res:shdoclc.dll/dnserror.htm virus? log inside
-
res:shdoclc.dll/dnserror.htm virus? log inside
this has been driving me mad, i have sp2 and all i get is this error in the address bar occaisionaly the internet will owrk but after a little while it screws up
any help is greatly appreciated
thankyou
Logfile of HijackThis v1.99.1
Scan saved at 5:41:07 PM, on 16/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\WINDOWS\system32\navprotect.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\mssams.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\msa.exe
C:\WINDOWS\system32\rundll.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\samuel\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Win32 USB Driver] rundll.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitebsu32.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [Win32 USB Driver] rundll.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [blah service] msnmsgrr.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [Windows Task System] tasksys.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunOnce: [Win32 USB Driver] rundll.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssams.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Win32 USB Driver] rundll.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKCU\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\RunOnce: [Win32 USB Driver] rundll.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c18.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...0006_adult.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-
Hello,vector101 & Welcome
Well after one look at this i just want to run 
no just being funny here we can get them.
The first thing we need to do is move HijackThis from where it is
& place it in a folder in C:\Drive like so C:\HJT
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
WinStat.exe
navprotect.exe
AdManCtl.exe
mssams.exe
msa.exe
WinStatKeep.exe
elitebsu32.exe
crsrs.exe
rundll.exe
msnmsgrr.exe
tasksys.exe
msmsgs.exe
hwclock.exe
rundll.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Windows AdStatus
Admanager Controller
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Win32 USB Driver] rundll.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitebsu32.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Win32 USB Driver] rundll.exe
O4 - HKLM\..\RunServices: [blah service] msnmsgrr.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [Windows Task System] tasksys.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunOnce: [Win32 USB Driver] rundll.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssams.exe
O4 - HKCU\..\Run: [Win32 USB Driver] rundll.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKCU\..\RunOnce: [Win32 USB Driver] rundll.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\RunOnce: [Windows Messenger] msmsgs.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINDOWS\System32\hwclock.exe<---This file
C:\Program Files\Windows AdStatus\<---This folder
C:\Program Files\Admanager Controller\<---This folder
C:\windows\system32\elitebsu32.exe<---This file
C:\WINDOWS\system32\rundll.exe<---This file
Stell in Safe Mode do a file Search for these if found delete them
navprotect.exe
msa.exe
mssams.exe
crsrs.exe
msnmsgrr.exe
tasksys.exe
i need for you to do all of this at once what i am saying is don't
start on it then say i will get to it later that can't work so do
this when you have time
after doing all of the above reboot & get this out of the way.
Go for free online Virus scans here:
http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan/
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
& see how it is doing let us know & show new logfile.
HGD 
Last edited by HJThis; 17-06-2005 at 07:09 AM.
-
Hi,vector101
Ok please don't tell me you are not running an Anti-Virus scanner
with all the free ones out here.
if so this is one big bad idea well we can get you
one after we have you all clean not before
HGD 
-
thanksalot for your help it appears its fixed thankyou sooooo much
no i wasnt using one but only because i couldnt download one 
, as soon as i put on xp and installed everything i needed it got all the spyware and i couldnt acsess the net atm im using the windows sp2 firewall but no antivirus what would you recomend as a new firewall and antivirus programs? preferabley freeware
this is my latest log
Logfile of HijackThis v1.99.1
Scan saved at 3:45:23 PM, on 06/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iMesh\iMesh5\iMesh.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunOnce: [Register C:\WINDOWS\system32\msbe.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\msbe.dll",DllRegisterServ er
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
-
Hi,vector101
Hmm after we had you all clean looks like you started downloading
all that junk again not good you have to stop before you have
big problems.
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
iMesh.exe
bargains.exe
hwclock.exe
zeta.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
iMesh Or iMesh5
BullsEye Network
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunOnce: [Register C:\WINDOWS\system32\msbe.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\msbe.dll",DllRegisterServ er
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINDOWS\system32\msbe.dll<---This file
C:\Program Files\BullsEye Network\[/b]<---This folder
C:\WINDOWS\System32\hwclock.exe<---This file
C:\WINDOWS\zeta.exe<---This file
C:\Program Files\iMesh\<---This folder
& once done with all of the above have a look here
tons of info on some free software
http://www.d-a-l.com/help/forumdisplay.php?f=48
& i would get ZoneAlarm free & for a Virus scanner maybe
some thing like AVG well have a look at the link
HGD
-
Hey,vector101
Just so you know how bad it is was that you had it
one of the Trojans you just cleaned was logging all
the key's you where clicking in other words
any passwords you are using or had used should
be changed as soon as we have you all clean
once that happens make sure to change all passwords
right away.
HGD
-
this is my latest log, i cant get rid of hwclock 
its not in the system32 folder
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Hi,vector101
First let me say hat's off to you it's hard to sit there
& have someone tell you delete this & delete that
& do it without one word you have done great job
now let's give this here one try if it stell don't find
it then i would say it's gone
Download Pocket Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox first ensure it is this version !.
If you have the one in zipped form it MUST be unzipped/extracted first.
Start Killbox place a tick next to [x]delete on reboot.
Copy this whole list into the windows clipboard, all the Bolded below.
C:\WINDOWS\System32\hwclock.exe
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the first prompt and no to the second.
Exit Killbox and immediately restart your PC.
Once back at the forums make and post a hijackthis
now i also want you to take care of this here
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
& this here get out of the way
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
now i hope all we need is one more logfile so we can start
downloading the progs i have for you.
HGD
-
ok when i use kill box im getting a penndingfilerenameoperations registry data has been removed by an external process! msg box come up the only option was ok.
Logfile of HijackThis v1.99.1
Scan saved at 10:30:42 AM, on 06/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
thanks again for all your help and time
-
Hi,vector101
Great work on your end now i think the file is gone
but to be on the safe side just keep an eye on ZA
see if anything try to call home.
now i have some progs for you to download install
update them keep them updated
SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
http://www.javacoolsoftware.com/spywareguard.html
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm
and this prog here will help keep your PC clean.
popular programs for doing this, is a freeware program Called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your Cookies, Internet Explorer History, Empty the Recycle Bin, Uninstall Programs, Clear Usage Tracks and much more. As well as this, it has an Advanced Registry Scanner. Using a program like this is one of the easiest methods.
You should also think about using Firefox & Mozilla & us IE for updates
Get your Firefox here
Mo who
& the last thing i need for you to do is right away change
all passwords you had been using before this happen & yes
that's all passwords.
HGD
Newbie
