
homepage set to searchv.com

Discussion in 'Virus & Other Malware Removal' started by mgnhsv, Oct 17, 2003.

Thread Status:
Not open for further replies.
  1. mgnhsv

    mgnhsv Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    8
    Hi all....

    I too have had my homepage set to searchv.com and can't set it back to the original. My HijackThis.log is as follows...... Thanks in advance for your help!!


    Logfile of HijackThis v1.97.3
    Scan saved at 8:03:56 PM, on 10/17/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\LogWatNT.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\BIN\TNSLSNR.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    c:\winnt\system32\os2\dll\bk\FireDaemon.EXE
    c:\winnt\system32\os2\dll\bk\rundll32.exe
    C:\WINNT\system32\MSTask.exe
    c:\winnt\system32\os2\dll\bk\FireDaemon.EXE
    c:\winnt\system32\os2\dll\bk\FireDaemon.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINNT\system32\llass.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\Mark Gray\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mark Gray\Application Data\Mozilla\Profiles\default\r3rdcgr1.slt\prefs.js)
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Time Zones for PCs.lnk = C:\Program Files\Time Zones for PCs\Tzpc.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .ATT: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .pan: C:\Program Files\Internet Explorer\PLUGINS\NpSmNp.dll
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fastmetasearch.com/free_sex_viewer.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/oodlz_9bl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.6484143519
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0312.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    What's the deal with stuff running from c:\winnt\system32\os2\dll\bk\ ?
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    Can you try this, please?
    Go to Start > Run, type regedit, then press OK.
    Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Right-click on that key and select Export (that makes a copy of the key). Save it somewhere you will find it, open that file in Notepad and copy & paste the results here.
     
  4. mgnhsv

    mgnhsv Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    8
    Derek,

    Found the folder and everything as you suggested, but I did not have an 'Export' option. I am running IE 6.0 with Windows 2000. I had only the following choices when I found the Run folder: Expand (grayed out and not a choice), New, Find, Delete, Rename, Copy Key Name... as my options.
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    Click on the key and look in the right-hand pane.

    Is there a sys.reg entry? If so, select it and delete it.

    Tell us if it is there, because you also need to delete its actual file as well as the registry entry.
     
  6. mgnhsv

    mgnhsv Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    8
    Derek,

    There is an entry there named sys (under the Data column it reads: regedit /s C:\WINNT\sys.reg) and I did delete it.
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    OK, reboot the computer, navigate to C:\WINNT\sys.reg and delete that file.
     
  8. mgnhsv

    mgnhsv Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    8
    Found the C:\WINNT\sys.reg and deleted it
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Now run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows and "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fastmetasearch.com/free_sex_viewer.exe

    Re-boot after and run a scan here:
    http://www.trojanscan.com/
    Let us know the result.

    ;)
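    The triage the helpers did by eye, as an added example that is not from this thread: a small Python script that scans HijackThis lines for the patterns they flagged (the searchv.com R0/R1 settings, the hosts-file override, the orphaned toolbar CLSID, the bare .exe DPF) plus an O4 Run entry invoking regedit /s, which is the mechanism behind the sys.reg entry that kept re-applying the hijack. The sample log is a constructed subset of the thread's log; the O4 [sys] line is written as HijackThis would display that Run entry, which is an assumption since the posted log did not list it.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis lines taken from the thread's log, plus an O4 line
# for the "sys" Run entry the poster found by hand, written as HijackThis would
# display it (assumption: the posted log did not actually show this line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fastmetasearch.com/free_sex_viewer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "R1 - ...", "O16 - ..."
URL_RE = re.compile(r"https?://([^/\s]+)")                     # captures the host part

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every HijackThis entry worth a second look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            # Start/search page values: a remote URL or about:blank is what a hijacker leaves behind
            value = body.split(" = ", 1)[1] if " = " in body else ""
            host = URL_RE.match(value)
            if host:
                findings.append((sec, f"IE start/search setting points at {host.group(1)}", line))
            elif value.lower() == "about:blank":
                findings.append((sec, "IE search setting reset to about:blank", line))
        elif sec == "O1":
            findings.append((sec, "hosts-file override of a public name", line))
        elif sec == "O3" and body.endswith("(no file)"):
            findings.append((sec, "toolbar CLSID whose file is missing (orphaned entry)", line))
        elif sec == "O4" and re.search(r"\bregedit(\.exe)?\s+/s\b", body, re.I):
            # Silent .reg import at every logon: re-applies the hijacked settings after each fix
            findings.append((sec, "Run entry silently re-imports a .reg file at logon", line))
        elif sec == "O16":
            url = URL_RE.search(body)
            if url and body.lower().endswith(".exe"):
                findings.append((sec, f"ActiveX download of a bare .exe from {url.group(1)}", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```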
     
  10. mgnhsv

    mgnhsv Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    8
    Derek,

    Ran HijackThis with checks by the lines listed. Here are the results from trojanscan.com:

    Starting scan at 16:16:22:267...
    Scan Memory
    Memory not infected
    Scan folder: 'C:\', recursive
    Unable to scan C:\System Volume Information - Access is denied.
    Scan folder: 'D:\', recursive
    Finished scan at 16:49:45:427
    Total number of files is 181278, number of infected files is 0
    Average files per second is 90, average file size is 1600184

    Re-booted and looks like searchv.com is history!!!! Thanks so much for your help!!!

    Mark
     
Short URL to this thread: https://techguy.org/172745