another res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm [Archive]

View Full Version : another res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm

trip

01-20-2005, 10:49 AM

Greetings, apologies for redundancy, but when I look at other logs I see that there are some differences in operating systems that make me hesitate to just jump in and start messing around in my registry. Same problem though, home page hijacked and porno popups. However I am sure that there is more in there to add to the mess. Any help would be much appreciated. Here is the logfile from my machine.
Thanks , Trip

Logfile of HijackThis v1.99.0
Scan saved at 10:13:06 AM, on 01/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\CTFMONSS.EXE
C:\WINNT\system32\CSRSSW.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\eleven\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINNT\wtlbass32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [CTFMONSS] C:\WINNT\system32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINNT\system32\CSRSSW.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINNT\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ildmkuhn.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

nightowl

01-20-2005, 11:23 AM

http://forums.designtechnica.com/showthread.php?t=5583

Download Spybot, AdAware (Links Above)

Delete what they find, Remove cookies, Temporary Internet files,Empty Recycle Bin, then post a new log, thanks..........Jim

trip

01-20-2005, 05:53 PM

Hello Jim,
Thanks for your help. I downloaded spybot, ran it, then ran AdAware. and followed your other instructions. Here is the new log.
Trip

Logfile of HijackThis v1.99.0
Scan saved at 6:18:04 PM, on 01/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\CTFMONSS.EXE
C:\WINNT\system32\CSRSSW.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\eleven\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINNT\wtlbass32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [CTFMONSS] C:\WINNT\system32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINNT\system32\CSRSSW.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINNT\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ildmkuhn.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

nightowl

01-20-2005, 07:51 PM

Reboot To Safe Mode (tap F8 on Startup)

Delete these Files

C:\WINNT\system32\CTFMONSS.EXE
C:\WINNT\system32\CSRSSW.EXE

Still In Safe Mode Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINNT\wtlbass32.dll
O4 - HKCU\..\Run: [CTFMONSS] C:\WINNT\system32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINNT\system32\CSRSSW.EXE
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ildmkuhn.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Still In Safe Mode Delete all Temporary Internet Files, Cookies, Do a Defrag on your C Drive, Empty recycle bin.

Start/All Programs/Accessories/System Tools/Disc Defragment

Then Reboot and post a new log..........Jim

trip

01-20-2005, 09:24 PM

Hello again Jim,
Here is the latest log. After following your instructions it seems that things are running normally again. My home page loads properly and the popups have not returned.

One odd thing that I noticed is a message when try to get this site up a dialogue box opens up with the message that Spybot has stopped a "double click button", and then a blank page appears in the IE browser. I have been able to get around it though I guess. Anyway thanks very much for helping me with
solving this problem, I really appreciate it.
Trip

Logfile of HijackThis v1.99.0
Scan saved at 9:42:21 PM, on 01/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\eleven\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.comcast.net/~wedgwood4056/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINNT\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

nightowl

01-20-2005, 09:31 PM

Your log looks good. Download SpywareBlaster for prevention Here is the link.

http://www.javacoolsoftware.com/spywareblaster.html

On that problem with Spybot, Ask ECA, He is the expert on that Program. I'll let him know about this and he should post back in a day or so. Otherwise your computer is clean.........Jim :vivi

ECA

01-20-2005, 10:05 PM

I saw that only one time..
Its a bot trying to infect your system. It stops it from rendering the page...But IE, got a call, so it displays the box... BESt to just hit the "X" in the corner if it will go away that way.

trip

01-22-2005, 07:48 AM

Eca and Jim,
My machine and internet connection seem to be running a million miles an hour now. It is great. Any tips on how often to update the spyblaster, spybot, and hijackthis programs? Gads it's a war out there! I have an entirely new subdirectory titled "security" now. Phew. Thanks for sharing your generosity and expertise.
Trip

ECA

01-22-2005, 10:18 AM

Spybot, adaware, spywareblaster, and YOUR AV, should be updated and RAN 1 time aweek, MINNIMUM..
Dont think your AV is Always working..its best to do a FULL(all programs) scan, 1 time aweek.
ALSO make sure spybot has both SDHELPER and teatimer running(advanced mode, tools resident) Also there is a HOSTS file in there, TURN it on also, its a BAN list. And add it EACH time you update.
Teatimer will TELL you when something is TRYING to change the Reg...You KNOW when you are adding programs..so you can STOP it from adding STUFF, if you ARNT...

nightowl

01-22-2005, 12:10 PM

Hi Trip, I'll second that. New Spywares come out all the time. Its best to keep up with them and Updating will do that for you. Scan and Update those programs at least once a week...........Jim :vivi