Q: Homepage Hijacked - Browser Hijacked - Spyware ( No Answer,   5 Comments )
Question  
Subject: Homepage Hijacked - Browser Hijacked - Spyware
Category: Computers > Security
Asked by: pingzell-ga
List Price: $4.50
Posted: 11 Sep 2004 06:00 PDT
Expires: 15 Sep 2004 15:04 PDT
Question ID: 399724
Homepage Hijacked - Browser Hijacked - Spyware

My homepage was hijacked by a Trojan or virus. I have tried all the virus
programs; nothing takes this out. I have also made changes to the registry
and taken out several settings, to no luck.

I am an advanced computer user.

I need a REGISTRY FIX - regedit - nothing less. I have already been
to the most common registry fixes (deleted = homepage etc.); still
no luck removing this.

http://a-search.biz/?wmid=1010     replaces my Homepage

Full Version - paid subscriptions - did not work ( I purchased to
take this Virus out )

TrendMicro - Full Version "newest updates" - also sysclean they sent me.
Norton - brand new copy
SpySweeper - full Version

FREEWARE  I ran 

Ad-Aware: ( this is best ) recommend this to all 
http://www.lavasoftusa.com/software/adaware/

Spybot Search and Destroy:  ( very good ) 
http://www.safer-networking.org/index.php?lang=en&page=download

HijackThis: (advanced) will tell you what is running on your system
http://www.merijn.org/files/hijackthis.zip

This is the latest HijackThis report:

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

* Posting this to help others who are going through this
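The R0, O2 and O4 lines in a HijackThis log are read straight out of a handful of registry keys. The script below is an added example, not part of the original post and not HijackThis code: it reads those same locations (the Internet Explorer Main and Search keys, the Run/RunOnce keys, and the Browser Helper Objects key, all standard Windows paths) and prints them as a table, resolving each BHO CLSID to the DLL it loads so that an entry with "(no name)" still shows its file. It modifies nothing.

```powershell
# Added example (not from the original thread): read-only audit of the
# registry locations that HijackThis reports as R0/R1, O2 and O4 lines.
# Run in an elevated PowerShell on the affected machine; nothing is modified.

$ieKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Search',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search'
)
# Value names a homepage hijacker rewrites (the R0/R1 lines in a HijackThis log).
$ieValueNames = 'Start Page', 'Local Page', 'Default_Page_URL', 'Search Page',
                'SearchAssistant', 'CustomizeSearch'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RegistryRows {
    # Every value under $Key as Location/Name/Data rows, without the PS*
    # metadata properties that Get-ItemProperty adds. A missing key yields nothing.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{ Location = $Key; Name = $_.Name; Data = [string]$_.Value }
        }
}

$report = New-Object System.Collections.Generic.List[object]

# R0/R1: IE start, local, default and search page settings.
foreach ($k in $ieKeys) {
    foreach ($row in (Get-RegistryRows -Key $k)) {
        if ($ieValueNames -contains $row.Name) { $report.Add($row) }
    }
}

# O4: everything launched from the Run/RunOnce keys.
foreach ($k in $runKeys) {
    foreach ($row in (Get-RegistryRows -Key $k)) { $report.Add($row) }
}

# O2: Browser Helper Objects. Each CLSID is resolved to the DLL it loads, so
# an unnamed BHO (like the "(no name)" entry in the log) still shows its file.
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $sub.PSChildName
        $dll = '(no InprocServer32 found)'
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
            $server = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path -LiteralPath $server) {
                $dll = [string](Get-ItemProperty -LiteralPath $server).'(default)'
                break
            }
        }
        $report.Add([pscustomobject]@{ Location = $bhoKey; Name = $clsid; Data = $dll })
    }
}

$report | Format-Table -AutoSize -Wrap
```

Read the output against the log: every O4 command line and every BHO DLL should correspond to a program you installed on purpose, and the Start Page / Local Page values should be the URL you chose. On 64-bit Windows the 32-bit browser also reads the same keys under HKLM:\SOFTWARE\WOW6432Node; add those paths to the arrays if that applies.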

Clarification of Question by pingzell-ga on 11 Sep 2004 06:36 PDT
This has to be a registry fix. The virus was originally installed as
"Internet Optimizer" in my Add and Remove Programs; it would NOT DELETE.

I finally did delete Internet Optimizer "from" the registry entry for Add and
Remove Programs, as it would "NOT" delete in the Add and Remove
panel. This did nothing; the virus was not there, the virus was already installed
in other areas?

* I got the virus at LimeWire.com downloading a program.

* Also, the virus was originally downloaded on another computer. I tossed
out the other for a reformat due to this virus and "moved my files"
to a new Dell 3200 MHz, and the "same" virus came with it in the
programs I moved over. I have no idea where it is hiding.

SO if I reformat this new hard drive and move my files (which are
many and valuable) that are infected with this virus, I would just
re-infect. THIS IS A MONSTER and is costing me huge time and effort; no
one has been able to solve this, not even Trend Micro Tech Support -
LIVE PHONE SUPPORT.

Request for Question Clarification by googleexpert-ga on 11 Sep 2004 13:34 PDT
Hi pingzell,
Apologies in advance,...
Have you tried running the fixes in Safe Mode with Networking?

Clarification of Question by pingzell-ga on 12 Sep 2004 09:18 PDT
I FOUND THIS: Q: after deleting the folder/domains, after reboot the domains re-appear

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion >
Internet Settings > ZONEMAP > DOMAINS

This "Domains folder" is loaded with over 100 domains
(CASINO, ADULT, aiFind.info), 80% offensive.

QUESTION: I deleted "every" domain in the registry, and also deleted
the entire FOLDER! It comes back after reboot.

Every time I ** reboot, the folder is "back" ** in the registry! It's
alive! I need to find out what makes this thing breathe.

Clarification of Question by pingzell-ga on 12 Sep 2004 17:12 PDT
RESPONSE TO POST: NEGATIVE RESULT - NOT THE SAME VIRUS NAME - BUT SAME TYPE

TECH:
here's something Registry related from sarc.com
http://securityresponse.symantec.com/avcenter/venc/data/adware.cdt.html

This is Trend Micro's take on it or something similar:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.AJ

RESULT OF REGISTRY CHECK OF URLs ABOVE: NEGATIVE - "SAME TYPE OF
VIRUS" BUT REGISTRY CAN FIND ANY OF THESE PATTERNS IN THE ABOVE LINKS
-
* NOT THE SAME VIRUS "BUT .. SAME TYPE OF HIJACK"
* I NEED TO PUT A NAME ON THIS VIRUS - HAVE NOT FOUND THE EXACT MATCH YET.

Clarification of Question by pingzell-ga on 12 Sep 2004 17:38 PDT
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion >
Internet Settings > ZONEMAP > DOMAINS

This "Domains folder" is loaded with over 100 domains
(CASINO, ADULT, aiFind.info), 80% offensive. Here are a few:

008i.com
171203.com
39-39.com
audult-personals.us
aifind.info
alfa-search.com
cashsearch.biz
d55.biz
dailyteenpic.com
dailer2004.com
digital-pronography.com
eager-sex.com
ergosites.com
freecj.com
greg-search.com
is-best.com
killerpornstars.com
lollotop.com
love-host.com
mommykiss.com
myexexex.com
my-finder.com
onlineclick.net
onlysex.ws
regfreeze.com
ruworld.com
selltraffic.biz
sexunique.net
sinpu**y.com
teenhost.net
therealsearch.com
ultraload.net
v61.com
vse-moe.biz
xsex.ws

Note: "posted these domains" to help find and identify the virus by Russian Hackers.
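Entries under ZoneMap\Domains assign a domain to one of Internet Explorer's security zones (0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites); a hijacker that drops a hundred sites into the Trusted zone loosens the browser's restrictions for exactly those sites. The script below is an added example, not part of the original post: it lists every mapping under the HKCU key named above and its HKLM counterpart with the zone it belongs to, and saves a snapshot. Run it once, delete the entries, reboot, and run it again; the second run prints only the entries that came back, which is the evidence needed to tell whether the re-creation happens at logon. The CSV file name under %TEMP% is this example's own choice.

```powershell
# Added example (not from the original thread): list every ZoneMap domain
# mapping with its IE security zone, and diff against the previous run so that
# entries re-created across a reboot stand out. Read-only apart from a CSV
# snapshot written under %TEMP% (file name is an assumption of this example).

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$domainKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$snapshotFile = Join-Path $env:TEMP 'zonemap-domains.csv'

function Get-ZoneMapEntries {
    # One row per (host, scheme) mapping. A domain key may carry the mapping
    # itself (values named http, https or *) or in host subkeys such as
    # Domains\example.com\www, so both levels are read.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $hive = $Key.Substring(0, 4)
    foreach ($domain in Get-ChildItem -LiteralPath $Key) {
        $targets = @($domain) + @(Get-ChildItem -LiteralPath $domain.PSPath)
        foreach ($t in $targets) {
            $hostName = if ($t.PSPath -eq $domain.PSPath) { $domain.PSChildName }
                        else { '{0}.{1}' -f $t.PSChildName, $domain.PSChildName }
            (Get-ItemProperty -LiteralPath $t.PSPath).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object {
                    $zone = [int]$_.Value
                    [pscustomobject]@{
                        Hive     = $hive
                        Host     = $hostName
                        Scheme   = $_.Name
                        Zone     = "$zone"          # string so CSV round-trips compare equal
                        ZoneName = $zoneNames[$zone]
                    }
                }
        }
    }
}

$current = @(foreach ($k in $domainKeys) { Get-ZoneMapEntries -Key $k })

if (Test-Path -LiteralPath $snapshotFile) {
    # Second run (e.g. after deleting the entries and rebooting): show what changed.
    $previous = @(Import-Csv -LiteralPath $snapshotFile)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
                           -Property Hive, Host, Scheme, Zone
    if ($diff) {
        "Changes since snapshot $snapshotFile ('=>' = present now, not before; '<=' = gone):"
        $diff | Sort-Object SideIndicator, Host | Format-Table -AutoSize
    } else {
        "No changes since snapshot $snapshotFile."
    }
} else {
    "$($current.Count) zone mappings found. Zone 2 (Trusted sites) entries for sites you never added are the typical hijacker footprint:"
    $current | Sort-Object Zone, Host | Format-Table -AutoSize
}

# Record the current state for the next run.
$current | Export-Csv -LiteralPath $snapshotFile -NoTypeInformation
```

Entries that reappear after a reboot are being written by something that runs at startup or logon, so the list of re-created hosts is best read together with the Run-key and BHO inventory: the writer is whatever loads before the browser does. Delete the snapshot file to start a fresh baseline.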

Clarification of Question by pingzell-ga on 15 Sep 2004 15:04 PDT
THIS IS FINAL - the virus was unable to be uninstalled or removed.

TREND MICRO'S VERY BEST was "unable" to remove this Trojan.

Trend Micro's escalation service gave up on it and recommended another
browser - to leave the Trojan on my machine. What a joke.

* Next step will be a format and loss of data.

END OF STORY
Answer  
There is no answer at this time.

Comments  
Subject: Re: Homepage Hijacked - Browser Hijacked - Spyware
From: crythias-ga on 11 Sep 2004 10:15 PDT
 
Will this help? http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml
Subject: Re: Homepage Hijacked - Browser Hijacked - Spyware
From: pingzell-ga on 11 Sep 2004 21:42 PDT
 
QUESTION:
 Have you tried running the fixes in Safe Mode with Networking?

ANSWER:
YES .. ran Safe Mode & selected the "Networking" option.
I ran several ad-ware programs including Trend Micro's "SysClean" in Safe Mode;
it runs every pattern known to man, they say. Did not work . . .

PROBLEM: there is something somewhere still "re-setting" my homepage.
It's not the Internet Optimizer - or maybe it is?
* I deleted most everything related to that in the registry;
there is something somewhere in the registry re-directing my HomePage.

I did run this FreeWare: http://www.kephyr.xaviermedia.us/spywarescanner/
Real nice, gives all the registry fixes. Still investigating the registry
file for the Internet Optimizer; appears all are gone ..

"but" still getting a re-directed HomePage!

Whoever solves this will be "knighted Super Geek"!
Subject: Re: Homepage Hijacked - Browser Hijacked - Spyware
From: tlspiegel-ga on 11 Sep 2004 21:59 PDT
 
Here are 2 links that might help.

http://www.doxdesk.com/parasite/InternetOptimizer.html

http://www.spysweeper.com/internet-optimizer-removal.html
Subject: Re: Homepage Hijacked - Browser Hijacked - Spyware
From: crythias-ga on 12 Sep 2004 12:44 PDT
 
Based upon the most recent post, here's something Registry related
from sarc.com http://securityresponse.symantec.com/avcenter/venc/data/adware.cdt.html

This is Trend Micro's take on it or something similar:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.AJ

This hijack thing is painful, I agree.
Subject: Re: Homepage Hijacked - Browser Hijacked - Spyware
From: crythias-ga on 12 Sep 2004 22:23 PDT
 
As a thought, I wonder if, after cleaning even once and using
HijackThis from safe mode WITHOUT network, using ZoneAlarm, as
well as clearing your "hosts" file (clear it, create it blank and make it
READ ONLY) before connecting to the Internet, would prevent
downloading again.

BTW, I am not a GA Researcher. My information is free. I faced
something similar and didn't have the time to clean this completely,
although I got around it a bit by not using IE. Netscape 7.2 I dl'd by
ftp. Unfortunately, this prevented using windowsupdate.microsoft.com,
which is quite the bummer.

I'd like to know what "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" and
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"'s "Local
Page" and "Start Page" are set to.
---
This may be the closest SARC.com to your latest info:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.e.html
It points to Microsoft Article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;320159 ... One
thing I can say is that I loaded NoAdware.net and I found it "found"
more than most other things. I didn't pay to have it work, because I
just used its list. (I did a full system scan, including DLL's.)
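To check the hosts-file part of that suggestion and, if wanted, carry it out, here is an added example (not from the comment above and not from any tool named on this page). It lists each hosts entry and flags names that resolve to something other than this machine, which is how a hijacker diverts update or security-vendor sites; with -Reset it backs the file up, writes a localhost-only file and sets the read-only attribute. The -Reset switch and the .bak backup path are this example's own conventions; the hosts path is the standard Windows one.

```powershell
# Added example (not from the comment above): report what the hosts file
# currently maps, and optionally reset it to a localhost-only file marked
# read-only as the comment suggests. Run elevated. The -Reset switch and the
# .bak backup path are this example's own choices. Without -Reset nothing changes.
param([switch]$Reset)

$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$localAddrs = '127.0.0.1', '::1', '0.0.0.0'   # loopback / blackhole targets

function Get-HostsEntries {
    # Parse "address hostname [alias ...]" lines; '#' starts a comment.
    # Redirects = $true when a name is sent somewhere other than this machine.
    # Loopback entries are usually deliberate ad-blocking lists (Spybot's
    # immunization writes them), so they are listed but not flagged.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $address = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Address   = $address
                Hostname  = $name
                Redirects = ($localAddrs -notcontains $address)
            }
        }
    }
}

$entries = @(Get-HostsEntries -Path $hostsPath)
"$($entries.Count) entries in $hostsPath (Redirects=True means the name resolves away from this machine):"
$entries | Sort-Object Redirects -Descending | Format-Table -AutoSize

if ($Reset) {
    $backup = "$hostsPath.bak"
    Copy-Item -LiteralPath $hostsPath -Destination $backup -Force
    $file = Get-Item -LiteralPath $hostsPath
    $file.IsReadOnly = $false
    # Stock content: a comment plus the loopback mapping, plain ASCII, CRLF line endings.
    $content = "# hosts file reset {0:u}; previous copy at {1}`r`n127.0.0.1`tlocalhost`r`n" -f (Get-Date), $backup
    [System.IO.File]::WriteAllText($hostsPath, $content, [System.Text.Encoding]::ASCII)
    $file.IsReadOnly = $true
    "hosts reset to localhost only and marked read-only; backup at $backup"
}
```

The read-only attribute only stops casual writes; anything already running as administrator can clear it and write the file anyway. It is more useful as a tripwire than as a barrier: if a later run of this script shows new entries, something on the machine is still modifying the file, and that is the process to look for.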
