TechSpot

C:\windows\System32\shdoclc.dll

By jmo07
Jul 1, 2009
  1. If anyone can please help figure out how to get rid of a security warning that keeps popping up a lot. Mainly when I go to certain websites like Yahoo, I get the security warning that shows:

    Current Site: (get different one every time, mainly view.atdmt.com)
    Trusted Site: C:\windows\system32\shdoclc.dll

    I've run my McAfee and Spysweeper and it comes out clean.

    Thanks in advance for any help regarding this.

    Jmo
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    First, remove any Domain that has put itself in the Trusted Zone:

    Control Panel> Internet Options> Security tab> Trusted Zone> Sites> highlight and delete ANY site in the Trusted zone.

    Follow with the steps in the Preliminary Virus And Malware Removal

    Attach the 3 logs for review. Helpers will help find the malware causing this.
     
  3. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Hi Bobbye,

    I did as you asked. I first started by going to Trusted Zone, Sites and there was nothing there. I then did *Preliminary Virus And Malware Removal* and that seemed to fix the problem!!! I ran everything 3 times because the first 2 times it seemed to find something new each time, until the 3rd time the programs seemed to finally clean everything without anything new showing up. So far I have not had the security warning pop-ups that it seemed I wasn't able to stop show up anymore. I am attaching the 3 logs as you suggested in case there's anything else there that I may not be aware of. Again, THANK YOU SO MUCH!!!

    Jmo07
     
  4. jmo07

    jmo07 TS Rookie Topic Starter Posts: 17

    Ok, the security pop-ups that I mentioned seem to be happening again. Just not as much. For example, when I opened my Yahoo e-mail, each time I opened a new e-mail or deleted one the pop-up would show up. It doesn't do it anymore when I check or delete messages. It still however does show up, but very few times. My computer is still running better because of the preliminary removal process and those security pop-ups do not show up as annoyingly as they used to.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    First thing I want you to do is clean up the temp files> there is malware in them:

    This can be done by running TFC> Temp File Cleaner. TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies.

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    The view.atdmt.com site is hosted by Atlas Solutions, a company which provides services to other companies for running online marketing campaigns. You can restrict the Domain:

    Control Panel> Internet Options> Security tab> Restricted Zone> Sites> type in view.atdmt.com> Block.

    Please reopen HijackThis to 'do system scan only'.
    Check the following entries if present:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYYUS
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
    O24 - Desktop Component 0: (no name) - http://www.msnbc.com/c/0/87/585/8x6/twip_2002_0613_08.jpg


    Close all Windows except HijackThis and click on "Fix Checked."

    Remove O24 Desktop from HijackThis:

    • Click on Start> Control Panel> Display> Desktop tab
    • Click on Customize Desktop> Web tab
    • Uncheck and delete everything you find in there (except for "My current home page")
    • Uncheck "Lock Desktop Items" box if it is checked
    • Apply> OK> Close.

    Remove all of MyWebSearch:
    My WebSearch Toolbar example: [image; credit: www.benedelman.org]

    • Start> Control Panel> Add/Remove Programs> look for Mywebsearch.
    • Uninstall the program and anything else associated with the suite of Fun Web Products which
    • Entries such as My Way Speedbar or Search Assistant should also be uninstalled. Anything from Smiley Central or other odd entries should be researched and eliminated to keep your computer free of Mywebsearch.
    • If you do not uninstall all components, the toolbar will still be installed on your computer and running in the background whether you see it or not.

    Please check the status of the McAfee AV. There is a file missing that is essential:
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

    Are you using just the Webroot Spysweeper spyware/adware program or the one that combines an antivirus with it?

    When finished the above:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Rescan with HijackThis and attach new log.
     
Topic Status:
Not open for further replies.
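
The HijackThis entries listed in the last reply share a few recurring traits: entries ending in "(no file)" or "(file missing)", a ProxyOverride value, and an O16 download source given as a raw IP address. As an added example (not part of the thread and not HijackThis's own logic), this Python script parses log lines in that format and flags those traits; the rule set and the O4 line in the sample are assumptions made for illustration.

```python
import re

# Sample input: five entries quoted in the thread above, plus one O4 line
# constructed here as an unflagged contrast case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# A HijackThis log line is "<section code> - <details>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# URL whose host part is a dotted-quad IPv4 address rather than a name.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def parse(log_text):
    """Yield (section, details) for every line that looks like a log entry."""
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            yield match.group(1), match.group(2)


def triage(log_text):
    """Return [(section, [reasons])] for entries worth a manual review.

    The three rules are illustrative heuristics, not a verdict of malware.
    """
    findings = []
    for section, details in parse(log_text):
        reasons = []
        if details.endswith(("(no file)", "(file missing)")):
            reasons.append("orphaned entry: referenced file is absent")
        if section == "O16" and IP_URL_RE.search(details):
            reasons.append("ActiveX download source is a bare IP address")
        if section in ("R0", "R1") and "ProxyOverride" in details:
            reasons.append("proxy bypass list is set; confirm it is expected")
        if reasons:
            findings.append((section, reasons))
    return findings


if __name__ == "__main__":
    for section, reasons in triage(SAMPLE_LOG):
        print(section, "->", "; ".join(reasons))
```

A flagged line is only a prompt to look closer; an orphaned O23 entry such as the McAfee service above points to a broken security product rather than to malware.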
