Jump to content


Photo

Internet Explorer


  • This topic is locked This topic is locked
7 replies to this topic

#1 Hoff

Hoff

    Member

  • New Member
  • Pip
  • 4 posts

Posted 22 May 2004 - 09:57 PM

I am unable to use Internet Explorer. After I log on the internet with my ISP and click on IE, it comes up with Page Cannot be Displayed". At the bottom is says Opening Page res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
I am able to use my email and also use Netscape Navigator, so I know I am connected to my ISP ok. PLease let me know if you can help.

#2 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 22 May 2004 - 11:12 PM

Let's have a look - could be malware.
Please do this.
Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 Hoff

Hoff

    Member

  • New Member
  • Pip
  • 4 posts

Posted 23 May 2004 - 07:23 AM

OK, Here is my hijackthis log. thanks

Logfile of HijackThis v1.97.7
Scan saved at 8:20:00 AM, on 5/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enter.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enter.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://trexler.allen...:8080/proxy.pac
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.enter.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lookup_Sys] C:\WINDOWS\lookupsys.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7938.6389930556
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...swflash5r42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60647BD4-7E3B-4339-978C-24901804ADC6}: NameServer = 63.65.0.2 63.65.0.3

#4 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 23 May 2004 - 09:19 AM

You have what looks like just a small remnant of a trojan.
See http://securityrespo...ojan.norio.html
and http://www.pestpatro...rojan_norio.asp for info about it.

You just need to do another scan, tick the box next to this, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

O4 - HKLM\..\Run: [Lookup_Sys] C:\WINDOWS\lookupsys.exe

After fix and reboot, delete C:\WINDOWS\lookupsys.exe

And it wouldn't hurt to do an online virus scan in case there are any other remnants we don't see. http://www.pandasoft...n_principal.htm
or http://housecall.trendmicro.com/

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#5 Hoff

Hoff

    Member

  • New Member
  • Pip
  • 4 posts

Posted 23 May 2004 - 01:47 PM

I fixed that file, but IE still will not work. I can't get either of those online virus scans to work. Anything else I can try?? HEre is an updated hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:44:39 PM, on 5/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Palm\Hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enter.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enter.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://trexler.allen...:8080/proxy.pac
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.enter.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Brian Hoffman\Application Data\Mozilla\Profiles\default\epedhvpp.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7938.6389930556
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...swflash5r42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60647BD4-7E3B-4339-978C-24901804ADC6}: NameServer = 63.65.0.2 63.65.0.3

#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 23 May 2004 - 01:59 PM

Try this.
Do Start->Run, enter cmd
then sfc /scannow
That will attempt to replace possibly corrupt system file(s)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 Hoff

Hoff

    Member

  • New Member
  • Pip
  • 4 posts

Posted 23 May 2004 - 02:20 PM

Looks like that fixed it.

Thanks!!!! I really appreciate all your help!!

#8 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 23 May 2004 - 02:39 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button