  1. #1
    Join Date
    January 17th, 2005
    I don't know if this is an old hijack or a new one. If it is old then this is for the newbies.

    A hijack virus took control of my browser. It removed my front page and replaced it with "res://mshp.dll/index.html#37049", which is another search engine. When I clicked on Internet Options in my browser to replace it with my front page, it kept showing up.

    Every time I would go to the Google, Yahoo or AltaVista search engine, it would tell me it doesn't exist.

    So I read up on it and found out that it is a hijack that takes over your browser. It will not go to any search engine but theirs and you can't change it to your front page.
    I tried a lot of virus scanners but they didn't see it or remove it.

    But I did find HijackThis, which scanned my system and found this:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\winnt\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

    I removed these items and also
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART

    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\user1\Application Data\winps\winps32.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\user1\Application Data\winps\mssearch.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\user1\Application Data\winps\msiesh.dll
    O4 - HKLM\..\Run: [Image] rundll32 C:\winnt\image.dll,Install
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\winnt\image.dll,Install

    I haven't had any problems since then.

    I found hijackthis on this site
    and click on BTN.

    PS. Please be careful about what you remove once you scan with HijackThis. You will see files that are not viruses but are important for your computer. Be careful.
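
Added example, not part of the original thread: a small Python triage pass over HijackThis log lines like those in post #1, flagging the patterns that stand out there (IE page settings pointing at `res://` or local files, unnamed or profile-hosted BHOs, `rundll32` autostarts). The heuristics, the `triage` function name and the two entries marked as constructed are assumptions for illustration; a flagged line is a prompt for review, not a removal verdict.

```python
import re

# Four lines copied from the log in post #1, plus two constructed benign
# entries for contrast (the example.com start page and "Example Helper" BHO).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\winnt\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\user1\Application Data\winps\msiesh.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Image] rundll32 C:\winnt\image.dll,Install
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")           # IE page settings
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")             # autostart entries


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            data = m.group(4)
            # Start/search pages normally hold http(s) URLs; a res:// or
            # local-file target means a DLL or file on disk serves the page.
            if not re.match(r"(?i)^(https?://|about:blank$)", data):
                findings.append((line, "non-web URL in IE page setting"))
        elif m := BHO_LINE.match(line):
            name, _clsid, path = m.groups()
            if name.strip() in (".", "(no name)", ""):
                findings.append((line, "unnamed BHO"))
            elif "\\application data\\" in path.lower():
                findings.append((line, "BHO loaded from user profile"))
        elif m := RUN_LINE.match(line):
            if m.group(3).lower().startswith("rundll32"):
                findings.append((line, "autostart via rundll32"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```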

  2. #2
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    The Swamp
    Hi dlgns,

    Looks like you got CoolWebSearch browser hijacker.

    HijackThis is great for sniffing out what may have gotten on your computer or if something got left after running a spyware removal program. But you are right in that you can seriously muck up your computer by removing registry files that HijackThis finds if you don't know what you are doing.

    I think it's best to run spyware removal first such as spybot or adaware. If you are still having problems, then run HijackThis and post the results in one of the many forums where knowledgeable people will tell you what should and can be removed safely. Many of the spyware/adware programs are hooking themselves up with legit system files.

  3. #3
    Join Date
    January 17th, 2005
    Thanks a lot blfh. That site was very helpful. I just got cable connection 2 weeks ago and that is when stuff started happening. I have Norton but somehow it didn't find the problem.
    Thank Thank Thank you.
    You are the best

  4. #4
    Join Date
    January 17th, 2005
    I have something very similar, did follow the instructions for the removal of CoolWebSearch, but nothing, that doesn't seem to be my problem. But it is very similar.

    I get a weird search engine type page, dark green underlined words, popup pages, and banners are redirected all over the place. I get a lot of the type words in the links of these redirected pages like, messageboards, prescriptions. Any ideas? I asked earlier in another thread, but to no avail. Had a worm, but that was removed, and pc is over that one.
    Recently installed ZoneAlarm Firewall, and a new router with better protection too.

    Looking for any clue as to what this could be, can you direct me in the direction of where to search and find? Is there a searchable site for clues, and the parasite/BHO/malware etc can be found other than running software?

    I ran Adaware, search and destroy, cwshredder, hijack this, and nothing. Virus scan shows nothing....

  5. #5
    Join Date
    January 17th, 2005
    What is a router or what does it do?

  6. #6
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    The Swamp
    @fredollars: First make sure your definitions for Adaware and spybot are up to date when you run those apps. If you are still having the problem, then run hijack this and post the log to one of the many forums set up for that. Many of these programs are using files now that will look like regular system files, but the guys who monitor those forums can spot suspicious files pretty dang good. Many times when something looks amiss, they will ask you to forward a copy of a particular file so they can look at it more closely.

    @dlgns: In layman's terms a router is just hardware that "routes" or "directs" multiple computer connections. Most routers however have a built in firewall. If you are now on a cable connection, you need to be running some type of firewall since you have a continuously open connection to the Internet and there are folks who do nothing but scan for such open connections to sneak stuff onto your computer. You can get a hardware firewall (like what comes with a router) which will block unwanted incoming traffic to your computer. Hardware firewalls will not block outgoing traffic from your computer though. You can also install a software firewall such as ZoneAlarm (what I use) which will block incoming and outgoing unwanted traffic. What is nice about products like ZA is you can set them on prompt. Each time a program tries to access the Internet, it will prompt you what program is trying to access the Internet with a file name. A great way to catch the .exe file name of spyware/adware. For programs you want to have Internet access for like IE, your email client, etc you can grant them automatic access all the time so you aren't bothered with the prompts.

    Don't rely on just your AV software to detect spyware/adware though. Even though most AV programs will detect these to some degree, what they detect is not as extensive as what the spyware detection/removal programs detect.

    Your best line of defense in getting these types of programs on your program is doing ALL of the following:

    1. In Internet Options, set your ActiveX setting to Prompt. When you get a prompt DO NOT click "yes" unless you are 100% sure that what is setting off the prompt is something harmless like something in flash.

    2. In Internet Options, set Downloads to Prompt. Never click yes to a download unless you are 100% sure what that download is and it's something you want.

    3. Whenever installing any type of free software (no matter how 'safe' the program may seem), always take the time to read the EULA and see if mention is made of 3rd party software being installed with it. Many times now they will list the exact adware being installed. If there is 3rd party software bundled, then go search around some more and find an equivalent program that doesn't come bundled with adware. 99% of the time there are clean software programs out there.

    4. Have your AV software running all the time

    5. Run at least a software firewall. Personally, I'd stay away from Norton's Internet Security for this one. Never run your computer without your firewall running.

    6. Regularly scan your computer with at least 2 spyware/adware detection/removal programs.

    7. Utilize the protection function in many spyware removal programs (spybot has this called immunization) and/or a program like Spywareblaster. These actually block attempts of installations on your computer.

    If you do all those things, you should be safe. Personally, I have a router firewall, ZA, IE settings at prompt. I've never gotten any spyware/adware on my computer that I didn't put there on purpose. I have a couple spyware removal programs on my computer, but I don't scan regularly because I never get the stuff unwanted on my computer. I just use them to remove the adware when I've finished testing.

  7. #7
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Opposite the Slough of Despond
    I had a PC with CoolWebSearch installed and neither Spybot S&D nor AdAware could shift it.

    However, there's a special utility called CWShredder which you can download from here which clears most known variants (about 40 of them).

    CWS tends to install using a browser vulnerability, so you won't get a dialogue box or anything. In the UK that constitutes unauthorised access to a system which is a serious criminal offence.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  8. #8
    ABW Founder Haiko de Poel, Jr.'s Avatar
    Join Date
    January 18th, 2005
    New York
    [Moved to Suspicious Activity Forum]
    Continued Success,

    The secret of success is constancy of purpose ~ Disraeli
