Spyware warning background problem, HJT log attached
- Thread starter Wyx
- Start date
Mictlantecuhtli
Posts: 4,049 +13
Disable Active Desktop (or web content on desktop).
These look suspicious to me:
O4 - HKLM\..\Run: [FHAPage] C:\WINDOWS\system32\shdocha.exe home
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk
mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exe
These look suspicious to me:
O4 - HKLM\..\Run: [FHAPage] C:\WINDOWS\system32\shdocha.exe home
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk
mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exeThis is a bad one
I have been trying all day to get rid of it with no success
I change it back to active desktop the next minute it web content view again
with that background
I have been trying all day to get rid of it with no success
I change it back to active desktop the next minute it web content view again
with that background
Thanks
Yep thats sure what it looks like I spent over 2 hours trying to fix this
and I'm an onsite computer tech
I did a google for this and it came up with nothing
I will have to go back and do the reg thing, too bad I have to drive 20 miles
Thats the worst part about somebody elses house it can take forever doing multiple spyware scans, not like would could take a bath or mower the lawn
it the waiting that gets me, like Chinese water torture
Yep thats sure what it looks like I spent over 2 hours trying to fix this
and I'm an onsite computer tech
I did a google for this and it came up with nothing
I will have to go back and do the reg thing, too bad I have to drive 20 miles
Thats the worst part about somebody elses house it can take forever doing multiple spyware scans, not like would could take a bath or mower the lawn
it the waiting that gets me, like Chinese water torture
shdocha problem
I noticed others are having the same problem at about the same time that I got it with the same URL mentioned in this thread.
My computer opens up to a spyware warning that I cannot get rid of. IT is red, takes up almost all of the program ICON screen and has a link to security software called "regfreeze".
It also hijacked my Internet explorer start page.
In safe mode I searched for the file, found it, deleted it, and was able to re-start safely. I then must change my internet options to go back to where I want. IF I shut down and turn the computer back on, it goes back to the shdocha hijack. I've done this several times now over the last 24 hours.
I have also been on the phone with Dell and Microsoft and we were unable to resolve it.
If anybody has any ideas about this please let us know.
Derm
I noticed others are having the same problem at about the same time that I got it with the same URL mentioned in this thread.
My computer opens up to a spyware warning that I cannot get rid of. IT is red, takes up almost all of the program ICON screen and has a link to security software called "regfreeze".
It also hijacked my Internet explorer start page.
In safe mode I searched for the file, found it, deleted it, and was able to re-start safely. I then must change my internet options to go back to where I want. IF I shut down and turn the computer back on, it goes back to the shdocha hijack. I've done this several times now over the last 24 hours.
I have also been on the phone with Dell and Microsoft and we were unable to resolve it.
If anybody has any ideas about this please let us know.
Derm
Same here in Holland
I have exactly the same Adware problem as Derm.
That is my brother in law. I spend today 3 hours to fix it. Did not work.
Tried removing shdocha from register, removed the shdocha.exe, ran it in Safe modus step by step starting things, removed all start up items in msconfig, but the black screen with de red ad kept coming back.
Ad-Adware SE definitions 19-12-2005 did not recognize it.
Nor did any viruskiller.
I hope that Ad-aware will kill it in a few days or weeks.
Turning Active desktop off killed it temporarely, but as soon as the explorer was launched the black screen came back.
I have exactly the same Adware problem as Derm.
That is my brother in law. I spend today 3 hours to fix it. Did not work.
Tried removing shdocha from register, removed the shdocha.exe, ran it in Safe modus step by step starting things, removed all start up items in msconfig, but the black screen with de red ad kept coming back.
Ad-Adware SE definitions 19-12-2005 did not recognize it.
Nor did any viruskiller.
I hope that Ad-aware will kill it in a few days or weeks.
Turning Active desktop off killed it temporarely, but as soon as the explorer was launched the black screen came back.
Hey guys, I deal with this thing on a daily basis. I have currently 9 machines in my shop with this gremlin and the most cost effective fix for this is to back up your pics, docs, etc, and reload (formatting the HD before the reload). There currently is no other fix that we are aware of.
shdodcha
For those of us with this problem I did not have the call with Dell yesterday and will be unable to do it today.
This am I started in safe mode, searched for shdocha, and got two files this time instead of one. One was the usual shdochaC:\windows system32 and the other was shdocahexehomzxz016C:\documents&settings mic....
This was the first time for the second one. I deleted both and then re-started. I was surprised again when the default browser came up to my selection instead of being hijacked to the shdocha page.
Has anyone yet tried Tedster's suggestion?
For those of us with this problem I did not have the call with Dell yesterday and will be unable to do it today.
This am I started in safe mode, searched for shdocha, and got two files this time instead of one. One was the usual shdochaC:\windows system32 and the other was shdocahexehomzxz016C:\documents&settings mic....
This was the first time for the second one. I deleted both and then re-started. I was surprised again when the default browser came up to my selection instead of being hijacked to the shdocha page.
Has anyone yet tried Tedster's suggestion?
shdocha/software security ad problem
I am again short on time but I found this interesting. This morning I went to the Control Panel and opened the display Icon. In the settings for the screen saver and what not on the "appearance" tab, I could get nothing to work. Is it possible for this hijack with the almost full screen warning to have attached itself in that location so that it would come up all the time when the computer is on?
All other tabs worked as usual.
Good luck to all.
I am again short on time but I found this interesting. This morning I went to the Control Panel and opened the display Icon. In the settings for the screen saver and what not on the "appearance" tab, I could get nothing to work. Is it possible for this hijack with the almost full screen warning to have attached itself in that location so that it would come up all the time when the computer is on?
All other tabs worked as usual.
Good luck to all.
You are wasting time, and I hope you you are not paying for Dell tech support, there is currently no fix for this Smitfruad virus / hijacker. You may be able to remove the full screen message but you will not be able to repair the display properties. Bite the bullet - format and reload...you would be back in business by now. Dell tech support are a bunch of morons that are reading steps you should take from a pre-prepared list. When none of these steps will work, they will tell you to format your hard drive and reload your machine. Even if you have a warranty with dell, software is not covered by their warranty.
Thanks jettwo and tedster.
I tried the spybot already and will try ewido.
Alas I think jettwo may be right. I had a computer consultant I've used for years here yesterday and while he started confidently and did a million things I did not know how to do, to his surprise he did not get rid of it.
He went to webshots and downloaded a background that covered it up. I still know it's there though.
HE says that it is on in the background and is not disturbing anything. I can tell you it is disturbing me.
The display properties are frozen in place still also.
Oh well
MERRY CHRISTMAS ALL!
I tried the spybot already and will try ewido.
Alas I think jettwo may be right. I had a computer consultant I've used for years here yesterday and while he started confidently and did a million things I did not know how to do, to his surprise he did not get rid of it.
He went to webshots and downloaded a background that covered it up. I still know it's there though.
HE says that it is on in the background and is not disturbing anything. I can tell you it is disturbing me.
The display properties are frozen in place still also.
Oh well
MERRY CHRISTMAS ALL!
My son infected his machine with this one the other day. To find it/fix it I did the following.
Boot to Safe Mode
Make sure System Restore is OFF
Using Notepad I created two files in another directory called shdocha.dll and shdocha.exe. I marked these files read only and copied them over top of the offending .exe and .dll. Reboot the machine. This will take care of the immediate problem of the hijacked web page. It should also cause an error to be thrown by the app that actually creates shdocha.exe and shdocha.dll. In my sons case it was C:\windows\system32\temp\OSA.exe (note there is a valid osa.exe as well but it lives elsewhere). When the error is thrown and before you click OK to acknowledge the error look in taskmanger and make note of all running processes (In your case I would suspect that it is html.exe.). Click OK and see what process goes away this is very likely the offending app. Go delete the .exe that is causing the problem. If you are worried just rename it to something else. Also make sure it isn't running.
Now go to regedit and do a search for shdocha and cleanup the entries. You are also going to have an entry in /HKLM/Software/Microsoft/Windows/CurrentVersion/Run that starts up the executable that creates the shdocha files the name should match the name of the file you found in task manager.
Scott
Boot to Safe Mode
Make sure System Restore is OFF
Using Notepad I created two files in another directory called shdocha.dll and shdocha.exe. I marked these files read only and copied them over top of the offending .exe and .dll. Reboot the machine. This will take care of the immediate problem of the hijacked web page. It should also cause an error to be thrown by the app that actually creates shdocha.exe and shdocha.dll. In my sons case it was C:\windows\system32\temp\OSA.exe (note there is a valid osa.exe as well but it lives elsewhere). When the error is thrown and before you click OK to acknowledge the error look in taskmanger and make note of all running processes (In your case I would suspect that it is html.exe.). Click OK and see what process goes away this is very likely the offending app. Go delete the .exe that is causing the problem. If you are worried just rename it to something else. Also make sure it isn't running.
Now go to regedit and do a search for shdocha and cleanup the entries. You are also going to have an entry in /HKLM/Software/Microsoft/Windows/CurrentVersion/Run that starts up the executable that creates the shdocha files the name should match the name of the file you found in task manager.
Scott
Yes, it did. It took some detective work to find it all but I believe I got all of it.
I was told on another board today that the latest version of AVG 12/27 (free version) http://www.grisoft.com/ will detect and remove this although I don't have any proof. My son ran it this evening and it didn't find anything on his box but that may just mean that I got it all.
This page has a description of how these trojans work and it applies to what I found http://www.authentium.com/support/AVmatrix/VirusDetail.aspx?RefNo=732&VN=W32/Startpage.XL
Also it might pay to spend some time at www.sysinternals.com they have some killer free apps to help sort these things out. I find Autoruns , RegMon, and ProcessExplorer to be very useful.
Scott
I was told on another board today that the latest version of AVG 12/27 (free version) http://www.grisoft.com/ will detect and remove this although I don't have any proof. My son ran it this evening and it didn't find anything on his box but that may just mean that I got it all.
This page has a description of how these trojans work and it applies to what I found http://www.authentium.com/support/AVmatrix/VirusDetail.aspx?RefNo=732&VN=W32/Startpage.XL
Also it might pay to spend some time at www.sysinternals.com they have some killer free apps to help sort these things out. I find Autoruns , RegMon, and ProcessExplorer to be very useful.
Scott
jettwo it's fixed on my sons machine. He had the big background popup window and it had replaced his startpage in IE. Don't get me wrong this wasn't easy it took a fair amount of work and spelunking through both the disk and the registry to clean this puppy up. I am certain there are other versions of this one that may not be quite so easy to get rid of. Honestly if your time has any value it is probably easier to reinstall the OS. I also had the advantage of having a clean XP box to do some comparisons, I spent some time bouncing around the web doing reading. I took the time to go through the registry with a fairly fine toothed comb using some of the tools above as well as regedit. In my son's case I was lucky that it had not replaced any key OS files and did mostly simple tricks to hide itself. I was also lucky that my programming/QA/SysAdmin background has afforded me the opportunity to work with the registry and all of the issues/problems that can occur there. I would agree with you that if I had to deal with this on a daily basis I would backup the important files and just reinstall the OS.
[SoapBox] This not directed at anyone in particular so please no one take offense. The easiest way to fix these probelms is to prevent them in the first place. My son got his machine infected by clicking on an email attachment without thinking. He was running updated Virus Protection (Norton) but that won't always protect you from your own mistakes. Spend some time researching how to protect your machine and what to do when an infection strikes. Keep your machine updated with the latest virus and spyware definitions, don't depend upon one application to do it all for you. Apply the latest security patches if you are running Windows and don't forget to patch up MS Office as well. If you are using MS Outlook consider using another email program, it's not that Outlook is particularly bad but it is the one most often targetted, same thing goes for browsers not many virus writers are targetting FireFox for example. Get in the habit of doing periodic cleanup of the harddrive using at the minimum /Progam Files/Accessories/System Tools/Disk Cleanup. Become familiar with the Registry and some of the key areas that cause problems and where virus's/trojans get installed. Understand what system restore does on your machine and learn how to disable it. Don't be afraid to use the available tools to study your machines registry, but be sure of what you are doing if you change/remove something. Don't depend upon Windows Explorer to show you everything on the disk as it will never will. For example it's fairly easy to hide a file in C:\Windows\Downloaded Program Files or to do an exploit similar to the Sony Rootkit fiasco. Did I mention periodic backups ? Yes they are a pain but with a decent strategy not that difficult. Sooner or later you WILL get hit with some malware that does irrepairable damage to your machine and the better prepared you are the lower the impact. For example I recently lost a hard drive at work and within a couple of hours of getting a new harddrive/os install I was up and running with very minimal loss of data.
[/SoapBox]
Scott
[SoapBox] This not directed at anyone in particular so please no one take offense. The easiest way to fix these probelms is to prevent them in the first place. My son got his machine infected by clicking on an email attachment without thinking. He was running updated Virus Protection (Norton) but that won't always protect you from your own mistakes. Spend some time researching how to protect your machine and what to do when an infection strikes. Keep your machine updated with the latest virus and spyware definitions, don't depend upon one application to do it all for you. Apply the latest security patches if you are running Windows and don't forget to patch up MS Office as well. If you are using MS Outlook consider using another email program, it's not that Outlook is particularly bad but it is the one most often targetted, same thing goes for browsers not many virus writers are targetting FireFox for example. Get in the habit of doing periodic cleanup of the harddrive using at the minimum /Progam Files/Accessories/System Tools/Disk Cleanup. Become familiar with the Registry and some of the key areas that cause problems and where virus's/trojans get installed. Understand what system restore does on your machine and learn how to disable it. Don't be afraid to use the available tools to study your machines registry, but be sure of what you are doing if you change/remove something. Don't depend upon Windows Explorer to show you everything on the disk as it will never will. For example it's fairly easy to hide a file in C:\Windows\Downloaded Program Files or to do an exploit similar to the Sony Rootkit fiasco. Did I mention periodic backups ? Yes they are a pain but with a decent strategy not that difficult. Sooner or later you WILL get hit with some malware that does irrepairable damage to your machine and the better prepared you are the lower the impact. For example I recently lost a hard drive at work and within a couple of hours of getting a new harddrive/os install I was up and running with very minimal loss of data.
[/SoapBox]
Scott
After reading my own post and taking some of my own advice I would also reccomend reading all of the stickies at the top of this forum. It states a lot of what I said way better than I said it ;-)
I think in this case this particular sticky applies here
https://www.techspot.com/vb/topic17297.html
Scott
I think in this case this particular sticky applies here
https://www.techspot.com/vb/topic17297.html
Scott
Similar threads
Latest posts
-
CERN researchers create gold from lead in breakthrough nuclear experiment- GodisanAtheist replied