I have a serious problem. A couple of days ago my homepage was hijacked and I started getting a pop-up saying that spyware had been detected on my computer and to "click here" to find out how to remove it. I run Norton Internet Security 2003 and never got pop-ups until now. Norton has proved to be no help whatsoever in this case.
I ran Spybot S&D and it found two suspicious registry entries and said that they had been removed. When I scanned again, they were still there. I tried to download Spyware Blaster, but it failed to download twice.
I activated AdAware, (I de-activated it when I installed Norton,) and scanned my system. It found 7 problems, several in the registry, and said that they had been fixed. But when I re-scanned, there were 32 problems (!) most of them in the registry.
It seems obvious that the more I try to get rid of this problem, the more it multiplies. I don't know too much about viruses, worms and such, but I see that I am going to have to be very careful as to how I handle this problem so that it doesn't get out of control. Or maybe it already is.
I appreciate any help.

I recommend some registry help: try the bought or trial version of Registry First Aid to clean out the mess that builds up in the registry through uninstalls and shifting files around to other locations. Click here for Registry First Aid:
http://www.rosecitysoftware.com/Reg1Aid/
Have a look at all these options-
Here is a spyware program you need, Spybot Search & Destroy: http://www.spychecker.com/program/spybot.html
After you install it, click the update button and scan again. Everything you see in the results is buggering you up; you can check the information about each one before you delete, so read carefully.
This is a great program. If you don't have an anti-virus program I recommend the Free Edition of AVG, which can be gotten at http://www.grisoft.com/ . Update the program definitions often and set up a scheduler in the program.
Lastly, download 'Stinger' from: http://vil.nai.com/vil/stinger/ It will scan for 41 current viruses and worms. If running the WinXP or ME versions, read the info here first before you scan:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
You should increase your privacy/security settings: right click My Computer, go to Properties, then to the Security/Privacy tabs, and try increasing your control over imposing websites and hijackers.
You can get your Free Edition PopUp killer from http://www.panicware.com get the download here:
http://download.com.com/3001-7786-10246779.html
Additional information:
Lastly, you should, if you haven't already, delete your temporary internet files and cookies often: right click the IE browser icon, select Properties, and on the General tab click the buttons that delete your temporary files and cookies.
Let me know if this works for you - Lots of luck -
Lee

OK. So I played around with AdAware long enough that it doesn't find any more problems. (First selecting and removing registry key entries, then CoolWebSearch entries, and finally narrowing it down until no problems were recognized.) However, my homepage is still hijacked, and Spybot S&D continues to find two hijack programs in my registry.

Browser hijacks can usually be handled by HiJack This!
CoolWebSearch by CWShredder - both available here
Hopefully you can d/l them. Not sure, but you may also need to disable system restore (I'm not that familiar with XP)
The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it.

I had a similar problem for a couple of days. Running Ad-Aware, SpyBot and CWShredder didn't help until I ran the latter with no other programs running in the background. The old rule of thumb is that you shouldn't have any antivirus program running whenever you attempt to do anything serious, such as run a software install, etc. With all programs closed, CWShredder found similar information and removed it. I rebooted, reset my homepage, and it hasn't changed back since. Good Luck!

It's good advice Jude,
I would add make sure you turn off system restore as well. Then boot into SAFE mode and run all your tools.
Jimi_l

CW Shredder worked great. I ran Hijack This, but there were so many entries that I thought I would get some advice first on what to delete. The log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 5:51:02 AM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Jude Walker\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1521
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1521
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1521
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1521
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1521
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1521
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1521
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1521
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B6FF2E8A-0494-488D-BA38-23D1C284CD10} - C:\WINDOWS\System32\cfl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MicroBrw] C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\MicroBrw.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.exe /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.5025231481
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Some are obvious to me, but of some I am not so sure.
Jude
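An added example, not from any poster in this thread: a small Python script that triages an HJT log of the kind Jude posted. It flags R0/R1 and O13 entries whose target is a local file or a res:// URL into a DLL that is not one of IE's own resource DLLs, then cross-references those targets against the O2 BHO list so the DLL that keeps re-writing the settings is flagged alongside the settings themselves. The sample log is a handful of lines copied from the log above, the list of IE resource DLLs is this example's own assumption, and the heuristics are the example's, not HijackThis's.

```python
"""Triage a HijackThis (HJT) log: flag R0/R1, O13 and O2 entries whose targets
look like a browser hijack rather than a normal URL or a known add-on.

Added example for this thread; the heuristics are this example's own, not
HijackThis's. Entries it does not flag (O4 autoruns, O16 ActiveX) still need
manual review."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted above (a few of its lines,
# not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1521
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B6FF2E8A-0494-488D-BA38-23D1C284CD10} - C:\WINDOWS\System32\cfl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O13 - WWW Prefix: c:\searchpage.html?page=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+)= (?P<value>.+)$")
O13_LINE = re.compile(r"^O13 - (?P<name>[^:]+): (?P<value>.+)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LOCAL_PATH = re.compile(r"^[a-zA-Z]:\\")
RES_URL = re.compile(r"^res://(?P<dll>[^/]+)/", re.IGNORECASE)

# Assumption: IE's own resource DLLs, which legitimately appear in res:// URLs.
IE_RESOURCE_DLLS = {"shdoclc.dll", "mshtml.dll", "browseui.dll", "ieframe.dll"}


@dataclass
class Finding:
    line: str
    reason: str


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)
    # normalized, lower-cased local paths that hijacked settings load from
    suspect_files: set = field(default_factory=set)


def _inspect_value(value):
    """Return (reason, normalized_target) if a setting value looks hijacked, else (None, None)."""
    v = value.strip()
    obfuscated = v.lower().endswith("(obfuscated)")
    if obfuscated:
        v = v[: -len("(obfuscated)")].strip()
    if LOCAL_PATH.match(v) or v.lower().startswith("file://"):
        target = re.split(r"[?#]", v, maxsplit=1)[0].lower()  # drop ?page= / #1521 suffixes
        return "start/search setting points at a local file instead of a URL", target
    m = RES_URL.match(v)
    if m:
        dll_path = m.group("dll").lower()
        dll_name = dll_path.rsplit("\\", 1)[-1]
        if dll_name not in IE_RESOURCE_DLLS:
            return f"search page served from a resource inside {dll_name}, not an IE DLL", dll_path
    if obfuscated:
        return "HijackThis marks the value as obfuscated", None
    return None, None


def triage(log_text):
    """Flag hijacked R/O13 settings first, then the BHO DLLs tied to them."""
    result = TriageResult()
    bho_lines = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line) or O13_LINE.match(line)
        if m:
            reason, target = _inspect_value(m.group("value"))
            if reason:
                result.findings.append(Finding(line, reason))
                if target:
                    result.suspect_files.add(target)
        elif BHO_LINE.match(line):
            bho_lines.append(line)
    # BHOs are judged last so the cross-reference sees every hijacked setting.
    for line in bho_lines:
        m = BHO_LINE.match(line)
        path = m.group("path").strip().lower()
        if path in result.suspect_files:
            reason = "BHO DLL is the same file the hijacked search settings load from"
        elif m.group("name").strip() == "(no name)" and "\\windows\\" in path:
            reason = "unnamed BHO loaded from the Windows directory"
        else:
            continue
        result.findings.append(Finding(line, reason))
    return result


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for f in res.findings:
        print(f"FLAG  {f.line}\n      -> {f.reason}")
    print("files to inspect/quarantine:", sorted(res.suspect_files))
```

The design point is the cross-reference: a normal start or search page is an http(s) URL or about:blank, so a setting that points into C:\ or into a res:// resource of a DLL that is not IE's own is the hijack, and the O2 entry loading that same DLL is what puts the settings back after a registry-only cleanup. Both have to go together, which is consistent with the entries returning after the AdAware passes described above. Legitimate software can still trip the unnamed-BHO-in-Windows heuristic, so treat the output as a shortlist to research, not a delete list.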

HEY DIEGO,
and everybody else...
DO NOT LISTEN TO DIEGO's reply!
Unless some earth shattering event has happened, he is FULL OF IT!
He has posted such replies all over the forum.
BE WARNED!
AOSCLAY
My Computer Works
