Windows XP Puzzlement? *solved* - Page 2

Thread: Windows XP Puzzlement? *solved*

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    That was the picture link I had posted earlier, which makes me think "virus/worm". And no, the student doesn't attend, and isn't anywhere near, UTK.

    I went through the thread he posted on the student forum and he mentions that every time he changed his "internet options" they got changed again. The popup is for a "survey" (to make money at home).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    My apologies for reposting the picture, when I tried your link it came up as "could not find search".

    Hmm, why not have him scan for a virus:

    http://housecall.antivirus.com

    A free, online based ActiveX virus scanner that has never failed me. Better to scan and be sure than wonder if it is in fact a virus.

  3. #13
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'll suggest it to him.. If it doesn't pull anything I'm gonna be at a loss of where to search. I've also given the student some registry keys to check (in case something is there).

    I'm beginning to wonder if this is a new variant of something.. That picture with the weird-ass name might be worthwhile for someone to poke around in to see if there's something there..

  4. #14
    Junior Member
    Join Date
    Dec 2003
    Posts
    2

    possible

    Go to download.com and get a program called HijackThis and run it. What it will do is scan your registry and show you both legit and **** software keys (spyware). You can tell it to remove all the keys and see if that popup comes back (warning: you may need to reinstall programs and special plugins), and have both Ad-Aware and Spybot up to date, and if it is an NT machine (2000 or XP) lock the HOSTS file and remove any other entry in it except localhost.

    See if that helps. Other than that, he can always format and reinstall the OS and that should fix all of his/her problems (hehehe)

  5. #15
    warning: you may need to reinstall programs and special plugins
    I really don't like the sound of that. If it deletes legit programs, then I wonder what else it deletes that we can't detect.

    I do recommend, to both the user MsMitten is talking to, and Shepard, to use Spy Bot Search and Destroy as a spyware removal tool.

    http://www.safer-networking.org/

    It's freeware, it's updated very often, and it searches for a huge list of specific spyware, adware, and worm builds, and snags the deeply registry-hiding things that Ad-Aware tends to miss. Since he hand-codes the search locations the program looks for, we know it is only snagging real and legitimate spyware rather than taking a crack guess and removing Photoshop 7. Just my advice, because from my experience, like the virus scanner above, it has never failed me or the people I get to run it.

  6. #16
    Junior Member
    Join Date
    Dec 2003
    Posts
    2
    HijackThis only deletes registry keys, not the actual program files,
    thus the files will be intact but the programs won't work properly because they are not linked.

    And you can always tell the program not to delete the keys that you don't want to, and if you do by accident it keeps a backup of everything it removes.

    So it's a relatively safe program if you're not a total idiot, but from the sounds of it, it doesn't seem like we have an issue in that department.

  7. #17
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Seeing that it appears usually in email and BBS message headers (where a human wouldn't put it), I would agree with Phish and say that it is a default name of a manufacturer somewhere. Every reference to it seems to be the computer's name, and none seem to be placed there by humans. It could also be a proxy service used by a few ISPs.

    I wouldn't worry about it being a sign of something else, though. There just aren't enough references to it being related to a virus to draw that conclusion, IMHO.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  8. #18
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    HijackThis DOES delete files if you ask it to; that's why it makes backups of everything. I think HijackThis is your best bet at the moment, it might well be a BHO.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can remember the gentle features of the queen's face on that fair day, when the land here rested in holy peace and everyone had love to love with.

  9. #19
    Member
    Join Date
    Dec 2003
    Posts
    31
    No funny processes are running on his computer? (I guess he already looked for that, but who knows)

    You can also look for BHO Cop, a great program that I use for checking those nasty BHO.

    Oh, and I found a lot of stat pages for web sites that have this computer name as the remote host, and they are kind of old, so it's probably not a virus (well, for the hostname part).. If it is, well, the virus has been out for a long time without anybody noticing it. So my guess is also a default config or a proxy somewhere (still talking about the host name problem).

    For the popups part, you can also look at CWShredder and also try HijackThis. Maybe it's one variant of CWS spyware.
    (http://www.spywareinfo.com/~merijn/downloads.html)
    (http://www.spywareinfo.com/~merijn/cwschronicles.html)
    (http://www.spywareguide.com/product_show.php?SPY=599)

    Also, what happens if he enters a bad URL in IE? The "normal" DNS not found, or some kind of search page? And what if he clicks on the Search button of his browser? Is the left panel "normal", or is it a different search look than the default IE?

  10. #20
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Well, I think I found it (and xicepik was the closest on the solution). The student answered my PM about what the page sets itself to. I got an interesting response..

    My default webpage was set to about:blank, but no matter how many times I change it, in about 5 minutes or so it will automatically change to a page named "res://mshp.dll/index.html#37049". I don't think it is a web page since it does not begin with http, and it looks like it is some file inside my machine that is automatically changing my internet settings. And also I found out that the "res://mshp.dll/index.html#37049" will automatically link to a search page called "http://www.search-aid.com"
    The mshp.dll/index.html was what I used for the Google search (and boy, did I find lots). This is a nasty piece of work. I'm surprised in some ways that AV companies don't consider this malicious enough for AV software. But I suppose it isn't really a virus, it isn't really a worm, it's not really spyware (or is it?). He'll be busy today I suspect.

    Now, I'm not fully familiar with XP (I don't have a spare box to run it on) but shouldn't its registry have the following:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    He says he's missing his. I don't think I've ever run across a Windows machine without these...

    Many thanks to everyone who helped.
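A read-only check for the symptoms described in this thread, added here as an example and not code posted by anyone in the thread: it reads the IE start and search page values and flags any that contain the `res://mshp.dll` prefix or the `search-aid.com` host quoted above, lists the entries under the Run, RunOnce and RunServices keys (reporting a key as missing if it is absent), enumerates installed Browser Helper Objects with the DLL each CLSID points at (the BHO question raised in #18 and #19), and prints HOSTS entries other than localhost (the HOSTS point raised in #14). The two indicator strings are the only thread-specific values; the cmdlets are standard and the script assumes Windows PowerShell 5.1 or later with the HKCU: and HKLM: drives. One caveat on the post's question: RunServices exists only on Windows 9x/ME, so its absence on XP is expected, while Run and RunOnce should be present.

```powershell
# Added example, not from the thread. Read-only: nothing here modifies the registry or files.
# Indicator strings come from the student's report quoted above; everything else is generic.
$Indicators = @('res://', 'mshp.dll', 'search-aid.com')

function Test-Indicator([string]$Text) {
    # True if any indicator substring appears in $Text (case-insensitive -like).
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

function Get-IeStartPage {
    # The values a start-page hijack rewrites, per-user and machine-wide.
    $paths = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
               'HKLM:\Software\Microsoft\Internet Explorer\Main')
    foreach ($p in $paths) {
        foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
            $v = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
            if ($v) {
                [pscustomobject]@{ Key = $p; Value = $name; Data = $v; Suspicious = (Test-Indicator $v) }
            }
        }
    }
}

function Get-RunKeyEntries {
    # RunServices is a Windows 9x/ME key; its absence on NT-family (2000/XP) is normal.
    foreach ($k in 'Run', 'RunOnce', 'RunServices') {
        $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Key = $k; Name = '(key missing)'; Command = $null;
                               Suspicious = ($k -ne 'RunServices') }
            continue
        }
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        $props = (Get-ItemProperty -Path $path).PSObject.Properties |
                 Where-Object { $_.Name -notmatch '^PS' }
        foreach ($e in $props) {
            [pscustomobject]@{ Key = $k; Name = $e.Name; Command = $e.Value;
                               Suspicious = (Test-Indicator "$($e.Value)") }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO is a CLSID subkey; resolve it to the in-process DLL it loads.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Dll = $server
                           DllExists = [bool]($server -and (Test-Path $server))
                           Suspicious = (Test-Indicator "$server") }
    }
}

function Get-NonLocalhostHostsEntries {
    # Anything beyond the localhost line deserves a look on a machine showing these symptoms.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }
}

Write-Host '== IE start/search page values =='; Get-IeStartPage | Format-Table -AutoSize
Write-Host '== Run / RunOnce / RunServices =='; Get-RunKeyEntries | Format-Table -AutoSize
Write-Host '== Browser Helper Objects ==';      Get-BrowserHelperObjects | Format-Table -AutoSize
Write-Host '== HOSTS entries other than localhost =='; Get-NonLocalhostHostsEntries
```

Run it as the affected user so the HKCU values are the hijacked profile's; the HKLM reads need no elevation. A `Suspicious = True` row, a BHO whose DLL path does not exist on disk, or a Run entry pointing at an unfamiliar DLL is the lead to follow up with HijackThis or CWShredder as the thread suggests; the script itself changes nothing.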
