psu014

One of the computer workstations at my job will not allow the homepage to be changed. It is giving us the following address:

res://c:\WINNT\system32\shodoclc.dll/navcancl.htm

I have found many fixes listed but they all seem to be for HiJackThis. We do not have that software program. There were several different SpyWare software programs on the system (downloaded from the Internet) but all have been removed through the Add/Remove Programs in Control Panel.

SpywareKiller which was purchased on a CD and installed was on the computer but now I can't seem to find it anywhere. The workstation in question is running Windows 2000 Professional and is networked to 3 other computers and a server.

I am at a complete lost as to how to try and get this fixed.

Also we seem to be having printer problems. There is a laser printer directly connected to this workstation and it serves as the print server for the other 3 machines, none of which can print. We have an inkjet printer which is connected to a different computer in the network and all 4 computers can print to that printer without a problem.

Any help or suggestions would be greatly appreciated. I'm ready to throw in the towel and run screaming from the building...

Thanks!
Maria

Thraïn

Hi Maria,

Can you check if you have internet access? Can you browse to other internet pages?
HijackThis is a free and handy tool: download it here: http://www.spychecker.com/program/hijackthis.html

Save it in a folder under c:\program files\HijackThis and run the program. Save the log file and post it here, maybe someone can take a look and help you out.

psu014

I was able to download the HijackThis program from another workstation on the network and run the program on the workstation with the problem.

Thanks for the help.
Maria


Here is the log that was produced:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:36 AM, on 3/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\WINNT\system32\ALG32.EXE
C:\WINNT\system32\SPOOLSVU.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HTDP Class - {9E6EC32A-7C19-4409-99E8-FC980BCDAF26} - C:\WINNT\htass.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\stlbd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\SpyWare Killer\SpyWareKiller.exe /BOOT
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ALG32] C:\WINNT\system32\ALG32.EXE
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINNT\system32\SPOOLSVU.EXE
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {59894B41-30F2-497A-A523-F9772135EC20} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59894B41-30F2-497A-A523-F9772135EC20} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://capemay.fnismls.com/Paragon/C...intControl.cab
O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://T:\Win2000\CONTENT\cabs\alaWeb.CAB
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Thraïn

Your spyware killer is in: C:\Program Files\SpyWare Killer\SpyWareKiller.exe. You could run it first and see what it says. You should also run a viruscheck because ALG32.EXE and SPOOLSVU.EXE are probably the spybot worm.

See: http://securityresponse.symantec.com...ybot.worm.html
For a free online virusscan: http://nl.trendmicro-europe.com/ente...all_launch.php, but looking into your log I see that you have a symantec virus scanner

If the scanner gives you the spybot worm, you should check the other workstations and server also and see if someone is using kazaa or something. If nobody uses kazaa you should check your network on security leaks. Read very carefully the securityresponse from symantec

Then, check again with hijackthis and select (if still in the list):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
C:\WINNT\system32\ALG32.EXE
C:\WINNT\system32\SPOOLSVU.EXE
O4 - HKCU\..\Run: [ALG32] C:\WINNT\system32\ALG32.EXE
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINNT\system32\SPOOLSVU.EXE

and if you want:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (probably you just go to the alexa website for related links; it's a button in IE explorer).

Click 'Fix checked' in HijackThis.

Restart the computer in safe mode (Push F8 when windows start) and locate the files C:\WINNT\system32\ALG32.EXE and C:\WINNT\system32\SPOOLSVU.EXE. if they are still there, delete them and restart the computer normal mode.

The problem should be solved then. Let me know if it's solved.
Good Luck!

psu014

Thanks for the suggestion but it didn't work. I was able to set the homepage to the correct one but when I went into IE a second time the same error came back up.

We are going to be upgrading to Windows XP Professional. If I reformat the hard drive and install the new OS will that take care of the problem? I was not sure if there would be anything left on the hard drive that may cause a problem with the installation of the new OS.

Thanks again.
Maria

Thraïn

Thinking: "Tiens, that should have solved the problem", I saw that I forgot to mention the following line (should also be fixed in Hijack):
O2 - BHO: HTDP Class - {9E6EC32A-7C19-4409-99E8-FC980BCDAF26} - C:\WINNT\htass.dll and delete c:\winnt\htass.dll when you're in safe mode.

I'm really sorry, this file probably recopies the others back to their location.

But if you upgrade to Windows XP and reformat the harddisk, the problem will also be solved.

Keep your CD of service pack 2 by the hand, because according to an experiment of StillSecure, an unguarded pc with windows XP sp 1 will be attacked after 18 minutes by Sasser and blaster. (Note: the pc with windows xp was attacked 4.857 times within the hour). With sp2 only 16 times and those attempt where unsuccesfull.

http://www.denverpost.com/cda/articl...735094,00.html

I don't want to scare you, just a warning.

Good luck!

psu014

Thanks!!! That worked.

Thanks for the heads up about Windows XP. I use XP Home for all my computers at home so I'm aware of some of the problems. We are a very small company and tend to be slower in upgrading to the most recent version of things.

I'm also the designated "computer expert" but that's far from the truth. I'm the only one that is comfortable with computers so I get to make all those tech decisions. But I need all the help I can get!

Thanks again for all the help.
Maria