[Dude21]

I used to be able to type in a word in the search bar and it would take me to google search, untill some spyware was somehow installed on my computer so now when ever I type in something in the address bar like for an example test will take me too http:///?%20test and if I do Search test it takes me too http:///?%20Search%20test I tried doing this to restore it but it didnt work, so I went on over to the google site looked up help with my default search redid everything there and still no luck,
I even tried editing my registry and nothing, the only thing thats different in it (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main) is Search Page_bak
I didnt see anything wrong or strange in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search or in Main either Any help?

[tsunam]

Alright do us a favor, download hijackthis and copy the log for us to look, its most likely some spyware thats taken over you ie from you. http://www.merijn.org/downloads.html thats the link for the hjt program.

[Dude21]

Ok thanks, and heres the log file:

Quote:

Logfile of HijackThis v1.97.7
Scan saved at 10:10:02 AM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXYZ01QR\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phpground.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.phpground.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DelTIF] cscript "C:\Documents and Settings\Owner\Desktop\purgecache.vbs" //b //nologo DeleteCache "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

[Dude21]

Hi, can anyone help? much thanks.

[dvk01]

nothing obvious there

have you got more than one user acccount on the computer, if so post a log from each account.

I've seen this behaviour affect all accounts, but only appear in one

[Dude21]

No I only use one and thats owner

[Dude21]

If it helps... here is everything I have in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

"NoUpdateCheck"=dword:00000001
"NoJITSetup"=dword:00000001
"Disable Script Debugger"="yes"
"Show_ChannelBand"="No"
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=hex:01,00,00,00
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Start Page"="http://www.phpground.net/"
"Use_DlgBox_Colors"="yes"
"Search Page"="http://www.google.com"
"Default_Page_URL"="http://qus8.hpwis.com/"
"Default_Search_URL"="http://srch-qus8.hpwis.com/"
"Search Bar"="http://g.msn.com/0SEENUS/SAOS01"
"Use Custom Search URL"=dword:00000001
"AddToFavoritesExpanded"=dword:00000001
"FormSuggest PW Ask"="no"
"Window_Placement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,00,83,ff,ff,00,8 3,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00, \
00
"FullScreen"="no"
"AutoSearch"=dword:00000004
"NotifyDownloadComplete"="no"
"Use FormSuggest"="no"
"Use Search Asst"="no"
"HistoryViewType"=hex:08,00,66,63,03,00,00,00,00,00
"Error Dlg Displayed On Every Error"="no"
"Error Dlg Details Pane Open"="yes"
"HistoryTopNSitesView"=dword:00000014
"Expand Alt Text"="no"
"Move System Caret"="no"
"NscSingleExpand"=dword:00000001
"NoWebJITSetup"=dword:00000000
"Page_Transitions"=dword:00000000
"FavIntelliMenus"="no"
"Enable Browser Extensions"="no"
"UseThemes"=dword:00000000
"Force Offscreen Composition"=dword:00000000
"AllowWindowReuse"=dword:00000001
"Friendly http errors"="yes"
"ShowGoButton"="no"
"SmoothScroll"=dword:00000000
"Enable AutoImageResize"="no"
"Enable_MyPics_Hoverbar"="yes"
"Play_Animations"="yes"
"Play_Background_Sounds"="yes"
"Display Inline Videos"="yes"
"Show image placeholders"=dword:00000000
"Print_Background"="no"
"Window Title"=""
"Save Directory"="C:\\Documents and Settings\\Owner\\Desktop\\"
"BandRest"="Never"
"Start Page_bak"="http://www.phpground.net/"
"Search Bar_bak"="http://www.google.com/ie"
"Search Page_bak"="http://www.google.com"
"Use Search Assistant"="no"

and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

"Default_Page_URL"="http://qus8.hpwis.com/"
"Default_Search_URL"="http://srch-qus8.hpwis.com/"
"Search Page"="http://srch-qus8.hpwis.com/"
"Enable_Disk_Cache"="yes"
"Cache_Percent_of_Disk"=hex:0a,00,00,00
"Delete_Temp_Files_On_Exit"="yes"
"Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00, \
62,00,6c,00,61,00,6e,00,6b,00,2e,00,68,00,74,00,6d,00,00,00
"Anchor_Visitation_Horizon"=hex:01,00,00,00
"Use_Async_DNS"="yes"
"Placeholder_Width"=hex:1a,00,00,00
"Placeholder_Height"=hex:1a,00,00,00
"Start Page"="http://qus8.hpwis.com/"
"CompanyName"="Microsoft Corporation"
"Custom_Key"="MICROSO"
"Wizard_Version"="6.00.2800.1017"
"Search Bar"="http://srch-qus8.hpwis.com/"
"FullScreen"="no"
"BandRest"="Never"

[cybertech]

Use HJT to fix this one:

R3 - Default URLSearchHook is missing

[VirtualMe]

If cybertechs suggestion don't fix it then try this.


Re: Help! I can't search from my Address Bar anymore!

Quote:

Make this registry change. There should only be two lines, The "Default" and
then this value in

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

or download the attachment

urlsearchhooks.txt

Note: Only use attachment for Win XP only!


to the desktop and and change it to

urlsearchhooks.reg

when ask if you want to change this file click YES

double click it and click Yes and/or OK

Then reset your seach page if need be.

[Dude21]

@cybertech - I'm not sure what HJT or R3 is

@VirtualMe - it worked! Thanks alot

[Adam_Black]

Ugh.

HJT = HijackThis

R3 = type of suspicious registry key that HJT detects