Hello. I have WinXP, Internet Explorer 6 SP1. I am having an issue changing my homepage. Whenever I change it in Internet Options, it returns to the adware one (Microsoft Search the Web, in this case).
I have taken basically every measure possible to eliminate this. I scanned my PC using Norton Antivirus 2004. I was shown that I had a Trojan.BookMarker virus that automatically changes the webpage. I have deleted this from my computer. I have also used Ad-aware, Spybot Search and Destroy, and HijackThis, without success. It seems that my "Hosts" file in "Windows/system32/drivers/etc" cannot be altered, since the line "213.159.117.235 auto.search.msn.com" keeps coming back after being deleted.
Here is my HijackThis! log if it helps. Thanks for any assistance with this.
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\EPSON\ESM2\eEBAgent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

MattC
Hi
Looks like you still have some of cool web search hijack left...when I entered that IP from your hosts file in the IE address bar, I was taken to cool web search. You can download the removal tool here:
Run the tool while offline.
Reboot and run again just to make sure you are clean. Then remove these lines from hijack if still there.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
Make a visit to windows update...the latest IE patch prevents this hijack!...Install all the criticals listed for windows and IE.
Reboot and post new log if you still have problems.
____________________________________
I never give up!
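
Added example (not part of the original thread and not any poster's code): a Python triage pass over a HijackThis log that flags the same kinds of entries the reply above singled out for review. The function name `triage`, the heuristics and the trimmed sample log are assumptions made for illustration; a hit means "look at this by hand", not "malicious".

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")   # "O16 - ..." style entries only
IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}          # localhost / sinkhole hosts entries

def triage(log):
    """Return (line, reason) pairs for entries that deserve a manual look."""
    entries = [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]
    # First pass: which URL schemes does the log itself report as hijacked (O18)?
    hijacked = {body.split(":", 1)[1].split(" - ")[0].strip().lower()
                for code, body in entries
                if code == "O18" and body.startswith("Protocol hijack:")}
    findings = []
    for code, body in entries:
        line = f"{code} - {body}"
        if code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                findings.append((line, f"hosts file pins {parts[1]} to {parts[0]}"))
        elif code == "O16":
            m = IP_URL.match(body.rsplit(" - ", 1)[-1])
            if m:  # control downloaded from a bare IP rather than a vendor hostname
                findings.append((line, f"ActiveX download from bare IP {m.group(1)}"))
        elif code == "O18" and body.startswith("Protocol hijack:"):
            findings.append((line, "protocol handler replaced"))
        elif code in ("R0", "R1") and " = " in body:
            scheme = body.rsplit(" = ", 1)[1].split(":", 1)[0].lower()
            if scheme in hijacked:  # e.g. about:blank while 'about' is hijacked
                findings.append((line, f"IE page relies on hijacked '{scheme}:' protocol"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
```
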

I ran CWShredder and deleted the files that it found. I then ran HijackThis! and once again, deleted the files you listed.
This seemed to fix the problem, at least for now. Thank you for your help!!!
Matt

Now you're squeaky clean, download/install SpywareGuard, which has an anti-hijack feature. Don't forget to keep it updated.
Good luck
V...

MattC
Thanks for posting back...glad it worked.
As well as SpywareGuard, which Val suggested, also get SpywareBlaster.
And if you haven't already....get your windows updates..or you WILL get re-infected
Take care
__________________________________
I never give up!
