search.xrenoder.com

Discussion in 'privacy problems' started by Balb, Jun 1, 2003.

Thread Status:
Not open for further replies.
  1. Balb

    Balb Guest

    Hi, I have a problem: whenever I enter a domain name that doesn't exist, I get redirected to "search.xrenoder.com" instead of "auto.search.msn.com". I have already downloaded HijackThis, but I don't know which items to check and remove.
    It would be great if somebody could help me out.

    Here's my HijackThis log:

    Logfile of HijackThis v1.94.0
    Scan saved at 10:09:44, on 01.06.03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129193
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.raging.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129193
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.raging.com"); (C:\Programme\Netscape\Users\default\prefs.js)
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O1 - Hosts: 193.125.201.46 worldsex.com
    O1 - Hosts: 193.125.201.46 www.worldsex.com
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\ISTBAR\ISTBAR.DLL (file missing)
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [AVPCC] C:\Programme\Kaspersky Anti-Virus\avpcc.exe /wait
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [F-STOPW.EXE] C:\Programme\FSI\F-Prot\F-STOPW.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Programme\Xupiter\XTCfgLoader.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [AVPCC Service] C:\Programme\Kaspersky Anti-Virus\avpcc.exe /Service
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Erinnerungen für Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Watchdog.lnk = C:\WINDOWS\TWAIN\A4s2\Watchdog.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Programme\Windows Media Components\Encoder\WMENCAGT.EXE
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {15C3C7A4-9676-11D3-9799-0060087190B9} - http://www.media18.de/spezial/active2.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands

    Hi Balb,

    To start with, delete your hosts file or rename it to hosts.bak. On Windows 95/98/Me you can find your hosts file here: c:\windows\hosts
    Next, check the following items in HijackThis.
    Close all IE, OE and Explorer windows, and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129193
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\ISTBAR\ISTBAR.DLL (file missing)
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Programme\Xupiter\XTCfgLoader.exe
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
    O4 - Startup: Erinnerungen für Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Encoder Agent.lnk = C:\Programme\Windows Media Components\Encoder\WMENCAGT.EXE
    O16 - DPF: {15C3C7A4-9676-11D3-9799-0060087190B9} - http://www.media18.de/spezial/active2.exe
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    Reboot after doing so, preferably into safe mode, and manually delete the following folders (if still present):
    c:\program files\rb32
    C:\Programme\ISTsvc

    Then download Spybot - Search & Destroy

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Regards,

    Pieter
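
As an added example (not part of the original thread and not HijackThis code): a short Python triage of two patterns visible in the posted log, hosts-file lines (O1) that point real domains at a non-loopback address, and BHO/toolbar lines (O2/O3) whose file no longer exists. The function name `triage` and the sample are assumptions; the sample reuses lines from the log above plus one constructed loopback line.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines copied from the log posted in this thread,
# plus one loopback line added here to show that benign entries are skipped.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.raging.com/
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\ISTBAR\ISTBAR.DLL (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*)$")       # "<code> - <body>"
HOSTS = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")        # "Hosts: <ip> <name>"
ORPHAN_MARKS = ("(no file)", "(file missing)")


def triage(log_text):
    """Return (hosts redirects grouped by IP, orphaned BHO/toolbar entries)."""
    redirects = defaultdict(list)
    orphans = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O1" and (h := HOSTS.match(body)):
            ip, host = h.groups()
            try:
                addr = ip_address(ip)
                if addr.is_loopback or addr.is_unspecified:
                    continue  # localhost / blocking entries, not redirects
            except ValueError:
                pass  # malformed address: report it rather than hide it
            redirects[ip].append(host)
        elif code in ("O2", "O3") and body.rstrip().endswith(ORPHAN_MARKS):
            orphans.append(body.strip())
    return dict(redirects), orphans


if __name__ == "__main__":
    by_ip, orphaned = triage(SAMPLE_LOG)
    for ip, hosts in by_ip.items():
        print(f"{ip} <- {', '.join(hosts)}")
    for entry in orphaned:
        print("orphaned:", entry)
```

Several unrelated domains grouped under one address, as with the three msn.com names here, is the hosts-file redirection that the first step of the reply removes.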
     
  3. Balb

    Balb Guest

    Thanks!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    That was fast. :)

    You're welcome.

    Pieter
     