Can't get rid of it >xrenoder<

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cumulus

Thread Starter
Joined
Sep 20, 2003
Messages
4
I have seen others with similar problems. SPYBOT didn't work, nor did Adaware. I have done the hijackthis scan and I am posting it in hopes that someone can tell me what to get rid of. Thanks so much.

keith

Logfile of HijackThis v1.97.2
Scan saved at 1:19:57 PM, on 9/20/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\FPPDIS1A.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\SMARTDSK\FLASH\FLSHSTAT.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\PKWARE\PKZIPW4\PKZIPW.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1211.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\SYSTEM\fppdis1a.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\FIX-IT\MEMCHECK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPSTEALT] "C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE" /stealt
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: QUICKE~1.LNK = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: BILLMI~1.LNK = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .psd: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.21/071517ee4662a5a87b22/netzip/RdxIE.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.5023958333
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O19 - User stylesheet: c:\windows\java\my.css
 
Joined
Oct 9, 2001
Messages
9,396
welcome to T.S.G:)

run hijackthis again and put a checkmark against these entries....double check
in case you miss anything
.....then,close all browser and outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1211.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O4 - HKLM\..\Run: [winmain] winmain.exe
O9 - Extra button: Sidesearch (HKLM)
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.21/071517ee4662a5...etzip/RdxIE.cab
O19 - User stylesheet: c:\windows\java\my.css

re-boot after and delete the clearsearch and sidesearch folders
 

Metallica

Malware Specialist
Joined
Jan 28, 2003
Messages
692
Hi cumulus,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1211.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O4 - HKLM\..\Run: [winmain] winmain.exe
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.21/071517ee4662a5...etzip/RdxIE.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O19 - User stylesheet: c:\windows\java\my.css <= unless that is of your own making

Reboot after doing so, preferably into safe mode and delete:
C:\PROGRAM FILES\LYCOS\SIDESEARCH <= entire folder
C:\PROGRAM FILES\CLEARSEARCH <= entire folder
winmain.exe

Regards,

Pieter
 

cumulus

Thread Starter
Joined
Sep 20, 2003
Messages
4
THANKS A MILLION YOU GUYS.

FREE AT LAST

FREE AT LAST

THANK BILL GATES

I'M FREE AT LAST.

KEITH
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top