This is a most insidious website:
res://mshp.dll/index.html#37049
I have spent hours of my time trying to stop this website
from hijacking my homepage. Have downloaded Spybot Search
and Destroy, Spyblaster, NoAdware6 - and nothing seems to
work. Does anybody have any suggestions on how to stop
this website from hijacking my homepage; and also, would
love to find out who is personally responsible for this
website and where it originates. I would pay this person
a visit - in the flesh. If you have any thoughts about
how to get rid of this website, please email Al at
apt@sev.org Thanks.
al

Re: Browser Hijackers by PA

PA
Fri Jun 25 01:09:19 CDT 2004

Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx

Alan wrote:
> This is a most insidious website:
> res://mshp.dll/index.html#37049
> I have spent hours of my time trying to stop this website
> from hijacking my homepage. Have downloaded Spybot Search
> and Destroy, Spyblaster, NoAdware6 - and nothing seems to
> work. Does anybody have any suggestions on how to stop
> this website from hijacking my homepage; and also, would
> love to find out who is personally responsible for this
> website and where it originates. I would pay this person
> a visit - in the flesh. If you have any thoughts about
> how to get rid of this website, please email Al at
> apt@sev.org Thanks.
> al


Re: Browser Hijackers by LuckyStrike

LuckyStrike
Fri Jun 25 01:25:58 CDT 2004

Saw this at SpywareInfo Forums:
http://forums.spywareinfo.com/index.php?showtopic=8847

<paste>
In the last few days ... This infection:
res://<random>.dll/<random>.html#<random> has spread like wildfire and we
are inundated with requests to help clear it. Sometimes the fixes that have
been created work, sometimes not - Unfortunately.

There have been some reported fixes by ensuring that you have a firewall
installed like Zonealarm and having it block the calls out to the Internet.
That, with a complete scan using the latest version of Ad-aware seems to
clear it up - Somewhat.

Ad-Aware should be file : v6.0 Build 6.181 and you should have reference
file: 01R324 22.06.2004 installed. Please update your copy of ad-aware and
boot into safe mode and run it, before posting a request for help. (How do I
boot into "Safe" mode?)

It appears that ad-aware is cleaning the files etc but not deleting the
registry entries associated with the clean so they may still show up in the
HijackThis log. If you still get the entries after booting into normal mode
and are not sure what to delete, post your log in the forum but mention what
version of ad-aware you run as well as the reference file version - This
will help in the resolution.

Also - If you request help, DO NOT reboot your computer until you receive a
response as the files change as soon as you reboot. If you receive no
response and you have rebooted - Post a new HijackThis log into your current
message - DO NOT start a new message again as we cannot keep up with all the
calls.
<paste/>

HTH -
--

LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
--------------------------------------------------------------------

"Alan" <anonymous@discussions.microsoft.com> wrote in message
news:2130601c45a5c$9951c320$a101280a@phx.gbl...
> This is a most insidious website:
> res://mshp.dll/index.html#37049
> I have spent hours of my time trying to stop this website
> from hijacking my homepage. Have downloaded Spybot Search
> and Destroy, Spyblaster, NoAdware6 - and nothing seems to
> work. Does anybody have any suggestions on how to stop
> this website from hijacking my homepage; and also, would
> love to find out who is personally responsible for this
> website and where it originates. I would pay this person
> a visit - in the flesh. If you have any thoughts about
> how to get rid of this website, please email Al at
> apt@sev.org Thanks.
> al
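
The pasted notice above says the res://<random>.dll/<random>.html#<random> entries can remain in the HijackThis log after cleaning and that the file names change on reboot. As an added example (not part of the original thread), this sketch flags such entries and compares two logs by registry location rather than by DLL name. The R-section line layout, the function names and the sample logs are assumptions constructed for illustration; only the mshp.dll URL comes from the thread.

```python
import re
from typing import NamedTuple

# Assumed HijackThis R-section layout: "R1 - <key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[0-3]) - ([^,]+),(.*?) = (.*)$")
# The res://<dll>/<page>#<fragment> shape quoted in the thread; the DLL may carry a path.
RES_URL = re.compile(r"^res://(.+?\.dll)/([^#\s]+)(?:#(\S+))?$", re.IGNORECASE)


class Finding(NamedTuple):
    code: str      # HijackThis section code, e.g. R0 or R1
    location: str  # registry key and value name holding the URL
    dll: str       # DLL file name, lower-cased, path stripped
    url: str       # full res:// URL as logged


def find_res_hijacks(log_text: str) -> list[Finding]:
    """Return R-section entries whose data is a res:// URL served from a DLL."""
    findings = []
    for line in log_text.splitlines():
        entry = R_ENTRY.match(line.strip())
        if not entry:
            continue
        code, key, name, data = entry.groups()
        res = RES_URL.match(data.strip())
        if res:
            dll = re.split(r"[\\/]", res.group(1))[-1].lower()
            findings.append(Finding(code, f"{key},{name}", dll, data.strip()))
    return findings


def persisting_locations(before: str, after: str) -> set[str]:
    """Registry values hijacked in both logs, even if the DLL name changed."""
    return ({f.location for f in find_res_hijacks(before)}
            & {f.location for f in find_res_hijacks(after)})


# Constructed sample logs (hypothetical DLL names except mshp.dll).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qwxyz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\abcde.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

if __name__ == "__main__":
    for f in find_res_hijacks(LOG_BEFORE):
        print(f.code, f.location, f.dll)
    print(persisting_locations(LOG_BEFORE, LOG_AFTER))
```

Matching on the registry location is what lets a second log be recognised as the same infection after the DLL has been renamed.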