I'm running WinXP on a Toshiba Pentium 4 notebook with 512MB RAM. I'll encountered a browser hijacker which spybot identified as CmsMin. I'll rebooted to safe mode, disabled system restore and run spybot. Spybot detects the spyware and fixed the problem. I've changed the homepage and remvoed the uncessary favourites. I've also run CWShredder. When I reboot my PC, my homepage gets hijacked again and was redirected to a porn site. Below is my log. Please help to solve this problem. Thanks. Logfile of HijackThis v1.97.7 Scan saved at 12:34:29, on 2/19/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\brss01a.exe C:\InetPub\cws.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe C:\Program Files\IBM\Client Access\CWBPROVD.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\conime.exe C:\Program Files\ltmoh\Ltmoh.exe C:\PROGRA~1\EzButton\CPLBTS88.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ISM\pinger.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\Ahead\InCD\InCD.exe C:\OfficeScan NT\pccntmon.exe C:\Program Files\IBM\Client Access\cwbuitsk.exe C:\Program Files\IBM\Client Access\CWBSVD.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe C:\OfficeScan NT\tmlisten.exe C:\OfficeScan NT\ntrtscan.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\HATANO\デスクトップ\HijackThis.exe F0 - syst>m.ini: Shell= F0 - R >ystem.ini: Shel>= F0 - R >ystem.ini: UserInit= O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.exe" O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe" O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe" O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe O4 - Startup: NTUSER.DAT O4 - Startup: ntuser.dat.LOG O4 - Startup: ntuser.ini O4 - Startup: USB001 O4 - Global Startup: ntuser.pol O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8035.7798263889 O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BICS.COM.SG O17 - HKLM\Software\..\Telephony: DomainName = BICS.COM.SG O17 - HKLM\System\CCS\Services\Tcpip\..\{43BF835C-F465-4B57-B0A1-2DE5A76DA8B6}: NameServer = 192.168.0.10,210.193.2.34,210.193.2.36 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BICS.COM.SG O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BICS.COM.SG O17 - HKLM\System\CS2\Services\Tcpip\..\{43BF835C-F465-4B57-B0A1-2DE5A76DA8B6}: NameServer = 192.168.0.10,210.193.2.34,210.193.2.36 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = BICS.COM.SG O17 - HKLM\System\CS3\Services\Tcpip\..\{43BF835C-F465-4B57-B0A1-2DE5A76DA8B6}: NameServer = 192.168.0.10,210.193.2.34,210.193.2.36

Just a little info, that might be useful. CWS.Alfasearch

When did we permit postings with NO NAME?? I would be VERY wary of clicking on this link!!!

Ray: My thought exactly, until I touched the link with my arrow and received the following in the browser's status bar: www.spywareinfo.com/~merijn/cwschronicles I know it's harmless, but I still won't click on it. It's the lack of a name on the post that bugs me. 8-) Solarian

PS Curiosity got the better of me. The link is for Cool Web Search Chronicles at www.spywareinfo.com. CWS Chronicles Solarian

You are a brave man, Solarian!!! But nevertheless, thanks for the heads up. Lack of posters name concerns me!?

Just a little info, that might be useful. That link, will take you to, http://www.spywareinfo.com/~merijn/cwschronicles.html#alfasearch CWS.Alfasearch Sorry Ray Peate, better. :-) CrazyOne