Hi-jacker

  Winchman 12:14 07 Jun 04
Locked

My Home page (about:blank) has been highjacked by an unknown search page. The search page displays even though the address shown in IE is "about:blank". If go into IE internet options and select "Use blank" for my home page the rogue search page still displays. Even if I select the Microsoft default as the home page, when I start Internet Explorer the home page is changed back to about:blank and the rogue search page displays again. Whether I am working on-line or off-line, this search page is always displayed. Spybot and NoAdware software both detect nothing. I have looked in the System Registry and local and home page references still refer to blank.htm or about:blank. Search Page references appear as a series of numbers with % between, and if I amend these to the normal microsoft serach references these are then changed back to the number and %. There is clearly some code being run when either the system or IE is started and it would also appear that the about:blank URL has been hi-jacked. Can anyone advise what may be going on, and hoe to correct it?

Thanks

  Nellie2 12:52 07 Jun 04

Please download hijackthis and send me the log by clicking on the little envelope by my name. You can also post it here if you wish. I will get back to you tonight.

Instructions on downloading and using HJT click here

  Nellie2 19:45 07 Jun 04

Hi

Download 'Dllfix.exe' from:

click here or click here

And save it to your desktop

It is a self-extracting archive; double click on it.

IMPORTANT!: Before you run this tool please close ALL running programs and ALL Windows except dllfix.

Open the DLLFIX folder and double click on Start.bat.

*Note: If your Antivirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter.

Let the program run.

When finished, Press 'E' to exit.


Open the DLLFix folder.
1. Post the contents of Output.txt in this thread.

I shall reply to the email you sent me so that you have my email address.
Can you email me back and attach the Attach file Windows.txt to the email. Don't post it here.

Thanks

  Winchman 10:03 08 Jun 04

Hi,

Output.txt file as below:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Tue 08/06/2004
9:55

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (07D1:0117) - FS:FAT clusters:32k
Total: 39 981 481 984 [37G] - Free: 26 469 466 112 [25G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe
*Media Player version :

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings



Locked or 'Suspect' file(s) found...


Scanning for main Hijacker:
File found was C:\WINNT\System32\ANJH.DLL
Md5 tested As 027F60F048B78ABF3E49E75D6447024B


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86747151-AF95-4D1F-AF5E-B18C3A64098A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D90F47BA-CE22-4084-BFD7-BE2A176580A8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D90F47BA-CE22-4084-BFD7-BE2A176580A8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (click here)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

Thanks again

  Nellie2 18:38 08 Jun 04

Hi Winchman

There are a couple of things we need to do before we get down to the serious fix.

You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the copy of hijackthis that you have on your desktop.

Then run hijackthis again, make sure all browsers and windows are closed except for hijackthis, put a check against the following and click fix checked.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: 198.65.164.171 ehttp.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 click here
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 click here

O4 - HKLM\..\Run: [CFJMP] C:\WINNT\CFJMP.exe

If you haven't set the policy to lock your home page then have hijackthis fix these as well.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If you have set the policy could you please disable it for the time being.

NOTE: In case anyone wants to jump in here, I have left the Coolweb infection alone on purpose!!!

Now I wan't you to download Coolweb Shredder from click here

Extract it to your desktop but DO NOT USE IT YET.. we will need it later.

If you haven't already got it then download Adaware and set it up as described below, but again, do not use it yet.

(please ensure you have version 6 build 6. 181)

Downloads - Support - Lavasoft#free: click here

The following explains how to set Ad-aware's settings to perform a "Full Scan."
And some settings that should be made prior to using the first time.

In Ad-aware click the Gear to go to the Settings area.
The following items should be on a green check, not on a red X.
Under the Scanning button:
Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Tweak button...
Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot

UNCHECK Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.

Now press "check for updates Now" Always check before scanning.

I shall post another set of instructions shortly

  Nellie2 18:50 08 Jun 04

Now, open the DLLFIX folder and double click on Start.bat.

At the main menu, press '2' (Run Fix) and enter.

At the second menu, press '1' (Enter DLL Name Manually) and enter.

At the prompt, enter: ANJH.DLL

Your system will reboot in 15 seconds and begin the fix.

When finished, there will be a log (log.txt) in the dllfix folder.

Now you can run Coolweb Shredder and click the 'fix' button. It will fix all the CWS remnants.

Then run Adaware, select 'custom scan' and let it fix all it finds.

Reboot

Run HiJackThis again and post a new log in this thread.

Run Start.bat from the dllfix folder again.

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter.

Let the program run.

When finished, Press 'E' to exit.

Post the output.txt, logs.txt and the saved HiJackThis log in this thread.

  Fruit Bat 18:54 08 Jun 04

If your home page has reverted to about : blank you have been hijacked by coolweb search.

to get rid of it download and run CW Shredder click here

/\0/\

  Winchman 13:35 11 Jun 04

Hi Nellie2

Re my last message I continued with fix and Adaware 6 successfully identified and removed the bad entries in the hosts file. Have completed fix all looks OK. Very many thanks. Am posting file contents as requested
output.txt
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 11/06/2004
13:12

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (07D1:0117) - FS:FAT clusters:32k
Total: 39 981 481 984 [37G] - Free: 26 326 532 096 [25G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe
*Media Player version :

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings



Locked or 'Suspect' file(s) found...


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (click here)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Winchman

  Winchman 13:38 11 Jun 04

Nellie2
Next file
logs.txt
CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 11/06/2004
11:56

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Nigel Cheetham\Desktop\dllfix
Scanning for Locked File
Processing File Manually
C:\WINNT\system32\ANJH.DLL
Md5 Check of C:\WINNT\system32\ANJH.DLL

Md5 tested As 027F60F048B78ABF3E49E75D6447024B
File was found but md5 didnt match
MD5 was: 027F60F048B78ABF3E49E75D6447024B
Resetting file attributes
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Nigel Cheetham\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Hijackthis Log

  Winchman 13:41 11 Jun 04

Nellie2
Hijackthis log
Logfile of HijackThis v1.97.7
Scan saved at 13:08:46, on 11/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\SYSTEM32\tbctray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Solution Center\Service.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Nigel Cheetham\My Documents\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CFJMP] C:\WINNT\CFJMP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winspool.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [System Update2] c:\docume~1\nigelc~1\applic~1\winspool.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Dell Service.lnk = C:\Program Files\Dell\Solution Center\Service.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C31BFBF-8F52-41B5-AE99-4F4427FA9E69}: NameServer = 135.196.0.6,135.196.0.14

  Nellie2 15:39 11 Jun 04

Hi Winchman.

Looks like we got it!! Well done. There are a couple of things that need cleaning up from your log, the R1 items are left overs from the about:blank hijack and the O4 items are Coolweb that doesn't seem to have been picked up by CW Shredder.

So,run hijackthis again and make sure all browsers and windows are closed except for hijackthis. Put a tick against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winspool.exe

O4 - HKCU\..\Run: [System Update2] c:\docume~1\nigelc~1\applic~1\winspool.exe

Boot into save mode and find and delete the following;

C:\WINNT\System\winspool.exe <--- file

c:\docume~1\nigelc~1\applic~1\winspool.exe <--- file

I also suggest you purge your temp files too.

Make sure you go to windows update and download any critical updates you are missing. If you are up to date with your updates then you should be protected from this sort of thing.

One last thing, you need to upgrade or patch your version of Adobe.. there are security vulnerabilities in version 5 click here

Happy Surfing!! :)

This thread is now locked and can not be replied to.

Best phone camera 2016/2017: Galaxy S7 vs iPhone 7 vs Google Pixel vs HTC 10 Evo vs OnePlus 3T vs…

1995-2015: How technology has changed the world in 20 years

These are the Best Christmas Ads and Studio Projects of 2016

Super Mario Run preview | Hands-on first impressions of Super Mario Run: Mario's iPhone & iPad…