Web Site keeps displaying and IE Home Page changes to

Posted on 2004-04-08
Last Modified: 2013-12-04
It appears I have an IE Browser Hijack which I am finding extremely difficult to get rid of. Several related items are occurring on my PC.
1)   Every few minutes while dialed-in to the net, web site keeps displaying in a new IE window. This site says I have accessed an illegal Pedo Site and the FBI are tracking my net activities. I know this to be untrue, so I suspect Spyware is doing this.
2)  My home web page is changed to  In my attempts to fix this, home page changed to page.
3)  The following Shortcuts appear on the desktop, Debt Solutions, Party and Party Poker which all take you to site and there is also a Shortcut for "You have visited an illegal Pedo site" which takes you to

I have run SpyBot S&D 1.2, Ad-aware 6.181 and SpyHunter and Norton Internet Security 2004 and all of them have not been able to fix this problem.

I would appreciate it very much if someone could please help me solve this annoying issue. I have run HiJack This and fixed the usual "Search" reg entries, but they came back. I didn't dare fix anything else I was not sure about.

Brian, Melbourne Australia
Question by:bsligar
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 20 total points
ID: 10789204
A). I recommend running some spyware/adware software first:

Spybot @


Ad-aware @


PestPatrol @


Hijack This -

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10789206
Also check your machine for viruses. Make sure your virus definitions are up to date.

Author Comment

ID: 10789243
Thank you for your quick response.
I have already run Spybot, Ad-Aware and Norton Anti-virus today. Anti-virus defs are dated 7 April 2004 and I have auto update on. None of these solved the problem.


Accepted Solution

Joseph_Moore earned 110 total points
ID: 10789447
This is a CoolWebSearch variant, variant# 35, technically. Here is the write-up from's CWS page on this version:
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted: March 2, 2004
Log reference: Reconstruction
Symptoms: IE pages changed to and (, hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry editing and deleting a randomly named file
Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt  

This variant does everything in its powers to redirect you to a domain owned by IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to, and a randomly named stylesheet is dropped that redirects to when certain keywords appear in webpages.
Restoring the IE pages by searching the Registry for, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.  
You need CWShredder from Merijn to get rid of this. It's the only thing that will do it:
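
The identifying lines quoted in the answer above can be checked mechanically. The following is an added example, not part of the original post and not code from HijackThis or CWShredder: it scans a HijackThis log for the indicators the write-up lists (R1 search/start values, O1 hosts redirects, an O4 Run entry launching svchost.exe from outside System32, and an O19 user stylesheet). The function names and reason strings are this example's own, and `hijack.example` and `203.0.113.7` are constructed placeholders for values the page elides.

```python
import re

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$", re.I)
SVCHOST = re.compile(r'([a-z]:\\[^"]*?)\\svchost\.exe', re.I)
# Registry value names taken from the R1 lines in the write-up.
IE_VALUES = ("SearchURL", "Search Bar", "Default_Search_URL", "Start Page_bak")

def rogue_svchost(command):
    """True when svchost.exe is launched from a folder other than System32."""
    m = SVCHOST.search(command)
    return bool(m) and not m.group(1).lower().endswith("\\system32")

def triage(log_text):
    """Return (section, reason, detail) for lines matching the write-up's indicators."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, detail = m.groups()
        run = RUN.match(detail)
        if section == "R1" and any(f",{v} =" in detail for v in IE_VALUES):
            findings.append((section, "IE search/start value to verify", detail))
        elif section == "O1":
            findings.append((section, "hosts file redirect", detail))
        elif section == "O4" and run and rogue_svchost(run.group(2)):
            findings.append((section, "svchost.exe outside System32", detail))
        elif section == "O19":
            findings.append((section, "user stylesheet set", detail))
    return findings

# Constructed sample log; URLs, IP and the [Constructed] entry are placeholders.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://hijack.example/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hijack.example/
O1 - Hosts: 203.0.113.7 search.example
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Constructed] C:\WINDOWS\System32\svchost.exe -k netsvcs
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE):
        print(f"{section:4} {reason:32} {detail}")
```

A hit is a prompt to inspect the entry, not proof of infection: R1 and O1 lines also appear on clean machines, so the value each one points to still has to be checked.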

Author Comment

ID: 10789979

I have followed your instructions and downloaded CWShredder and ran it.
The output report reads;

Removed from your system:
- CWS.Googlems
- CWS.Aboutblank
- 17 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.1
Written by Merijn -

I also ran HiJack This, and this is what it is now showing;   Does it all look OK???  I have been connected to the net for 10mins now and no web pages are popping up. This is a good sign.  

 Logfile of HijackThis v1.97.7
Scan saved at 7:32:13 PM, on 9/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -


Expert Comment

ID: 10790833
Well, I am not the best person at recognizing every running process and startup application that the HijackThis log generates, but to me, it looks good. I had a question on one of the BHO objects (browser helper objects):  
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

I looked that one up here:
and it was listed as not being spyware, technically. It is for an HP and/or Veritas object. Is this an HP/Compaq machine?

So, CWShredder got rid of  17 objects, so you "should" be fine now, but remember, you can get re-spywared later on. You need to be careful with your browsing. Run Ad-Aware every couple of days. Run a popup blocker (they really do help keeping the junk off). Get and stay up-to-date on Windows and IE patches from Microsoft.

Glad it's working.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10791168
It's part of the HP CD burning software I believe for an HP CD burner.

Expert Comment

by:Dale May
ID: 10792379
Also you may want to install the Sun Java program.  Microsoft ended their support of Java January 1st 2004.  Uninstall the Microsoft version first then go to for the latest version.  d_may

Author Comment

ID: 10794294
Joseph,  Everything is now running as normal. Thank you very much for your help in solving my problem. I have an external HP CD Burner attached to my DELL 8300 PC using RecordNow burning software. diggisaur, you are correct with your comment.   Thanks d_may for your tip on how to replace my Java MV. This item can be closed now and Joseph will be awarded the most points. Thanks everyone for your time and help.

Expert Comment

ID: 10795541
Cool! Good luck in the future on staying clean.

Question has a verified solution.
