About 2 months ago I obtained a virus that redirects my IE start page to a host of various start engines. Each morning I run Spybot and Ad-aware 6.0 and they find the registry changes made by the virus, change the registry back to what it should be, but by the next morning the registry has been changed back by the virus. I don't know how to find and delete the virus. Anybody else have this problem? Attached to this post is a Word document with a screen print showing the registry changes that Spybot finds and fixes. Please help.
What action has your anti-virus taken?
You have got one haven't you? And a firewall?
This is a copy/paste from TweekXp
Here is what you do to fix it:
1. Delete your current hosts file. Open Windows Explorer and go to C:\Windows\system32\drivers\etc - in that folder you will see your hosts file, right click on it and select delete (if you have a hosts backup file delete it as well).
2. Flush your DNS resolver, start - run and type ipconfig /flushdns
3. Download SpyBot Search & Destroy and update it. Once you install it open the program in advanced mode and select "search for updates", check EVERY box, then select "download updates". Once it is done SpyBot should restart itself, then select the "Immunize" icon on the left, under this tab select the "Immunize" button and select the "Install" button for "Block all bad pages silently", then check the box "Lock Hosts file read-only as protection against hijackers". Now scan your pc with SpyBot, select the "Search & Destroy" icon at the top left then select "Check for problems", once it is done scanning DELETE EVERYTHING IT FINDS.
4. Download Ad Aware and update it and scan. Once you install it select "Check for updates now" and install the latest reference file. Once that is done select the "Scan now" button and select "Customize", check EVERYTHING there, then select "Click here to select drives + folders" and make sure ALL your partitions and drives are selected. Now select "Proceed", then scan your pc and DELETE EVERYTHING IT FINDS.
5. Download SpywareBlaster and update it. Once you install it open the program and select "Check for Updates" then select "Download Update(s)" then "Finish" once you have done that it takes you back to the main program, now select "Select All" then "Protect Against Checked Items!" then close the program.
6. Delete your temporary internet files and cookies.
7. Make sure you have ALL of the latest Windows Updates, this is possibly caused by a flaw in IE.
8. LuzArius, a new member, has posted a link to F-Secure Antivirus, according to this it is a trojan, read HERE about it. So make sure your antivirus app is up to date and its heuristics are set to the highest level and do a thorough system scan.
You can also follow this excellent tutorial with graphics if you have any problems HERE.
By following ALL of the above you should have eliminated any spyware or hijackers from your system and prevented them from infecting you in the future. If you are still having problems please try and stick to just one thread about this topic so we can narrow down the particular problem you are having.
Everyone PLEASE follow this advice, the staff here ALWAYS highly recommends using all of the above mentioned apps and doing the other things suggested. If everyone had done these things this would never have been an issue. Just be thankful it is an easy fix and not a malicious trojan or spyware.
The TweakXP Staff
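Step 1 above deletes the hosts file outright; as an added example (not part of the quoted post or of any tool it names), this Python script lists which hosts-file entries map names to non-local addresses, so they can be recorded before the file is deleted. The sample file contents and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample (not from the thread): a normal loopback entry, a
# sinkhole/blocklist entry, two redirect lines and one unparseable line.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net        # blocklist entry
203.0.113.10    www.search.example     # redirect
198.51.100.7    update.example.org av.example.org
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (redirects, malformed) for hosts-file text.

    redirects: (line_no, ip, hostname) for every name mapped to an address
    that is neither loopback nor unspecified (0.0.0.0 or ::).
    malformed: (line_no, raw_line) for lines that are not valid entries.
    """
    redirects, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw))
            continue
        if len(fields) < 2:  # an address with no hostname after it
            malformed.append((line_no, raw))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost mapping or a blocklist-style entry
        for name in fields[1:]:
            redirects.append((line_no, str(ip), name.lower()))
    return redirects, malformed

if __name__ == "__main__":
    # With no argument the constructed sample is audited; otherwise pass
    # the path of the hosts file named in step 1.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    redirects, malformed = audit_hosts(text)
    for line_no, ip, name in redirects:
        print(f"line {line_no}: {name} -> {ip}")
```

Entries that point a name at 127.0.0.1 or 0.0.0.0 are skipped because blocklist-style protections write that kind of line; only mappings to other addresses are reported.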
I have the very same problem as Ctlong.
And I was happy to finally see a solution, BUT... :( It didn't work!
My startpage randomly sets itself to this: http://www.cool-search.net/
Well, that's what it says in the browser. In Internet Explorer> Tools> Options, the startpage says : http://t.rack.cc/hp. php
(I've made a space between the dot and php, so nobody accidentally clicks it)
But it comes up as cool-search...
Anyway - I'm desperate to get that page away. I used Ad-aware, Stinger and McAfee (only Ad-aware found something, but it comes back anyway). I tried to open Spybot, but it won't start up for some reason.
Also I have StartPageGuard, but that program just seems to notice a difference, not do anything about it...
Why do people do this? Do they actually think it's good for business? Will I ever use Cool-search when it acts like that?
I guess last option is format the harddisk...
Btw, Caperjack> looked for this TweekXP - Couldn't find much? Could you direct me in the right direction? :)
Please Download hijackthis from
Unzip, doubleclick HijackThis.exe, and hit "Scan".
After the scan has finished, the "scan" button will turn into a "save log" button.
Save the log file and paste it here.
Do not delete anything yet, as most things hijackthis finds are harmless and needed.