
Need searchv help - especially from flrman1

Discussion in 'Virus & Other Malware Removal' started by Ace Rimmer, Oct 17, 2003.

Thread Status:
Not open for further replies.
  1. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    UGH - I am beaten and bruised...I cannot shake this searchv bug that is now digging away at my registry and brain. I have used spybot, HJt, and Adaware - with all updates. They do find most of the carnage, but at every re-boot, I keep getting searchv as my IE home page.

    I have looked at this forum for guidance and advice in the past as well as through the archives. I know that flrman1 has some great input - so I am looking for any suggestions. :D Hulp!

    Using Win XP Pro.

    All the 'searchv' lines below have been checked within every sweep, but still showing up on re-boot.

    HJt log file is as follows:
    Logfile of HijackThis v1.97.3
    Scan saved at 9:20:23 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\TrayIcon.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Pete\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Outlook.lnk = ?
    O4 - Global Startup: MSupdater.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1702381004389e944a01/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37908.8232291667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    :D
     
  2. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Are you also fixing this entry?

    O4 - Global Startup: MSupdater.exe
     
  3. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    Hey :) Winchester

    You mean by checking it through HJt or Adaware? Doesn't that remove MSupdater.exe?

    Sorry - I am a bit green in all this.

    -AW
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    You said: "All the 'searchv' lines below have been checked within every sweep, but still showing up on re-boot."

    That global startup item also needs to be fixed with HT. If you aren't, that's why the items are coming back.

    This is evil:

    O4 - Global Startup: MSupdater.exe
     
  5. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    Ok - lemme try.....yes, this is VERY evil! What the heck is the job of MSupdater.exe? Is that the actual trojan?

    Sweeping and rebooting now.


    -Peter
     
  6. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Run HJT again - scan - place a check next to the following items in the list - close all IE and other browsers - push fix checked in HJT


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll
    O4 - Global Startup: Microsoft Outlook.lnk = ?
    O4 - Global Startup: MSupdater.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1702381004389e...ip/RdxIE601.cab


    Reboot to SAFE mode and delete the following two files
    C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll
    MSupdater.exe (you might have to search for it)

    (winshow is part of this as well as msupdater)
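    As an added example (not code from the thread or from HijackThis itself), a small Python triage script over the HijackThis line formats quoted above. It uses only the indicators named in this thread (searchv.com, winshow, MSupdater.exe, sys.reg) and the sample log is constructed from lines already posted here; it flags the same R0/R1, O1, O2, O4 and O16 entries IMM listed and leaves the benign ones alone.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators taken from the thread: the hijacker domain and its dropper file names.
SUSPECT_DOMAINS = ("searchv.com",)
SUSPECT_NAMES = ("winshow", "msupdater", "sys.reg")

# HijackThis prefixes: R0/R1 = IE start/search settings, O1 = hosts file,
# O2 = browser helper object, O4 = autostart entry, O16 = downloaded ActiveX (DPF).
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the HijackThis lines that match the hijacker's known persistence points."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        if code in ("R0", "R1") and any(d in low for d in SUSPECT_DOMAINS):
            findings.append(Finding(code, "IE start/search setting points at hijacker domain", line))
        elif code == "O1" and low.startswith("hosts:"):
            findings.append(Finding(code, "hosts file override (review every entry)", line))
        elif code == "O2" and ("\\application data\\" in low or any(n in low for n in SUSPECT_NAMES)):
            findings.append(Finding(code, "BHO loaded from a user profile directory", line))
        elif code == "O4" and low.startswith("global startup:"):
            # Startup-folder items normally read 'Name.lnk = target path'. A bare .exe with
            # no shortcut target (MSupdater.exe above) or an unresolvable '= ?' target is
            # what re-plants the searchv settings at every reboot.
            target = body.split(":", 1)[1].strip()
            if " = " not in target or target.endswith("= ?") or any(n in low for n in SUSPECT_NAMES):
                findings.append(Finding(code, "startup-folder item with no resolvable target", line))
        elif code == "O16" and re.search(r"https?://\d+\.\d+\.\d+\.\d+/", low):
            findings.append(Finding(code, "ActiveX control downloaded from a bare IP address", line))
    return findings


# Constructed sample: a mix of the flagged and benign lines from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: MSupdater.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1702381004389e944a01/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```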
     
  7. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    Imm - I just did this and searchv still coming back.

    IN safe mode I could not find C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll

    \Application Data\winshow\winshow.dll does not exist - and searched for winshow.dll - no luck.

    Found MSupdater.exe and deleted in safe mode.

    Here is my current log file now:


    Logfile of HijackThis v1.97.3
    Scan saved at 10:15:13 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\TrayIcon.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Pete\Desktop\SPY WARE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37908.8232291667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    re: not finding the file - did you do the search for hiddens and system type files?

    Regarding the default entries for search etc. - Have you had SDHelper
    (part of SpyBot - Search and Destroy) 'immunize' the settings at the current state? (check the settings or turn it off)
    U could try using Reset web settings in IE after turning the immunize feature off (assuming it's on)
    Perhaps there are some policy restrictions on this user?

    Use HJT to generate a startup list (Config > Misc. Tools > Generate Startuplist log) and post that here so I can see the
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
    key.
     
  9. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    Scratch that - I did find C:\Documents and Settings\Pete\Application Data\winshow\winshow.dll
    and deleted in safe mode.

    So both have been done and I still have sv coming up. I tried resetting the home page - no luck.

    This is killing me - let me try running SDhelper
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Ace Rimmer

    Try this:

    Go to Start > Run > type regedit and click OK
    Navigate to :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Right click on that key and select export. Save it somewhere you will find it later if needed.
    Now see if there is a sys.reg entry in the right hand pane, click on it and delete it if it is there.

    and delete the file C:\WINDOWS\sys.reg



    Now navigate to:
    HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
    and do the same thing for winshow.dll

    Run HijackThis again. Put a check beside the following, close all other windows and select fix checked.


    Reboot:
    Search hidden and system files for a sys.reg file. Delete it if found. You may need to open Windows Explorer and go to tools > folder options > view tab > and put a check in "show hidden files and folders" and uncheck "hide protected OS files".
    Do the same for winshow.dll. If found in the winshow folder, you can delete the entire winshow folder.

    Please keep us posted.

    You may want to create a restore point first. When we get this fixed and everything is well, you will need to clear all restore points off your machine.
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Does the "Winshow" folder exist? That should be deleted.

    If

    winshow.dll
    winshow.cfg

    are any place else on the system they should be deleted too.

    And do a general search for searchv* with the wild card and delete whatever you find.

    Search the registry for that as well: run regedit, click Edit > Find to enter the search string. Start the search with the file tree collapsed. Entries you find in "mru" keys are not relevant but you can delete them anyway, they just represent previous searches.
     
  12. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    I WAS a little sloppy earlier - I should have had you delete the entire winshow folder
    C:\Documents and Settings\Pete\Application Data\winshow
    rather than just the dll - whoops :(
     
  13. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    flrman1 - thanks for chiming in - I have a question first - how do I make a restore point (before I do this)?
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click Start -> All Programs > Accessories > System Tools > System Restore. System Restore will open, click "Create a Restore Point" then click Next. Enter a name for this Restore Point ( for example "Before SearchV regedit"). Click "Create"
     
  15. Ace Rimmer

    Ace Rimmer Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    45
    flrman1 - doing this now - very interesting. I also found
    winshow.cfg and MSupdater.exe in there as well and deleted (as well as winshow.dll).

    Restore point is secure.

    Am now running HJt and cleaning again.

    More in a few minutes.....
     
Short URL to this thread: https://techguy.org/172741