  1. #1
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678

    Computer/Virus Question

    Ok, I don't think this is a virus, but my homepage switches to some strange 'search' page once a day or so.

    Spybot doesn't catch it, and Hijack This brings up the following:

    "A registry value that has been created and is not present in a default Windows install nor needed, possibly resulting in a changed IE Search Page, Start Page, Search Bar Page, or Search Assistant."

    The things come up as (obfuscated), and I don't know what this means in computer lingo.

    Any ideas how to fix it? The actual file name, which I think comes from a .dll file, has changed names after I tried messing around trying to delete it... probably why Google searches on the file names don't work.

    Only thing I downloaded since this happened was Delta Graph, a graphing program for my physics class... so I don't know where this 'bug' is coming from, or how to fix it.

    Any ideas?

  2. #2
    HyperSick's Avatar
    HyperSick is offline Associate Member
    Join Date
    Mar 2004
    Posts
    187
    Why isn't spyware illegal? What a load! And Claria is going public soon too!

    Have you tried AdAware and SpywareBlaster? Might be worth a shot.

    As far as I know, obfuscated means hidden or hard to understand.

    Good luck!
    This kind of stuff really pisses me off!

  3. #3
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Quote Originally Posted by HyperSick
    Why isn't spyware illegal? What a load! And Claria is going public soon too!

    Have you tried AdAware and SpywareBlaster? Might be worth a shot.
    LOL, probably is illegal for all I know, but it simply cannot be caught.

    What's Claria?

    And I haven't tried AdAware or SpywareBlaster yet... I have Spybot that I have been using. Do different ones search and find different files? I'll download more if they work better combined.

    Also, I thought I remembered hearing on either here or EF about 'registry values' being something very difficult to fix?

    I'm really computer illiterate if you haven't noticed

  4. #4
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Do you have a search bar on your IE that was never there before, such as Isearch? Let me know, I can help ya (I think) lol

  5. #5
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Quote Originally Posted by 5211969
    Do you have a search bar on your IE that was never there before, such as Isearch? Let me know, I can help ya (I think) lol
    Nope, no new search bar. I've had the Google search bar for several months... that's it.

    My problem is a (what seems like) 24 hour reset of my homepage. I switch it back, and sometime the next day it's back to the virus/bug search page. Reset my homepage, and it happens again! LOL, I have no clue how to remedy it. I'll try getting some more/different spyware virus search and destroy things to see if they work.

  6. #6
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    What page is it that it goes to? Have you gone into msconfig to see if there are any unusual programs starting on start up? What OS do you have?

    Did you go into Tools/ Internet Options to change your home page?

  7. #7
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Quote Originally Posted by 5211969
    What page is it that it goes to? Have you gone into msconfig to see if there are any unusual programs starting on start up? What OS do you have?

    Did you go into Tools/ Internet Options to change your home page?
    It goes to "About: Blank". It is a search page, but I don't know the identity as it's not explicitly stated.

    MSConfig... not. I will do that shortly. I have hit ctrl+alt+delete to see what's running... found nothing unusual to my naive eyes.

    I am using Windows XP Professional 2002.

    I have done the tools/internet options numerous times... it works... until a day later when the homepage resets again!

    As of yesterday night, I found the NEW .dll file and deleted it, as well as everything Hijack This brought up. So far, so good. However, I did this a week ago (deleted everything, and the .dll) and it all popped up again, under a different .dll name that did the exact same thing.

    I'll post again if the .dll file pops up AGAIN. But any advice you have would be welcome, as I really need to know more about computers anyway... and in this day and age of virus, etc, this is an area I need to be familiar with!

  8. #8
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    About blank is sort of the default Windows page, no worries there. Hijack is good.
    Not sure if you know about msconfig though, go to run/msconfig then click the start up tab, that will show you everything that is loading on start up. I would say that 95% of those things there you don't need to have start up, just makes for a faster boot.

    This may seem like a stupid question, but do you hit apply after redoing the home page settings?

    What was the original DLL file that you deleted, if you can remember, and also the new one?

    The bad thing about computers is either you know what is wrong or you have to find a lot of stuff to get to the problem first... It's fun, but hey, why can't it be easy lol.

    Let me know what you come up with.

    Oh, do you have an anti-virus program? If so, what is it?

  9. #9
    spywizard's Avatar
    spywizard is offline AR-Elite Hall of Famer~
    Join Date
    Dec 2003
    Location
    In the Gym, if i could
    Posts
    15,929
    format C:

    new install.................... works every time..........
    The answer to your every question

    Rules

    A bigot is a person obstinately or intolerantly devoted
    to his or her own opinions and prejudices, especially
    one exhibiting intolerance, and animosity toward those of differing beliefs.


    If you get scammed by an UGL listed on this board or by another member here, it's all part of the game and learning experience for you,
    we do not approve nor support any sources that may be listed on this site.
    I will not do source checks for you, the peer review from other members should be enough to help you make a decision on your quest. Buyer beware.
    Don't Let the Police kick your ass

  10. #10
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Yup, virus thing just kicked in now when I opened the internet!


    Quote Originally Posted by 5211969
    About blank is sort of the default Windows page, no worries there.

    Buuut... every time this happens, Hijack This comes up with 7 or 8 things from a .dll file. I know (I think...) from past experience that there is a 'hijack', 'bug', or whatever in my computer changing my homepage among other things I haven't found yet. Also, every time I delete it, it COMES BACK! Under a different name, no less! I really don't think this is a good thing.

    Not sure if you know about msconfig though, go to run/msconfig then click the start up tab, that will show you everything that is loading on start up. I would say that 95% of those things there you don't need to have start up, just makes for a faster boot.

    Thank you! Will do this shortly!

    This may seem like a stupid question, but do you hit apply after redoing the home page settings?

    LOL, yes, I made sure to do that! And when it comes to me, there are no "stupid questions". I am really ignorant to most computer functions.

    What was the original DLL file that you deleted, if you can remember, and also the new one?

    The first I found (I used 'search' under the start menu, so they are still there) was gnknbpo.dll. The second was iefeats.dll. The current one running just now is kldd.dll.

    The bad thing about computers is either you know what is wrong or you have to find a lot of stuff to get to the problem first... It's fun, but hey, why can't it be easy lol.

    LOL, I enjoy learning about this, and luckily it is not a major issue affecting my computer function. However, it is annoying, and I want to remedy it... but I really should be taking care of my academic studies instead!

    Let me know what you come up with

    Oh, do you have an anti-virus program? If so, what is it?

    I'm using "Spybot". Usually doesn't come up with anything, as I rarely go outside of my school website, three message boards, and websites involving physics/math/chemistry. So I usually don't enter situations where negative things happen to my computer.

    I'm also using "Hijack This", which is a "general browser hijacker detector and remover". This is where I have lots of stuff come up commonly... usually BHO's and related stuff.



    Quote Originally Posted by spywizard
    format C:

    new install.................... works every time..........
    Forgive my ignorance, but what does this do (briefly, in layman's terms)? Just curious, as I don't want to inadvertently do anything permanent to this foreign electrical device sitting in front of me! From what I am aware, formatting/reformatting is a 'major' thing to do to a computer... will this affect any settings, saved things, etc that I have now?


    Thanks for all your help! I wish there was just one huge five-thousand page book you could get that would explain every function of 'normal', store-bought computers in the most basic way possible. Actually, that would probably have to be more like ten-thousand pages, lol.

    Actually, does anyone know any basic computer books that explain the 'normal' operations of a computer? I could see that being helpful.

  11. #11
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Ok, first things first.

    1. Spybot is not an Anti-Virus program, it detects spyware/adware.
    Norton's or McAfee (I personally like Norton's) are Anti-Virus programs. You can go to their website and run a scan on your computer to see if you have any viruses.

    This will test your vulnerability,

    http://security.symantec.com/sscv6/d...d=ie&venid=sym

    and this one will check to see if you actually have a virus

    http://security.symantec.com/default...d=ie&venid=sym

    Norton's has a free trial version, not sure what you can do or not do with it, McAfee you can get on the net for free. Both work well.

    2. A virus can get in even if you're not surfing the web !!! As long as you are connected to the internet, you can have a virus/trojan get into your computer.

    3.Format C: is a last resort. and yes you will lose everything you have on your computer.. It basically erases everything then reinstalls the operating system, so you have a "clean" system. ONLY DO AS A LAST RESORT.

    4. I ran a search on Google for the DLLs that you listed and only found one, IEFEATS.DLL; this is what I found.

    http://securityresponse.symantec.com...e.iefeats.html

    That should explain all of it. The HKEYs are in your registry; if you feel uneasy about going into that, don't be. It's a simple procedure.

    5. The other option is for you to go into your system restore and restore your system back to a time that this did not occur. There are some flaws with that too:

    1. The virus could be in your restore files.
    2. You could lose some information or programs downloaded after the restore point.

    This is a good option. If you do this, then after it is done and it worked, which we hope it will, left click on My Computer, go to Properties, click the System Restore tab, turn off your system restore, and restart. This will in effect erase everything that was in there, also the virus that you may have gotten. After restart, repeat the procedure but turn system restore back on. That should do it.

    Let me know how it works out for ya...

  12. #12
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Wow... excellent! Thank you!

    Quote Originally Posted by 5211969
    Ok, first things first.

    1. Spybot is not an Anti-Virus program, it detects spyware/adware.

    LOL, shows what I know!

    3.Format C: is a last resort. and yes you will lose everything you have on your computer.. It basically erases everything then reinstalls the operating system, so you have a "clean" system. ONLY DO AS A LAST RESORT.

    I am VERY glad you told me this!!

  13. #13
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Do you know how to clean out your computer of recently been-to sites? How to clean out your computer of Temp Internet Files (that don't need to be there and only take up space)? Have you run the Disk Clean up option? Do you know how to defrag your computer? All easy things, couple clicks and you're on a roll. Just some of the basics.

  14. #14
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Quote Originally Posted by 5211969
    Do you know how to clean out your computer of recently been-to sites?

    Yes. Temp internet files and cookies. I do this often because (LOL) I have yet to sign up for an organic chem-draw site that only allows me to access 5 times. I erase files/cookies and get back in!

    How to clean out your computer of Temp Internet Files( that don't need to be there and only take up space)?

    Yes.

    Have you run the Disk Clean up option?

    I was going to in the near future. Not sure how, but I have an idea.

    Do you know how to defrag your computer..?

    Hmm... I've seen this done back home and at work, but am unsure how (or even WHAT it does)... "defrag"? Defragment? I'm not sure of the meaning of the word.

    All easy things, couple clicks and you're on a roll. Just some of the basics.
    Again, thank you for the help!!

  15. #15
    spywizard's Avatar
    spywizard is offline AR-Elite Hall of Famer~
    Join Date
    Dec 2003
    Location
    In the Gym, if i could
    Posts
    15,929
    If configured correctly, and you are backing up your files....... documents, and images on another device, or a folder, you can save these....

    An operating system over time becomes corrupt with processes, downloads that fail....... hackers that tweak it for you, viruses that don't launch all the way......

    by formatting... deleting all the data....... you start fresh...... and fast...

    and then you add back the files that really matter, deleting those that don't matter......

    note....... a reinstall is not going to fix the issue..... you must format, getting rid of the .dll, and other files that have been corrupted....... as part of an ongoing practice you should do a sector analysis........ that way you don't end up with corrupted data also....

    good luck....


    Quote Originally Posted by samoth
    Yup, virus thing just kicked in now when I opened the internet!

    Forgive my ignorance, but what does this do (briefly, in layman's terms)? Just curious, as I don't want to inadvertently do anything permanent to this foreign electrical device sitting in front of me! From what I am aware, formatting/reformatting is a 'major' thing to do to a computer... will this affect any settings, saved things, etc that I have now?


    Thanks for all your help! I wish there was just one huge five-thousand page book you could get that would explain every function of 'normal', store-bought computers in the most basic way possible. Actually, that would probably have to be more like ten-thousand pages, lol.

    Actually, does anyone know any basic computer books that explain the 'normal' operations of a computer? I could see that being helpful.

  16. #16
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Quote Originally Posted by spywizard
    If configured correctly, and you are backing up your files....... documents, and images on another device, or a folder, you can save these....

    An operating system over time becomes corrupt with processes, downloads that fail....... hackers that tweak it for you, viruses that don't launch all the way......

    by formatting... deleting all the data....... you start fresh...... and fast...

    and then you add back the files that really matter, deleting those that don't matter......

    note....... a reinstall is not going to fix the issue..... you must format, getting rid of the .dll, and other files that have been corrupted....... as part of an ongoing practice you should do a sector analysis........ that way you don't end up with corrupted data also....

    good luck....
    quite off base, but if you feel that you should reformat then go right ahead. The option is there yes. But to get rid of some spyware and adware, is going a bit overboard.

    If you had a virus that corrupted many system32 files or the root directory,and were unable to start up your machine, then yes a reformat is in order.

    Files do get corrupted over time; as to why is unclear if it is not due to a virus or attacker. A basic reinstall will replace all the corrupted files and put everything back in order.

    Adware/spyware items are quite pesky and annoying if anything. They can be removed; if a proper spyware/adware program is not in use it will be all for naught.

    suggestion

    1. Get an Anti-Virus program
    2. Get a good spyware/adware program
    3. Get a good pop-up blocker
    4. Clean out your system regularly ( delete temp and cookies)
    5. Defrag often if you are constantly removing files and downloading files or programs( this will keep everything where it should be and not slow down the system)
    6. Refer to 1 and 2

    Good Luck Samoth.

  17. #17
    samoth's Avatar
    samoth is offline Member
    Join Date
    Sep 2001
    Location
    Kadath
    Posts
    678
    Yep, it's on a 24 hour reboot/refresh. I will try the suggestions here if I have time tonight after studying.

  18. #18
    juicehoe's Avatar
    juicehoe is offline Anabolic Member
    Join Date
    Oct 2002
    Location
    the gym
    Posts
    2,369
    My dad had this same problem... it's more of a virus than spyware. It changes its name and reproduces (so if you delete it... it will be back). I turned off all his programs in the startup... didn't help. It's a beast and he still has it on there. It just changes his start page. Let me know if you figure out a way to kill it.

  19. #19
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    There is a way to kill it. Going into Msconfig WILL NOT STOP IT. You have to edit the registry to stop it. Even though you delete the DLL file, it is still in the registry, so it will then start up again. They are pesky and annoying. You have to get to the root of the problem. The DLL and msconfig (if it is even there) are just a smoke screen.


    Try Adware 6.0 http://download.com.com/redir?pid=10...-10214379.html

    run that and see what happens..

    And again get a good Anti-Virus program.. Some of the newer ones also scan for adware and spyware

    Good Luck

  20. #20
    spywizard's Avatar
    spywizard is offline AR-Elite Hall of Famer~
    Join Date
    Dec 2003
    Location
    In the Gym, if i could
    Posts
    15,929
    Actually............

    he has already run adware, and spybot.... the problem is his registry has been compromised........

    thus the only way to recover is a new install...

    that is the reason for the advice..........

    mine's bigger than yours.............


    Quote Originally Posted by 5211969
    quite off base, but if you feel that you should reformat then go right ahead. The option is there yes. But to get rid of some spyware and adware, is going a bit overboard.

    If you had a virus that corrupted many system32 files or the root directory,and were unable to start up your machine, then yes a reformat is in order.

    Files do get corrupted over time; as to why is unclear if it is not due to a virus or attacker. A basic reinstall will replace all the corrupted files and put everything back in order.

    Adware/spyware items are quite pesky and annoying if anything. They can be removed; if a proper spyware/adware program is not in use it will be all for naught.

    suggestion

    1. Get an Anti-Virus program
    2. Get a good spyware/adware program
    3. Get a good pop-up blocker
    4. Clean out your system regularly ( delete temp and cookies)
    5. Defrag often if you are constantly removing files and downloading files or programs( this will keep everything where it should be and not slow down the system)
    6. Refer to 1 and 2

    Good Luck Samoth.

  21. #21
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Quote Originally Posted by spywizard
    Actually............

    he has already run adware, and spybot.... the problem is his registry has been compromised........

    Of course the registry has been compromised, everything that you put on your computer goes into the registry.

    thus the only way to recover is a new install...

    That is not the only way to get rid of it, Unless of course you prefer. If you have nothing on your computer that you want to keep. If you read what he said instead of trying to argue with me, then you would know that he is not the most literate person when it comes to computers. A reformat is simple to those that know how to do it. THERE IS NO BASIS FOR HIM TO REFORMAT !!!

    that is the reason for the advice..........

    Your advice isn't very thought out. Again, reformatting is an option, BUT ONLY A LAST OPTION. He has many other options that he can go through first.. I posted a link if you didn't see it, which shows him exactly how to get rid of the problem.

    mine's bigger than yours.............
    I COULD CARE LESS, WHATEVER IT IS YOU'RE TALKING ABOUT !
    Last edited by 5211969; 04-15-2004 at 10:23 AM.

  22. #22
    5211969's Avatar
    5211969 is offline Banned
    Join Date
    Mar 2004
    Location
    Pa
    Posts
    142
    Deleting the values from the registry

    --------------------------------------------------------------------------------
    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam," for instructions.
    --------------------------------------------------------------------------------

    Click Start, and then click Run. (The Run dialog box appears.)
    Type regedit

    Then click OK. (The Registry Editor opens.)


    Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


    In the right pane, delete the value:

    "Updater"= "rundll32 [Path to iefeatsl.dll]\1.new,UpdateDll fs"


    Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete the value:

    "Image"= "rundll32 <Current folder>\image.dll,UpdateDll fs"


    Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices


    In the right pane, delete the value:

    "Image"= "rundll32 <Current folder>\image.dll,UpdateDll fs"


    Exit the Registry Editor.
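
As an added example (not part of the original posts or the Symantec write-up): a Python script that reads a regedit text export, such as the backup the warning in the last post recommends, and lists values under the Run, RunOnce and RunServices keys that launch a file through rundll32, the pattern in the removal steps. The sample export, its paths and the function names are constructed for this example.

```python
import re

# Autostart keys named in the removal steps, matched as a suffix of the key path.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
)

# Constructed sample of a regedit text export; names and paths are made up
# for illustration. A real "Version 5.00" export is UTF-16, so read the file
# with encoding="utf-16" before passing its text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Image"="rundll32 C:\\WINDOWS\\system32\\image.dll,UpdateDll fs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="rundll32 C:\\WINDOWS\\1.new,UpdateDll fs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="string data"; other value types (dword:, hex:) are not decoded here.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# rundll32 (optionally with a path or .exe), then "<file>,<exported function>".
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\(?:[^\\"]+\\)*)?rundll32(?:\.exe)?"?\s+(?P<target>.+?),(?P<export>\S+)',
    re.IGNORECASE,
)


def unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            continue
        value = VALUE_RE.match(line)
        if value and key:
            yield key, unescape(value.group("name")), unescape(value.group("data"))


def find_rundll32_autoruns(text):
    """Return autostart values whose command line loads a file via rundll32."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        match = RUNDLL_RE.match(data)
        if match:
            target = match.group("target").strip('"')
            findings.append({
                "key": key,
                "value": name,
                "target": target,
                "export": match.group("export"),
                # A rundll32 target that is not named *.dll deserves a closer look.
                "odd_extension": not target.lower().endswith(".dll"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_rundll32_autoruns(SAMPLE_EXPORT):
        flag = " (non-.dll target)" if hit["odd_extension"] else ""
        print(f'{hit["key"]} -> "{hit["value"]}" loads {hit["target"]}{flag}')
```

Running it on exports taken before and after a cleanup shows whether an entry has come back under a new file name, since the match is on the rundll32 launch pattern rather than on the DLL name.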
