#1
Browser start page hijacked by /index.html#37049 !Help!
My browser start page at Earthlink has been hijacked by these guys: "res://mshp.dll/index.html#37049". I've run Ad-aware, SpyBot S&D. Nothing works! Please help me!

#2
Run "HijackThis" and remove the reference to it from the list

#3
Yes... you can find the latest version for "Hijack This" at http://www.lurkhere.com/~nicefiles/index.html

#4
Hijacked Browser
How do I determine which items to remove? If I run HijackThis and post the results could you give me that info? I have solved a similar prob in the past that way. I just don't wanna mess up anything critical in the registry keys. Also, does anyone have any suggestion on precautions to take to eliminate this in the future? How does it get into your PC? Any resources out there to block them? There seems to be a connection to CoolWWWebSearch. I've noticed a tremendous increase in the adware in my PC every time I run AdAware since this culprit got in! Your help is appreciated! Tom Myboy, where are you?

#5
Copy of my HiJack this log, can you tell me which items to remove?

Logfile of HijackThis v1.97.7
Scan saved at 11:23:27 AM, on 3/14/2004
Platform: Windows 2000 SP5 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\winnt\System32\pctspk.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\tcpsvcs.exe
C:\winnt\system32\slserv.exe
C:\winnt\System32\snmp.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis1977[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\winnt\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\winnt\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\winnt\secure.html
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user1\Application Data\Mozilla\Profiles\default\pnupqyfd.slt\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\user1\Application Data\winps\winps32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\user1\Application Data\winps\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\user1\Application Data\winps\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\winnt\image.dll,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\winnt\image.dll,Install
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Thanks for your help!
teacher4u

#6
Browser hijacker!
I removed the items above that contained the number 37049, when I rebooted, nothing changed! Can someone tell me what needs to be removed in the Hijack this log posted above? Also, can I remove the following two items from the log, safely?

O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART

If anyone knows how to prevent someone from taking control of your browser I would certainly appreciate that information! Thank you!
teacher4u

Last edited by teacher4u : March 14th, 2004 at 02:31 PM. Reason: Adding two questions

#7
Hi again teacher4u!
Good to see you again. I have not been available the past few weeks. It's good to be back!

EDIT: You have a Cool Web Search infection. Download CWShredder at http://www.majorgeeks.com/download4086.html

Unzip it to a convenient location, run the program and hit FIX (do not just press SCAN). Reboot and continue with the following instructions:

Update Spybot Search and Destroy and scan for problems with it, reboot and do the same with Adaware.

Reboot and unzip HijackThis to a permanent folder such as C:\HJT. Then post a new log.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!

Last edited by Tom Myboy : March 15th, 2004 at 02:19 PM.

#8
I don't mean to pile more on you all at once, but after you finish the items above here are the fixes for your log:

After completing the above tasks, rerun HijackThis, place a checkmark next to the following entries. IMPORTANT! Close all browsers and other windows except HijackThis and hit "Fix"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\winnt\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\winnt\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\winnt\secure.html
O1 - Hosts: comments (such as these) may be inserted on individual

These items should be gone after running CWShredder. If not, delete these too:

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\user1\Application Data\winps\winps32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\user1\Application Data\winps\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\user1\Application Data\winps\msiesh.dll
O4 - HKLM\..\Run: [Image] rundll32 C:\winnt\image.dll,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\winnt\image.dll,Install

This needs to go also:

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART

Please keep in mind you will probably keep getting infected if you continue to use p2p programs.

Reboot and post another log.
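
An added example, not part of the original thread and not code from HijackThis: a small Python triage pass over a HijackThis-style log that picks out three patterns shared by entries selected in post #8 (IE page settings pointing at res:// or a local file, BHO DLLs under Application Data, Run entries started through rundll32). The function names and heuristics are assumptions made for illustration, the sample lines are copied from the log in post #5, and a match means "review this entry", not "delete it".

```python
import re

# Sample lines copied from the log posted in this thread (post #5).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\winnt\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\user1\Application Data\winps\mssearch.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\winnt\image.dll,Install
"""

# A log entry is "<section code> - <body>", e.g. "R0 - ..." or "O16 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse(log):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def review_reason(code, body):
    """Illustrative heuristics (assumptions), modelled on the entries flagged in this thread."""
    low = body.lower()
    if code in ("R0", "R1"):
        value = low.split(" = ", 1)[-1]
        if value.startswith("res://"):
            return "IE page setting points into a DLL resource (res://)"
        if re.match(r"^[a-z]:\\", value):
            return "IE page setting points at a local file"
    if code == "O2" and "\\application data\\" in low:
        return "BHO DLL loaded from a user profile folder"
    if code == "O4" and re.search(r"\]\s*rundll32\b", low):
        return "autostart entry launches a DLL through rundll32"
    return None


def triage(log):
    """Return (code, body, reason) for each entry a person should look at first."""
    return [(code, body, why) for code, body in parse(log)
            if (why := review_reason(code, body))]


if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code}: {why}\n    {body}")
```
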

#9
Tom, I'm glad you're back! You're always so helpful. I'm gonna do the procedure later today or tomorrow. I have to be in class in 1-1/2 hours on the teacher side of the desk! 6pm Pacific time! When you said following the steps above I presume you mean the steps mentioned in your two posts. I wanna say thanks to the other helpful people above who assisted me! BTW, how do I avoid using p2p programs? This cool web search is a major pain! Should be taken off the web! Can I block them in internet explorer security blocking? If so what url do I type in for blocking?

#10
Yes, follow the instructions in my last 3 posts in the order they are presented.

Ooops..... almost forgot. After your final reboot, find and delete these files:

C:\winnt\secure.html
C:\Documents and Settings\user1\Application Data\winps\winps32.dll
C:\Documents and Settings\user1\Application Data\winps\mssearch.dll
C:\Documents and Settings\user1\Application Data\winps\msiesh.dll
C:\WINNT\system32\P2P Networking\P2P Networking.exe

You sure are a night owl!

Tom

We'll tackle the p2p removal when you complete these steps..... Class Dismissed

#11
Temporary hitch in the get-along.
I'll do the fixes this weekend. Took Tom's advice about night owling. I need a wide open stretch of time to run the fixes. Right now Earthlink is down all over the west coast of the U.S.A. Hopefully I'll be back in business on Saturday. Thanks Tom!

#12
Sorry to hear about Earthlink. Life without internet access
Good luck on your fixes!
Tom

#13
Problem resolution
You've all heard the expression, "Physician, heal thyself!". I don't know how, or why, but after running Spybot and AdAware consecutively immediately after rebooting my PC, the problem finally disappeared! Now I've gotta remove CoolSearchBar from my daughter's new Dell Dimension. Oh well, a nerd's job is never done! Thanks to everyone here, particularly TomMyboy who always comes to my rescue! I could use help on removing the coolsearchbar stuff, I'm gonna look into my archives, but any time saving suggestions are welcome. Thanks again, teacher4u! Also Tom, please give me your preventive medicine mentioned earlier!