IE 6 shdoclc.dll Problem?

By mstpaintball
Dec 2, 2003
Topic Status:
Not open for further replies.
  1. Whenever I log onto the internet and then get on a P2P everything works fine until I exit the P2P and log off the internet. When I try to re-log the computer connects fine and everything, but when I try to go to a webpage, check my e-mail, get on AIM, or get back on the P2P, all of them act like the computer isn't connected to the internet.

    For webpages I receive the following error in the address bar....
    res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm#http://www.google.com/
    And the webpage reads, "The Page Cannot Be Displayed", doesn't matter which site I try to go to, none of them work.

    And the only way that I know of to fix this, is to restart my computer. Then everything works fine until I get on the net, P2P, exit, log off the net and try to log back on the net.

    Any ideas?

    The only solutions I see are to somehow reinstall IE, or to reinstall Windows :(

    Thanks


    P4 2.66ghz
    512mb DDR Ram
    120gig Total HD Space

    IE 6
    AOL 9.0 (I've experienced this problem with older versions too)
    Windows XP Home

    This computer is about 5 months old, and I've been having this problem for probably 2 or 3 months now.

    I've tried using the repair guides on Microsoft's website, but they didn't work, I even did the one where I have to edit my registry....didn't work.
    And where can I download a full version of IE 6? The version that I downloaded somewhere, after trying Microsoft's guides, still tells me that IE is installed.
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    In \windows\system32\drivers\etc make a copy of the file "hosts" and rename that e.g. "hosts.org".

    Now edit the file "hosts" and empty everything in it except

    127.0.0.1 localhost


    Reboot, should solve it.
  3. mstpaintball

    mstpaintball Newcomer, in training Topic Starter Posts: 88

    Nope, it didn't work :-(. Just in case I messed something up I copied the whole folder as a backup.

    Well I took screenshots of the Before and After of the Folder and File to show what I did, but Geocities doesn't allow Hot-linking (I think that's what it's called), so if someone knows a good place to host pics, I'll be grateful....
    Thanks :)
  4. NoisySilence

    NoisySilence Newcomer, in training Posts: 184

  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Try and do a repair of your IE6 (control panel, add/remove programs, add/remove Windows components).
    Apply SP1 if you have not done so.

    Lots of (UK-based) mags have IE6 on the enclosed CDs, as do a lot of ISPs that hand out their free installation CDs (like Tiscali).
    Those may be branded, but you can change that afterwards.
  6. mstpaintball

    mstpaintball Newcomer, in training Topic Starter Posts: 88

    I tried the repair, there were multiple components selected at first so I un-checked them all but the internet explorer. And clicked next, it performed the process quickly but I saw it also list the programs that I deselected, after it was done it told me to reboot so I did....
    And now my Start menu is totally re-arranged for some reason, and Paint isn't listed anymore.
    I'll look through some CD's and see if I can find one that has IE on it.
    Thanks :)
  7. ouloubay

    ouloubay Newcomer, in training

    I get the same IE screen on occasion, but with a difference. The URL showing on mine is res://c:\windows\system32\shdoclc.dll/navcancl.htm#http://www.innocentange. The top blue portion of the fake IE screen says "Buy Meds Online Pharmacy". It cannot be moved or removed without shutting down or restarting my computer AND it is there only to hide the fact that behind the unmovable screen, it automatically opens an e-mail to send my screen name and password to an e-mail address with domain based on a little island in the Indian Ocean. On the bright side, I sign on with a screen name from which I allow no e-mail to be sent so it doesn't go anywhere. Very frustrating. :(
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Welcome to Techspot

    Your browser has been Hijacked.
    Go here and D/L HijackThis from:
    http://www.tomcoyote.org/hjt/
    Install it in its own, permanent directory, before you run it.
    Follow the instructions given on the website.
  9. gapgyrl03

    gapgyrl03 Newcomer, in training

    Problems

    Hi, I have serious problems with my computer. I run Adware and Spyware and Spyblaster every day, usually more than once a day. I read through some of these posts and I think based on what you have said I have been hijacked. I already took the steps and this is my log. Thanks for your help.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:10:24 PM, on 4/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Blubster\Blubster.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\WINDOWS\System32\BCACHEW.exe
    C:\WINDOWS\System32\Llzrgzf.exe
    C:\WINDOWS\System32\VwgeT7A.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\usrfaxa.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.osu.edu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.osu.edu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.osu.edu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SRLE32M] C:\WINDOWS\System32\SRLE32M.exe
    O4 - HKLM\..\Run: [SAFDM] C:\WINDOWS\System32\SAFDM.exe
    O4 - HKLM\..\Run: [edl] C:\WINDOWS\System32\edl.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Gsdqx6.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [BCACHEW] C:\WINDOWS\System32\BCACHEW.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [xolehlp] C:\WINDOWS\System32\xolehlp.exe
    O4 - HKCU\..\Run: [usrfaxa] C:\WINDOWS\system32\usrfaxa.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    If you can, update your HJT program first. If some obnoxious program won't let you, use the current version, and update afterwards.

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    TASKMGRU.EXE
    Blubster.exe
    MSIMN32.EXE
    BCACHEW.exe
    Llzrgzf.exe
    VwgeT7A.exe
    usrfaxa.exe
    SRLE32M.exe
    SAFDM.exe
    edl.exe
    Gsdqx6.exe
    xolehlp.exe

    Next, try to UNinstall anything to do with:
    C:\Program Files\Blubster\Blubster.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\Program Files\Blubster\Blubster.exe
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\WINDOWS\System32\BCACHEW.exe
    C:\WINDOWS\System32\Llzrgzf.exe
    C:\WINDOWS\System32\VwgeT7A.exe
    C:\WINDOWS\system32\usrfaxa.exe
    ==>> www.osu.edu is probably your home-page, but 'fix' it for now anyway. <<==
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.osu.edu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.osu.edu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.osu.edu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [SRLE32M] C:\WINDOWS\System32\SRLE32M.exe
    O4 - HKLM\..\Run: [SAFDM] C:\WINDOWS\System32\SAFDM.exe
    O4 - HKLM\..\Run: [edl] C:\WINDOWS\System32\edl.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Gsdqx6.exe
    O4 - HKLM\..\Run: [BCACHEW] C:\WINDOWS\System32\BCACHEW.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [xolehlp] C:\WINDOWS\System32\xolehlp.exe
    O4 - HKCU\..\Run: [usrfaxa] C:\WINDOWS\system32\usrfaxa.exe
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    Now click on the Fix Checked button in HJT.
    When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp
    Boot normal. When all OK, switch System Restore back on.
  11. R Jones

    R Jones Newcomer, in training

    When I open a browser, a window with this URL appears:


    res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm


    In \windows\system32\drivers\etc host file the only text is:

    127.0.0.1 localhost


    When I press 'home' on the browser I just get more and more pop up windows.

    From the previous posts in this string I see that I have a virus or spyware.

    I would be very grateful for some advice to help me get rid of it.

    I've followed some of the above instructions, ran my computer in safe mode and used the hijackthis software.

    I did run it in the 'program files' folder but I still got the message that I was running it in a temp folder?

    Nevertheless, this is the readout.

    I'm unqualified to understand what all this means hence I would be very thankful for some help.




    Logfile of HijackThis v1.99.1
    Scan saved at 3:13:53 PM, on 4/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Start Green eKeySetup....lnk = C:\Program Files\eKeys\eKeySetup.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110512722488
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Start with moving HijackThis from:
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    to a permanent directory like:
    C:\Program Files\HJT

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    TASKMGRU.EXE
    MSIMN32.EXE

    Unless this is software for your PDA, UNinstall anything to do with this:
    C:\Program Files\eKeys\eKeySetup.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\WINDOWS\System32\MSIMN32.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
    Unless this 'O4 - Global' is software for your PDA, 'fix' eKey:
    O4 - Global Startup: Start Green eKeySetup....lnk = C:\Program Files\eKeys\eKeySetup.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1110512722488

    Now click on the Fix Checked button in HJT.

    When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  13. R Jones

    R Jones Newcomer, in training

    Thanks for the reply.

    I followed your instructions but the problem still persists.

    When I tried to:

    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
    TASKMGRU.EXE
    MSIMN32.EXE

    I noticed that both files immediately reappeared at the top of the menu.

    I did the fix using HJT as instructed. It cleared a lot of files but as you can see from the log below some fixed files are still there.

    I definitely checked and fixed these files.

    I deleted the temp files as you instructed. I went to ‘find’ and asked it to search for all files with “temp” in the C: drive.

    By the way, the computer’s D: drive is labeled SYSTEM and has a lot of program files within it.

    I would be very grateful if you could further instruct me.

    My log now looks like this:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:58:45 PM, on 4/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\MSIMN32.EXE
    C:\WINDOWS\System32\TASKMGRU.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
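
    The before/after comparison described in the post above (entries ticked for fixing that are still present in the next scan), as an added example that is not part of the original thread: a Python sketch that parses HijackThis log text, lists ticked entries that survive into the follow-up log, and picks out the Run values whose target is also a running process. The sample strings are shortened from the logs quoted in this thread; all function names are assumptions of this example.

```python
import re

# Constructed sample data, shortened from the logs quoted in this thread:
# the entries ticked for "Fix Checked", and the follow-up scan.
FIXED = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
"""
AFTER = r"""
Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\ctfmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - ..."
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\]\s+(.*)$")

def parse_log(text):
    """Split log text into (running process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def key(code, body):
    # Pasted log lines can pick up stray spaces and Windows paths are
    # case-insensitive, so compare without whitespace and case.
    return code, re.sub(r"\s+", "", body).casefold()

def run_target(body):
    """Return (value name, executable path) for an O4 Run entry, else None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group(3).strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        exe = re.match(r"(.+?\.exe)\b", cmd, re.I)   # drop trailing arguments
        path = exe.group(1) if exe else cmd
    return m.group(2), path

def persisted(fixed_text, after_text):
    """Ticked entries that still appear in the follow-up log."""
    after_keys = {key(c, b) for c, b in parse_log(after_text)[1]}
    return [(c, b) for c, b in parse_log(fixed_text)[1] if key(c, b) in after_keys]

def running_autoruns(log_text):
    """Run values whose target executable is also listed as running."""
    procs, entries = parse_log(log_text)
    running = {p.casefold() for p in procs}
    targets = (run_target(b) for c, b in entries if c == "O4")
    return [t for t in targets if t and t[1].casefold() in running]

def stubborn(fixed_text, after_text):
    """Names of ticked Run values that persisted and are running again."""
    running = {name for name, _ in running_autoruns(after_text)}
    hits = (run_target(b) for c, b in persisted(fixed_text, after_text) if c == "O4")
    return [t[0] for t in hits if t and t[0] in running]

if __name__ == "__main__":
    print(persisted(FIXED, AFTER))
    print(stubborn(FIXED, AFTER))
```

    `running_autoruns` on its own also returns ordinary entries such as `ctfmon.exe`; only the intersection with the ticked list in `stubborn` narrows it to the entries that came back.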
     
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  15. R Jones

    R Jones Newcomer, in training

    Side effect

    Thanks for directing me there. I followed the instructions and it looks like the problem files have gone; but there is a side effect. When I boot up, there is no taskbar, or icons on my desktop.

    This is what I did:

    In safe mode I used the Mwav.exe files to locate virus and Trojans. It identified a bunch of files. I deleted each of these files using KillBox.

    The files included:

    C:\WINNT\bhoass.dll
    C:\WINNT\system32\MSIMN32.EXE
    C:\WINNT\system32\TASKMGRU.EXE
    C:\WINNT\system32\iexplore_dbg.exe
    C:\WINNT\system32\expolrer32dbg.exe

    I told KillBox to delete on reboot.

    Then when I rebooted (I have XP), I used my password to access, but the taskbar and desktop icons were missing. I still have a cursor.

    It looks like the

    C:\WINDOWS\system32\MSIMN32.EXE
    C:\WINDOWS\system32\TASKMGRU.EXE

    files have gone since when I press ALT CTRL DEL they are not present as processes.

    Would you by any chance know how I can restore my taskbar and icons to my desktop?

    Thank you for your help.
  16. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165
