[welshboy]

Hello all,
I am having a problem with the internet i can connect fine but when i click on IE i get a page saying "the page cannot be displayed" and under properties it says "res://c:\windows\system32\shdoclc.dll/dnserror.htm please can someone help because i cant live without the net my log for hijack this is

Logfile of HijackThis v1.99.0
Scan saved at 20:42:31, on 02/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\WINDOWS\system32\msvc32.exe
C:\WINDOWS\System32\mcafeshield.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msnms.exe
C:\Documents and Settings\Dylan\Desktop\hijackthis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows TM] rundlI32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sjbzxsa.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\system32\msvc32.exe
O4 - HKLM\..\Run: [MSN Updater] msnms.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [Windows TM] rundlI32.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKLM\..\RunOnce: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [MSN Updater] msnms.exe
O4 - HKCU\..\RunOnce: [MSN Updater] msnms.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: BT - {040BEAF8-E808-4BAA-93C0-C6C0F03F3BBC} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {86076693-51C6-4659-87A5-C71BDC2B07BC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1107265959481
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

[Calpolaholic]

almost impossible to say what caused it. Doesnt look like you got much spyware on there. I had this a few weeks ago and it was a combination of things but mostly spyware. I used CounterSpy to get rid of all the crap but also restored the system to the point I knew everything worked. You might want to try those things

[Derek22]

hi,

if you choose start -- run and type in cmd you should get a command window. type in ipconfig /all <press return>.

amoung the output it should tell you an ip address for your dns server, if not that is your problem and contact isp. if you have an ip address for the dns server then try a ping command. if you get a response then let us know if not your dns server is down or unreachable. post some results and i will take a look.

ipconfig /all should have a line that looks like, aaa.bbb.ccc.ddd is the adress you are looking for.

DNS Servers . . . . . . . . . . . : aaa.bbb.ccc.ddd

ping aaa.bbb.ccc.ddd should get a response like below, if you get response timed out that is bad.


ping aaa.bbb.ccc.ddd

Pinging aaa.bbb.ccc.ddd with 32 bytes of data:

Reply from aaa.bbb.ccc.ddd: bytes=32 time<1ms TTL=128
Reply from aaa.bbb.ccc.ddd: bytes=32 time<1ms TTL=128
Reply from aaa.bbb.ccc.ddd: bytes=32 time<1ms TTL=128
Reply from aaa.bbb.ccc.ddd: bytes=32 time<1ms TTL=128

Ping statistics for aaa.bbb.ccc.ddd:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

[Berwhale]

You may have a virus...

"When first run, W32/Rbot-UH copies itself to the Windows system folder as MCAFESHIELD.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs in, W32/Rbot-UH will set the following registry entries: "

See the Advanced tab: http://www.sophos.com/virusinfo/analyses/w32rbotuh.html

I noticed this in your trace because McAfee AV normally uses 'mcshield.exe'.

[jameson_uk]

Quote:

Originally Posted by welshboy

res://c:\windows\system32\shdoclc.dll/dnserror.htm

This nearly always means that it can not find the site. Does your home page actually exist ?? if you type in a URL does it work ??

[mjn]

Quote:

Originally Posted by jameson_uk

This nearly always means that it can not find the site. Does your home page actually exist ?? if you type in a URL does it work ??

i would say this is the most common resolution

[welshboy]

No it comes up on every page i type in.

[jameson_uk]

Quote:

Originally Posted by welshboy

No it comes up on every page i type in.

The problem is that your machine can not figure out where a site is on the net. This normally occurs when you are not actually connected.

Are you sure you are connected ?? Have you tried to ping a site as shown above ?? Try and ping www.bbc.co.uk and see what happens.

If that is ok, I would hazard a guess that a firewall might be blocking IE from connecting to the net. Do you have a firewall installed and if so, is it set to allow IE to connect ??

[welshboy]

I have pinged sites and they show no losses and of course im connected like the title of this thread says under properties it says res://c:\windows\system32\shdoclc.dll/dnserror.htm

[jameson_uk]

Quote:

Originally Posted by welshboy

I have pinged sites and they show no losses and of course im connected like the title of this thread says under properties it says res://c:\windows\system32\shdoclc.dll/dnserror.htm

I would not wory about the file. This is simply the file windows uses to display those error messages in IE. (If you are not connected to the net you would get the same message).

Anyway, it would appear that there is some dodgy spyware on your machine. Having a quick look

Quote:

O4 - HKLM\..\Run: [Windows TM] rundlI32.exe

does not look good and is often linked to the LADE worm (googling should give details of this)

Quote:

O4 - HKLM\..\Run: [Spool] C:\WINDOWS\system32\msvc32.exe

does not look too healthy either.

... there are quite a few others starting ms... which appear dodgy

I see you have Spybot installed, is it updated ?? I am not sure but I guess you are using McAfee or AVG but are they up to date ?? most of this appears to be worm related and I would have thought up to date virus checkers would pick this up.

Also do you have a firewall installed ??