start page away from its current one.
(#4) chuckv64 (Zeropaid Regular)
Posts: 19 | Join Date: Apr 2002
May 5th, 2004, 10:17 PM

The zlclient is not your problem. That is just your zone alarm running. Wish I could help you but I have never had a hijacker cause that much trouble. Good luck.
(#5) tackdaddy (ZeroPaid's Forum Pimp)
Posts: 1,146 | Join Date: Apr 2002 | Location: Pittsburgh, PA (Home of the Steelers, Penguins & Pirates)
May 5th, 2004, 10:48 PM

I would try doing it by editing the registry, or have you tried to reinstall your browsers? Maybe that would work.
(#6) phalkon30 (Jay Leno Geek)
Posts: 4,236 | Join Date: Nov 2002 | Location: Lacrosse, Wi. | Age: 23
May 5th, 2004, 11:18 PM

I'm pretty sure I heard of a virus that did something like this. I know you've scanned with spyware programs, but have you done a simple antivirus scan with the latest detections?

Also, when in Windows, bring up the task manager (Ctrl + Alt + Del), and tell us EVERY single process running. Close any you know you don't need also; you may have better luck after the program is killed.
(#7) aboi (Zeropaid Regular)
Posts: 181 | Join Date: Dec 2003
May 6th, 2004, 01:56 AM

Hmmmmmmmmm, sounds very much like Royal Search. It was a hijack thing that took over my buddy's IE.
(#8) Induna (Vote John Kerry!)
Posts: 661 | Join Date: Oct 2002
May 6th, 2004, 02:58 AM

I don't think dabbling in the registry will work because as soon as you reboot it will reset the homepage. Don't you think whoever designed the hijack program would have thought about that?

http://cexx.org/adware.htm

Scroll about halfway down this page and it will give you a list of known homepage hijackers around at the moment and what to do with them.
(#9) acegik (Zeropaid Regular)
Posts: 26 | Join Date: Jun 2003
May 6th, 2004, 03:09 AM

What I would do is restart and go to the command prompt, then go to windows\system32 and type dir *.exe /od
This will give you the exes sorted by date; see the newest exe file and rename it just in case.
(#10) cjules13 (Disgruntled but Unarmed)
Posts: 1,791 | Join Date: Aug 2003 | Location: Portland
May 6th, 2004, 06:03 AM

You can always use p2p to find your Ad-Aware and Spybot... you don't have to use IE.

That is a hardcore hijack - never heard of one that malicious...
(#11) smokingbevel
Posts: 125 | Join Date: Mar 2004
May 6th, 2004, 07:30 AM

Ironically, http://fadfg.outhost.info/ has a link labeled "Spyware Removal" at the bottom of the page, under the copyright.
(#12) net_exodus78 (Registered User)
Posts: 2 | Join Date: Dec 2003 | Location: Canada | Age: 21
May 6th, 2004, 07:41 AM

Yes, ironically, but when I clicked on it, it gave me a list of anti-spyware programs and it closes the browser as soon as I click on them.

I actually sort of got it fixed, somehow, by installing Spybot in safe mode into a directory not containing the word "spybot". I could see the directory and all the files in it except the main spybot.exe file. So I randomly tried every executable in the folder and started Spybot using update.exe. I made a scan and removed some parts of the spyware. Then I restarted in normal mode and scanned again and fixed more parts.

Right now, my browser is no longer hijacked, and I can go on sites containing words like "spybot", but I still can't see the Spybot files.
(#13) napho (Antisocial Bastard)
Posts: 1,082 | Join Date: Dec 2002 | Location: The Great White North
May 6th, 2004, 07:53 AM

There are insidious new spyware DLLs by NicTech that install this registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian

If you have that key then you'll know what DLLs are installed and you'll be able to delete them in safe mode and get rid of the sites they redirect you to with HijackThis.
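A defender-side check for the key napho names, added here as an example (it is not from the thread or from any tool mentioned in it): it parses a text export of the Winlogon\Notify key, as `reg export` writes it (REG_EXPAND_SZ values as UTF-16LE hex), and reports any notification package whose subkey is not in a baseline recorded from a clean machine. The sample export, the guard.dll path and the one-entry baseline are constructed for the demonstration.

```python
import re

# Constructed sample of a `reg export` of the Winlogon\Notify key. "crypt32chain"
# stands in for a stock Windows notify package; "Guardian" is the subkey name the
# post cites and guard.dll is a placeholder path, not a real indicator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"DllName"="C:\\WINDOWS\\system32\\guard.dll"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def _decode_value(raw):
    """Decode the right-hand side of a .reg line: reg export writes REG_EXPAND_SZ
    as hex(2): UTF-16LE bytes, and REG_SZ as a quoted, backslash-escaped string."""
    if raw.startswith("hex(2):"):
        pairs = re.findall(r"[0-9a-fA-F]{2}", raw.split(":", 1)[1])
        return bytes(int(p, 16) for p in pairs).decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def notify_packages(reg_text):
    """Map each Winlogon\\Notify subkey name to the DllName it loads at logon."""
    packages, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)  # rejoin continued hex lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
        elif current and line.lower().startswith('"dllname"='):
            packages[current] = _decode_value(line.split("=", 1)[1])
    return packages

def unexpected_packages(reg_text, baseline):
    """(subkey, dll) pairs whose subkey is not in a baseline taken from a clean box."""
    known = {name.lower() for name in baseline}
    return sorted((k, v) for k, v in notify_packages(reg_text).items()
                  if k.lower() not in known)

if __name__ == "__main__":
    for subkey, dll in unexpected_packages(SAMPLE_REG, {"crypt32chain"}):
        print(f"unexpected Winlogon notify package: {subkey} -> {dll}")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, and the baseline from the same export taken on a known-clean XP install.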
(#14) The Hunter (Janitor)
Posts: 11,735 | Join Date: Apr 2002 | Location: Copperhead Road | Age: 56
May 6th, 2004, 03:22 PM

That sounds very similar to what has happened to a friend's PC. On his PC initially it just seemed that when he went to BetaNews the page was hijacked. I went to download the new Spybot beta, and all hell broke loose. IE page not found, downloads blocked. The only way I could get the program was to download it on his daughter's PC and mail it to him. Running it has not solved anything. I'm still looking for answers, but if needed we will just frigging format.
(#15) miss_silver (Zeropaid Regular)
Posts: 84 | Join Date: Dec 2003
May 7th, 2004, 08:22 AM

Something like that happened to me a while ago.

Each time I'd try to access the net, my start page was automatically redirected to porn sites! And after, it was popup galore; they kept popping up even after I'd disconnected from the net. I was lucky enough to be able to access the net and cry for help at the BB I usually hang out at. They told me to get AVG installed. AVG is a kick ass antivirus and warns ya if a virus/trojan is detected. What I caught according to AVG was the trojan esrporQ, which no one had ever heard of. At the end, I was sure I had to reformat my drive to get rid of it, but with AVG and precise surgery on the WINDOW folder, I was able to finally get rid of it.

A lot of times, those malicious files hide themselves in WINDOW\Temp internet files\content IE files...