Can't remove "about:blank" homepage. Please help.


Comments

  • GothicSatan187 Carleton, Michigan
    edited April 2004
    I would have suggested Mozilla or Firefox. They are another Internet Explorer but better. They have JavaScript blockers and pop-up stoppers built right in. I have had it for a couple years and never had any problems with "stuck homepages" or anything like that.
  • edited April 2004
    Hi all, I'm new but with the same problem. I have tried everything I have found in the forums, mostly without result, but for now it seems that I have luckily found the cure.... or something, I'm not sure :S

    Anyway, this is what I did: I set my calendar to 2055 and the next time I rebooted, instead of the "search for.." page appearing again, a message popped up that reads: jusched.exe has performed an unauthorized operation and will shut down. As far as I know jusched is a program used by Sun Java and it should be harmless, but in the same folder was a file called jusched.exe-2A8F6C10 with a date equal to the day that my problems began. For now I have both files in the trash, and for now my start page hasn't changed.... yet...

    Hope anyone finds this helpful and that it aids in finding the solution.
  • edited April 2004
    So far this has worked for me. We'll see if it stays that way.
    I got these instructions from steamwiz on the computer cops site.

    Follow these directions step by step in the order written.


    First Please download TheKillbox from this link: http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Download the newest CWShredder from this page:

    http://www.computercops.biz/downloads-cat-14.html

    Do not run either yet.

    Sign off the Internet and close all IE Windows.

    Run CWShredder.

    Then copy the contents of the quote box to Notepad. Name the file fix.reg
    Save as type All Files. Double click on fix.reg to remove certain other possible registry entries.

    Quote:

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]



    To uninstall the secret reinstaller do this:
    Go to start>Run and type regedit. Press enter.

    Navigate to:
    Open the registry and navigate here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Highlight Windows in the left pane.

    Look in the right pane for this value:
    AppInit_Dlls

    You won't see any data there.

    But if you right click on that and choose Modify Binary Data you will.

    If nothing is there it should just show a few 0's.

    But if they are hiding a dll they load to reinstall, it will show a path to it.


    This is how one looks when there is only one file loading.
    0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
    0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
    0010 77 00 73 00 5C 00 73 00 w.s.\.s.
    0018 79 00 73 00 74 00 65 00 y.s.t.e.
    0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
    0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
    0030 67 00 2E 00 64 00 6C 00 g...d.l.
    0038 6C 00 00 00 l...

    Notice on the far right. You want to look there. It looks funny because of all the periods.

    Look closely and you'll see the path and file name here was:
    Windows\system32\mskkg.dll

    This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.

    Once you have the filename unzip TheKillBox and run it.

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

    When you get back into Windows reset your Search and Home pages.

    Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


    This last part, removing the AppInit_Dlls entry and its corresponding file, is removing the reinstaller, so you do not get reinfected. Do not go on the internet until you have performed all of the steps.
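
Added example (not part of the post above or of any tool it names): a Python sketch that rebuilds the raw AppInit_Dlls data from the "Modify Binary Data" hex view shown in the post and decodes it as UTF-16LE to list the DLL paths. The function names are made up for illustration; `string_view` models a viewer that stops at the first NUL, and because the posted dump begins with the bytes 00 00 it returns an empty string while the full decode still recovers the path.

```python
import re

# Dump as posted above: offset, up to 8 byte values, one ASCII char per byte.
POSTED_DUMP = r"""
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...
"""
ROW = re.compile(r"^([0-9A-Fa-f]{4})\s+(.*)$")
HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_row(rest):
    """Bytes of one row; an ASCII column such as 'de' must not be read as a byte."""
    tokens = rest.split(" ")
    exact = fallback = None
    for n in range(1, min(8, len(tokens)) + 1):
        if not HEXPAIR.fullmatch(tokens[n - 1]):
            break
        ascii_col = " ".join(tokens[n:])
        if len(ascii_col) == n:      # ASCII column has one char per byte
            exact = n
        elif not ascii_col:          # row carries no ASCII column at all
            fallback = n
    n = exact or fallback
    if n is None:
        raise ValueError(f"unparseable row: {rest!r}")
    return bytes(int(t, 16) for t in tokens[:n])

def dump_to_bytes(dump):
    """Rebuild the raw value, refusing dumps with missing or reordered rows."""
    data = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank or non-dump line
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"row {m.group(1)} does not follow {len(data):04X}")
        data += parse_row(m.group(2))
    return bytes(data)

def appinit_entries(data):
    """Decode the UTF-16LE string data and list every DLL path it names."""
    text = data.decode("utf-16-le", errors="replace")
    # AppInit_DLLs is a space- or comma-delimited list; NULs are dropped too.
    return [p for p in re.split(r"[\x00 ,]+", text) if p]

def string_view(data):
    """What a viewer that stops at the first NUL character would display."""
    return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

if __name__ == "__main__":
    raw = dump_to_bytes(POSTED_DUMP)
    print("string view:", repr(string_view(raw)))
    print("entries    :", appinit_entries(raw))
```
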
  • edited April 2004
    Hey all, well I still have the same problem coming back over and again, so I'm coming back here and trying to solve it. I tried to do what you said OrangeBlood but I don't have the following directory since I have Windows XP and not NT: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows , but I did try with another option to find the .dll file causing the problem using a .VBS file and it gave me c:\windows\system32\logighn.dll . I then did the procedure you said with killbox and did everything including running CWShredder and all, but the problem just comes back a few hours or days later. Does anyone have a fix that'll stick? Thanks for the replies thus far.
  • Zuntar North Carolina Icrontian
    edited April 2004
    OOOOOHHh! I was clickin and a surfin last night and WHAM WHAM WHAM WHAM, antivirus was going nuts saying it was blocking backdoor this and Trojan that. I closed IE. Next thing I know I open up IE again and got the dreaded "about:blank" homepage!! :eek::eek::eek::eek:

    I quickly printed out this thread, and followed OrangeBlood's recommendations.
    I had not rebooted at this point, after downloading and running CWShredder (which found something and deleted it) I went to look in my registry and couldn't find the AppInit_Dlls entry that OrangeBlood wrote about.
    I changed my homepage back to normal, and it was fine. So I took a chance and rebooted, all was fine. I assume since I acted so quickly and didn't reboot that all is OK, but only time will tell. :rolleyes::(:mad:
  • TheBaron Austin, TX
    edited April 2004
    If anyone is having a similar problem, do me a favor and post your HijackThis log. It's just that simple.
  • edited May 2004
    TheBaron wrote:
    If anyone is having a similar problem, do me a favor and post your HijackThis log. It's just that simple.

    Yeah, I've been having the same prob and can't get rid of it. I got rid of something similar on my computer but I dunno what the hell to do about this on my aunt's computer.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:11:22 PM, on 5/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Geek Superhero\GeekSuperhero.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Geek Superhero\GeekSuperhero.exe
    C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.EXE
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
    C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
    C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
    C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
    O2 - BHO: (no name) - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\Program Files\Geek Superhero\GeekSuperHeroSlapdown.dll
    O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
    O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
    O9 - Extra button: Bug Swatter Options (HKLM)
    O9 - Extra button: Popup Slapdown Options (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} (WebBar Class) - http://www.advancedsearchbar.com/searchbarsetup2.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38124.9367824074
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • edited May 2004
    xunknownx wrote:
    Yeah, I've been having the same prob and can't get rid of it. I got rid of something similar on my computer but I dunno what the hell to do about this on my aunt's computer.

    Hey man, you don't have to do all that crap.
    All you have to do is download F-Secure Anti-Virus 2004. Go into advance and set the protection level to high. As soon as it comes up again the program will pick it up, then you can delete it.
    IT IS THAT SIMPLE
  • edited May 2004
    Hey man, you don't have to do all that crap.
    All you have to do is download F-Secure Anti-Virus 2004. Go into advance and set the protection level to high. As soon as it comes up again the program will pick it up, then you can delete it.
    IT IS THAT SIMPLE

    Well, I tried the anti-virus prog you suggested and it didn't pick it up even on high. Is it the anti-virus you used or their "internet security" prog?
  • Zuntar North Carolina Icrontian
    edited May 2004
    Zuntar wrote:
    OOOOOHHh! I was clickin and a surfin last night and WHAM WHAM WHAM WHAM, antivirus was going nuts saying it was blocking backdoor this and Trojan that. I closed IE. Next thing I know I open up IE again and got the dreaded "about:blank" homepage!! :eek::eek::eek::eek:

    I quickly printed out this thread, and followed OrangeBlood's recommendations.
    I had not rebooted at this point, after downloading and running CWShredder (which found something and deleted it) I went to look in my registry and couldn't find the AppInit_Dlls entry that OrangeBlood wrote about.
    I changed my homepage back to normal, and it was fine. So I took a chance and rebooted, all was fine. I assume since I acted so quickly and didn't reboot that all is OK, but only time will tell. :rolleyes::(:mad:

    Still getting gobs of popups when running IE; about:blank is still gone though.
  • edited May 2004
    I am thinking about starting a class action suit against whoever is behind the website. Does anyone know how to find out who that is, and does anyone know a good internet lawyer they could recommend? This website has to be illegal. I have plenty of money, but let me know if it would just be a waste of time.
  • edited June 2004
    :p
    Go here: http://www.computercops.biz/print-1-43426.html
    Let me know if it worked for you.
    creamypie
  • edited July 2004
    You can try this (It worked for me & is not as hard as it looks) (You might want to copy and paste this)
    1. Download and install Spybot - Search & Destroy.
    2. Run the program.
    3. GoTo Mode -> Advanced Mode, click 'Yes' at the warning.
    4. Click 'Tools'.
    5. Select 'BHOs'.
    6. Select the bold registry entry.
    7. To the right you will see a file (something.dll) ('something' can be any file name) at C:\Windows\System; this is the file that regenerates every time.
    8. Select the registry entry and click 'Remove'.
    9. Click 'Yes' at the confirmation.
    10. Close all open windows and find C:\Windows\System\something.dll
    11. Right click it, select 'Properties' and see that it is 30kb (30,720 bytes) and has only 'General' properties and no 'Version' properties.
    12. Delete it. (Try as long as it takes; it will eventually go.)
    13. Now if the main (.dll) file is the same on all computers you may find a file called 'dhcpcsvc.dll' at C:\Windows\System\ (or your equivalent 'System' folder); it is about 24KB. Right click it, select 'Properties' and again it should have only 'General' properties, no 'Version' properties, AND you will see that the 'Modified' date is earlier (somewhere in 1999) than the 'Created' date.
    14. This is the file that regenerates the other dll file. (We shall call it 'anything.dll'.)
    15. Delete it. (You can't ... mostly)
    16. If you have found the culprit and reached step 15 skip ahead to step 26.
    17. If you don't find the file read on.
    18. First make sure 'Hide hidden files' is off.
    19. To do this open Explorer -> View -> Folder Options -> View. Make sure 'Show all files' is selected. Start from step 13
    20. If you still haven't found the file it means the main dll file's name is different on different computers. Don't worry.
    21. Open your Internet Explorer.(You don't need to be connected).
    22. Open Spybot - Search & Destroy.
    22. In the tools click 'Process List'.
    23. Select 'IEXPLORER.EXE'
    24. See whichever dlls are being used, open 'Explorer' and check their 'Properties'.
    25. Here you will find the dll mentioned in step 13 (it may or may not be named 'dhcpcsvc.dll'); follow the instructions from step 13.
    26. The damn file is being used by Windows, isn't it?
    27. If you have two operating systems you can delete one's dll files from the other operating system and then vice versa. (NOTE: The dll is stored in two or three places; 'Search' for them all and delete ALL of them.)
    28. If you have a single operating system 'Restart in MS-DOS Mode'.
    29. When it restarts type 'cd \windows\system' (without the quotes)
    30. When the directory changes type 'ren anything.dll anything.123'
    31. Type 'exit' and restart windows.
    32. Open Explorer and 'C:\Windows\System', delete 'anything.123'
    33. Almost done, now using 'AdAware' or something like it see if it finds a registry value with something like "HomeOldSP".
    34. Delete this registry entry.
    35. Open your 'Search' or 'Find' program from the Start menu.
    36. Search for the two dlls you painstakingly deleted.
    37. Don't worry if you find them they are dormant copies and should give you no trouble in deleting them.
    38. Make sure you delete all the files even from your 'Recycle Bin'.
    39. If you have Microsoft 'RegClean' use it if not don't bother.
    40. DONE.
  • Hawk Fla Icrontian
    edited July 2004
    Thanks, Mars, for the well thought out & typed reply. I know it took a while to make.
    Hope this can help some with this problem. People have brought these kind of hijackers to the attention of the Congress and they are working on laws against it.
  • edited July 2004
    go to http://www.computing.net/security/wwwboard/forum/12316.html

    see response number 5

    There is a link for an uninstaller and it was the only thing that worked for me.