Please help me get rid of a hijacker!

 
 
the.tall.hobbit
Guest
Posts: n/a
 
      11-21-2004
Hello there,

I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
problem.

I have updated and run both Spybot 1.3, and Adaware SE and have also
detected and deleted some infected files with AVG.

But the Spybot Resident keeps telling me that the browser homepage has been
changed. ie from www.loads of gibberish directing to mywebsearch.com to
www.moreloadsof gibberish directing me to the same place.

No matter how many times I hit the "deny change" it still pops up a couple
of minutes later.

I have also run hijackthis and came up with the following log.

Logfile of HijackThis v1.98.2
Scan saved at 21:51:24, on 21/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\configldr.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tiscali\tkonnect\tkonnect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\karen\Desktop\Downloaded
Items\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://web.fffqjzylmemt.com/W7CfjWMQ...4Kkh86_YJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.oirrhkcvhgvo.com/W7CfjWMQ...IZnEUnD44.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -
C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
settings\temp\qBbgt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]
"C:\WINDOWS\System32\midbkend.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe
updatemode
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
soap fast.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program
Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
Player 2K2) - http://www.napster.co.uk/client/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.co...?1101061670937
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary...t.cab31267.cab

END LOGFILE

I hope some can help me out there!!

Thanks for your time
Karen



 
 
 
 
 
pcbutts1
Guest
Posts: n/a
 
      11-21-2004
Have Hijackthis fix the following lines, then go to
http://windowsupdate.microsoft.com and download and install all the critical
updates. You have running something called mslaugh.exe which is part of the
blaster worm. You need the MS updates to block it. Why your antivirus did
not pick it up I don't know. You will have a choice to install SP2 I suggest
you do it. If not then get all the other updates.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://web.fffqjzylmemt.com/W7CfjWMQ...4Kkh86_YJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.oirrhkcvhgvo.com/W7CfjWMQ...IZnEUnD44.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.tiscali.co.uk/
O2 - BHO: (no name) -
{C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
settings\temp\qBbgt.exe
O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]"C:\WINDOWS\System32\midbkend.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe

O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
soap fast.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
Player 2K2) - http://www.napster.co.uk/client/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.co...?1101061670937
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary...t.cab31267.cab


--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
Sharpvision simply the best http://www.seedsv.com



"the.tall.hobbit" < > wrote
in message news:...
> Hello there,
>
> I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
> problem.
>
> I have updated and run both Spybot 1.3, and Adaware SE and have also
> detected and deleted some infected files with AVG.
>
> But the Spybot Resident keeps telling me that the browser homepage has
> been
> changed. ie from www.loads of gibberish directing to mywebsearch.com to
> www.moreloadsof gibberish directing me to the same place.
>
> No matter how many times I hit the "deny change" it still pops up a couple
> of minutes later.
>
> I have also run hijackthis and came up with the following log.
>



 
 
 
 
 
°Mike°
Guest
Posts: n/a
 
      11-21-2004
On Sun, 21 Nov 2004 22:14:49 -0000, in
<>
the.tall.hobbit scrawled:

>Hello there,
>
>I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
>problem.
>
>I have updated and run both Spybot 1.3, and Adaware SE and have also
>detected and deleted some infected files with AVG.
>
>But the Spybot Resident keeps telling me that the browser homepage has been
>changed. ie from www.loads of gibberish directing to mywebsearch.com to
>www.moreloadsof gibberish directing me to the same place.
>
>No matter how many times I hit the "deny change" it still pops up a couple
>of minutes later.
>
>I have also run hijackthis and came up with the following log.
>
>Logfile of HijackThis v1.98.2
>Scan saved at 21:51:24, on 21/11/2004
>Platform: Windows XP SP1 (WinNT 5.01.2600)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:


<snip>

>C:\WINDOWS\System32\configldr.exe


You are infected with the Agobot worm.
End task the above process (CTRL+ALT+DEL).

Remove the following entries from your
registry (Start / Run / regedit):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Configuration Loading = configldr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loading = configldr.exe

Scan your system with UP TO DATE antivirus, and at least
two online scanners.

Online Antivirus scanners:
================
http://housecall.trendmicro.com/hous...start_corp.asp
http://www3.ca.com/virusinfo/virusscan.aspx
http://security.symantec.com/sscv6/default.asp
http://us.mcafee.com/root/mfs/default.asp


>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>http://web.fffqjzylmemt.com/W7CfjWMQ...4Kkh86_YJ.html


Have HijackThis fix the above.


>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
>http://www.oirrhkcvhgvo.com/W7CfjWMQ...IZnEUnD44.html


Have HijackThis fix the above.


>O2 - BHO: (no name) - {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -
>C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe


Unless you know what "bluebows.exe" is, have HijackThis
fix the above.


>O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe


You are also infected with the BLASTER worm!
See the end for details of how to remove.


>O4 - HKLM\..\Run: [Configuration Loader] configldr.exe


Have HijackThis fix the above.


>O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
>settings\temp\qBbgt.exe


Have HijackThis fix the above. Boot into Safe Mode and empty
your "local settings\temp" folder. See my signature.


>O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
>O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe


Another nail in the coffin of AVG! AVG is CRAP. Remove it
and protect yourself with an antivirus that actually works:

Anti-virus programs:
--------------------
KAV (Kaspersky)
http://www.kaspersky.com/

Sophos
http://www.sophos.com/products/sav/


>O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]
>"C:\WINDOWS\System32\midbkend.exe"


Have HijackThis fix the above.


>O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


Adware. Have HijackThis fix the above.


>O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
>Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe


Unless you know what the above is, have HijackThis fix it.
Look at the names.


>O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe


Have HijackThis fix the above.


>O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
>soap fast.exe


Unless you know what the above is, have HijackThis fix it.
Look at the names.


>O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
>Player 2K2) - http://www.napster.co.uk/client/setup.exe


This (napster) is probably where you have been infected from.


>END LOGFILE
>
>I hope some can help me out there!!
>
>Thanks for your time
>Karen



BLASTER REMOVAL:

Boot into Safe Mode and start your registry editor:
Start / Run / regedit

Navigate to:
HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows
+CurrentVersion
+Run

In the right-hand pane, look for any entry/ies that include
MSBLAST.EXE, PENIS32.EXE, TEEKIDS.EXE, MSPATCH.EXE,
MSLAUGH.EXE, ENBIEI.EXE, ESCHLP.EXE or TFTP.EXE .
DELETE it/them.
These are the files associated with the different variants:
Variant A - msblast.exe
Variant B - penis32.exe
Variant C - teekids.exe
Variant D - mspatch.exe
Variant E - mslaugh.exe
Variant F - enbiei.exe
Variant G (aka T) - eschlp.exe & svchosthlp.exe
Variant H (aka K) - mschost.exe & tftp.exe

You just disabled the worm from running at startup, so boot into
normal mode again, and turn off ALL system restores to purge
your system.

Open Windows Explorer to the ..\Windows\System32\ or
...\WinNT\System32\ folder and DELETE *any* of the
files named above.

Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
and find the reference to the above file/s (any reference will
be similar to: <filename.exe>-<alphanumerics>.PF), for example,
msblast.exe-0235D8H6.pf, and DELETE it/them.

Now you can download and install the patch, configure your
firewall and update your virus scanner.

Virus Alert About the Blaster Worm and Its Variants
http://support.microsoft.com/default.aspx?kbid=826955

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/sec...n/MS03-026.asp

What you should know about the Blaster worm
http://www.microsoft.com/security/incident/blast.asp

Windows RPC DCOM Buffer Overflow Remote Exploit (MS03-026)
http://www.k-otik.com/exploits/07.25.winrpcdcom.c.php

How to Use The KB 823980 Scanning Tool to Identify Host Computers
That Do Not Have The 823980 Security Patch (MS03-026) Installed
http://support.microsoft.com/default.aspx?kbid=826369

W32.Blaster.Worm
http://www.symantec.com/avcenter/ven...ster.worm.html

W32.Blaster.B.Worm
http://www.symantec.com/avcenter/ven...er.b.worm.html

W32.Blaster.C.Worm
http://www.symantec.com/avcenter/ven...er.c.worm.html

W32.Blaster.D.Worm
http://www.symantec.com/avcenter/ven...er.d.worm.html

W32.Blaster.E.Worm
http://www.symantec.com/avcenter/ven...er.e.worm.html

W32.Blaster.F.Worm
http://www.symantec.com/avcenter/ven...er.f.worm.html

W32.Blaster.T.Worm (aka G)
http://www.symantec.com/avcenter/ven...er.t.worm.html

W32.Blaster.K.Worm (aka H)
http://www.symantec.com/avcenter/ven...er.k.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/ven...oval.tool.html





--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
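
The startup-entry checks made in the replies above, as an added example that is not part of any poster's message: it rejoins the hard-wrapped HijackThis lines, then flags O4 Run/RunServices entries whose file name is on the Blaster list given above, that run from a temp folder, or that give no path. The function names, the three reason labels and the no-path heuristic are assumptions of this example, not HijackThis output.

```python
import re

# Filenames listed in the removal steps above for Blaster variants A-H.
BLASTER_FILES = {
    "msblast.exe", "penis32.exe", "teekids.exe", "mspatch.exe", "mslaugh.exe",
    "enbiei.exe", "eschlp.exe", "svchosthlp.exe", "mschost.exe", "tftp.exe",
}

# A HijackThis entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R\d|F\d|O\d{1,2}) - ")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\]\s*(.+)$")
EXE_PATH = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def unwrap(text):
    """Rejoin entries that a mail or news client hard-wrapped at a space."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries


def triage(text):
    """Return (value_name, basename, reasons) for each flagged O4 Run entry."""
    findings = []
    for entry in unwrap(text):
        m = O4_RUN.match(entry)
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe = EXE_PATH.match(command)
        path = exe.group(1) if exe else command
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in BLASTER_FILES:
            reasons.append("blaster-filename")
        if "\\temp\\" in path.lower():
            reasons.append("runs-from-temp")
        if "\\" not in path:
            reasons.append("no-path")  # assumption: a review hint, not proof
        if reasons:
            findings.append((f"{hive}\\{key}\\{name}", base, reasons))
    return findings


# Constructed sample: lines copied from the log in this thread, wrapping kept.
SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
settings\temp\qBbgt.exe
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for value, base, reasons in triage(SAMPLE):
        print(f"{value}: {base} ({', '.join(reasons)})")
```

The flags are hints for manual review: tftp.exe, for instance, is also the name of a stock Windows tool, so a match on the list alone does not confirm infection.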
 
 
Pennywise
Guest
Posts: n/a
 
      11-22-2004
On Sun, 21 Nov 2004 22:14:49 -0000, "the.tall.hobbit"
< > wrote:

|>Hello there,
|>
|>I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
|>problem.
|>
|>I have also run hijackthis and came up with the following log.

You've got some work ahead of you that's for sure.
Paste your Hijackthis log here:
http://hijackthis.de/index.php?langselect=english
and go from there.

 
 
the.tall.hobbit
Guest
Posts: n/a
 
      11-22-2004

thanks all, lots to do then!

I'll post back with updates etc
karen


 
 
nemo
Guest
Posts: n/a
 
      11-22-2004
Why not call this guy stupid too? After all - he picked up a virus!

pcbutts1 <> wrote in message
news:EV8od.24601$ om...
> Have Hijackthis fix the following lines, then go to
> http://windowsupdate.microsoft.com and download and install all the critical
> updates. You have running something called mslaugh.exe which is part of the
> blaster worm. You need the MS updates to block it. Why your antivirus did
> not pick it up I don't know. You will have a choice to install SP2 I suggest
> you do it. If not then get all the other updates.
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://web.fffqjzylmemt.com/W7CfjWMQ...RlUEoh5kFlD7U9bykcnLu4Kkh86_YJ.html
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.oirrhkcvhgvo.com/W7CfjWMQ...IZnEUnD44.html
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
> http://www.tiscali.co.uk/
> O2 - BHO: (no name) -
> {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe
>
> O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
> O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
> O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
> settings\temp\qBbgt.exe
> O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]"C:\WINDOWS\System32\midbkend.exe"
> O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
> O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
> Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe
>
> O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
> soap fast.exe
> O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
> O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
> Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
> O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
> Player 2K2) - http://www.napster.co.uk/client/setup.exe
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
> http://v5.windowsupdate.microsoft.co.../x86/client/wuweb_site.cab?1101061670937
> O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
> Class) -
> http://messenger.zone.msn.com/binary...t.cab31267.cab
>
>
> --
>
>
> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> Sharpvision simply the best http://www.seedsv.com
>
>
>
> "the.tall.hobbit" < > wrote
> in message news:...
> > Hello there,
> >
> > I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
> > problem.
> >
> > I have updated and run both Spybot 1.3, and Adaware SE and have also
> > detected and deleted some infected files with AVG.
> >
> > But the Spybot Resident keeps telling me that the browser homepage has
> > been
> > changed. ie from www.loads of gibberish directing to mywebsearch.com to
> > www.moreloadsof gibberish directing me to the same place.
> >
> > No matter how many times I hit the "deny change" it still pops up a couple
> > of minutes later.
> >
> > I have also run hijackthis and came up with the following log.
> >



 