
Problems with changed home page, popups

Discussion in 'Virus & Other Malware Removal' started by Roymus, Jan 5, 2004.

Thread Status:
Not open for further replies.
  1. Roymus

    Roymus Thread Starter

    Joined:
    Dec 4, 2003
    Messages:
    16
    Our CEO is having a problem where his home page keeps changing to some sort of directory page: res://mshp.dll/index.html. Weird. Also, he keeps getting a popup blocker ad. I suspect he's been hijacked (he had the ehttp problem a couple of months ago). Can anyone suggest a fix? I've attached the log below...thanks!

    Roy

    Logfile of HijackThis v1.97.7
    Scan saved at 2:26:56 PM, on 1/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Treo Mail\vma.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINDOWS\System32\wuauclt.exe
    X:\Utilities\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agsi.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=10213
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\gfellows\Application Data\iefeatsl\iefeatsl.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\gfellows\APPLIC~1\iefeatsl\msiesh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - Startup: Treo Mail Desktop Assistant.lnk = C:\Program Files\Treo Mail\vma.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-115182633866} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.5475694444
    O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://192.246.171.15/agsi/Tx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AGSI.local
    O17 - HKLM\Software\..\Telephony: DomainName = AGSI.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17BE3319-2D23-4BBA-9AC8-269CBAB68A4B}: NameServer = 192.168.111.6
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AGSI.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17BE3319-2D23-4BBA-9AC8-269CBAB68A4B}: NameServer = 192.168.111.6
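As an added example (not from the thread or from HijackThis itself), a small Python triage script that flags the three kinds of entries the replies below treat as the hijack: IE page settings pointing into a DLL via res://, BHOs loading from a user profile directory, and a DPF entry in the mhtml:file://...!http:// form. The sample lines are copied from Roy's log above; the rules are this editor's assumptions, not HijackThis's own logic.

```python
import re

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\gfellows\Application Data\iefeatsl\iefeatsl.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\gfellows\APPLIC~1\iefeatsl\msiesh.dll
O16 - DPF: {11111111-1111-1111-1111-115182633866} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Profile-directory markers, including the 8.3 short names (DOCUME~1, APPLIC~1) HijackThis prints.
PROFILE_DIR_RE = re.compile(r"documents and settings|docume~1|application data|applic~1", re.I)

def triage_line(line):
    """Return the reasons one HijackThis line looks like part of the hijack ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value.startswith("res://"):
            # Start/search page served out of a DLL resource, as with mshp.dll above.
            reasons.append("IE page setting points at a res:// DLL resource")
    elif kind == "O2":
        dll_path = body.rsplit(" - ", 1)[-1]
        if PROFILE_DIR_RE.search(dll_path):
            # Legitimate BHOs normally live under Program Files or Windows, not a user profile.
            reasons.append("BHO DLL is loaded from a user profile directory")
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].lower()
        if url.startswith("mhtml:") and "!http" in url:
            # mhtml:file://<nonexistent .mht>!http://... falls through to the remote URL.
            reasons.append("DPF uses the mhtml:file://...!http:// redirection form")
    return reasons

def triage_log(text):
    """Map each flagged log line (stripped) to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings
```

Lines for the Adobe BHO, the Flash control and the lookfor.cc search page are deliberately left unflagged, since these rules key on where code loads from, not on a hostname list.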
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click on the link below to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

    http://www.merijn.org/files/cwshredder.zip

    When it is finished restart your computer.

    To help prevent this from happening again, I strongly recommend you install the following patches for the vulnerabilities that this hijacker exploits:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp

    *Note: The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates".


    Go here http://www.lavasoftusa.com/support/download/ and download
    Adaware 6 Build 181

    Install the program and launch it.

    First, in the main window look in the bottom right corner and click on "Check for updates now" and download the latest reference files.

    Make sure the following settings are made and on -------"ON=GREEN"

    From the main window: click "Start" then "Activate in-depth scan (recommended)"

    Click "Use custom scanning options" then click "Customize" and have these options selected: Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.

    Now click on the "Tweak" button in that same window. Under "Scanning engine" select "Unload recognized processes during scanning" and under "Cleaning Engine" select "Let windows remove files in use at next reboot"

    Click "proceed" to save your settings.

    Now to scan just click the "Next" button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu and click "Next".)

    Restart your computer.


    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates".

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    It's the latest in the long line of CWS hijacks

    Download & Run CWshredder from http://www.merijn.org/cwschronicles.html
    Close all browser windows, unzip the file, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.

    and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
    the patches are :
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp


    then reboot &
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &
    download AdAware 6
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    the current ref file should read 01R245 03.01.2004

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From the main window: click "Start" then "Activate in-depth scan"

    then......

    click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" ...........then........ "Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu.) Then press Next and say yes to the prompt "do you want to remove all these entries".

    reboot again

    then post a new hijackthis log to check what is left
     
  4. killspyware

    killspyware

    Joined:
    Nov 28, 2003
    Messages:
    62
  5. Roymus

    Roymus Thread Starter

    Joined:
    Dec 4, 2003
    Messages:
    16
    Thanks for all the help...yes, his computer is for personal use (we're a small business). He probably is going places on the web that he shouldn't, which is why he's having so many problems!
     
  6. Roymus

    Roymus Thread Starter

    Joined:
    Dec 4, 2003
    Messages:
    16
    Spybot was not able to install its own updates (choked on the update download and had to be terminated). Tried to run it without the updates and it started to slow down to the point where it would not have finished by next Christmas. Any reason why Spybot would be performing so poorly? By the way, Adaware worked great.

    Roy
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Use one of the other update sites in the drop-down list; the Australian server seems better at the moment.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Anytime you have trouble updating Spybot try changing the selected download mirror.

    Make sure you have Spybot open in Advanced Mode. Go to Start > Programs > Spybot Search & Destroy > Spybot S&D (Advanced Mode). Click on the "Online" tab then click "Search for updates". When the updates are displayed in the window below, put a check by each of the updates. Now look beside "Download updates" and you will see the name of the selected download mirror (see pic). Click on the little arrow beside that and select one of the other mirrors, preferably FXClips (USA) (as in the pic below) or EON (Australia).

    [image: Spybot "Online" tab showing the download mirror selection]
     
Short URL to this thread: https://techguy.org/192658