Stupid Spyware


10 replies to this topic

#1 Christoph182

Christoph182

  • Members
  • 128 posts

Posted 07 June 2005 - 09:45 AM

Hey, I know my computer is full of spyware because my homepage keeps changing, and sometimes when I want to go to a site it just brings me to a page where I can remove spyware for a "low low" price. I don't want any of this, and I've been using ad-aware and spy doctor to scan all the time and nothing gets rid of it. And sometimes when I try to go to some webpage this will pop up in the link bar: res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm



#2 Herk

Herk

  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA

Posted 07 June 2005 - 10:23 AM

Hi, and welcome to Bleeping Computer.

Sounds to me like you need to post a HijackThis! log.

But first, it would probably be a good idea to run one of the following online trojan scanners:

Trend Micro House Call

Panda Active Scan

Then post your log here

Make sure to read the pinned thread "How to Submit a Hijackthis log," before you post.

#3 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 07 June 2005 - 02:35 PM

If your browser is being Hijacked the following program will help you disable browser hijackers:

This program lists all of the BHOs residing in Internet Explorer and advises you as to whether each one listed is to be considered dangerous or not, while giving you the ability to disable any that are dangerous or that you do not want or need.

BHODemon:
http://www.definitivesolutions.com/bhodemon.htm

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 07 June 2005 - 03:03 PM

Just to clarify, BHODemon is a tool for managing Browser Helper Objects. Browser helper objects are .DLLs that allow developers to customize and control Internet Explorer.

A browser hijacker can come in any number of forms, and often has nothing at all to do with BHO. So before you go downloading something you don't really need at this point (although it is a useful tool), follow Herk's advice.

So, in summation:
BHO != browser hijacker

#5 Christoph182

Christoph182
  • Topic Starter

  • Members
  • 128 posts

Posted 08 June 2005 - 06:31 AM

Sometimes I can't even get on the internet, it gives me a message "res://xmllib.dll/HTTP_Blocked.htm"

EDIT: so this means I have no way to go to the links you guys gave me

EDIT2: I can actually go to the links, just can't do scans, it just keeps saying res://xmllib.dll/HTTP_Blocked.htm.

Please use the edit button~g

Edited by groovicus, 08 June 2005 - 09:24 AM.


#6 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada

Posted 08 June 2005 - 08:21 AM

Have you done any scans with an anti-virus program? Have you used Ad-Aware or Spybot Search and Destroy?

Do you have, and can you run HiJack This?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#7 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 08 June 2005 - 11:27 AM

Just to clarify, BHODemon is a tool for managing Browser Helper Objects. Browser helper objects are .DLLs that allow developers to customize and control Internet Explorer.

A browser hijacker can come in any number of forms, and often has nothing at all to do with BHO. So before you go downloading something you don't really need at this point (although it is a useful tool), follow Herk's advice.

So, in summation:
BHO != browser hijacker

According to CASTLECOPS, the xmllib.dll referenced in one of Christoph182's posts is associated with a BHO installed by spyware/malware.

Sometimes I cant even get on the internet, it gives me a message "res://xmllib.dll/HTTP_Blocked.htm"


From CASTLECOPS:
GUID {60371670-81B9-4d06-9C42-4DEC1AABE62B}
Filename xmllib.dll
BHO Name XMLDP Class
Status X BHO
Description Trojan.StartPage.O

KEY:
# "X" - Certified spyware/foistware, or other malware
# "L" - Legitimate items
# "O" - Open to debate
# "?" - Unknown Status
# "BHO" - Browser Helper Object
# "TB" - Toolbar
http://castlecops.com/tk1850-xmllib_dll.html


If you can't get on the internet how are you posting here?

If possible, download the BHODemon tool and of course, run the web based scans as well.

#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 08 June 2005 - 11:34 AM

According to CASTLECOPS, the xmllib.dll referenced in one of Christoph182's posts is associated with a BHO installed by spyware/malware.


That's true, but BHODemon will not remove the cause of the infection, which will be a random named .exe found in the 04 section of the HJT log, so removing the BHO as you are instructing will not actually fix anything, but rather mask the symptoms so that when someone who actually knows what they are doing goes to help, they will be handicapped. :thumbsup:
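
The O2/O4 distinction made in the post above, shown as an added example that is not part of any poster's message or of HijackThis itself: a small parser that flags BHO (O2) lines whose GUID is on a blocklist and lists the startup (O4) entries that disabling the BHO leaves untouched. The sample log lines, the `qzxkvb.exe` and `ExampleAV` names, and the function name `triage` are constructed for illustration; only the GUID, file name and verdict come from the CastleCops entry quoted in the thread.

```python
import re

# GUID -> verdict. The one entry is the CastleCops listing quoted in the thread.
KNOWN_BAD_BHO = {"{60371670-81B9-4D06-9C42-4DEC1AABE62B}": "Trojan.StartPage.O"}

# O2 lines: "O2 - BHO: <name> - {GUID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<guid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 registry autoruns: "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")

# Constructed sample lines (not from the poster's machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\System32\xmllib.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\av.exe" /tray
O4 - HKLM\..\Run: [qzxkvb] C:\WINDOWS\System32\qzxkvb.exe
"""


def triage(log_text):
    """Return blocklisted BHOs plus every O4 autorun still needing review."""
    flagged, autoruns = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # GUIDs appear in mixed case in logs, so compare upper-cased.
            verdict = KNOWN_BAD_BHO.get(m["guid"].upper())
            if verdict:
                flagged.append({**m.groupdict(), "verdict": verdict})
            continue
        m = O4_RE.match(line)
        if m:
            # The blocklist says nothing about these; a helper must judge them.
            autoruns.append(m.groupdict())
    return {"flagged_bhos": flagged, "autoruns": autoruns}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bho in result["flagged_bhos"]:
        print("flagged BHO:", bho["path"], "->", bho["verdict"])
    for run in result["autoruns"]:
        print("autorun to review:", run["name"], run["command"])
```
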

#9 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 08 June 2005 - 11:44 AM

It will not remove it, because they feel that disabling it allows you to fix an error should you pick the wrong one, but BHODemon does indeed identify the BHO for what it is and allow you to disable it which should provide at least a temporary resolution for the problem.

After that is accomplished it would then be appropriate to post a HJT log and remove it permanently.

#10 Christoph182

Christoph182
  • Topic Starter

  • Members
  • 128 posts

Posted 08 June 2005 - 04:21 PM

OK, sometimes it gives me the message and sometimes it doesn't. When I can't even go to MSN.com or some simple site like that, I use the Ares program because it has an internet browser and it works for some reason. So let me get this straight from all the previous posts you guys have been trying to tell me. I have a bunch of spyware or whatever and I can't remove it with spybot or ad-aware because I already tried. So I'm going to run a Panda active scan and then see what's up, then download (but not fool around with Hijackthis, because I don't know what I'm doing with HJT) HJT and post a log on here for you guys to see what the problem is, right?? Does anyone have a better solution??

Edited by Christoph182, 08 June 2005 - 05:15 PM.


#11 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 08 June 2005 - 07:47 PM

Yes - Do the Hijack This download and follow the instructions given you by HJT board members here.

Do not attempt to use Hijack This to fix the problem yourself.

Wait until you get instructions from a HJT team member after you post your HJT log in the appropriate part of this forum.

Edited by Enthusiast, 08 June 2005 - 07:54 PM.




