January 9th, 2004, 04:06 AM
That was the picture link I had posted earlier, which makes me think "virus/worm". And no, the student doesn't attend and isn't anywhere near UTK.
I went through the thread he posted on the student forum and he mentions that every time he changed his "internet options" they got changed again. The popup is for a "survey" (to make money at home).
January 9th, 2004, 04:08 AM
My apologies for reposting the picture, when I tried your link it came up as "could not find search".
Hmm, why not have him scan for a virus:
A free, online-based ActiveX virus scanner that has never failed me. Better to scan and be sure than wonder if it is in fact a virus.
January 9th, 2004, 04:10 AM
I'll suggest it to him. If it doesn't pull anything, I'm gonna be at a loss of where to search. I've also given the student some registry keys to check (in case something is there).
I'm beginning to wonder if this is a new variant of something. That picture with the weird-ass name might be worthwhile for someone to poke around in to see if there's something there.
January 9th, 2004, 04:28 AM
Go to download.com, get a prog that's called HijackThis and run it. What it will do is scan your registry and show you both legit and **** software keys (spyware). You can tell it to remove all the keys and see if that popup comes back (warning: you may need to reinstall programs and special plugins), and have both Ad-Aware and Spybot up to date, and if it is an NT machine (2000 or XP) lock the HOSTS file and remove any other entry in it except localhost.
See if that helps. Other than that, he can always format and reinstall the OS and that should fix all of his/her problems (hehehe)
January 9th, 2004, 04:32 AM
I really don't like the sound of that. If it deletes legit programs then I wonder what else it deletes that we can't detect.
warning you may need to reinstall programs and special plugins
I do recommend, to both the user MsMitten is talking to, and Shepard, to use Spybot Search and Destroy as a spyware removal tool.
It's freeware, it's updated very often, and it searches for a huge list of specific spyware, adware, and worm builds, and snags the deep registry-hiding things that Ad-Aware tends to miss. Since he hand-codes the search locations the program looks for, we know it is only snagging real and legitimate spyware rather than taking a crack guess and removing Photoshop 7. Just my advice, because from my experience, like the virus scanner above, it has never failed me or the people I get to run it.
January 9th, 2004, 04:39 AM
HijackThis only deletes registry keys, not the actual program files,
thus the files will be intact but the programs won't work properly because they are not linked,
and you can always tell the program not to delete the keys that you don't want to, and if you do by accident it keeps a backup of everything it removes,
so it's a relatively safe program if you're not a total idiot, but from the sounds of it, doesn't seem like we have an issue in that department
January 9th, 2004, 04:46 AM
Seeing that it appears usually in email and BBS message headers (where a human wouldn't put it), I would agree with Phish and say that it is a default name of a manufacturer somewhere. Every reference to it seems to be the computer's name, and none seem to be placed there by humans. It could also be a proxy service used by a few ISPs.
I wouldn't worry about it being a sign of something else, though. There just aren't enough references to it being related to a virus to draw that conclusion IMHO.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
January 9th, 2004, 07:33 AM
HijackThis DOES delete files if you ask it to, that's why it makes backups of everything. I think HijackThis is your best bet at the moment, it might well be a BHO.
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
And no one can recall the gentle features in the queen's face that fair day, when the land here rested in holy peace and everyone had love to love with.
January 9th, 2004, 10:23 AM
No funny processes are running on his computer? (I guess he already looked for that, but who knows.)
You can also look for BHO Cop, a great program that I use for checking those nasty BHOs.
Oh, and I found a lot of stat pages for web sites that have this computer name as the remote host, and they are kind of old, so it's probably not a virus (well, for the hostname part). If it is, well, the virus has been out for a long time without anybody noticing it. So my guess is also a default config or a proxy somewhere (still talking about the host name problem).
For the popups part, you can also look at CWShredder and also try HijackThis. Maybe it's one variant of CWS spyware.
Also, what happens if he enters a bad URL in IE? The "normal" DNS not found, or some kind of search page? And what if he clicks on the Search button of his browser? Is the left panel "normal", or is that another look of search than the default IE?
January 9th, 2004, 11:58 AM
Well, I think I found it (and xicepik was the closest on the solution). The student answered my PM about what the page sets itself to. I got an interesting response.
The mshp.dll/index.html was what I used for the Google search (and boy, did I find lots). This is a nasty piece of work. I'm surprised in some ways that AV companies don't consider this malicious enough for AV Software. But I suppose it isn't really a virus, it isn't really a worm, it's not really spyware (or is it?). He'll be busy today I suspect.
My default webpage was set to about:blank, but no matter how many times I change it, in about 5 minutes or so it will automatically change to a page named "res://mshp.dll/index.html#37049". I don't think it is a web page since it does not begin with http, and it looks like it is some file inside my machine that is automatically changing my internet settings. And also I found out that the "res://mshp.dll/index.html#37049" will automatically link to a search page called "http://www.search-aid.com".
Now, I'm not fully familiar with XP (I don't have a spare box to run it on), but shouldn't its registry have the following:
He says he's missing his. I don't think I've ever run across a Windows machine without these...
Many thanks to everyone who helped.
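Two checks from this thread, the HOSTS-file lockdown (keep only the localhost entry) and the res:// start page the student reported, as an added example written for this page; it is my code, not anything posted by the thread's participants or shipped with HijackThis. The HOSTS text and the IE "Main" values are constructed samples, and the value names are my assumption, not the registry list the last post left out.

```python
import re
from typing import Dict, List

# Constructed sample HOSTS file (not from the thread). Only the localhost line
# belongs; the other two mappings are the extra entries the post says to remove.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.google.com    # a search engine pointed back at the box
192.0.2.10      search-aid.com
"""

# Constructed sample of the browser's start/search settings, held in a dict rather
# than read live from the registry so this runs anywhere. The value names are IE's
# own "Main" key values, chosen by me; the thread does not list the keys it checked.
SAMPLE_IE_MAIN = {
    "Start Page": "res://mshp.dll/index.html#37049",
    "Default_Page_URL": "about:blank",
    "Search Page": "http://www.search-aid.com",
    "Local Page": r"C:\WINDOWS\system32\blank.htm",
}

# A res:// start page points into a DLL resource on the local machine, which is the
# tell-tale the student noticed; search-aid.com is the landing site named in the thread.
HIJACK_INDICATORS = (
    re.compile(r"^res://", re.IGNORECASE),
    re.compile(r"search-aid\.com", re.IGNORECASE),
)


def hosts_extra_entries(hosts_text: str) -> List[str]:
    """Return HOSTS lines mapping any name other than 'localhost' (comments ignored)."""
    extras = []
    for line in hosts_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop trailing comments
        fields = entry.split()
        if len(fields) < 2:  # blank, comment-only, or malformed line
            continue
        if [name.lower() for name in fields[1:]] != ["localhost"]:
            extras.append(entry)
    return extras


def suspicious_ie_values(main_values: Dict[str, str]) -> Dict[str, str]:
    """Return the start/search values that match a hijack indicator."""
    return {name: value for name, value in main_values.items()
            if any(p.search(value) for p in HIJACK_INDICATORS)}
```

Run against the samples, the HOSTS check reports the two non-localhost mappings and the IE check flags the Start Page and Search Page values, which is the same pair of symptoms the thread traced.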