
Res://c:\windows\system32\shdoclc.dll/navcancl.htm


This topic is locked. 17 replies to this topic.

#1 catsrulenky (Members, 8 posts)

Posted 22 July 2008 - 04:00 PM

I'm new to this forum (my 1st post!) and I'm really hoping to find a solution to the issue I'm having with my computer. I've seen other forums which seem to offer solutions, but so far nothing seems to be working. I've attached (I hope) my HijackThis logfile in hopes of finding the right solution.

Attached Files



#2 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 07 August 2008 - 12:00 PM

Hi and welcome,

Sorry for the delay. We have been backlogged.

Is it only the insightbb page you have trouble getting to? Any others?

If you still need help please do the following:

Please download Deckard's System Scanner (DSS) (alternate download site) and save it to your Desktop.

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts. (On Vista; right click dss.exe and choose run as administrator)
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

-- If dss.exe hangs up anywhere during scan, please note where in scan it hung up and let me know.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#3 catsrulenky (Topic Starter; Members, 8 posts)

Posted 10 August 2008 - 03:43 PM

After perusing through the bleepingcomputer.com site, I can tell y'all are busy. I really appreciate the help this site provides. Here are the 2 files you requested. I look forward to your response.

Attached Files



#4 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 12 August 2008 - 09:55 PM

Hello :thumbsup:

Sorry for delay getting back to you.
We are looking over your logs & should get back ASAP!

Can you give a brief outline of the issues you are having please?

Also -- are you aware of the commercial keylogger/monitor tool present?

http://www.symantec.com/security_response/...-99&tabid=2
http://research.sunbelt-software.com/threa...;threatid=44200
http://www.software.com/view/8794/14/webwatcher/
http://www.webwatchernow.com/Monitoring-So...aff.html?sid=99

Did you install this? Some may install it to watch what their children, employees, etc are doing on the computer.
Let me know if you installed it so it won't be targeted in cleanup.
Else we may ask you to uninstall it for cleanup then you can re-install when done.

Besides that tool -- there are a few issues that need to be addressed but would like to know about the above program before we continue.
It may not be me that gets back to you but another helper should be along shortly.

Thanks for your patience!

Blender

#5 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 13 August 2008 - 10:29 PM

Hello, catsrulenky.
You may have a SmitFraud variant. I need to gather some more information. Please follow these instructions:
  • Please download SmitfraudFix, and save it to your desktop.
  • Double-click SmitfraudFix.exe, on your desktop.
  • Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Look here for more details.

In your next reply, please include the following:
  • SmitFraudFix's Rapport.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 catsrulenky (Topic Starter; Members, 8 posts)

Posted 15 August 2008 - 02:06 PM

Hi.

My wife just called and said she could not access our e-mail account from home, so I logged in via my work computer to send a quick reply. I am aware of the keylogger program but I have no qualms about removing it if it helps alleviate the issues I'm having.

I will attempt to access our e-mail when I get home and if I do, will send the SmitFraudFix's Rapport.txt at that time.

The first issue noticed was the inability to log in to our homepage (insightbb.com). For the insightbb.com website, the following URL address appeared: res:\\C:\Windows\System32\shdoclc.dll\navcancl.htm

Since then, we have discovered that kohls.com does the same thing.

We are now experiencing problems accessing our banking website and e-mail page, although these just return an error message, not the URL address mentioned above.

Any other help you can provide would be great. I was considering re-installing Windows XP this weekend. Your thoughts?

#7 catsrulenky (Topic Starter; Members, 8 posts)

Posted 15 August 2008 - 05:23 PM

Billy3--

Here is the SmitFraudFix's rapport.txt file.

Attached Files



#8 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 15 August 2008 - 07:35 PM

Hello, catsrulenky.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

#9 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 17 August 2008 - 12:41 PM

Mistake on my part :thumbsup:

Topic reopened.

Edited by Billy O'Neal, 17 August 2008 - 07:27 PM.


#10 catsrulenky (Topic Starter; Members, 8 posts)

Posted 20 August 2008 - 07:07 PM

Billy3--

Here is the ComboFix Report.

catsrulenky

Attached Files



#11 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 20 August 2008 - 10:38 PM

Hello, catsrulenky.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    
    EXTRA::
    
    suspect::[54]
    C:\hp\bin\CLOAKER.EXE
    C:\WINDOWS\system32\btajffm\Director_lzvhba.dll
    C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys
    
    DirLook::
    C:\WINDOWS\system32\btajffm
    
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DMAScheduler"=-
    "HPBootOp"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    
    O16 -: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///F:/CDVIEWER/CdViewer.cab
    
    file::
    C:\WINDOWS\Downloaded Program Files\cdviewer.inf
    C:\WINDOWS\Downloaded Program Files\IR87.txt
    C:\WINDOWS\Downloaded Program Files\IR6.txt
    C:\WINDOWS\Downloaded Program Files\IR159.txt
    C:\WINDOWS\Downloaded Program Files\IR149.txt
    C:\WINDOWS\Downloaded Program Files\IR148.txt
    C:\WINDOWS\Downloaded Program Files\IR144.txt
    C:\WINDOWS\Downloaded Program Files\IR14.txt
    C:\WINDOWS\Downloaded Program Files\IR138.txt
    C:\WINDOWS\Downloaded Program Files\IR13.txt
    C:\WINDOWS\Downloaded Program Files\IR127.txt
    C:\WINDOWS\Downloaded Program Files\IR126.txt
    C:\WINDOWS\Downloaded Program Files\IR110.txt
    C:\WINDOWS\Downloaded Program Files\IR109.txt
    C:\WINDOWS\Downloaded Program Files\IR101.txt
    C:\WINDOWS\Downloaded Program Files\IR100.txt
    C:\WINDOWS\Downloaded Program Files\dict.dat
    C:\WINDOWS\Downloaded Program Files\unicows.dll
    C:\WINDOWS\Downloaded Program Files\iiscomplib2.dll
    C:\WINDOWS\Downloaded Program Files\picn6320.dll
    C:\WINDOWS\Downloaded Program Files\picn9120.dll
    C:\WINDOWS\Downloaded Program Files\picn9020.dll
    C:\WINDOWS\Downloaded Program Files\picn20.dll
    C:\WINDOWS\Downloaded Program Files\AmiDicomDirTreeView21.ocx
    C:\WINDOWS\Downloaded Program Files\AmiViewerLite21.ocx
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image showing CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
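Before a CFScript like the one in post #11 is dragged onto ComboFix, it is worth seeing exactly what it asks the tool to do. The Python reviewer below is an added example, not code from this thread or from ComboFix; it assumes the directive meanings as used in the thread (file:: deletes, suspect:: collects for analysis, DirLook:: lists a folder, registry:: uses .reg syntax where "Name"=- removes a value and [-Key] removes a key) and runs over a constructed, shortened copy of that script.

```python
"""Added example, not code from the thread or from ComboFix: groups what a CFScript.txt
asks ComboFix to do so it can be checked before running. Directive meanings are assumed."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^([A-Za-z]+)::(?:\[\d+\])?$")  # header: 'file::', 'suspect::[54]'

# Constructed sample: a shortened copy of the script posted in #11 above.
SAMPLE_CFSCRIPT = r"""
suspect::[54]
C:\hp\bin\CLOAKER.EXE
C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys
DirLook::
C:\WINDOWS\system32\btajffm
registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMAScheduler"=-
"HPBootOp"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
file::
C:\WINDOWS\Downloaded Program Files\cdviewer.inf
C:\WINDOWS\Downloaded Program Files\unicows.dll
"""

def parse_cfscript(text):
    """Group non-blank lines under their directive name (lower-cased)."""
    sections, current = defaultdict(list), None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if SECTION_RE.match(line):
            current = line.split("::")[0].lower()
        elif current is None:
            raise ValueError(f"line outside any directive: {line!r}")
        else:
            sections[current].append(line)
    return dict(sections)

def registry_actions(lines):
    """Split .reg-style lines into keys to delete and (key, value) pairs to delete."""
    keys, values, key = [], [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):      # [-Key] removes the whole key
            keys.append(line[2:-1]); key = None
        elif line.startswith("[") and line.endswith("]"):     # [Key] opens a key
            key = line[1:-1]
        elif key and line.startswith('"') and line.endswith('"=-'):  # "Name"=- removes a value
            values.append((key, line[1:-3]))
    return keys, values

def review(text):
    """Return the requested actions grouped by effect (delete, submit, list)."""
    s = parse_cfscript(text)
    keys, values = registry_actions(s.get("registry", []))
    return {"delete_files": s.get("file", []), "submit_suspects": s.get("suspect", []),
            "list_dirs": s.get("dirlook", []), "delete_keys": keys, "delete_values": values}
```

Anything the review lists under delete_files or delete_keys that the user recognises as legitimately installed (here, for instance, the CD viewer controls) is what to raise with the helper before running the script.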

#12 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 24 August 2008 - 12:22 AM

Hello, catsrulenky.

Are you still here?

Billy3

#13 catsrulenky (Topic Starter; Members, 8 posts)

Posted 24 August 2008 - 07:52 AM

Hi Billy3--

I never got your reply from 8/20. I should be able to re-run ComboFix today.

--catsrulenky

#14 catsrulenky (Topic Starter; Members, 8 posts)

Posted 24 August 2008 - 08:12 PM

Billy3--

Here's the ComboFix file you requested. I named it 'ComboFix2' in case we need to refer back to the original.

Thanks for all your help.

--catsrulenky

Attached Files



#15 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 24 August 2008 - 11:25 PM

Hello, catsrulenky.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3



