There's no such thing as a stupid question, but they're the easiest to answer.


Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

the search was changed, then "fixed" but it still dont work


Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
07-Feb-2004, 08:59 AM #1
the search was changed, then "fixed" but it still dont work
I used to be able to type in a word in the search bar and it would take me to google search, untill some spyware was somehow installed on my computer so now when ever I type in something in the address bar like for an example test will take me too http:///?%20test and if I do Search test it takes me too http:///?%20Search%20test I tried doing this to restore it but it didnt work, so I went on over to the google site looked up help with my default search redid everything there and still no luck,
I even tried editing my registry and nothing, the only thing thats different in it (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main) is Search Page_bak
I didnt see anything wrong or strange in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search or in Main either Any help?
tsunam's Avatar
Senior Member with 1,240 posts.
Join Date: Sep 2003
Experience: Linux~su
07-Feb-2004, 09:03 AM #2
Alright do us a favor, download hijackthis and copy the log for us to look, its most likely some spyware thats taken over you ie from you. thats the link for the hjt program.
Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
07-Feb-2004, 10:12 AM #3
Ok thanks, and heres the log file:
Logfile of HijackThis v1.97.7
Scan saved at 10:10:02 AM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXYZ01QR\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DelTIF] cscript "C:\Documents and Settings\Owner\Desktop\purgecache.vbs" //b //nologo DeleteCache "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
O16 - DPF: Yahoo! Go Fish -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
08-Feb-2004, 05:21 PM #4
Hi, can anyone help? much thanks.
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 47,598 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
08-Feb-2004, 05:53 PM #5
nothing obvious there

have you got more than one user acccount on the computer, if so post a log from each account.

I've seen this behaviour affect all accounts, but only appear in one
Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
08-Feb-2004, 08:48 PM #6
No I only use one and thats owner
Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
10-Feb-2004, 05:26 AM #7
If it helps... here is everything I have in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

"Disable Script Debugger"="yes"
"Anchor Underline"="yes"
"Display Inline Images"="yes"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Start Page"=""
"Search Page"=""
"Search Bar"=""
"Use Custom Search URL"=dword:00000001
"FormSuggest PW Ask"="no"
"Window_Placement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,00,83,ff,ff,00,8 3,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00, \
"Use FormSuggest"="no"
"Use Search Asst"="no"
"Error Dlg Displayed On Every Error"="no"
"Error Dlg Details Pane Open"="yes"
"Expand Alt Text"="no"
"Move System Caret"="no"
"Enable Browser Extensions"="no"
"Force Offscreen Composition"=dword:00000000
"Friendly http errors"="yes"
"Enable AutoImageResize"="no"
"Display Inline Videos"="yes"
"Show image placeholders"=dword:00000000
"Window Title"=""
"Save Directory"="C:\\Documents and Settings\\Owner\\Desktop\\"
"Start Page_bak"=""
"Search Bar_bak"=""
"Search Page_bak"=""
"Use Search Assistant"="no"

and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

"Search Page"=""
"Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00, \
"Start Page"=""
"CompanyName"="Microsoft Corporation"
"Search Bar"=""
cybertech's Avatar
Moderator with 69,437 posts.
Join Date: Apr 2002
Location: USA
10-Feb-2004, 10:17 AM #8
Use HJT to fix this one:

R3 - Default URLSearchHook is missing
VirtualMe's Avatar
VirtualMe VirtualMe is offline
Senior Member with 867 posts.
Join Date: Sep 2002
10-Feb-2004, 11:06 AM #9
If cybertechs suggestion don't fix it then try this.

Re: Help! I can't search from my Address Bar anymore!

Make this registry change. There should only be two lines, The "Default" and
then this value in

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

or download the attachment


Note: Only use attachment for Win XP only!

to the desktop and and change it to


when ask if you want to change this file click YES

double click it and click Yes and/or OK

Then reset your seach page if need be.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.

Last edited by VirtualMe; 10-Feb-2004 at 11:29 AM..
Dude21's Avatar
Dude21 Dude21 is offline
Member with 113 posts.
Join Date: Feb 2004
Location: Ohio, usa
14-Feb-2004, 07:46 PM #10
@cybertech - I'm not sure what HJT or R3 is

@VirtualMe - it worked! Thanks alot
Adam_Black's Avatar
Adam_Black Adam_Black is offline
Computer Specs
Member with 141 posts.
Join Date: Aug 2003
Location: London, England
Experience: Half-geek. Like half-elf. You know?
14-Feb-2004, 07:53 PM #11

HJT = HijackThis

R3 = type of suspicious registry key that HJT detects
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools

You Are Using: Server ID
Trusted Website Back to the Top ↑