Hijacked Browser

Discussion in 'Malware Help (A Specialist Will Reply)' started by pikapp0453, Mar 19, 2005.

  1. pikapp0453

    pikapp0453 Private E-2

    Hey guys, need help. I've been through all the spyware programs as demanded by Major Attitude and I've tried to remove the hijack lines as directed in Chaslang's post: "When all else fails - Generic solution to HSA (Only the Best) & About:Blank hijack" but to no avail. Unfortunately when I boot back into normal mode and click on I.E. it will go to my home page one time but after that it's back to the About:Blank and I also have the "Only the Best" pop-up windows. I've been working on this for 4 days and I give up. I'm forced to ask for help from the pros.
    I have run Hijack This twice and tried removing the hijack lines but I must be missing the main one. When you tell me to run another one I will and I will post my log. Thanks, in advance for your help.

    :rolleyes:
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Will check back when time permits! :)
     
  3. pikapp0453

    pikapp0453 Private E-2

    Thanks for your response. I went back through the steps again because the first 2 times I did this I couldn't get AboutBuster to work. I learned later that I had to take it and the other files out of the zipped file and put them together in a folder to get it to work properly. Apparently, at the moment my problem is gone. I've opened and closed IE several times and my home page isn't being reset and no "Only the Best" pop ups. I don't know if this helped also but I think it did. This line (which I deleted): O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaco.exe (file missing). I also found the funky looking letters in my registry but not in a place that Chaslang's post said to look and when I clicked on that key the javaco.exe/s file was in there so I just deleted the whole key. Those were the only 2 things I did differently this time and when I found the javaco.exe/s I was towards the end of the cleaning in safe mode and was getting ready to reboot and see if I still had the same problem. Unfortunately, I can't remember exactly which key it was in but I think it was in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum and when I expanded Enum it was the very first entry. I thought it looked suspicious and when I opened it and saw that file javaco.exe/s which I thought I had already searched for I figured it was safe to delete it. I searched for the file javaco.exe and left off the /s, maybe that's why it wasn't found. So far so good but if it messes up again I'll re-run HiJack This and post the log. Thanks!!!
     
  4. TheOldThug

    TheOldThug First Sergeant

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to attach a current HJT log from normal mode. This infection isn't that easy to remove. If you want this thing gone for good attach a HJT log and we will go from there.
     
  6. pikapp0453

    pikapp0453 Private E-2

    Ok, I attached a current Hijack This log. I did notice a different entry that hasn't been there yet and that is a BHO line with spybot, you'll see what I mean. Thanks for the help.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - Default URLSearchHook is missing

    O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ6\VJ98\wfcforms.cab
    O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ6\VJ98\vstudio6.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a8d77103/enter.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/179bdf5336e89aca6117/netzip/RdxIE.cab

    O19 - User stylesheet: (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you do all of the above, REBOOT! Scan with HijackThis and attach the new log.
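
An added example, not part of the original thread and not HijackThis code: a small triage script that parses `<code> - <text>` log entries like the ones quoted above and says why each deserves a closer look. The rule set and hint wording are assumptions made for illustration; a hint means "review this entry", not "this entry is malicious".

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample input: log lines quoted in this thread (posts 3 and 7).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ6\VJ98\wfcforms.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/179bdf5336e89aca6117/netzip/RdxIE.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaco.exe (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

def reasons(code, body):
    """Triage hints for one entry (illustrative rules, assumed for this example)."""
    found = ["referenced item missing"] if "missing" in body.lower() else []
    if code == "R1" and re.search(r"Proxy\w+\s*=\s*(127\.|localhost)", body):
        found.append("proxy setting points at loopback")
    if code == "O16":
        # The download source is the last ' - ' separated field of a DPF entry.
        url = urlparse(body.rsplit(" - ", 1)[-1])
        if url.scheme == "file":
            found.append("ActiveX source is a local path")
        elif url.hostname:
            try:
                ipaddress.ip_address(url.hostname)
                found.append("ActiveX source is a raw IP address")
            except ValueError:
                found.append("ActiveX source is a remote host")
    if code == "O23":
        if "Unknown owner" in body:
            found.append("service owner unknown")
        if not body.isascii():
            found.append("non-ASCII characters in service entry")
    return found

def triage(log_text):
    """Return {entry line: [hints]} for every entry that matched a rule."""
    flagged = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m and (hits := reasons(*m.groups())):
            flagged[line.strip()] = hits
    return flagged

if __name__ == "__main__":
    for entry, hits in triage(SAMPLE_LOG).items():
        print(f"{entry[:60]:60}  {'; '.join(hits)}")
```
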
     
  8. pikapp0453

    pikapp0453 Private E-2

    Okay, I've done what you asked and I'm attaching the Hijack This log after the reboot. Thanks again!
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log looks clean to me! :)

    Are you currently experiencing any further problems?
     
  10. pikapp0453

    pikapp0453 Private E-2

    So far, so good. The last lines you had me delete were they also hijack lines or did they just look suspicious to you? Also, I have Norton Anti-virus on this machine and I keep the definitions current and about the same time this started happening Norton detected an adware file called HDPlugin1101.dll--Adware.Gator in my Downloaded Program Files folder. When I navigated to that folder it wouldn't let me open it. I scanned my computer again with Norton today just to see if it would still find the file and it does but the same thing, when I click on that folder there is nothing there and I've checked the option to show all files on Windows. Have you ever heard of anything like that and should I be worried about it?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The ones I had you remove are baddies. I think we already deleted them but if they exist they will appear in that folder.

    You should see this article on How to Protect yourself from malware!
     
  12. pikapp0453

    pikapp0453 Private E-2

    Consider it done!!! Thanks again for taking the time to help. I may be doing this again soon on a computer at work that must have the same thing I had. The battle continues.... :cool:
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad everything is working fine for you :)

    Browse Safely!
     
