
Homesearch hijacking/Win32.Winshow trojan

Discussion in 'Windows XP' started by sun devil88, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. sun devil88

    sun devil88 Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    3
    Help! I'm running Windows 2K with SP3. My home page has been hijacked. I've got kids, so I've had this happen before, but this time it's got me baffled.
    During the startup of my home page, a text box opens to tell me that "Windows has detected spyware software sspMydoom.cih". Once I acknowledge that, my eTrust EZ Antivirus popup opens to tell me that I've got some variant of the Win32.Winshow trojan. Each time I open the home page, a different variant is identified by EZ Antivirus.

    I've run HijackThis and Ad-Aware Personal SE. I've run CWShredder. I've rebooted at the appropriate times. Nothing works. So, here's my log file. Please tell me how to eliminate this pesky little varmint.

    Logfile of HijackThis v1.99.0
    Scan saved at 5:28:55 PM, on 1/29/2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
    C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    C:\WINNT\System32\??plorer.exe
    C:\Documents and Settings\TJBurke\Application Data\aitu.exe
    C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\InterMute\PopSubtract\PopSub.exe
    C:\Cleanup Software\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1045
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5A95BE2A-4F9F-7AED-6BE3-46D56174F791} - C:\WINNT\system32\atlvj32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
    O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [23vi] C:\documents and settings\tjburke\local settings\temp\23vi.exe
    O4 - HKCU\..\Run: [Bijhll] C:\WINNT\System32\??plorer.exe
    O4 - HKCU\..\Run: [Stcr] C:\Documents and Settings\TJBurke\Application Data\aitu.exe
    O4 - Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8a61b91d/enter.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Hopefully soon to be forever in your debt.

    Tom
     
  2. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
  3. sun devil88

    sun devil88 Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    3
    Thanks for your prompt reply and the suggestions. I've been using Spybot following each foray onto the internet. I failed to run it after my kids were on it last night, though. It doesn't help.
    The link to housecall generates an error in Internet Explorer and shuts it down. Three times so far. The pandasoftware link tells me to wait a few minutes. I figure after about 15 on a cable modem there's something wrong. So that doesn't work either. Thanks for your help, though.
     
  4. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    OK, put a tick by EACH of the following and have HijackThis FIX them after closing any open windows:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xrrqn.dll/sp.html#44768
    R3 - Default URLSearchHook is missing

    Also suggest you go here to see how you can get rid of that problem: http://www.pestpatrol.com/pestinfo/w/win32_winshow_q_trojan.asp
     
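The fix list above is built by eye from the log in the first post. The script below, an added example that is not part of this thread and not a HijackThis feature, applies the same reasoning mechanically: it parses a HijackThis log and flags the R0/R1 `res://` search redirects, the `localhost` proxy, the missing URLSearchHook, the nameless BHO, the O4 autoruns living in Temp/Application Data or carrying a `?` in the filename (`?` is not a legal character in a Windows filename, so HijackThis is showing a character it could not render), and the O16 ActiveX download from an unrecognised host. The sample lines are copied from the posted log; the `KNOWN_DPF_HOSTS` allowlist and the `USER_WRITABLE` directory list are my own assumptions, not anything the thread specifies.

```python
"""Triage a HijackThis log and list the entries worth ticking for Fix.

Added example, not code from the thread or from HijackThis itself.
The scoring rules are heuristics for CoolWebSearch-style IE hijacks.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines from the log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xrrqn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1045
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5A95BE2A-4F9F-7AED-6BE3-46D56174F791} - C:\WINNT\system32\atlvj32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [23vi] C:\documents and settings\tjburke\local settings\temp\23vi.exe
O4 - HKCU\..\Run: [Bijhll] C:\WINNT\System32\??plorer.exe
O4 - HKCU\..\Run: [Stcr] C:\Documents and Settings\TJBurke\Application Data\aitu.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8a61b91d/enter.cab
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumption: autoruns launched from these user-writable locations are not legitimate software.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")
# Assumption: ActiveX (O16) downloads from these hosts are expected on this machine.
KNOWN_DPF_HOSTS = ("microsoft.com", "yahoo.com", "yimg.com", "apple.com.edgesuite.net", "rr.com")


def suspicious(section, body):
    """Return a reason string if the entry looks like part of the hijack, else None."""
    low = body.lower()
    if section in ("R0", "R1"):
        if "res://" in low:
            return "IE search/start page redirected into a local DLL resource (res://)"
        if "proxyserver" in low and re.search(r"(localhost|127\.0\.0\.1):\d+", low):
            return "IE proxied through a local port: a resident process is rewriting browser traffic"
        if "proxyoverride" in low and "127.0.0.1" in low:
            return "ProxyOverride set alongside the local proxy; fix together with ProxyServer"
        if "default_page_url" in low and low.endswith("= about:blank"):
            return "HKLM Default_Page_URL forced to about:blank, the CWS about:blank variant marker"
    elif section == "R3" and "missing" in low:
        return "default URLSearchHook removed; Fix restores the default"
    elif section == "O2" and "(no name)" in low:
        return "unnamed BHO loaded from system32: legitimate vendors do not ship nameless BHOs"
    elif section == "O4":
        path = body.split("] ", 1)[-1].lower()          # text after the [Name] tag
        if "?" in path:
            return "'?' is illegal in a Windows filename, so HijackThis could not print the real name"
        if any(d in path for d in USER_WRITABLE):
            return "autorun pointing into a user-writable Temp/profile directory"
    elif section == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS):
            return f"ActiveX download from unrecognised host {host}"
    return None


def triage(log_text):
    """Return [(line, reason)] for every log entry matching a rule, in log order."""
    hits = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                                    # process list, headers, blank lines
        reason = suspicious(m["section"], m["body"])
        if reason:
            hits.append((line, reason))
    return hits


def fix_list(log_text):
    """Just the lines to tick in HijackThis before pressing Fix checked."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {reason}")
```

Two caveats apply to whatever the script lists. Fixing an O4 entry removes only the Run value, not the executable it points at, so the file in Temp or Application Data has to be deleted separately; and because the processes listed in the log (`??plorer.exe`, `aitu.exe`) are still running while HijackThis writes, they can re-create the keys before the reboot, which is consistent with the hijack surviving the Fix in this thread. Kill those processes, or fix from Safe Mode, before ticking the entries.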
  5. sun devil88

    sun devil88 Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    3
    Telecom69,

    I must have the nastiest version of this monster around. I've done as you suggested with regard to having HijackThis fix the entries. I've also gone to the PestPatrol website. I then downloaded and ran the application. It still does not remove the trojan. Immediately after rebooting and starting IE, I get the same message identifying the detection of the Win32.Winshow trojan.

    I also still get a message saying that sspMydoom.cih version 2.0108 has been detected and that someone is trying to access me through port 245. It offers up a location for "help". They're all apps for spyware removal.

    I'm trying everything but nothing, short of a reformat of my hard drive, appears to be working.

    Again, thanks for all of your help.
     
Short URL to this thread: https://techguy.org/324767