Browser Hijack

Greg

I installed Windows 2003 (I didn't see newsgroups for Windows 2003, but this
is general Windows so it should matter) and before I installed all of the
updates I got hit with a browser hijack. I avoid warez, porn, and other
sites like that so I'm not sure where I got it.

I've installed Ad-Aware, which finds it and removes it but when I reboot
it's back. Here's a snippet from the Ad-Aware log:

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/index.html#37049"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://mshp.dll/index.html#37049"

Possible browser hijack attempt : Software\Microsoft\Internet
Explorer\MainSearch Pagemshp.dll

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/sp.html#37049"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "res://mshp.dll/sp.html#37049"

Possible browser hijack attempt : Software\Microsoft\Internet
Explorer\MainStart Pagemshp.dll

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/index.html#37049"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://mshp.dll/index.html#37049"

Possible browser hijack attempt : Software\Microsoft\Internet
Explorer\MainDefault_Search_URLmshp.dll

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/sp.html#37049"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "res://mshp.dll/sp.html#37049"

Possible browser hijack attempt : Software\Microsoft\Internet
Explorer\MainDefault_Page_URLmshp.dll

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/index.html#37049"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://mshp.dll/index.html#37049"

Using ActivePorts I can see that upon boot it transmits some data to their
Web site (which I didn't write down but can get again if I reboot). I've
deleted their mshp.dll, but haven't rebooted since to see if this fixes it
or not.

Anyone know how I can completely remove this? Formatting isn't an option.
Also, wasn't Norton Anti-virus supposed to catch this? It didn't and doing
a virus scan doesn't find anything. I'm using their latest version with the
latest updates.
 
Ramesh [MVP]

Greg,

It's a CoolWebSearch spyware variant. And anti-virus software may not catch all the spyware. Use CWShredder [www.majorgeeks.com] which kills all CWS variants including the one in your system.

--
Ramesh - Microsoft MVP
www.mvps.org/sramesh2k
----------------------------------------
Free Online Virus Scanners and Security Tests:
http://www.mvps.org/sramesh2k/Scanners.htm
----------------------------------------


 
Malke

Greg said:
I installed Windows 2003 (I didn't see newsgroups for Windows 2003,
but this is general Windows so it should matter) and before I installed
all of the updates I got hit with a browser hijack. I avoid warez, porn,
and other sites like that so I'm not sure where I got it.

I've installed Ad-Aware, which finds it and removes it but when I
reboot it's back. Here's a snippet from the Ad-Aware log:

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/index.html#37049"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://mshp.dll/index.html#37049"
(snippage)
Anyone know how I can completely remove this? Formatting isn't an
option. Also, wasn't Norton Anti-virus supposed to catch this? It
didn't and doing a virus scan doesn't find anything. I'm using their
latest version with the latest updates.

Be sure to update Ad-aware before using it. I also suggest downloading
and installing Spybot Search & Destroy and scanning with it. Both
programs are free and they tend to complement each other. However, you
must have the most recent updates for these programs. Try scanning in
Safe Mode. NAV is an antivirus program and does not catch spyware. I
believe NAV 2004 has that function, but have no idea if that is the
version you have or how well it works (since I don't use it). Where is
your firewall? Block the app from accessing the web.

You can also try HijackThis (look for a link on www.spywareinfo.com
because the normal website isn't up) and post results in Spywareinfo's
user forums.

Malke
 
CZ

I installed Windows 2003 (I didn't see newsgroups for Windows 2003, but
this is general Windows so it should matter) and before I installed all
of the updates I got hit with a browser hijack. I avoid warez, porn, and
other sites like that so I'm not sure where I got it.

Greg:

Download and install the free version of Sygate PE v5.5:
http://www.sygate.com/

It runs great on Win2k3 server.
 
Greg

Greg,

It's a CoolWebSearch spyware variant. And anti-virus software may not catch
all the spyware. Use CWShredder [www.majorgeeks.com] which kills all CWS
variants including the one in your system.


I tried that but it still comes back after I reboot. Any other ideas?
 
Greg

Malke said:
Greg wrote:

Be sure to update Ad-aware before using it. I also suggest downloading
and installing Spybot Search & Destroy and scanning with it. Both
programs are free and they tend to complement each other. However, you
must have the most recent updates for these programs. Try scanning in
Safe Mode. NAV is an antivirus program and does not catch spyware. I
believe NAV 2004 has that function, but have no idea if that is the
version you have or how well it works (since I don't use it). Where is
your firewall? Block the app from accessing the web.

You can also try HijackThis (look for a link on www.spywareinfo.com
because the normal website isn't up) and post results in Spywareinfo's
user forums.

Thanks for the reply. Actually it looks like I'm running NAV 2002, so maybe
it doesn't catch browser hijacks.

As far as my firewall, it's hardware (router). I can't control what accesses
the Web.

I'll look into the Spybot Search & Destroy.
 
Greg

Malke said:
Greg wrote:
Be sure to update Ad-aware before using it. I also suggest downloading
and installing Spybot Search & Destroy and scanning with it. Both
programs are free and they tend to complement each other. However, you
must have the most recent updates for these programs. Try scanning in
Safe Mode. NAV is an antivirus program and does not catch spyware. I
believe NAV 2004 has that function, but have no idea if that is the
version you have or how well it works (since I don't use it). Where is
your firewall? Block the app from accessing the web.

You can also try HijackThis (look for a link on www.spywareinfo.com
because the normal website isn't up) and post results in Spywareinfo's
user forums.

Spybot Search & Destroy doesn't find it. I have the latest definitions from
Ad-Aware. Spybot freezes when I try to download updates (I waited 5 minutes
for it to respond).
 
Malke

Greg said:
Spybot Search & Destroy doesn't find it. I have the latest
definitions from Ad-Aware. Spybot freezes when I try to download
updates (I waited 5 minutes for it to respond).

Actually, Spybot isn't really freezing - what is happening is that
because there are new reference files available, the servers are
incredibly busy. I see that Ramesh identified it as CoolWebSearch, a
particularly nasty piece of malware. Go to www.spywareinfo.com and
there is a link to download CWShredder. Try that. Again, you want to
run this in Safe Mode.

Malke
 
Greg

Malke said:
Greg wrote:
Actually, Spybot isn't really freezing - what is happening is that
because there are new reference files available, the servers are
incredibly busy. I see that Ramesh identified it as CoolWebSearch, a
particularly nasty piece of malware. Go to www.spywareinfo.com and
there is a link to download CWShredder. Try that. Again, you want to
run this in Safe Mode.

Malke

I already tried CWShredder after using Ad-Aware and it found nothing to
remove. But when I reboot CoolWeb is back right away.
 
Malke

Greg said:
I already tried CWShredder after using Ad-Aware and it found nothing
to remove. But when I reboot CoolWeb is back right away.

If you are using the most recent version of CWShredder and running it in
Safe Mode (and you might try disabling System Restore first, too, just
like you do when you have a virus) and *still* can't get rid of
CoolWebSearch, then all I can suggest is for you to seek help on the
Spywareinfo forums. The regulars there are wizards about removing
malware.

Malke
 
Ramesh [MVP]

Try running the utility in Safe Mode. Another option is to have the log generated using HijackThis, and post to Spywareinfo or Aumha.org forums for expert advice.

--
Ramesh - Microsoft MVP
www.mvps.org/sramesh2k

 
Greg

Greg said:
I installed Windows 2003 (I didn't see newsgroups for Windows 2003, but this
is general Windows so it should matter) and before I installed all of the
updates I got hit with a browser hijack. I avoid warez, porn, and other
sites like that so I'm not sure where I got it.

Thanks for everyone's help. I was finally able to fix it by deleting the
mshp.dll. I wonder why the spy removing software didn't do this?
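
Every Ad-Aware record quoted in this thread points Internet Explorer at a `res://` URL, which names a resource inside a module on disk, here mshp.dll. As an added example (not part of any post in the thread, and not Ad-Aware's own code), this Python code parses such records and groups the flagged registry values by the module they load from; the function names are illustrative and the sample is an excerpt of the log quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the Ad-Aware log quoted in the thread (two of the five records).
SAMPLE_LOG = r'''Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/index.html#37049"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://mshp.dll/index.html#37049"

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://mshp.dll/sp.html#37049"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "res://mshp.dll/sp.html#37049"
'''

FIELD = re.compile(r'^(Type|Data|Rootkey|Object|Value)\s*:\s*(.*)$')
RES_URL = re.compile(r'^res://([^/]+)/', re.IGNORECASE)  # res://<module>/<resource>

def parse_records(log_text):
    """Split the log on blank lines; return one dict per RegData record."""
    records = []
    for block in re.split(r'\n\s*\n', log_text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:  # summary lines without a known field name are skipped
                fields[m.group(1)] = m.group(2).strip().strip('"')
        if fields.get('Type') == 'RegData':
            records.append(fields)
    return records

def modules_behind_hijack(records):
    """Map each res:// module name to the registry values that point at it."""
    by_module = defaultdict(list)
    for r in records:
        m = RES_URL.match(r.get('Data', ''))
        if m:
            path = '\\'.join(r.get(k, '') for k in ('Rootkey', 'Object', 'Value'))
            by_module[m.group(1).lower()].append(path)
    return dict(by_module)

if __name__ == "__main__":
    print(modules_behind_hijack(parse_records(SAMPLE_LOG)))
```
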
 
