10-11-2004, 07:25 PM | #1 (permalink) |
Crazy
Location: Near Chicago, IL
|
Changing what page IE goes to when it tries to go to invalid address
Whenever I make a mistake typing something in (www.yahoo.co) or something like that, my browser goes to http://81.201.104.136 and then a bunch of junk after it that suggests going to sites similar to what I tried to type in.
What can I do to change that? I tried Adaware, CWS, Spybot, and am experimenting with HijackThis. Thanks in advance.
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |
10-11-2004, 07:35 PM | #2 (permalink) |
Psycho
Location: inside my own mind
|
I know this doesn't directly answer your question, but have you ever thought about switching browsers? Firefox is one of the best free browsers. It even transfers all your information from IE. http://www.mozilla.org/products/firefox/ Much less spyware/security problems.
But back to your question. It does look like some sort of hijack thing. I'm surprised that Spybot S&D doesn't handle it. Have you updated it recently?
__________________
A damn dirty hippie without the dirty part.... |
10-11-2004, 07:50 PM | #3 (permalink) |
Crazy
Location: MA
|
I think this answers your question...
http://windows.about.com/library/tips/bltip568.htm
Basically, run Regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs
The value you're looking for (I think) is NavigationFailure. Whatever it is set to, change it to: res://shdoclc.dll/navcancl.htm and IE should go back to behaving normally.
EDIT: It just occurred to me that whatever hijacked you may have overwritten the DLL itself. If the registry value above is already correct, that's probably what happened. You could try Googling for "shdoclc.dll". You might be able to find a place to download a clean copy of the file. Just drop it into C:\Windows\System32\ (rename the existing one first). It may not work if there are multiple versions of this file floating around, but it's worth a shot.
Last edited by DJMala; 10-11-2004 at 08:10 PM.. |
10-13-2004, 06:41 PM | #4 (permalink) |
Crazy
Location: Near Chicago, IL
|
DJMala, thanks for the tips. I've tried both methods and neither has worked.
Any more tips?
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |
10-13-2004, 10:43 PM | #5 (permalink) |
Crazy
Location: MA
|
Wow, if that didn't work, I'm not sure...
I know a lot of spyware will run in the background, watching to make sure the hijacks and garbage stay in place. If you remove the hijack without killing the app itself, it'll go in and undo any changes you've made. It's kind of odd that Spybot and Adaware didn't catch it, though.
Hit Ctrl-Alt-Del and pop open the Task Manager. Go to the Processes tab and look through the list for anything that looks suspicious. You should be able to Google the name of the process and get a pretty good idea of whether it's supposed to be there or not. Or if you want, post the list here and I can take a look at it.
If you find the culprit, you can kill the process, and then go and delete the file that spawns it. Then you should be able to reclaim your computer.
And seriously, consider using Firefox. It's pretty much 100% immune to this kind of crap. |
10-14-2004, 07:04 PM | #6 (permalink) |
Crazy
Location: Near Chicago, IL
|
My Hi Jack This log
Logfile of HijackThis v1.98.2
Scan saved at 10:03:19 PM, on 10/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\Program Files\Common Files\Stardock\TrayServer.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\DIGStream\digstream.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\WINDOWS\System32\nmjxow.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\The Weather Channel\The Weather Channel.exe
F:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\SMC\EZ Connect Wireless USB\WlanMonitor.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\WISPTIS.EXE
F:\Program Files\Soulseek\slsk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "F:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DIGStream] F:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ZingSpooler] F:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LogonStudio] "F:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] F:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OCAudioIni] F:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Weather 3] F:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/so..._1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden/...AutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: Domain = ilstu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: NameServer = 138.87.4.1,138.87.110.1
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |
10-14-2004, 08:03 PM | #7 (permalink) | ||
Crazy
Location: MA
|
Quote:
http://sarc.com/avcenter/venc/data/a...earsearch.html The only other thing that seems a little fishy is this: Quote:
|
||
10-14-2004, 09:39 PM | #8 (permalink) |
Upright
|
Fix These
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...nts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/s...2_1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden...eAutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games...ool/h2hpool.cab
Then find these files on your system and delete them:
CSIE.DLL
nmjxow.exe
cdsm32.dll
Also, you'll have to scan your registry for those files and delete any references to them.
Also scan with Adaware and Spybot. |
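Added example, not written by any poster in this thread: a small triage pass over a HijackThis log that surfaces the kinds of entries singled out above (the R3 search hook, the BHO with no file, and the Run entry for the resident System32 process). The three rules and the names `parse`, `triage` and `SAMPLE_LOG` are assumptions made for this illustration; the sample lines are an excerpt of the log posted in #6.

```python
import re

# Sample input: a few lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\nmjxow.exe
F:\WINDOWS\System32\ctfmon.exe
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN = re.compile(r'Run: \[(.+?)\] "?([^"]+?\.exe)', re.I)

def parse(log):
    """Split a log into (running process paths, [(section code, body), ...])."""
    procs, entries, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def triage(log):
    """Return (reason, entry) pairs worth looking up; heuristics, not verdicts."""
    procs, entries = parse(log)
    findings = []
    for code, body in entries:
        if code == "R3":                                   # address-bar search hook
            findings.append(("search-hook", body))
        elif code == "O2" and body.endswith("(no file)"):  # BHO whose DLL is gone
            findings.append(("orphan-bho", body))
        elif code == "O4" and (m := RUN.search(body)):
            name, path = m.group(1).lower(), m.group(2).lower()
            folder, _, exe = path.rpartition("\\")
            stem = exe[:-4]
            # Autorun that is resident right now, lives in System32, and whose
            # Run value name has nothing in common with the file name.
            if (path in procs and folder.endswith("\\system32")
                    and stem not in name and name not in stem):
                findings.append(("resident-autorun", body))
    return findings
```

Each finding is a prompt to look the file up before removing anything; the third rule reflects the point made in #5 that a process left running will put the hijack back.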
10-18-2004, 03:52 AM | #10 (permalink) |
Crazy
Location: Near Chicago, IL
|
Well I took all the advice and everything is back to normal. Thanks so much for all the help, nice to get all that junk off my computer.
Thanks to all that helped
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |