Startpage.NBS


arrowsmithmidwest
November 10th, 2004, 12:42 AM
Hi all,

Symptoms: Homepage is automatically always set to: hxxp:// %68%6F%6D%65%70%61%67%65%2E%63%6F%6D%00@%77%77%77%2e%65%2d%66%69%6e%64%65%72%2e%63%63/%68%70/

If I change it to anything else, it resets itself back. I can now access other sites, but it is just the homepage not working. I do not want to leave it like this because I know the computer is still infected.

This trojan is this file: msmsgsui.exe

NOD will pick it up, remove it, but refresh, it comes back.


Running XP Pro /SP2
I have also run updated:

- Ad-Aware SE - this will clean many items, remove OK, clean again and they are back as well.

- Service Pack 2 - all updates after SP2.

- SpyBot S & D - this picked up many items as well, but these ones haven't returned.

- CWShredder - This removes 16 infected IE registries. These return as well.

- Hijackthis - I have followed instructions from here http://forums.thatcomputerguy.us/index.php?showtopic=1959

I can only clean the dpe.dll file, but this keeps returning as well.
The shdoclc.dll file is also involved in this mess.
So is the Trojandownloader.Agent.BC trojan, as this pops up as well every so often in the System Volume Information. SYSTEM RESTORE IS NOW TURNED OFF.

Here is the hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:16:42 PM, on 10/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

~~snip ~~ Hijack This log removed - Blackspear.

How can I get NOD to remove this virus once and for all?
If anyone has any ideas on what to do next, a big thank you.
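
The homepage value quoted in the post above hides its destination behind percent-encoding and a decoy name placed before the `@`. The following Python is an added example, not part of the original thread: it decodes such a value and reports the host a browser would actually contact. The function name and flag labels are illustrative assumptions.

```python
from urllib.parse import unquote

# Homepage value exactly as quoted (defanged) in the first post of this thread.
POSTED_URL = ("hxxp:// %68%6F%6D%65%70%61%67%65%2E%63%6F%6D%00@"
              "%77%77%77%2e%65%2d%66%69%6e%64%65%72%2e%63%63/%68%70/")

def analyze_homepage(url: str) -> dict:
    """Decode a homepage URL and separate the decoy userinfo from the real host."""
    # Undo forum defanging and stray whitespace before parsing.
    cleaned = "".join(url.split()).replace("hxxp://", "http://", 1)
    _, sep, rest = cleaned.partition("://")
    if not sep:
        rest = cleaned
    authority, _, raw_path = rest.partition("/")
    # Split on the raw '@' first: an encoded %40 is data, not a delimiter.
    raw_userinfo, _, raw_host = authority.rpartition("@")
    userinfo = unquote(raw_userinfo, errors="replace")
    host = unquote(raw_host, errors="replace").split(":")[0].lower()

    flags = []
    if userinfo and "." in userinfo:
        # Userinfo shaped like a hostname exists only to mislead the reader.
        flags.append("userinfo-decoy")
    if "\x00" in userinfo:
        # A NUL byte can truncate what some address bars and tools display.
        flags.append("embedded-nul")
    if "%" in raw_host:
        # Legitimate hostnames have no need for percent-encoding.
        flags.append("encoded-host")

    return {
        "real_host": host,
        "decoy": userinfo.replace("\x00", ""),
        "path": "/" + unquote(raw_path, errors="replace"),
        "flags": flags,
    }

if __name__ == "__main__":
    for key, value in analyze_homepage(POSTED_URL).items():
        print(f"{key}: {value!r}")
```

Running the same check against the Internet Explorer start page value after cleanup confirms whether the hijack has really gone: a clean value produces an empty flag list.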

Blackspear
November 10th, 2004, 01:29 AM
{QUOTE-> How can I get NOD to remove this virus once and for all? If anyone has any ideas on what to do next, a big thank you. <-QUOTE}
Have you tried booting into Safe Mode and running a scan that way?

More info here on what works very well: http://www.wilderssecurity.com/showthread.php?t=47830

You could also "Slave" the drive of a Clean system and have Nod scan it that way.

Hope this helps...

Let us know how you go...

Cheers ;D

Chris12923
November 10th, 2004, 01:34 AM
Hello and welcome Arrowsmithmidwest.

First off, Wilders does not support posting of HijackThis logs, as stated in this thread http://www.wilderssecurity.com/showthread.php?goto=newpost&t=42148 so I am pretty sure the mods will edit and delete your HJT log :(
Now on to cleaning your infected machine. Have you tried NOD in safe mode? If not, I would try following the instructions provided by Blackspear, one of the very nice helpers here at Wilders, located at http://www.wilderssecurity.com/showthread.php?t=50662.
If you have already used NOD in safe mode and followed those steps and your problem still exists, I would come back and let us know if anything changed.

[EDIT: Looks like I was typing while Blackspear was posting. :)]

Good luck and I hope this helps,

Chris

Sweetie(*)(*)
November 10th, 2004, 01:34 AM
Have you downloaded MSN Plus? It contains the LOP hijacker.

You can copy your HJT log HERE (http://hijackthis.de/index.php?langselect=english) it's an automated analyzer.

MSMSGSVC.exe is a BHO

Ailric
November 10th, 2004, 01:47 AM
Just seeing the title of this thread set off a warning in McAfee 9.0 - impressive.

I would do as the others have mentioned. I would also download Ewido Security Suite, update it, reboot to safe mode and scan. Ewido is an easy and highly thought of anti-trojan.

arrowsmithmidwest
November 10th, 2004, 01:48 AM
Thanks for the quick response, I spose it doesn't matter if someone edits out the log.

And thanks for the link of the analyzer, Sweetie :)

Anyway, I have tried running it in a slave computer, that was the 1st thing I tried.

Haven't tried safe mode at this stage.

But thanks to Sweetie, the analyzer picked up 21 nasties. I will see what I can do from here and post the results.

cheers

Blackspear
November 10th, 2004, 02:10 AM
{QUOTE-> Haven't tried safe mode at this stage. <-QUOTE}
Hi Arrowsmith, the link I posted has pretty extensive steps for persistent infections.

Cheers ;D

arrowsmithmidwest
November 10th, 2004, 03:54 AM
Thanks everyone,

The problem is now fixed.

Before following this sequence please make sure Windows restore is OFF, and delete recycle bin, temp files and temp. internet files with the cleanmgr.

This is exactly how I fixed it, for anyone reading this thread with the same issue:

1) Booted up in safe mode.

2) Removed the known virus manually by deleting it. "Msmsgsui.exe"

3) Ran NOD32 full system scan to make sure there was nothing else.

4) Ran Ad-Aware SE, picked up 872 new items. (Whereas in normal mode it only picked up about 20.)

5) Ran Spy Bot S&D, *apparently my system is clean*, yeah right.

6) Ran CWSweeper, picked up about 20 IE infections in registry.

7) Ran HiJackThis, exported the log to my work computer and analyzed it with the link that Sweetie showed me. (See above, post #4 I think.)

8) With a list of 21 nasties, removed them all with HiJackThis except the MSMSGSVC.exe, which I had to manually delete.

9) Performed another virus scan to double check.

10) Rebooted the computer back into normal mode.

11) Went into IE options, Reset IE. Go to Programs, "Reset Web Settings", ensured that the tick was on for reset default homepage as well. Close out of IE options and IE if you were in it.


*** The internet now worked flawlessly.***


cheers

Chris12923
November 10th, 2004, 09:52 AM
Glad to hear it is fixed.

Thanks,

Chris