Another useful tool is BHODEMON. This plugs into your MSIE and provides additional protection against Browser Helper Objects (BHOs). Malicious BHOs could have a part in some hijacking cases, although I could not say that is the case with yours. Check out more about it at:
http://www.definitivesolutions.com/bhodemon.htm

This tool saved me once recently.

I will reiterate the notes written earlier about being careful with the tools mentioned as they are quite powerful.

http://www.pchell.com/support/spyware.shtml
Go here and get a little education on what has happened to you so you can make an informed decision on how to handle it. There is such a wide variety of homepage hijackers and some of them or polymorhpic and resist standard removal methods. You will need a copy of HiJack this, and don’t forget to read the tutorial or you will end up breaking more than you fix. HiJack this will ensure that all spyware is removed. The reason for the other programs is that they will also removed the executables that loaded the crap in the first place.

Using the new “Giant” aka Microsofts Beta software is a good place to start. You can also use Counterspy free for 30 days.Make sure to download Spybot and configure it properly as was also noted.If your winsock is broken after removal you will also need to repair your winsock or have a winsock repair tool BEFORE you attempt repair.

http://www.spywareinfo.com/~merijn/
Go here to get the other tools you might need such as the winsock repair tool or some of the other specialty tools requires such as CWS shredder for Cool Web Search. Then either educate yourself or download Firefox or use an alternate browser to keep some of this spyware that uses active x installers from installing through IE.
No doubt you’ll have much more spyware on your computer than you think you have.

So, run Giant first, then Spybot with the config mentioned earlier from a well informed respondent. Run Giant/Microsoft and reboot each time until it tells you nothing is left. Then run spybot, and when it tells you nothing is left, then run HIJack This. If it indicates you still have malware, then you’ll have to start digging. YOu can also run CWS shredder just for the heck of it if you don’t know what you are doing. Won’t hurt. Make sure you have the winsock repair tool before you start in case your winsock gets nuked by removing some of the spyware.

Before you open Spybot, set your internet explorer home page to what you want it to be. Then open Spybot, click on the “mode” pull down menu and select advanced mode. This will now show the other options. Click on “Tools”. On the right, I check everything except “bug report”. This will show more options under tools (back on the left). Go through them all, as they all have great value.

Click on “Browser Pages” and look at each one on the right. If one does not look like one you use, click the change button, and change it to something you want. “About Blank” is fine if you don’t want another, but I usually use Microsoft, or Google, but you can pick any you want. Now, click on “IE Tweaks” and make sure the “Lock IE Start page setting against user changes (current user)” Note: this is user dependant, and you will need to do this for each user that may log on this pc. Also, if you ever want to change your home page, you will have to uncheck this as the option to change in IE will be grayed out. Notice the Lock Hosts file option, as I mention this later.

Now click on “Resident” and make sure the check box for “Resident “TeaTimer” (Protection of over-all system settings) active.” is checked. Again, this is per user. This can be a pain in the butt, however, less painful than not using it. Rule of thumb for non IT people, if your doing something (windows updates, program installations / changes etc.) and you get the teatimer popup window, allow it. If your not intentionally doing something, deny registry change.
This should clean up your browser hijack issue.

Now, there are a lot of people who will argue this one, and I’m not going to argue. I know the hosts file was created with a different intent, but I do use the spybot “host file” feature. It will add known bad sites to your host file, and point it to localhost so the page will not show up. From time to time after updates, I remove them and re-add them in case an update also includes hosts file updates. I’ve also used this very same list, with the addition of my own to my firewall block list.

I also believe you have some issues in “system startup”. New or changed entries since the last time you were in system startup will be in bold. There is a Vertical bar on the right hand side that should be moved to the left (it has a left arrow at the top, and bottom). Now when you click on an item in system startup, if Spybot knows about the product, it will tell you what it knows. Spybot does not know about everything, but it’s surprisingly good. Feel free to “toggle” the status, and later delete should an item not be needed. Be warned, deleted items do have a method of re-appearing, if this happens, you got something else going on that has gone undetected, and will require further investigation.

Spybot is a freeware program, and if used properly, does a good job, however, I still find other anti-spyware programs are needed for maximum protection. To keep the author of Spybot producing signature files, you should make a donation. And no, I don’t know the author, but like the program, but wish for more frequent updates.

Good luck.
Robert

This is one of those stealth apps that re-installs itself – so you need make sure that everything is clean.

Just make sure you know what you’re doing. HijackThis is a powerful tool – which will also allow you to shoot yourself in the foot.

Bob