
SPYWARE(MalWare) HOMEOLDSP.. -- BEWARE OF THIS !

Started by June 17, 2004 08:41 AM
14 comments, last by CaptainJester 20 years, 5 months ago
Beware of this monster!! I just got this on my Win98 machine (luckily not my WinXP) and can't delete it from the registry. I have the latest Spybot, Ad-Aware, CWShredder and nothing works, and I do mean NOTHING. When you run any of these it does indeed find the virus and it says it deletes it, but it doesn't... it's still there. The HOMEOLDSP setting is actually a hijacker underneath that steals the default IE page and names it about:blank. Interestingly enough, the page isn't blank; it's a page filled with advertisements for links from anything dealing with the classifieds to cars. This is a NASTY beast. So what did I do? I went into the registry itself to delete it, but it still comes back when I reload an IE window. Also, if you reboot, it re-propagates itself back into the registry. It's a CoolWebSearch .dll file, it seems from reading about it, that is responsible for reloading it back into the registry... but here's the kicker... it renames itself every time, and you are left scrambling to find it. I dunno how to find it even if I know, cos it is hidden. If you do a search on your desktop it won't see it. What to do I dunno, but if anyone has come across this please let me know. To know how serious it is, all you have to do is go to Google and type in HOMEOLDSP and you'll see. Go to Google Groups and it's everywhere. The last thing about this is that it's a variant, meaning that someone who got this 2 weeks ago will have a different version than me. The spyware removal sites are scrambling to figure out how to attack this. Thanks for your time in reading this, and I pity the person that has to deal with it. Here's a link from Google Groups to read about what's going on... http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=a272553d.0405160544.7a5e316c%40posting.google.com&rnum=1&prev=/groups%3Fq%3Dabout%253Ablank%26ie%3DUTF-8%26hl%3Den
heh
[wow]
and you sir, are now deemed paladin of Gamedev.

(ie. thanks for the heads-up!)

Beginner in Game Development?  Read here. And read here.

 

Thanks for the support -- this thing is a killer... I dunno what to do... I'm at a loss...
heh
Reformat... it's looking like

Beginner in Game Development?  Read here. And read here.

 

It's a new variant of the CoolWebSearch hijacker. Right now I am just going to update Spybot/Ad-Aware/CWShredder and HijackThis until I can get a fix. I will try safe mode tonight... let's hope this works...
heh
Try monitoring any file changes with Filemon and registry changes with, for example, Regmon, so that you can determine what executables are involved. That way, you might be able to delete them all at once. You should do the deleting job in DOS mode BTW (F8 on startup -> DOS mode). That way, you can be sure no process is running to stop you from deleting anything. The integration in Internet Explorer is a nasty one, usually hard to remove. Try using Mozilla or another alternative browser for a while. Another measure that I'd take is to install a firewall (I very much recommend Sygate Personal Firewall, which is free for personal use), and block IE from any internet access.

Good luck with this one!
Newbie programmers think programming is hard. Amateur programmers think programming is easy. Professional programmers know programming is hard.
Well, I have McAfee Professional Firewall and Virus Scan, which is better than Sygate (I have tried this), but I would expect it to be better cos it wasn't free. This is not how the hijacker got on my system though... that is, it didn't bypass my firewall; something else has happened. Currently none of the spyware programs out there removes this variant... and I do mean NONE of them. If you go onto the Ad-Aware (Lavasoft) boards or Spybot or CWShredder or anything like that, you will see they are working on it but are still trying to write up a fix for this. I found out how someone else got rid of theirs, by going into Safe Mode and running the spyware tools from there and deleting certain registry keys, so I am going to try that when I get off work. It doesn't mean I will, b/c this hijacker has many different variations, so if I don't have the same one this person has, it might not work like it did for him... so with that said... it's a lengthy process. It's almost like: run the spyware tools, delete everything they find... reboot and go into safe mode, tape your nose one time, and stomp twice, delete registry keys again running the spyware tools, download XSpyware to remove so-and-so .DLL, then reboot back into safe mode, yodel out loud... well, you get the idea. It's kinda humorous but you get my drift... anyway, thanks for your post!
heh
I've had a similar spyware thingy on my WinXP machine (less harmful than the one described in the Google page). While Ad-Aware was able to remove it, after the next reboot it would simply re-install itself again.

The solution was to remove one startup link (not 'autostart'; type 'msconfig' @ Start > Run), and delete the .exe file it was pointing to from my system32 folder. For some reason Ad-Aware didn't know about that...
You'll have to remove the registry key msconfig is pointing to though, or it'll bother you about "restoring proper system settings" at each startup.

Dunno if that'll solve your problem, but you should at least give it a try...
How do I set my laser printer on stun?
Quote: Original post by OpenGL_Guru

Well, I have McAfee Professional Firewall and Virus Scan, which is better than Sygate (I have tried this), but I would expect it to be better cos it wasn't free.

Oh well, the good thing about Sygate for me is that it seems to block most nasty spyware progs just as well as any other. And it works for free without any nagging, in contrast to, for example, ZoneAlarm. Then there's Kerio's firewall of course, but that one, like ZoneAlarm, doesn't let you share an internet connection in the free version...
Quote: This is not how the hijacker got on my system though... that is, it didn't bypass my firewall; something else has happened. Currently none of the spyware programs out there removes this variant... and I do mean NONE of them. [cut away lots of arguments]

I believe you ;)
Quote: It doesn't mean I will, b/c this hijacker has many different variations, so if I don't have the same one this person has, it might not work like it did for him... so with that said... it's a lengthy process. It's almost like: run the spyware tools, delete everything they find... reboot and go into safe mode, tape your nose one time, and stomp twice, delete registry keys again running the spyware tools, download XSpyware to remove so-and-so .DLL, then reboot back into safe mode, yodel out loud... well, you get the idea. It's kinda humorous but you get my drift...

Well, I wasn't talking about safe mode. I was talking about DOS mode. That anti-spyware tools can't remove the stuff doesn't mean you can't. A rule for all programs is that once there's no way to recover themselves, they can't recover themselves. Simple as 1+1. So the first thing to do is to try to remove any executable code related to the program from your hard drive, and you can find out which executable code is related by looking into what process accesses what files and/or registry keys. And I didn't say you should do it (deleting files) in safe mode; you should do it in DOS mode! So, naturally, you overlook some part of it. But that part probably won't be the full viral code, so it'll need to get the rest of its own code back somehow. That's why you block your internet connection. While booted in safe mode (no internet connection), you follow up Wildfire's hint, and remove any conspicuous programs from startup. And for any other users having any spyware to remove using XP: check if any suspicious services are running and/or set to be run. They might be hiding files they don't want you to see.
Quote: anyway thanks for your post!

My pleasure. Just read what people say, and lose the attitude of "what an anti-spyware tool can't do, I can't do". We all need to get down and dirty sometimes!
Newbie programmers think programming is hard. Amateur programmers think programming is easy. Professional programmers know programming is hard.
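As an added example (not from this thread and not part of Filemon, Regmon or any other tool named here), this is the kind of correlation the earlier Filemon/Regmon suggestion and the reply above describe, done in Python over log lines: it reports which process image rewrote the IE Start Page and Run keys and which DLL that same process dropped, so the file to delete from DOS mode is known before the hijacker renames it again. The log lines, process names, PIDs and the DLL name are constructed for illustration.

```python
"""Correlate Regmon/Filemon-style log lines to see which process keeps
rewriting the IE start page and autostart keys, and which DLLs it drops.
SAMPLE_LOG below is constructed for illustration, not a captured log."""
from collections import defaultdict

# Registry locations a start-page hijacker of this kind rewrites (lower-case).
WATCHED_KEYS = (
    "\\software\\microsoft\\internet explorer\\main\\start page",
    "\\software\\microsoft\\windows\\currentversion\\run",
)

# Tab-separated like Regmon/Filemon exports: seq, time, process:pid,
# operation, path, result, other. The DLL name and PIDs are made up.
SAMPLE_LOG = (
    "1\t12:00:01\tEXPLORER.EXE:1034\tQueryValue\tHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\tSUCCESS\t\"http://www.gamedev.net/\"\n"
    "2\t12:00:02\tRUNDLL32.EXE:2210\tSetValue\tHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\tSUCCESS\t\"about:blank\"\n"
    "3\t12:00:02\tRUNDLL32.EXE:2210\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HOMEOLDSP\tSUCCESS\t\"rundll32.exe C:\\WINDOWS\\SYSTEM\\xq1a.dll\"\n"
    "4\t12:00:03\tRUNDLL32.EXE:2210\tCREATE\tC:\\WINDOWS\\SYSTEM\\xq1a.dll\tSUCCESS\t\n"
    "5\t12:00:04\tRUNDLL32.EXE:2210\tWRITE\tC:\\WINDOWS\\SYSTEM\\xq1a.dll\tSUCCESS\tOffset: 0 Length: 20480\n"
    "6\t12:00:09\tSPYBOTSD.EXE:2301\tDeleteValue\tHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\tSUCCESS\t\n"
)

def parse_line(line):
    """Split one log line into (process image, operation, path); None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    proc = fields[2].split(":")[0].lower()   # drop the ":pid" suffix
    return proc, fields[3], fields[4]

def suspicious_writers(lines):
    """Return {process: {"registry": [...], "files": [...]}} for every process
    that rewrote a watched key or created/wrote a DLL under the system dir.
    Read-only and delete operations (the user's own tools) are ignored."""
    hits = defaultdict(lambda: {"registry": set(), "files": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, op, path = parsed
        low = path.lower()
        if op in ("SetValue", "CreateKey") and any(k in low for k in WATCHED_KEYS):
            hits[proc]["registry"].add(path)
        elif op in ("CREATE", "WRITE") and low.endswith(".dll") and "\\windows\\system" in low:
            hits[proc]["files"].add(path)
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in hits.items()}

if __name__ == "__main__":
    for proc, found in suspicious_writers(SAMPLE_LOG.splitlines()).items():
        print(proc, found)
```

On a real export the same matching works on the full Regmon/Filemon logs; the point is that the writer of about:blank and the writer of the freshly named DLL turn out to be one process, and that file is what to remove with nothing running.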
Yeah, I have read some fixes for WinXP as you mention in the last part of your post. The machine that got infected was my Win98 machine. My WinXP is offline for now until I get rid of this beast...
heh
