
res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm



#1 stinger_be


Posted 20 March 2005 - 08:26 AM

Hi, I'm new in this forum and this is my first post. I need some help regarding my browser. Whenever I click a link to open in a new browser, there would be nothing on the address bar or the page but when I click the stop button, this address would appear res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm. I had cleaned up my PC of various spyware and viruses using adaware, spyware doctor and some other software and online scanning tools earlier. Hope someone can help me please.

Here is a log from my Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:01 AM, on 2/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\victor\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] D:\Spyware Doctor\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c400.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


//Mod edit: this post moved from " Operating Systems -> Windows XP/NT/2000/2003" forum - KoanYorel

Edited by Grinler, 29 March 2005 - 04:06 PM.




#2 pskelley


Posted 20 March 2005 - 05:24 PM

Hello Victor, Welcome to BleepingComputer. If you still need help, let's do this.

1) Right click on a blank spot on the Desktop and make a NEW FOLDER called HJT. Move the HJT.exe into that folder so HJT will have a place to store backups for safety.

2) HJT indicates you have no Service Pack and no critical updates. You need to navigate to Windows Updates and download all suggested critical stuff for your computer. I do not suggest SP2 while you have this infection. Here is some valuable information to help you with the decision:
What you should know
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

3) Scan with HijackThis and check the box in front of each of these line items.

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
Make-deal.com malware
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
(above is SpywareDoctor which is not working, I will remove the O4 also. If you wish to continue using this software you will have to reinstall it once you are clean)
O4 - HKCU\..\Run: [Spyware Doctor] D:\Spyware Doctor\swdoctor.exe /Q
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
(I suggest you remove the above, I would be very, very careful who you allow into your trusted zone)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c400.cab
-Blazefind Windupdates Adware
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
-NProtect Adware

Close all programs but HJT and all browser windows then click on "Fix Checked"

RIGHT click on Start then click on Explore, locate and delete this folder. SpywareDoctor will replace it IF you download it again.

D:\Spyware Doctor >>> folder

Empty the recycle bin and restart the computer. Surf a bit to see how it's running then stay in this thread and post a new log along with any comments you think I should have.

Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 20 March 2005 - 05:26 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
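
The by-eye review in the reply above can be sketched as a small HijackThis log triage script. This is an added example, not part of the original thread and not HijackThis's own logic; the rules (flag `(no file)` / `(file missing)` entries, list O15 Trusted Zone hosts and O16 download hosts for manual review) and the function name `triage` are assumptions made for illustration, and the sample lines are copied from the log posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c400.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
"""

# "R3 - ...", "O16 - ..." etc.; process-list paths and header lines do not match.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")


def triage(log_text):
    """Return (section, reason, detail) tuples for entries that need a manual look.

    The reasons are review hints (an assumption of this example), not verdicts.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        clsid = CLSID.search(body)
        url = URL.search(body)
        host = urlparse(url.group()).hostname if url else None
        if body.endswith(("(no file)", "(file missing)")):
            # Registry entry points at a component that is no longer on disk.
            findings.append((section, "orphaned", clsid.group() if clsid else body))
        elif section == "O15" and host:
            findings.append((section, "trusted-zone", host))
        elif section == "O16" and host:
            findings.append((section, "activex-source", host))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:15} {detail}")
```

Every O16 host is listed, including legitimate scanner vendors; deciding which ones to remove still takes the kind of judgement shown in the reply.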

#3 stinger_be


Posted 23 March 2005 - 09:57 AM

Thanks pskelley, I did what you said but that did not fix the problem with my browser although I did manage to remove those unwanted searchhook and some vulnerabilities that were in my previous log. I had removed the virus earlier but guess some traces of the changes made by it were still left behind. Done a window installation keeping the existing system and updated the latest security and added zonealarm. All well now. Kept my computer in my friend's place when I went for a 2 months holiday and that's how it got infected!

#4 pskelley


Posted 23 March 2005 - 10:34 AM

Hello stinger_be, Glad to hear you did resolve your issues. If you will let me see a new log, I will have some great information that will help you stay safe and clean. Thanks...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 pskelley


Posted 29 March 2005 - 04:00 PM

No reply to my request for a last log. Thank you for visiting BleepingComputer. Since this problem has been resolved, I will close this thread. Thank you, pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



