1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] loader.exe

Discussion in 'Earlier Versions of Windows' started by ChfTx, Sep 19, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. ChfTx

    ChfTx Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    287
    The file...."Loader.exe"..is "performing an illegal operation and will be shut down"...............I get this message at the start up screen...I can get past it, but.........

    What is it?........How does it affect my system?...........and how can I fix it?

    HP Vectra, 333MHz, P2, 192 RAM, Win98Se..............

    Recently installed the "Update Win98Se" from Win98........and has been like this ever since....

    Thanks!!!
     
  2. beekeeper

    beekeeper

    Joined:
    Aug 17, 2003
    Messages:
    125
  3. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I found the same information as Beekeeper; it is apparently associated with adware known as Clear Search. Apparently, you cannot delete it because it is running so go into your Task Manager and terminate it before deleting.

    Here is a good thread about it
     
  4. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    If loader.exe is located here

    c:\WINDOWS\loader.exe

    It could be coolweb

    See if you also have c:\WINDOWS\iedll.exe

    If you have - download and run this :-

    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Better still download and run Hijackthis, then we can take a look at it

    Please Download hijackthis

    http://www.spywareinfo.com/downloads.php#det

    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    After the scan has finished the "scan" button will turn into a "save log" button

    save the log file and paste it here

    PLEASE NOTE: A small help file for HijackThis is located at http://tomcoyote.org/hjt

    steam
     
  5. ChfTx

    ChfTx Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    287
    ok steamwiz.......Thanks, and ....


    here is a copy of the save log from the scan..........

    Logfile of HijackThis v1.97.2
    Scan saved at 4:01:01 PM, on 9/19/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ATI2EVAE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\SAVE\SAVE.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\3CMLNKW.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
    C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\WINDOWS\TWAIN_32\SCANWIZ5\SDII.EXE
    C:\ATI\ATIDESK\ATISCHED.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ewebsearch.net/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083003
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://146.20.38.19
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://146.20.38.19
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ewebsearch.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\FIX-IT\MEMCHECK.EXE
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [ModemInstallAssistant] D:\SUPPORT\MODEMINSTALL.EXE
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Startup: ATISched.lnk = C:\ATI\ATIDESK\atisched.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - DefaultPrefix: http://193.125.201.50/?trk=
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://e2give.com/downloads/UGO20.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com./pcpitstop/PCPitStop.CAB
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://64.227.53.90/stereo/mp3search.exe
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.3422453704
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    When these guys tell you what to remove, you should think about clearing your start up 'stuff' too....that's a bit much to be running upon startup. It's got to take forever to get to your desktop ;)
     
  7. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi ChfTx ,

    Open Task Manager ( Ctrl+Alt+Delete ) select Processes , End Process each of the following ,

    LOADER.EXE
    SAVE.EXE
    UPDATESTATS.EXE

    Close all browser windows Scan Hijack This , put a check in the following entries and hit ''Fix Checked '' ,

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://146.20.38.19

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://146.20.38.19

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ewebsearch.net/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com

    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

    O4 - HKLM\..\Run: [winmain] winmain.exe

    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe

    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE

    O13 - DefaultPrefix: http://193.125.201.50/?trk=

    O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://e2give.com/downloads/UGO20.exe

    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    Shutdown & Reboot your computer in Safe Mode , Tap the F8 key on Reboot

    Navigate to and Delete the following

    C:\PROGRAM FILES\SAVE > Folder
    C:\PROGRAM FILES\CLEARSEARCH > Folder
    C:\PROGRAM FILES\MEDIA\MEDIA\UpdateStats > Folder
    C:\WINDOWS\LOADER.EXE > File
    C:\WINDOWS\iedll.exe > File

    Shutdown & Normal Reboot

    Download and install Spybot search & destroy www.security.kolla.de Open Spybot search & destroy , Click Online , Search for updates , Download all available updates , log offline , Close all browser windows , check your taskbar for minimized windows as well , Run Spybot search & destroy , put a check in every entry Spybot search & destroy returns , Click fix problems.

    Shutdown & Reboot your computer

    Next , Download SpywareBlaster v2.6.1 and SpywareGuard v2.2 for the prevention of both Spyware Active X installation and running , and Browser Hijacking protection in real-time http://www.wilderssecurity.net/index.html

    Finally Post a new Hijack This log for a follow-up review


    The following link can assist you in optimizing your start-up applications www.pacs-portal.co.uk/startup_pages/startup_full.htm

    Good luck
     
  8. ChfTx

    ChfTx Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    287
    OK....I've done all that you said and here is the latest Hijack log:

    Logfile of HijackThis v1.97.2
    Scan saved at 8:14:08 PM, on 9/21/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\VVJB.EXE
    C:\WINDOWS\SYSTEM\PNS4SUR.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {301C0160-EADE-11D7-A8DD-0020E014715E} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [2WLJ3J92T65#EQ] C:\WINDOWS\SYSTEM\HqoX.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    and Candy's right, I've got about 40 programs on my start up menu!!...I can't copy and paste, it won't let me do it......fixing that is the next task (actually, I've already started with the link BlueSpruce sent)

    Thanks sooo much!!
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    More malware there.

    Check, and have Hijack This fix the following as well:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL

    O3 - Toolbar: (no name) - {301C0160-EADE-11D7-A8DD-0020E014715E} - (no file)

    O4 - HKLM\..\Run: [2WLJ3J92T65#EQ] C:\WINDOWS\SYSTEM\HqoX.exe


    After rebooting, delete the following, if still there:

    The C:\Program Files\IncrediFind folder (KeenValue parasite variant)
    The C:\WINDOWS\SYSTEM\HqoX.exe file (Win32/Peper trojan variant)
     
  10. ChfTx

    ChfTx Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    287
    have done everything here. My system is running quite a bit better.

    Thanks for all your help! I really appreciate it.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/165938

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice