Help with res://mshp.dll/index.html#37049 and "C:\windows\system\INETP60 hijack log

k this is my log k i keep getting this "res://mshp.dll/index.html#37049" as my homepage whenever i load and i also have one more problem maybe u guys can help me with that problem alsolike right after my windows loads up i get this error message that says Error loading "C:\windows\system\INETP60.DLL" the system cannot find the file specified


Logfile of HijackThis v1.97.7
Scan saved at 11:25:35 PM, on 6/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\LTDAEMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\TQ.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.511\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.111-deleon.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSHN\MSHN.DLL
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSHN\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSHN\APIAN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [InstallAurealDemos] C:\windows\temp\InstallAurealDemos.js //b
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [LT DAEMON] "C:\WINDOWS\SYSTEM\ltdaemon.exe"
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Tq.exe] C:\WINDOWS\TEMP\TQ.EXE
O4 - HKLM\..\Run: [atRootC] C:\WINDOWS\SYSTEM\atRootC.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\Cxe0n.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - URL
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - URL
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - URL

Here is how to read the hijackthis logfile .
Compare it with yours .
http://homepage.ntlworld.com/dvk01uk/tutorial.htm
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.help2go.com/article153.html
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/bhos/
http://www.spychecker.com/program/bholist.html
http://www.spywareinfo.com/~merijn/htlogtutorial.html#r
http://www.computercops.biz/postt6393.html
http://www.google.com/search?q=spyware+list
Beginners Guides: Browser Hijacking & How to Stop It
http://www.pcstats.com/articleview.cfm?articleID=1579

I deleted these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

i even changed it on the regedit and mywebpage keeps going back to the samething can someone pleaseee help me

thanks

More here .

http://www.pchell.com/support/lookfor.shtml

==============================================

Run a virus check from 1 or all of these .
Online Virus check ( free )
http://housecall.antivirus.com/
http://housecall.trendmicro.com/
http://www.cybertechhelp.com/html/misc/av.php
http://www.pandasoftware.es/actives...ivescan-com.asp
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
http://security.symantec.com/sscv6/...YNBRFNJSVSTIVVB

System Restore option in Windows Me/XP
http://www.augustana.ab.ca/other/cns/virus/
http://www.adamtj.org/repository/ho...2.Blaster.Worm/
Users of Windows Me and Windows XP should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file onto your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows ME System Restore
http://service1.symantec.com/SUPPOR...src=sec_doc_nam
How to turn off or turn on Windows XP System Restore
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Opp's , forgot you were W98 , ignore System Restore .

I got rid of this simply by using CWShredder. It seems to fix alot of these by simply running it without much thought. It doesn't take good files. In this case, it keep respawning on reboot and once I ran it, I searched for the mshp.dll file and deleted that.

Took care of things right quick.

I am having the same problem for the past few days.
I ran the latest version of CWShredder (v1.59) and it seems to delete all the corrupt files and registry entries.
But it is good only for a moment.
The moment I launch the browser, the machine gets infected again. MSHP.DLL appears in the C:\Winnt folder again. I was told that the problem might be a 'hole' in the MS Java Virtual Machine. So I disabled MS JVM. A better alternative is Sun Java I am told but there seems to be no information on how to uninstall MS JVM.

If someone knows something about this, I would really appreciate your help. I am running Win2000 SP4.
My Internet Explorer (ver 6) default start page gets set to

res://mshp.dll/index.html#37049

and I have begun getting popups and strange things like automatic activation of the 'search' button etc.

HELP please. I am willing to spend a few bucks to get this nuisance out of the way.

thank you

jdude

Remove Microsoft Java Virtual Machine and Install Sun Java
http://www.infinisource.com/WindowsXP/howto-21.html

thank you jmatt for replying.

I get the following Error message when I try that.

'could not locate INF file java.inf

I believe that info was for WinXP. I wonder if you know
of anything available for Win2000.

thank you

jdude

Test if Java is working on your machine .
http://www.pocoso.de/pocoso052.html
http://www.clan.lib.ri.us/clan/javatest.html
http://www.javatester.org
http://www.bodo.com/javame.htm

Find if MS VM installed and which version .
http://www.visualware.com/support/javasupport.html

jmatt,

okay.
I successfully uninstalled MS JVM and then installed Sun JAVA 1.4....on Windows2000. Tested it using your link and it gives that version number. [In case anyone wants to know, I used the command regsvr32 /u msjava.dll to remove MS JVM from Win 2000. It was done after rebooting in safe mode. My Win2000 was running sp4. I then followed the procedures outlined in jmatt's earlier posting in deleting the remaining java folders etc. before installing Sun JAVA]

But the bad news is ... the problem persists. The moment I launch the browser, I see mshp.dll appear in C:\WINNT folder along with all the other related corrupting files at other locations. I have updated Norton AntiVirus and all (just plain useless !! what else can you say. For anyone listening, if you have a router with firewall and if you are careful in opening your emails, please don't waste your money on these anti-virus software. They are no good when it comes to a real problem.).

At the moment, jmatt ...you are my lifeline.

jdude

Make sure you have the latest MS critical Updates .
Make sure all windows are closed .

Bazooka is good at finding files others don't .
Bazooka
http://www.webgrid.co.uk/security_2.html
http://www.winsite.com/bin/Info?17000000037943
http://www.kephyr.com/
Bazooka is freeware and Windows 95/98/ME/NT/2000/XP compatible
Click on the files found & you will be taken to a site that will show you how to remove , either with a program or manually .
It reports on all drives & partitions , so remember to check all these , when doing manual remove .
After the Download - It is important to remember that once the installation of Bazooka is completed , that you should update the File Signatures by clicking on the Update tab and check for an update .
Make sure you Update after installing & then regularly .

More here .
http://forums.techguy.org/t227664.html
http://forums.techguy.org/showthrea...dcee411ebe49a02
http://forums.techguy.org/t228502.html
http://forums.techguy.org/showthrea...02&page=2&pp=15
http://forums.techguy.org/showthrea...02&page=3&pp=15
http://www.tek-tips.com/gviewthread.../453/qid/739547

I too have this nasty "res://mshp.dll/index.html#37049" despite using Spy Sweeper, CWS Shredder, Ad-Aware, SpyBot, Spyware Blaster, Hijackthis, Browser Hijack Blaster (old) and Pest Patrol (purchase). I have changed to Sun Java. Turned off System Restore (I am using WinXP) during these processes.

I have tried fixes from this site:
URL

and others:
URL URL)

all to no avail. I will be watching this thread and others closely. Thanks for any help.

I think I may have solved this problem on my machine.

Let me wait and see for a day before I post something.