
IE Hijacking mwelch's post

Discussion in 'Security and Privacy' started by mwelch, 2004/05/26.

Thread Status:
Not open for further replies.
  1. 2004/05/26
    mwelch

    mwelch Inactive Thread Starter

    Joined:
    2004/05/26
    Messages:
    4
    Likes Received:
    0
    I am experiencing a cool web search hijack also and cannot remove it even with CWS 1.97. Please help with this issue. I have copied the logfile below.

    CWShredder v1.52.2 scan only report

    Windows 2000 (5.00.2195 SP2)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Documents and Settings\mwelch\Application Data
    Username: mwelch
    - END OF REPORT -

    I'm moving this post for you, best to have started a new topic
     
  2. 2004/05/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I'm confused, why did you post a scan-only report?
    You need to make sure it's the latest version 1.57, run it and hit the fix button,
    then let it complete, and restart the PC.
    http://radiosplace.com/ download cwsredder.exe

    then make sure you have the latest version Ver-1.97.7 of HijackThis and post its log to

    Instructions are here for HijackThis
    How to post a Hijackthis log:
    http://www.windowsbbs.com/showpost.php?p=159220&postcount=4
     

  4. 2004/05/26
    mwelch

    mwelch Inactive Thread Starter

    Joined:
    2004/05/26
    Messages:
    4
    Likes Received:
    0
    IE Hijacking

    I ran CWS and also Hijack this. The log for Hijack this is below. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:21:22 PM, on 5/26/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\mwelch\My Documents\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Administrator\Application Data\iefeatsl\iefeatsl.dll (file missing)
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\ADMINI~1\APPLIC~1\iefeatsl\msiesh.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {5A1C774A-9E4F-11D1-9831-0000F67788C1} (NetManage Express Client Display) - http://www.q-serv.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bistate.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10D974B6-F247-4925-A1A0-8BD7365E379B}: NameServer = 207.217.77.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bistate.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bistate.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bistate.com
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
     
  5. 2004/05/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Let's try this
    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
    In the upper window select explorer.exe
    In the lower window find and right-click mshp.dll
    Select Unload DLL and click OK on the prompts that follow.

    Start Hijackthis and place a check next to these items
    Close all browser windows and shut down all other programs (even Folders) that show in the taskbar. Then hit fix selected

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Administrator\Application Data\iefeatsl\iefeatsl.dll (file missing)
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\ADMINI~1\APPLIC~1\iefeatsl\msiesh.dll (file missing)
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
    ===========
    Restart the PC and delete these files and folders
    C:\DOCUME~1\ADMINI~1\APPLIC~1\iefeatsl
    C:\Program Files\Submit
    "sys.reg" << do a file search for and delete it if found
    You might have to have Windows show hidden files and folders in order to see them.
    How to Show hidden files and folders. << hyper link

    Run cwsredder again and reboot
    Scan with both SpyBot and Adaware: antispyware programs (they are free)
    http://windowsbbs.com/showpost.php?p=159029&postcount=3


    Then please go to Windows Update and get everything they offer you. It might take several trips.

    When done, then make and post another log.
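
The selection of entries in the reply above can be approximated with a handful of rules. This is an added example, not part of the original post and not HijackThis's own logic: the rules and the names `parse`, `triage`, `review` and `allowed_hosts` are assumptions made here, and the sample lines are copied from the log posted earlier in this thread.

```python
import re
from urllib.parse import urlparse

# Subset of the HijackThis log lines posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
"""

ENTRY = re.compile(r"^\s*([RNFO]\d{1,2}) - (.*)$", re.M)

def parse(log):
    """Split a log into (section, body) pairs, e.g. ('O2', 'BHO: ...')."""
    return [(m.group(1), m.group(2).strip()) for m in ENTRY.finditer(log)]

def triage(section, body, allowed_hosts=frozenset()):
    """Return a reason string if the entry deserves review, else None."""
    if section in ("R0", "R1"):
        url = urlparse(body.partition(" = ")[2].strip())
        if url.scheme == "res":
            return "IE page served from a DLL resource: " + url.netloc
        if url.netloc and url.netloc.lower() not in allowed_hosts:
            return "IE start/search URL on unlisted host: " + url.netloc
    elif section == "O1":
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m and m.group(1) not in ("127.0.0.1", "::1"):
            return "hosts file maps %s to %s" % (m.group(2), m.group(1))
    elif section == "O2" and body.endswith("(file missing)"):
        return "BHO still registered but its file is missing"
    elif section == "O4" and re.search(r"\]\s*regedit(\.exe)?\s+[/-]s\b", body, re.I):
        return "Run key silently imports a .reg file at logon"
    elif section == "O19":
        return "user stylesheet override"
    return None

def review(log, allowed_hosts=frozenset()):
    """List (section, reason) for every entry a rule matched."""
    hits = ((s, triage(s, b, allowed_hosts)) for s, b in parse(log))
    return [(s, why) for s, why in hits if why]

if __name__ == "__main__":
    for section, why in review(SAMPLE_LOG):
        print(section, "-", why)
```

With an empty `allowed_hosts` every R0/R1 URL is reported, so pass the hosts you expect (a corporate home page, for instance) to cut the noise.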
     
  6. 2004/05/26
    mwelch

    mwelch Inactive Thread Starter

    Joined:
    2004/05/26
    Messages:
    4
    Likes Received:
    0
    IE Hijacking

    Lonny,

    I have downloaded APM and installed it. I am confused where to go and find your instructions that I have copied and pasted below here. Where do I find these files? I can do everything below these instructions, I just couldn't find these. Sorry for the ignorance on this. Also, I am unable to update my Windows files as it says I need administrator privileges. I think I can get that resolved though unless you have an easier way. Thanks.


    In the upper window select explorer.exe?
    In the lower window find and rightclick mshp.dll?
    Select Unload DLL and click OK on the prompts that follow.?
     
  7. 2004/05/26
    mwelch

    mwelch Inactive Thread Starter

    Joined:
    2004/05/26
    Messages:
    4
    Likes Received:
    0
    IE Hijack

    Lonny,

    I had a temporary lapse of common sense. I did as you instructed and MSHP.DLL is not in the lower window list. Please advise.
     
  8. 2004/05/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You need to get it resolved and update things.
     
  9. 2004/05/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    If you have trouble with that step, just disregard it and continue,
    especially with what Newt recommended.
     