Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 10-11-2004, 07:25 PM   #1 (permalink)
Crazy
 
Location: Near Chicago, IL
Changing what page IE goes to when it tries to go to invalid address

Whenever I make a mistake typing something in (www.yahoo.co) or something like that my browser goes to http://81.201.104.136 and then a bunch of junk after it that suggests going to sites similar to what I tried to type in.
What can I do to change that?
I tried adaware, CWS, spybot, and am experimenting with hijackthis

Thanks in advance
__________________
If I fall in love, will you forgive me?
If I lose my way, will you choose me?
If I change my mind, will you change me?
-Smashing Pumpkins
Woody182 is offline  
Old 10-11-2004, 07:35 PM   #2 (permalink)
Psycho
 
jonjon42's Avatar
 
Location: inside my own mind
I know this doesn't directly answer your question but have you ever thought about switching browsers? firefox is one of the best free browsers. It even transfers all your information from IE http://www.mozilla.org/products/firefox/ much less spyware/security problems

but back to your question. It does look like some sort of hijack thing. I'm suprised that spybody S&D doesn't handle it. Have you updated it recently?
__________________
A damn dirty hippie without the dirty part....
jonjon42 is offline  
Old 10-11-2004, 07:50 PM   #3 (permalink)
Crazy
 
Location: MA
I think this answers your question...

http://windows.about.com/library/tips/bltip568.htm

Basically, run Regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs

The value you're looking for (I think) is NavigationFailure. Whatever it is set to, change it to:

res://shdoclc.dll/navcancl.htm

and IE should go back to behaving normally.

EDIT: It just occurred to me that whatever hijacked you may have overwritten the DLL itself. If the registry value above is already correct, that's probably what happened. You could try Googling for "shdoclc.dll". You might be able to find a place to download a clean copy of the file. Just drop it into C:\Windows\System32\ (rename the existing one first). It may not work if there are multiple versions of this file floating around, but it's worth a shot.

Last edited by DJMala; 10-11-2004 at 08:10 PM..
DJMala is offline  
Old 10-13-2004, 06:41 PM   #4 (permalink)
Crazy
 
Location: Near Chicago, IL
DJMala, thanks for the tips, I've tried both methods and neither has worked
Any more tips?
__________________
If I fall in love, will you forgive me?
If I lose my way, will you choose me?
If I change my mind, will you change me?
-Smashing Pumpkins
Woody182 is offline  
Old 10-13-2004, 10:43 PM   #5 (permalink)
Crazy
 
Location: MA
Wow, if that didn't work, I'm not sure...

I know a lot of spyware will run in the background, watching to make sure the hijacks and garbage stay in place. If you remove the hijack without killing the app itself, it'll go in and undo any changes you've made. It's kind of odd that Spybot and Adaware didn't catch it, though.

Hit Ctrl-Alt-Del and pop open the Task Manager. Go to the Processes tab and look through the list for anything that looks suspicious. You should be able to Google the name of the process and get a pretty good idea of whether it's supposed to be there or not. Or if you want, post the list here and I can take a look at it.

If you find the culprit, you can kill the process, and then go and delete the file that spawns it. Then you should be able to reclaim your computer.

And seriously, consider using Firefox. It's pretty much 100% immune to this kind of crap.
DJMala is offline  
Old 10-14-2004, 07:04 PM   #6 (permalink)
Crazy
 
Location: Near Chicago, IL
My Hi Jack This log

Logfile of HijackThis v1.98.2
Scan saved at 10:03:19 PM, on 10/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\Program Files\Common Files\Stardock\TrayServer.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\DIGStream\digstream.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\WINDOWS\System32\nmjxow.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\The Weather Channel\The Weather Channel.exe
F:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\SMC\EZ Connect Wireless USB\WlanMonitor.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\WISPTIS.EXE
F:\Program Files\Soulseek\slsk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "F:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DIGStream] F:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ZingSpooler] F:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LogonStudio] "F:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] F:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OCAudioIni] F:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Weather 3] F:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/so..._1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden/...AutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: Domain = ilstu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F319B201-19F3-4689-A018-E9F33CC988A8}: NameServer = 138.87.4.1,138.87.110.1
__________________
If I fall in love, will you forgive me?
If I lose my way, will you choose me?
If I change my mind, will you change me?
-Smashing Pumpkins
Woody182 is offline  
Old 10-14-2004, 08:03 PM   #7 (permalink)
Crazy
 
Location: MA
Quote:
Originally Posted by Woody182
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
Bingo, I think we have a winner! Here's what the Symantec website has to say about ClearSearch:

http://sarc.com/avcenter/venc/data/a...earsearch.html


The only other thing that seems a little fishy is this:

Quote:
F:\WINDOWS\System32\nmjxow.exe
I can't seem to find any information on what this file is, and it doesn't seem to exist on my Win2k system. It could be a legit XP component, but I'm not really sure.
DJMala is offline  
Old 10-14-2004, 09:39 PM   #8 (permalink)
Upright
 
Fix These

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - F:\WINDOWS\System32\cdsm32.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [aqvmbp] F:\WINDOWS\System32\nmjxow.exe
O4 - Startup: EZ Connect Wireless USB Utility.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...nts/y/nt0_x.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/s...2_1/install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden...eAutoLaunch.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games...ool/h2hpool.cab


Then find these files on your system and delete them

CSIE.DLL
nmjxow.exe
cdsm32.dll

Also youll have to scan your registry for those files and delete any referances to do them

Also scan with adaware and spybot
bondage007 is offline  
Old 10-14-2004, 10:22 PM   #9 (permalink)
Tilted
 
I got that CSIE.DLL junk in one of my other computers (woman....)
Deleting it fixed the problem.
Almo is offline  
Old 10-18-2004, 03:52 AM   #10 (permalink)
Crazy
 
Location: Near Chicago, IL
Well I took all the advice and everything is back to normal. Thanks so much for all the help, nice to get all that junk off my computer.
Thanks to all that helped
__________________
If I fall in love, will you forgive me?
If I lose my way, will you choose me?
If I change my mind, will you change me?
-Smashing Pumpkins
Woody182 is offline  
 

Tags
address, changing, invalid, page


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 10:43 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360