Hijacked homepage - Help please

My friend's homepage is hijacked. She would be appreciated if anyone can help her out of this problem.

Her homepage has been changed to an on-line shopping page and she can't manage to change it. the address of the homepage reads as:about:blank

She has ran ad-aware and spybot and have fixed all what the found. Still that unknown homepage is sitting there as soon as we launch IE.
This is the logfile of Hijackthis. I hope somebody can help us.

Any kind of help is much appreciated.

with Regards
Kazu



Logfile of HijackThis v1.98.0
Scan saved at 17:09:25, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmdexe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\amir\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cs.nott.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wwwcache.nottingham.ac.uk/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.nottingham.ac.uk:3128
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D0AC7F7-B628-4581-A8B2-14D97F24AA76} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

 

Get CWShedder and run it with all browsers closed using the Fix Option. Reboot and then post a new HJT log. The link is below.

 

thank you very much for your quick response.

I'm at work now and will be at her PC in 3 hours. I'll follow your instruction and will be back with a new logfile.

Million thanks

 

This is her logfile after running CWShredder and rebooting.

Our thanks, once more.




Logfile of HijackThis v1.98.0
Scan saved at 05:37:40, on 30/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\amir\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cs.nott.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\amir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wwwcache.nottingham.ac.uk/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.nottingham.ac.uk:3128
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D0AC7F7-B628-4581-A8B2-14D97F24AA76} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

 

Hi

is this perhaps the "Hidden DLL about:blank" variant of CWS which Merijn speaks of here

if so, unfortunately he also says that this variant is beyond the scope of CWShredder:

>I'm sorry to say CWShredder will not include the 'hidden dll about:blank' variant, since removing it goes beyond what I can accomplish with Visual Basic. The PV.ZIP fix Shadowwar created can be used for that.<

hope you get it fixed, and best wishes... HJ

 

Thanks for trying to help

 

Temp\sp.html

Hi MnInShdw

Open cwsredder and tell us what version you are using please.
It will get the sp.html in the temp, but like Hugh says not if there is an hidden dll in the apininit involved, my guess is you arent using the current version


So if its not Vesion 1.59.1 go get and run it,, be aware though if you do not unzip it it will not fix the problems, if it can, might appears to but wont..
and reboot than post a new log.

 

there are far better log readers than me! - but I checked it against the other about:blank CWS variants and it looks significantly different...

plus, if the pesky thing is returning after an attempt to fix with CWShredder, the "hidden dll about:blank" version has to be at least a possibility.

good luck, HJ.

 

Download this zip.

http://tools.zerosrealm.com/pv.zip

Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping open the pv folder. Double click on the runme.bat. A dos window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this post.

 

Sorry for the delay in replying.

I checked and the version was 1.59.0. I downloaded the latest 1.59.1 version and run it. the problem is over. and her homepage is back.

thanks for all who helped us to get ride of it.

Though the problem is over, I just thought you may want to take a look at it and give us more advices if you find unnecessary items. here is the log file:
(it's too long and I will devide it into two or three parts)

thanks for your help and assist.


Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHELL32.dll 773d0000 8359936 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
iphlpapi.dll 76d60000 90112 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

 

CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
msutb.dll 5fc10000 196608 C:\WINDOWS\System32\msutb.dll 5.1.2600.1106 (xpsp1.020828-1920) MSUTB Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
wmpband.dll 7610000 94208 C:\PROGRA~1\WINDOW~2\wmpband.dll 9.00.00.2980 Windows Media Player
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1254 (xpsp2.030801-1834) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
NalExpEx.dll 10000000 131072 C:\WINDOWS\SYSTEM32\NalExpEx.dll 2001, 6, 29, 0 ZENworks Application Explorer Execution Hook
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\SYSTEM32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
RASAPI32.dll 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
wininet.dll 63000000 614400 C:\WINDOWS\system32\wininet.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1152 (xpsp2.021217-1051) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
msi.dll 1a60000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
CTHook.dll 930000 57344 C:\Program Files\Creative\Shared Files\CTHook.dll 1.0.1.0 CTHook.dll
NOVNPNT.DLL 58200000 806912 C:\WINDOWS\System32\NOVNPNT.DLL v4.83 Novell NetWare Provider
CALWIN32.DLL 50d20000 163840 C:\WINDOWS\System32\CALWIN32.DLL 5.5.8 NetWare® Calls Library
CLNWIN32.DLL 50d00000 86016 C:\WINDOWS\System32\CLNWIN32.DLL 5.5.8 NetWare® Client Library
LOCWIN32.DLL 50df0000 131072 C:\WINDOWS\System32\LOCWIN32.DLL 5.4.20 NetWare® Localization Library
NCPWIN32.dll 50db0000 167936 C:\WINDOWS\System32\NCPWIN32.dll 5.5.8 NetWare® Core Protocol Library
NETWIN32.DLL 50d50000 282624 C:\WINDOWS\System32\NETWIN32.DLL 5.5.8 NetWare® Net Library
WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
CLXWIN32.DLL 50da0000 45056 C:\WINDOWS\System32\CLXWIN32.DLL 5.5.8 NetWare® Connection Library
MAPBASE.dll 58300000 229376 C:\WINDOWS\System32\MAPBASE.dll v4.83 Novell NetWare Provider
NWSHLXNT.dll 58380000 200704 C:\WINDOWS\System32\NWSHLXNT.dll
MAPBASER.DLL 6a400000 110592 C:\WINDOWS\System32\NLS\ENGLISH\MAPBASER.DLL v4.83 Novell NetWare Provider
NWSHLXNR.DLL 2780000 69632 C:\WINDOWS\System32\NLS\ENGLISH\NWSHLXNR.DLL
NOVNPNTR.DLL 2fb0000 466944 C:\WINDOWS\System32\NLS\ENGLISH\NOVNPNTR.DLL v4.83 Novell NetWare Provider
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
shmedia.dll 5cad0000 135168 C:\WINDOWS\System32\shmedia.dll 6.00.2800.1157 (xpsp2.021217-1051) Media File Property Extractor Shell Extension
MSVFW32.dll 73bd0000 131072 C:\WINDOWS\System32\MSVFW32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Video for Windows DLL
AVIFIL32.dll 73b50000 86016 C:\WINDOWS\System32\AVIFIL32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft AVI File support library

 

WMVCore.DLL 8530000 2084864 C:\WINDOWS\System32\WMVCore.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media Playback/Authoring DLL
WMASF.DLL 7260000 233472 C:\WINDOWS\System32\WMASF.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media ASF DLL
SXS.DLL 75e90000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
zipfldr.dll 73380000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1164 (xpsp2.021217-1051) Compressed (zipped) Folders
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
DUSER.dll 6c1b0000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
jsproxy.dll 65af0000 28672 C:\WINDOWS\system32\jsproxy.dll 6.00.2600.0000 (xpclient.010817-1148) JScript Proxy Auto-Configuration
scrauth.dll 56d0000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
ScrBlock.dll 5800000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
dadkeyb.dll ee0000 77824 C:\Program Files\Dell\QuickSet\dadkeyb.dll
ymmapi.dll 64000000 184320 C:\PROGRA~1\Yahoo!\Common\ymmapi.dll 2003, 10, 31, 1 YMMAPI Module
NavShExt.dll 16a0000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module
ccTrust.dll 3140000 106496 C:\WINDOWS\System32\ccTrust.dll 1.0.10.002 Common Client ccTrust
MSVCP60.dll 55900000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
MYBAR.DLL 2460000 249856 C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL 1, 1, 0, 2 My Way Speedbar
ycomp5_3_12_0.dll 68000000 315392 C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll 2004, 1, 7, 1 Yahoo! Companion 5.3 for Internet Explorer
AcroIEHelper.dll 3ee0000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SDHelper.dll 3ef0000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
IEHelp.dll 3fc0000 409600 C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll

 

Good to hear it's gone. Keep a check on it. Should it return, post back to this thread.

Get rid of this one by deleting the MyWay folder.
MYBAR.DLL 2460000 249856 C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL 1, 1, 0, 2 My Way Speedbar

 

::NOTE::

in the source of the sp.html page is the site you can go to and get the uninstaller for the "hijack ". its linked to the javascript at the bottom.

hxxp://oz.msie.tv

kinda old, took me while to read this far, but maybe it will be an easier fix for somebody else.

 

Thanks for your input. It would be useful for future problems.


MnInShdw

 

stealth2
Please do not post links to sites such as that , dont you think if there were a SAFE uninstall we here and at other forums would have found and be using it ?

To any here, If you are able to get there,(ive edited the http) then you need a good hosts file that would have prevent it !!!

 

Lonny Jones

Thanks for your warning. I hadn't enough time to check the URL and had added it to MyFavorites.


MnInShdw