MySearch & Internet Explorer - Please Help

[Dedcrayzie]

Hi Learned Friends,

I've this problem with an IE where a rogue URL keeps replacing the default homepage. I've run HijackThis and its picked up all the rogue entries in the registry. I deleted what I figured would be the culprits (including the hosts file) and rebooted only to find that the problem was still there. Kindly advise on what to do next. I'm pasting the results of the scan below.

Thanks for any help you can offer.

Afroman

Logfile of HijackThis v1.97.7
Scan saved at 17:54:06, on 13/01/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\NOVELL\CLIENT32\NWPOPUP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRA~1\FUNKSO~1\PROXY\phostwin.exe
C:\WINDOWS\SYSTEM\WSASRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MGACTRL.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
P:\GRPWISE\V55\SOFTWARE\CLIENT\WIN32\NOTIFY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.search/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://my.search/hp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.search/sp.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 181.1.100.1:8080
O1 - Hosts: 64.237.53.4 my.search
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MGA Control Center] Mgactrl.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [MGA Diagnostic] C:\Program Files\Matrox MGA PowerDesk\mgadiag.exe -s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\QUICKEN.EXE
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O4 - Startup: MGA QuickDesk.lnk = C:\Program Files\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: GroupWise Notify.lnk = GRPWISE\V55\software\CLIENT\Win32\Notify.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.43.128.1,158.43.192.1,154.32.105.18

 

[carrr]

Download and run the CWShredder tool:

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Reboot for good measure.

Run Hijack This! again.
Remove any of these entries that might be left:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.search/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://my.search/hp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.search/sp.php

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

 

[carrr]

AND....

.....man, am I getting lax. BE SURE that this entry is gone (i.e. remove it if it's still around after the CWshredder is run):

O1 - Hosts: 64.237.53.4 my.search

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

 

[Dedcrayzie]

Thanks a bunch Carrr. I'll let you know how I get on.

Afroman

 

[Dedcrayzie]

Hi Carrr,

Fantastic stuff!!! Your suggestion worked a treat! Thanks once again. You've been a great help.

Afroman