Changing what page IE goes to when it tries to go to invalid address - Tilted Forum Project Discussion Community

Woody182 · 10-11-2004, 07:25 PM

Whenever I make a mistake typing something in (www.yahoo.co) or something like that my browser goes to http://81.201.104.136 and then a bunch of junk after it that suggests going to sites similar to what I tried to type in.
What can I do to change that?
I tried adaware, CWS, spybot, and am experimenting with hijackthis

Thanks in advance

jonjon42 · 10-11-2004, 07:35 PM

I know this doesn't directly answer your question but have you ever thought about switching browsers? firefox is one of the best free browsers. It even transfers all your information from IE http://www.mozilla.org/products/firefox/ much less spyware/security problems

but back to your question. It does look like some sort of hijack thing. I'm suprised that spybody S&D doesn't handle it. Have you updated it recently?

DJMala · 10-11-2004, 07:50 PM

I think this answers your question...

http://windows.about.com/library/tips/bltip568.htm

Basically, run Regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs

The value you're looking for (I think) is NavigationFailure. Whatever it is set to, change it to:

res://shdoclc.dll/navcancl.htm

and IE should go back to behaving normally.

EDIT: It just occurred to me that whatever hijacked you may have overwritten the DLL itself. If the registry value above is already correct, that's probably what happened. You could try Googling for "shdoclc.dll". You might be able to find a place to download a clean copy of the file. Just drop it into C:\Windows\System32\ (rename the existing one first). It may not work if there are multiple versions of this file floating around, but it's worth a shot.

Woody182 · 10-13-2004, 06:41 PM

DJMala, thanks for the tips, I've tried both methods and neither has worked

Any more tips?

DJMala · 10-13-2004, 10:43 PM

Wow, if that didn't work, I'm not sure...

I know a lot of spyware will run in the background, watching to make sure the hijacks and garbage stay in place. If you remove the hijack without killing the app itself, it'll go in and undo any changes you've made. It's kind of odd that Spybot and Adaware didn't catch it, though.

Hit Ctrl-Alt-Del and pop open the Task Manager. Go to the Processes tab and look through the list for anything that looks suspicious. You should be able to Google the name of the process and get a pretty good idea of whether it's supposed to be there or not. Or if you want, post the list here and I can take a look at it.

If you find the culprit, you can kill the process, and then go and delete the file that spawns it. Then you should be able to reclaim your computer.

And seriously, consider using Firefox. It's pretty much 100% immune to this kind of crap.

Woody182 · 10-14-2004, 07:04 PM

Logfile of HijackThis v1.98.2
Scan saved at 10:03:19 PM, on 10/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\Program Files\Common Files\Stardock\TrayServer.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\DIGStream\digstream.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\WINDOWS\System32\nmjxow.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\The Weather Channel\The Weather Channel.exe
F:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\SMC\EZ Connect Wireless USB\WlanMonitor.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\WISPTIS.EXE
F:\Program Files\Soulseek\slsk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "F:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DIGStream] F:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ZingSpooler] F:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LogonStudio] "F:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] F:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OCAudioIni] F:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Weather 3] F:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/so..._1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden/...AutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: Domain = ilstu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: NameServer = 138.87.4.1,138.87.110.1

DJMala · 10-14-2004, 08:03 PM

Quote:

Originally Posted by Woody182

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL

Bingo, I think we have a winner! Here's what the Symantec website has to say about ClearSearch:

http://sarc.com/avcenter/venc/data/a...earsearch.html

The only other thing that seems a little fishy is this:

Quote:

F:\WINDOWS\System32\nmjxow.exe

I can't seem to find any information on what this file is, and it doesn't seem to exist on my Win2k system. It could be a legit XP component, but I'm not really sure.

bondage007 · 10-14-2004, 09:39 PM

Fix These

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...nts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/s...2_1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden...eAutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games...ool/h2hpool.cab

Then find these files on your system and delete them

CSIE.DLL
nmjxow.exe
cdsm32.dll

Also youll have to scan your registry for those files and delete any referances to do them

Also scan with adaware and spybot

Almo · 10-14-2004, 10:22 PM

I got that CSIE.DLL junk in one of my other computers (woman....)
Deleting it fixed the problem.

Woody182 · 10-18-2004, 03:52 AM

Well I took all the advice and everything is back to normal. Thanks so much for all the help, nice to get all that junk off my computer.
Thanks to all that helped

10-11-2004, 07:25 PM	#1 (permalink)
Woody182 Crazy Location: Near Chicago, IL	Changing what page IE goes to when it tries to go to invalid address Whenever I make a mistake typing something in (www.yahoo.co) or something like that my browser goes to http://81.201.104.136 and then a bunch of junk after it that suggests going to sites similar to what I tried to type in. What can I do to change that? I tried adaware, CWS, spybot, and am experimenting with hijackthis Thanks in advance __________________ If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins

10-11-2004, 07:35 PM	#2 (permalink)
jonjon42 Psycho Location: inside my own mind	I know this doesn't directly answer your question but have you ever thought about switching browsers? firefox is one of the best free browsers. It even transfers all your information from IE http://www.mozilla.org/products/firefox/ much less spyware/security problems but back to your question. It does look like some sort of hijack thing. I'm suprised that spybody S&D doesn't handle it. Have you updated it recently? __________________ A damn dirty hippie without the dirty part....

10-11-2004, 07:50 PM	#3 (permalink)
DJMala Crazy Location: MA	I think this answers your question... http://windows.about.com/library/tips/bltip568.htm Basically, run Regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs The value you're looking for (I think) is NavigationFailure. Whatever it is set to, change it to: res://shdoclc.dll/navcancl.htm and IE should go back to behaving normally. EDIT: It just occurred to me that whatever hijacked you may have overwritten the DLL itself. If the registry value above is already correct, that's probably what happened. You could try Googling for "shdoclc.dll". You might be able to find a place to download a clean copy of the file. Just drop it into C:\Windows\System32\ (rename the existing one first). It may not work if there are multiple versions of this file floating around, but it's worth a shot. Last edited by DJMala; 10-11-2004 at 08:10 PM..

10-13-2004, 06:41 PM	#4 (permalink)
Woody182 Crazy Location: Near Chicago, IL	DJMala, thanks for the tips, I've tried both methods and neither has worked Any more tips? __________________ If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins

10-14-2004, 07:04 PM	#6 (permalink)
Woody182 Crazy Location: Near Chicago, IL	My Hi Jack This log Logfile of HijackThis v1.98.2 Scan saved at 10:03:19 PM, on 10/14/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\system32\spoolsv.exe F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe F:\WINDOWS\Explorer.EXE F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe F:\Program Files\Norton AntiVirus\navapsvc.exe F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE F:\Program Files\Common Files\Stardock\TrayServer.exe F:\WINDOWS\Mixer.exe F:\Program Files\DIGStream\digstream.exe F:\Program Files\Microsoft Hardware\Keyboard\type32.exe F:\Program Files\Common Files\Symantec Shared\ccApp.exe F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe F:\WINDOWS\System32\nmjxow.exe F:\WINDOWS\System32\ctfmon.exe F:\Program Files\The Weather Channel\The Weather Channel.exe F:\Program Files\Yahoo!\Messenger\ypager.exe F:\Program Files\AIM\aim.exe F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe F:\Program Files\SMC\EZ Connect Wireless USB\WlanMonitor.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\System32\MsPMSPSv.exe F:\WINDOWS\System32\wuauclt.exe F:\WINDOWS\System32\WISPTIS.EXE F:\Program Files\Soulseek\slsk.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "F:\Program Files\Common Files\Stardock\TrayServer.exe" O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [DIGStream] F:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [ZingSpooler] F:\Program Files\Common Files\Zing\ZingSpooler.exe O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [LogonStudio] "F:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LXSUPMON] F:\WINDOWS\System32\LXSUPMON.EXE RUN O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [OCAudioIni] F:\Program Files\One-click Audio Converter\OCAudioIni.exe O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Desktop Weather 3] F:\Program Files\The Weather Channel\The Weather Channel.exe O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Startup: EZ Connect Wireless USB Utility.lnk = ? O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt0_x.cab O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/so..._1/install.cab O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden/...AutoLaunch.ocx O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802 O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: Domain = ilstu.edu O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: NameServer = 138.87.4.1,138.87.110.1 __________________ If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins

10-13-2004, 10:43 PM	#5 (permalink)
DJMala Crazy Location: MA	Wow, if that didn't work, I'm not sure... I know a lot of spyware will run in the background, watching to make sure the hijacks and garbage stay in place. If you remove the hijack without killing the app itself, it'll go in and undo any changes you've made. It's kind of odd that Spybot and Adaware didn't catch it, though. Hit Ctrl-Alt-Del and pop open the Task Manager. Go to the Processes tab and look through the list for anything that looks suspicious. You should be able to Google the name of the process and get a pretty good idea of whether it's supposed to be there or not. Or if you want, post the list here and I can take a look at it. If you find the culprit, you can kill the process, and then go and delete the file that spawns it. Then you should be able to reclaim your computer. And seriously, consider using Firefox. It's pretty much 100% immune to this kind of crap.

10-14-2004, 09:39 PM	#8 (permalink)
bondage007 Upright	Fix These R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file) O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe O4 - Startup: EZ Connect Wireless USB Utility.lnk = ? O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...nts/y/nt0_x.cab O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/s...2_1/install.cab O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden...eAutoLaunch.ocx O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802 O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games...ool/h2hpool.cab Then find these files on your system and delete them CSIE.DLL nmjxow.exe cdsm32.dll Also youll have to scan your registry for those files and delete any referances to do them Also scan with adaware and spybot

10-14-2004, 10:22 PM	#9 (permalink)
Almo Tilted	I got that CSIE.DLL junk in one of my other computers (woman....) Deleting it fixed the problem.

10-18-2004, 03:52 AM	#10 (permalink)
Woody182 Crazy Location: Near Chicago, IL	Well I took all the advice and everything is back to normal. Thanks so much for all the help, nice to get all that junk off my computer. Thanks to all that helped __________________ If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins