hijacked computer

Hi...

I've seen a lot of posts about being hijacked by res://mshp.dll/index.html - I've run CWShredder, HijackThis and deleted all the logs I saw other posts telling people to delete, I've run Ad Aware, SpyBot S&D, and it still keeps coming back. Here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 5:19:03 PM, on 3/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Greg\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

Please help! Thanks!

I also have been having trouble with www.lookfor.cc popping up a lot. And getting added to my favorites - along with a few other miscellaneous sex-related popups. Help!

You look clean.But to clear the trojan go here.
http://www.pchell.com/support/lookfor.shtml

Run this as a seperate posting so as not to get things confused.

Hi...

Thanks for your help -

I did everything I saw on that page you linked, and my home page is still returning to res://mshp.dll/index.html#37049 every time I reboot. I've run every program I can think of, I started in Safe and cleared everything I could find, and it STILL isn't working. What else can I do? Help! Thanks!

Hi annaht,

Could you move HijackThis to a permanent location such as C:\HJT and post a new log?

Tom

OK, I did that, here's the log!

Logfile of HijackThis v1.97.7
Scan saved at 8:25:14 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Greg\Application Data\iect\mssearch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab



Thanks!

Hi annaht,

You have a coolwebsearch infection. Please download CWShredder from Here

Close ALL browser windows or it may not work. Unzip it to a convenient location and select "Fix" (do not just Scan). It will automatically remove the infections.

Reboot and post a new log.

Tom

OK, I did that - here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 1:55:21 PM, on 4/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab



Thanks for your help!

Hi again!

You log is clean. Thanks for checking back.

Tom

Thanks so much!

-Ann.

Thanks for saying thanks!

Tom

I'm tired of a-holes putting their spyware crap in my computer. It's like a monthly thing now where I am digging through the registry trying to clean it and yesterday this last one took me 2 hrs and I gave up. I have better things to do. I uninstalled IE and installed Mozilla. After I did this I realized I should have done that a long time ago. The registry changes are still their sure, but my computer is now not popping up anymore...unless I let it.

Zpook why are you answering to this thread? Please don't bring up a OLD thread without a reason (if you are annaht then it's fine)