Um, what is this - help please!

  #1 (permalink)  
Old 30-06-2005, 10:27 PM
Junior Member
New Recruit
 
Join Date: Feb 2005
Posts: 46
Matt_Cowan Is a beginner here at D-A-L
Um, what is this - help please!

So there I am sitting on my PC, logged into a couple of forums as usual. Close all IE windows and go downstairs for a smoke.

5 mins later come back upstairs and open IE and instead of it opening to my normal home page I get this;

res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D

I think what the hell? Go to Internet Options, change my homepage back. Open another IE window and get it again - it won't let me save what I want as my homepage and keeps reverting to this!

So I rebooted, when it booted up to desktop I got a window open saying the computer could not find the "OSA" file and did I want to look for it?!?!?!

What the hell is going on?!?!

Here's a HijackThis log if anyone can help me please!

---------

Logfile of HijackThis v1.99.1
Scan saved at 22:25:37, on 30/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\svcnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt Cowan\My Documents\Programme and exe files\Anit Virus, Firewall and Spyware Programmes\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINNT\system32\svcnt.exe home
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Gmail - {3CD12856-7A7B-4e4c-B53E-92DFDD44AFDE} - https://gmail.google.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://by103fd.bay103.hotmail.msn.com
O15 - Trusted Zone: http://www.passionford.com
O15 - Trusted Zone: http://www.pearldrummersforum.com
O15 - Trusted IP range: http://209.25.203.234
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.co...x/HMAtchmt.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
  #2 (permalink)  
Old 30-06-2005, 10:36 PM
Junior Member
New Recruit
 
Join Date: Feb 2005
Posts: 46
Matt_Cowan Is a beginner here at D-A-L
Re: Um, what is this - help please!

Hmm, now for some reason that link doesn't work if you paste it into a browser...

Last edited by Matt_Cowan; 01-07-2005 at 12:20 PM.
  #3 (permalink)  
Old 01-07-2005, 12:18 AM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Thumbs up Re: Um, what is this - help please!

Hi, Matt_Cowan

First some info on the file

Process File: osa or osa.exe
Process Name: Microsoft Office Startup Assistant

& here http://support.microsoft.com/default...b;EN-US;290144

Now for the items I see in the logfile:

Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
svcnt.exe <--- this file, not this one here --> C:\WINNT\system32\svchost.exe

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm

O4 - HKLM\..\Run: [Fast Start] C:\WINNT\system32\svcnt.exe

O9 - Extra button: Gmail - {3CD12856-7A7B-4e4c-B53E-92DFDD44AFDE} - https://gmail.google.com (file missing)

These items here look to be legit. Did you add them? If not, fix them:
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://by103fd.bay103.hotmail.msn.com
O15 - Trusted Zone: http://www.passionford.com
O15 - Trusted Zone: http://www.pearldrummersforum.com
O15 - Trusted IP range: http://209.25.203.234

Now I am just having you stop the file I found.
If all is good after that, we can delete it.

So fix the above items, reset your pages how you like them,
tell me how it is & post a new logfile.

HGD

Last edited by HJThis; 01-07-2005 at 12:21 AM.
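The two files singled out in this thread, svcnt.exe and shdocsv.dll, have names that closely resemble the genuine Windows files svchost.exe and shdocvw.dll. The Python sketch below is an added example, not part of any post and not HijackThis's own logic: it scans HijackThis log text for such near-miss names. The reference list, the 0.75 similarity threshold and the function names are assumptions; the sample lines are copied from the first log in this thread.

```python
import re
from difflib import SequenceMatcher

# Assumed reference list: the genuine Windows files the thread's names resemble.
GENUINE = ("svchost.exe", "shdocvw.dll")
THRESHOLD = 0.75  # assumed similarity cut-off for "close but not equal"
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - ")   # HijackThis section prefix
PROCESS = re.compile(r"^[A-Za-z]:\\")          # a line from the process list
BINARY = re.compile(r"[A-Za-z0-9_]+\.(?:exe|dll)\b", re.IGNORECASE)

# Lines copied from the first HijackThis log in this thread.
SAMPLE = r"""
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svcnt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINNT\system32\svcnt.exe home
"""

def lookalike_of(name):
    """Return the genuine name that `name` resembles without equalling it."""
    name = name.lower()
    if name in GENUINE:
        return None
    for real in GENUINE:
        if SequenceMatcher(None, name, real).ratio() >= THRESHOLD:
            return real
    return None

def triage(log_text):
    """Return (section, file name, genuine name) for each near-miss name."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        entry = ENTRY.match(line)
        if not entry and not PROCESS.match(line):
            continue  # header and blank lines
        section = entry.group(1) if entry else "process"
        # De-duplicate names within one line while keeping their order.
        for name in dict.fromkeys(n.lower() for n in BINARY.findall(line)):
            real = lookalike_of(name)
            if real:
                findings.append((section, name, real))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A hit only means the name deserves a closer look (file date, publisher, location); it is not proof that the file is malicious.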
  #4 (permalink)  
Old 01-07-2005, 11:30 AM
Junior Member
New Recruit
 
Join Date: Feb 2005
Posts: 46
Matt_Cowan Is a beginner here at D-A-L
Re: Um, what is this - help please!

Hi HJT, thanks for the reply

Right, I found the svcnt.exe in the running processes in Task Manager, and stopped it. I did get a pop up box, but only to warn me it is a process and could result in blah blah if I stopped it, but it stopped okay when I told it to.

I then re-ran HijackThis, marked and fixed the ones you told me to.

Reopened IE and the home page was set to about:blank (scared me half to death as I lost the battle with the about:blank virus one time!!) but all seems fine. I tried to apply my own homepage to it and it seems to have worked.

Here is the new logfile;

-------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:27:49, on 01/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt Cowan\My Documents\Programme and exe files\Anit Virus, Firewall and Spyware Programmes\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pearldrummersforum.com./search.php?
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://by103fd.bay103.hotmail.msn.com
O15 - Trusted Zone: http://www.passionford.com
O15 - Trusted Zone: http://www.pearldrummersforum.com
O15 - Trusted IP range: http://209.25.203.234
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.co...x/HMAtchmt.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Is everything okay there?
  #5 (permalink)  
Old 01-07-2005, 12:20 PM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Smile Re: Um, what is this - help please!

Hi, Matt_Cowan

Yes, good work, it looks fine now. I'd like you to do this here
if I did not have you do it yet.

Next, get this out of the way:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
   1. Change the Download signed ActiveX controls to Prompt
   2. Change the Download unsigned ActiveX controls to Disable
   3. Change the Initialize and script ActiveX controls not marked as safe to Disable
   4. Change the Installation of desktop items to Prompt
   5. Change the Launching programs and files in an IFRAME to Prompt
   6. Change the Navigate sub-frames across different domains to Prompt
   7. When all these settings have been made, click on the OK button.
   8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

& I have some software for you to download, install & update:

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
http://www.javacoolsoftware.com/spywareguard.html

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

And this prog here will help keep your PC clean.

popular programs for doing this is a freeware program called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your Cookies, Internet Explorer History, Empty the Recycle Bin, Uninstall Programs, Clear Usage Tracks and much more. As well as this, it has an Advanced Registry Scanner. Using a program like this is one of the easiest methods.

You should also think about using Firefox & Mozilla & use IE for updates

Get your Firefox here

Mo who

HGD
  #6 (permalink)  
Old 02-07-2005, 12:27 AM
Junior Member
New Recruit
 
Join Date: Feb 2005
Posts: 46
Matt_Cowan Is a beginner here at D-A-L
Re: Um, what is this - help please!

HJT, thank you so much for your help on this! Everything seems to be back to normal now and working fine!

I went through IE Options and everything is as you said it should be (only needed to change the "desktop items installation" one) and also downloaded and installed the programmes you listed (except the IE-Spyad and the last one, hosts thingy, as I wasn't sure exactly what I was doing there lol!)

But thank you again, it is very much appreciated!
  #7 (permalink)  
Old 02-07-2005, 01:21 AM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Thumbs up Re: Um, what is this - help please!

Hey, Matt_Cowan

No problem, that's why we are here, to try & help.
I thank you for having us @ D-A-L help you with
this logfile.

As for the HOSTS thing, it will just replace the old one
with the one I had you download, but you need to know
once you use it you have to add the Trusted sites back.

I will look up some info so you can get to it on this
great tool.

HGD
  #8 (permalink)  
Old 04-07-2005, 12:46 AM
Newbie
D-A-L Newbie
 
Join Date: Jul 2005
Posts: 1
regrettingit Is a beginner here at D-A-L
Re: Um, what is this - help please!

I got this bug today too. Somebody had inserted a mischievous link into an email that was sent to an open source software listserve for its users. That link led to a porn site and then I had the ol antivirus gold trick pulled on me. Some investigating led to HijackThis and I found similar results.

I deleted the svcnt.exe file in C:\Windows\system32 and also the shdocsv.dll that was added there at the same time (see date modified field in Windows Explorer). Deleting these files from my computer didn't seem to cause any harm, but proceed at your own risk.