Problem [CLOSED]

Nevermind what homepage i set, it will always stay res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm.
Nevermind what site I want to go to it always shows me site blocked and res://sehlp.dll/HTTP_Blocked.htm on the adress bar.
Please help.

Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 16:07:57, on 29/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Prevx Home\SAGUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\bsw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Documents and Settings\igor\שולחן העבודה\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINDOWS\sehlpw.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RSPC Driver] rspc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {1FEA4136-A107-4521-84AB-F66D83AF8FDE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1FEA4136-A107-4521-84AB-F66D83AF8FDE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {23EF35B2-C7A4-4653-9417-B982086EC703} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {23EF35B2-C7A4-4653-9417-B982086EC703} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BA0E1DEF-26D8-4D33-9104-433AE0651588} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BA0E1DEF-26D8-4D33-9104-433AE0651588} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C5E0B563-0A70-4063-A661-65C9FAE47926} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C5E0B563-0A70-4063-A661-65C9FAE47926} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FB0B20FF-B398-4BC3-ABC9-B5BBE0F053A4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FB0B20FF-B398-4BC3-ABC9-B5BBE0F053A4} - (no file) (HKCU)
O16 - DPF: {62102246-B919-6B28-91BF-637B45D79037} - http://69.50.182.94/1/rdgUS1996.exe
O16 - DPF: {7221CA34-0AA6-67DE-DB50-5380032BB960} - http://69.50.182.94/1/rdgUS1996.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://irc.tapuz.co....ew/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.i.../launcher39.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9C17724-CEFA-4E77-B544-6AECD2C96E2B}: NameServer = 192.115.106.35 62.219.186.7
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PrevxAgent) - Prevx Ltd. - C:\Program Files\Prevx Home\PXAgent.exe

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\hhk.dll
C:\WINDOWS\System32\helper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\msmsgs.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

A registry file to undo most of the changes is available here:
http://metallica.gee...m/smitfraud.reg
Doubleclick that file and confirm you want to merge it with the registry.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINDOWS\sehlpw.dll

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll

O4 - HKLM\..\RunServices: [RSPC Driver] rspc.exe

O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Microsoft AntiSpyware helper - {1FEA4136-A107-4521-84AB-F66D83AF8FDE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1FEA4136-A107-4521-84AB-F66D83AF8FDE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {23EF35B2-C7A4-4653-9417-B982086EC703} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {23EF35B2-C7A4-4653-9417-B982086EC703} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BA0E1DEF-26D8-4D33-9104-433AE0651588} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BA0E1DEF-26D8-4D33-9104-433AE0651588} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C5E0B563-0A70-4063-A661-65C9FAE47926} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C5E0B563-0A70-4063-A661-65C9FAE47926} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FB0B20FF-B398-4BC3-ABC9-B5BBE0F053A4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FB0B20FF-B398-4BC3-ABC9-B5BBE0F053A4} - (no file) (HKCU)
O16 - DPF: {62102246-B919-6B28-91BF-637B45D79037} - http://69.50.182.94/1/rdgUS1996.exe
O16 - DPF: {7221CA34-0AA6-67DE-DB50-5380032BB960} - http://69.50.182.94/1/rdgUS1996.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

3.) Download, install, and run CleanUp!

Post back with a new HijackThis log.

Regards,

#1
Hebrew-Warhammer

Posted 29 May 2005 - 08:10 AM

Advertisements

#2
Metallica

Posted 29 May 2005 - 08:44 AM

#3
Kat

Posted 26 August 2005 - 12:46 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us