How to cure SearchV problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dvk01

Derek
Thread Starter
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Unfortunately, CWshredder and other automated tools are not cleaning the latest versions of CWS at this time, so they have to be removed manually.

Go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

Tick any R1 or R0 entry that contains searchV, like these few examples:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/

Then there will be at least 2 of these, and probably all 3 of these entries:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\***************\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSupdater.exe

Double-check to make sure you haven't missed any, close all browser windows & press "Fix checked".
Then reboot & delete:
C:\Documents and Settings\*****************\Application Data\winshow folder
C:\WINDOWS\sys.reg
Then do a search for & delete MSupdater.exe

If you need further help, please post a full HijackThis log so we can help you.
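
Added example (not part of the original post, and not code from HijackThis or CWShredder): a short Python script that reads a saved HijackThis log and lists the entries the post above says to tick, re-joining log lines that were wrapped when pasted. The sample log is constructed, and the user name "user" and the two harmless entries are placeholders.

```python
import re

# A HijackThis entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")

# One pattern per entry type named in the post (matched case-insensitively).
RULES = [
    ("R0/R1 entry containing searchV", re.compile(r"^R[01] - .*searchv", re.I)),
    ("O2 BHO loading winshow.dll", re.compile(r"^O2 - BHO: .*\\winshow\.dll", re.I)),
    ("O4 Run entry importing sys.reg", re.compile(r"^O4 - HKLM\\\.\.\\Run: .*\\sys\.reg", re.I)),
    ("O4 Global Startup MSupdater.exe", re.compile(r"^O4 - Global Startup: .*MSupdater\.exe", re.I)),
]

def join_wrapped(lines):
    """Rebuild entries: text that does not start a new entry continues the previous one."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def flag_entries(log_text):
    """Return (reason, entry) pairs for every entry matching one of RULES."""
    hits = []
    for entry in join_wrapped(log_text.splitlines()):
        for reason, pattern in RULES:
            if pattern.search(entry):
                hits.append((reason, entry))
                break
    return hits

# Constructed sample log; the O2 line is wrapped across two lines on purpose.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents
and Settings\user\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - Global Startup: MSupdater.exe
"""

if __name__ == "__main__":
    for reason, entry in flag_entries(SAMPLE_LOG):
        print(f"[tick] {reason}: {entry}")
```

The script only reports matches; the entries are still ticked and fixed in HijackThis itself.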
 
Joined
Aug 18, 2003
Messages
2,438
****Merijn wrote:
I've seen reports now that SVCservice is connected to CWS in some way. It
appears together with SearchV and ApprovedLinks. I'm adding support for
removing it into CWShredder.

By the way, until it's done, beware that the svcservice.exe file is also run
from this entry, only visible in StartupList:

Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe****

As you see, this is only seen if you ask for a "startuplist" in HJT.
 

dvk01

Derek
Thread Starter
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Another new CWS entry hits the charts
C:\DOCUMENTS & sETTINGS \xxxxxxx\LOCAL SETTINGS\Temp\sqlogco.dll

This one installs & reinstalls SearchV and cool-homepage.com

I assume that, knowing CWS trickery, it will be a different xxxxxx.dll every time, so we need to keep an eye out for the C:\DOCUMENTS & sETTINGS \xxxxxxx\LOCAL SETTINGS\Temp entries
 
Joined
Oct 17, 2003
Messages
2
I followed your instructions and I think I solved the issue. Thank you!!!

Can you tell me what I can do to prevent this from happening again?
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
PLEASE DO NOT POST YOUR HIJACK THIS LOG TO THIS THREAD!

START YOUR OWN THREAD PLEASE!
 
Joined
Mar 9, 2003
Messages
4,699
That would be a HUGE help!! Let's keep our fingers crossed.
Thanks for the update Derek. (y)
 

dvk01

Derek
Thread Starter
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
CW shredder now cures all known forms of searchV CWS hijack
 
Joined
Dec 8, 2003
Messages
1
Hello and greetings from Finland!

Thanks VERY MUCH for your help. I had big problems with these search pages that made my net-connection also very slow.

Within 5 minutes all problems were solved.

Thanks and keep up good work!
 