Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Home Page HiJacked to 'mshp.dll' - HiJackThis Log attached 1

Status
Not open for further replies.
MeGustaXL

MeGustaXL

Technical User
Aug 6, 2003
1,055
GB
Hi Guys,

My IE6 home page keeps coming up as...

res://mshp.dll/index.html#37049

with a Windows-esque flag in the top left and a load of search links. Click one of these links, and the screen fills with pop-ups! If I try to reset my home page in Tools>Internet Options>General, IE6 hangs.

I've run NAV, SSD and HiJackThis to no avail.
Here's my HJT Logfile from the latest scan...

Logfile of HijackThis v1.97.7
Scan saved at 19:50:13, on 04/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AMI SCROLL\4DMAIN.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEUK\IEUK.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEUK\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEUK\MSSEARCH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Ami Scroll\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.EXE 4************
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone:
I've tried removing the ones I've bolded, and that fixes it until I connect to the web, then they're back [mad]

Any advice muchly appreciated.


Chris

Varium et mutabile semper Excel
 
Sort by date Sort by votes
Chris

Take out these three in addition to your bold items:
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEUK\IEUK.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEUK\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEUK\MSSEARCH.DLL

I'm also a bit suspicious about this d:\setup.exe file that is set to run at each startup, so I'd untick this as well:
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.EXE 4************

I'd also run a good up to date virus checker and spyware scanner over your machine and run WindowsUpdate to bring down the latest patches, as you are not yet on IE6 SP1.
Your NAV is not running at the time this is running. I would certainly have it running all the time for future use. It may slow down the computer somewhat, but it is worth it for the protection it gives your PC.

John
 
Upvote 0 Downvote
I believe this is one of the coolwebsearch variants
You could try cwshredder, current version is 1.57.0.
Run it in fix mode, and you may need to try it with booting win98 to safe mode. Some of the latest coolweb versions are getting very hard to get rid of.

Also, although there are not a lot of them, you ought to go ahead and get the critical updates for explorer.
 
Upvote 0 Downvote
Thanks for the help Guys, I think it's fixed! [flip]

John:
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.EXE 4************
belongs to my Digi Camera driver, but removing it doesn't seem to have affected operation of the program.

Both/Either:

How do you know I haven't updated IE6? (I haven't, but HDYK??)

TVM 4 YR HLP


Chris

Varium et mutabile semper Excel
 
Upvote 0 Downvote
Chris

The line
"MSIE: Internet Explorer v6.00 (6.00.2600.0000)"

tells us it is the original version of Internet explorer 6.
Version 6 SP1 is 6.00.2800.1106.

John
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

riobogmedacaliaires
  • Locked
  • Question
how to exclude folders in trend officescan 11 client side
Replies
0
Views
111
riobogmedacaliaires
riobogmedacaliaires
JordanWitthoft
  • Locked
  • Question
Software to check suspicious links
Replies
2
Views
136
MakeItSo
MakeItSo
LonnieJohnson
  • Locked
  • Question
Apps/Tools for seeing potential threats
Replies
1
Views
124
ChrisHirst
ChrisHirst
geeknerd
  • Locked
  • Question
Hijacked by Virus/Worm 1
Replies
17
Views
222
goombawaho
goombawaho
electricpete
  • Locked
  • Question
ComboFix log 2
Replies
15
Views
396
electricpete
electricpete

Part and Inventory Search

Sponsor

Back
Top