res://shdocpl.dll/blank.htm

Paul

I have run the Microsoft AntiSpyware and Ad Aware several
times, both in regular XP mode & Safe mode, yet my
default web page keeps resetting back
to "res://shdocpl.dll/blank.htm". I have used the
feature in MS AntiSpyware to reset all of my browser
settings, but that also didn't work. Please help.
 
AndyManchesta

Hi Paul

You have been infected with a variant of CoolWebSearch.


Try using the CWShredder below, then download Hijack This.


CWShredder

http://cwshredder.net/bin/CWShredder.exe


Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Save Hijack This to either the desktop or the C: drive, extract
and run Hijack This, choose to do a scan and save the
logfile.


The entries you need to fix are these :


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpl.dll/blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [FastStart] C:\WINNT\system32\svcnut.exe home

Tick all these entries if you find them, close any other
open windows before fixing, then choose 'fix checked'.


If you find the O4 entry then also remove this file below:

C:\Windows\system32\svcnut.exe


Open an Internet window, go to Tools on the top bar then
Internet Options, delete cookies and files (choose delete
all offline content when deleting files).
Then go to the Programs tab and choose 'Reset Web
Settings'.

Go to Start > Run and type

C:\Windows\Prefetch

Delete everything from this folder.


Then reboot and see if we've killed this. If not, post your
hijack log to my email address or post it on here and I
will check it for any other malicious entries.


Good luck Andy
 
Paul

Andy, Thanks a million. I'll give it a try this weekend.
I have tried CD Shreader but it didn't pick it up. Also,
I have used Bazooka which initially picked up iSearch as
the problem, but after a few scans with Ad Aware & the MS
program, Bazooka said it was resolved. Yet, the browser
still defaulted to res://shdocpl.dll/blank.htm. I'll give
Hijack a try.

Thanks again.
 
AndyManchesta

Hi Again

These can be a pain to remove. I mentioned CWShredder as a
starting point but it's useless really unless you have an
old infection. Now it's owned by Intermute it doesn't seem
to be getting any updates at all. That's just my opinion
though ;)

There are a few other removers that can be used to kill
a lot of the new variants, but Hijack This is always good
to show how bad things really are.

A good start when you save the Hijack This logfile (this
will open the scan results in Notepad):

Copy all the logfile then take it to either of these
sites:

http://www.hijackthis.de/en

http://www.help2go.com/modules.php?name=HJTDetective


Then paste the log onto the site and press Submit for
Help2go or Analyse for Hijack.de. It will give some
details on each of the entries and let you know what
needs fixing. Don't really remove things unless they
confirm they are nasty; if they say it's unknown then best
leaving them for now as they may be genuine. If you need
any advice, post the log or email it.


With iSearch you could also check for that in Hijack
This; it would show as:


R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab


Also check Hijack This for any host hijacks

(they're the entries listed in the format O1 - Hosts:
127.0.0.........)

Example:

O1 - Hosts: 127.0.0.9 www.symantec.com


Let me know if I can help though

Regards Andy
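
An added example, not part of the original posts: a small Python triage script that scans a saved HijackThis log for three of the entry patterns listed in this thread (a start or search page pointing at a res:// DLL resource, the missing default URLSearchHook, and an O1 hosts line mapping a real hostname to a loopback address). The sample log is constructed from the entry formats quoted above; the function name and the heuristics are assumptions of this example, and O4 Run entries are left for manual review.

```python
import ipaddress
import re

# Constructed sample log, built from the entry formats quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpl.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 www.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [FastStart] C:\WINNT\system32\svcnut.exe home
"""

# A HijackThis entry is "<group code> - <body>", e.g. "R0 - ..." or "O16 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def review_hjt_log(text):
    """Return (code, reason, body) tuples for entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # log header, blank line, or anything that is not an entry
        code, body = m.groups()
        if code in ("R0", "R1") and "=" in body:
            # Registry-backed page setting: "<key>,<value name> = <data>"
            data = body.split("=", 1)[1].strip()
            if data.lower().startswith("res://"):
                findings.append((code, "IE page setting points at a DLL resource", body))
        elif code == "R3" and "URLSearchHook is missing" in body:
            findings.append((code, "default URLSearchHook is missing", body))
        elif code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) < 2:
                continue
            try:
                addr = ipaddress.ip_address(parts[0])
            except ValueError:
                continue  # malformed address: leave it for manual review
            # Any 127.x.x.x address is loopback; only "localhost" belongs there.
            if addr.is_loopback and parts[1].lower() != "localhost":
                findings.append((code, "hostname redirected to loopback", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in review_hjt_log(SAMPLE_LOG):
        print(f"{code}: {reason}: {body}")
```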
 
AndyManchesta

I forgot to include my email in the last post. If you have
any problems let me know.

(e-mail address removed)


Regards Andy
 
