
Search V help please

Discussion in 'Virus & Other Malware Removal' started by 18c, Oct 15, 2003.

Thread Status:
Not open for further replies.
  1. 18c

    18c Thread Starter

    Joined:
    May 30, 2003
    Messages:
    131
    OK, I'm having an issue with this browser add-on or something. Whenever I open up my browser it goes to this as my home page: http://www.searchv.com/w/. Now I have changed my home page back, but if I reboot it goes back to the SearchV home page. I ran HijackThis and it listed all the stuff; I deleted all the stuff pertaining to SearchV and it seemed to remove it, until I rebooted, then it was back. I ran Ad-Aware also; this didn't help either. Can someone please help me!!! Thank you. Here is what I get from HijackThis:

    Logfile of HijackThis v1.97.3
    Scan saved at 7:48:31 PM, on 10/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\UpromiseRemindU\UpromiseRemindU.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Thomas Mount\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Thomas Mount\Application Data\winshow\winshow.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [UpromiseRemindU] wjview /cp:p "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: MSupdater.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: RemindU (HKCU)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...www.thermaltake.com/3d/xaserIII/xaserIII.html
    O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.topmoxie.com/external/builds/upromise/upromise_moxie0.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://68.10.18.56:23/tsweb/msrdp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.8085648148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    18c

    Click on the link below and it will download CWShredder. Close all browser windows. Unzip it and click on the cwshredder.exe and let it do its thing.

    http://www.spychecker.com/download/download_cwshredder.html

    When it is finished restart your computer.


    Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Come back here and post another HT log and we'll get rid of what's left.
     
  3. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    After your SB scan, download the free Ad-Aware 6 Personal Build 181 and have it do a thorough cleaning of your unwanted files: http://www.lavasoft.de/support/download/

    Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

    Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

    Then see that you have these options checked:
    Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-Aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot

    Please read http://forums.techguy.org/t164245/s.html for further instructions, settings , etc.

    As flrman1 suggested, then post a fresh HT logfile to make sure nothing was left behind.

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of sites to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    Unfortunately CWShredder and other automated tools are not cleaning the latest versions of CWS at this time, so they have to be removed manually.

    Edit: I have received confirmation from Merijn, the developer of HJT & CWShredder, that he is updating CWShredder to account for the new variations, so we should very soon have an easy way to remove this almighty pest.

    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Thomas Mount\Application Data\winshow\winshow.dll
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - Global Startup: MSupdater.exe

    reboot & delete
    C:\Documents and Settings\Thomas Mount\Application Data\winshow folder
    C:\WINDOWS\sys.reg
    then do a search for & delete MSupdater.exe
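    As an added example (not from the thread, and not part of HijackThis or CWShredder), the checks behind dvk01's tick list written as a small Python triage over constructed log lines in the HijackThis 1.97 layout: IE start/search URLs that point away from the ISP home page recorded in the O14 line, a BHO loaded from a user's Application Data folder, a Run entry that silently imports a .reg file at every logon, and a bare executable in the all-users Startup folder. The sample lines, the user-name placeholder, and the rules themselves are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the layout HijackThis 1.97 prints, built from the
# kinds of entries shown in this thread (USER is a placeholder account name).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\USER\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
"""

@dataclass
class Finding:
    entry: str    # the log line a helper would tell the poster to tick
    reason: str   # why it is suspect

def norm_host(url):
    """Hostname with a leading 'www.' dropped; tolerates the 'http:/' typo in the log."""
    fixed = re.sub(r"^(https?):/(?!/)", r"\1://", url)
    host = urlparse(fixed).hostname or ""
    return host[4:] if host.startswith("www.") else host

def baseline_hosts(lines):
    """The O14 IERESET.INF line records the OEM/ISP default home page."""
    hosts = set()
    for line in lines:
        m = re.match(r"O14 - IERESET\.INF: START_PAGE_URL=(\S+)", line)
        if m:
            hosts.add(norm_host(m.group(1)))
    return hosts

def triage(log_text):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    baseline = baseline_hosts(lines)
    findings = []
    for line in lines:
        if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
            url = line.split(" = ", 1)[1].strip()
            if not re.match(r"https?:/", url):
                continue                      # window title, proxy, etc.
            if re.match(r"https?:/(?!/)", url):
                findings.append(Finding(line, "malformed scheme (http:/) in an IE URL setting"))
            host = norm_host(url)
            if baseline and not any(host == b or host.endswith("." + b) for b in baseline):
                findings.append(Finding(line, f"IE start/search URL points at {host}, not the baseline {sorted(baseline)}"))
        elif line.startswith("O2 - BHO:"):
            dll = line.rsplit(" - ", 1)[1]
            if "\\application data\\" in dll.lower():
                findings.append(Finding(line, "BHO DLL lives in a user profile directory, not Program Files"))
        elif re.match(r"O4 - HK(LM|CU)\\\.\.\\Run:", line):
            if re.search(r"\bregedit(\.exe)?\s+/s\b", line, re.I):
                findings.append(Finding(line, "silent .reg import at logon re-applies the hijacked settings after cleanup"))
        elif line.startswith("O4 - Global Startup:"):
            item = line.split(":", 1)[1].strip()
            if ".lnk" not in item.lower() and item.lower().endswith(".exe"):
                findings.append(Finding(line, "bare executable in the all-users Startup folder (no shortcut)"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
```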
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Thanks for the heads-up Derek ... (y)
     
  6. obxwindsurf

    obxwindsurf

    Joined:
    Oct 16, 2003
    Messages:
    7
    Hello,

    I'm posting to this thread because, although all the major spyware scanners (AdAware 6 build 181, Spybot S&D current version with current definitions, and HijackThis V 1.97) find and root this out...

    However... (and that's a big However!),

    After scanning the Security Event Viewer, even with a successful user login (no errors like caps lock or wrong password), there are and have been as far as the log goes back (around 9/1) always 2 Failure Audits in a pair, followed by a success Audit reported by advapi32.dll (one of the Windows XP Authentication components).

    Upon logging in and desktop and environment startup being completed checking the properties of the IE Browser home page it has been set to the searchv/w/ page (http://www.searchv.com/w/) , and Winshow has installed winshow/winshow.dll into C:\Documents and Settings\<justloggedinuser>\Application Data.

    As long as you don't use the browser this can be deleted and does delete using normal means so it hasn't loaded yet, however there are registry entries, previously cleaned by Spybot, or AdAware, or HijackThis which are back.

    Removing this is not the issue. The three spyware killers above detect and remove it and anything that THEY know are related to this (reg entries, dlls, configs, dats, etc.)

    There is something else at work here that neither McAfee AV (with current scanning engine and dat files) or any of the spyware killers are aware of.

    The pair of failure audits in the event viewer always followed by a success audit (under normal no-fail login conditions) are suspect.

    Is there any way to get more information on this pair of fail audits? I have checked the mod dates of the advapi32.dll and they appear to be dated back to 2002 (so I suspect they are original "equipment").

    After any of the spyware eliminators above runs and cleans the system, subsequent runs BEFORE LOGOUT-LOGIN CYCLE show the system as clean, no hijack has taken place, no winshow DLLs are on the system and everything seems OK.

    As soon as you logout and login again, the "secret thing" retriggers, reinstalls, makes registry entries, and hijacks the browser home page. This is before IE is run (right-clicking the desktop icon, selecting Properties -> General, the home page has already been set to http://www.searchv.com/w/).

    Any ideas on logs I might find as to WHAT is doing these registry entries and re-installing WinShow?

    I've read that this comes in with a MS JVM ByteVerify exploit, and while I saw McAfee detect and stop some of these in recent weeks, there is a brief time when McAfee is downloading an update and restarting the engine that the system is unprotected. I learned this after surfing while updating was taking place.

    HijackThis reported that the MS Byte Verify patch was NOT on the system, although WIN XP has actively kept up with and installed all updates available from MS.

    I have since disabled the MS JVM and enabled the Sun JVM V 1.4.1 which is also installed on my system.

    If you have any idea of what logs, files, audit trails, etc. that I can examine for what is reinstalling, I will post what I find back here.

    Regards,
    Kevin
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    OBXwindsurf, read my post above: the bits that reload SearchV and other CoolWebSearch parts are either msupdater.exe and/or sys.reg.

    one or both of those entries will appear with a winshow entry as well.

    As I said above, AT THIS TIME none of the automatic removers have these in their database, but CWShredder is in the process of being updated to account for it & I am led to believe Spybot & Ad-Aware will both be soon as well.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    Also, because you use Sun Java rather than the buggy M$ version, YOU WILL NOT have the byte verifier patch because you DO NOT have M$ Java.
     
  9. obxwindsurf

    obxwindsurf

    Joined:
    Oct 16, 2003
    Messages:
    7
    I HAD the MS JAVA JVM installed prior so I should have had but did not. I just switched over to the Sun Java last night after seeing the recommendation and not finding my system having the patch.

    BTW, now that I Remember it was CWShredder that reported that I did not have the patch. But a version of CWShredder that I downloaded did detect and remove (I think but I could be wrong - I was trying every well known and conceivable Spyware killer to get rid of this)

    Also, are MSUpdater.exe and sys.reg trojans of original Microsoft code or are they named to masquerade? That is, upon deletion do I need to reinstall their OEM counterparts, or are there none?

    Regards,
    Kevin
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    msupdater & sys.reg are entries put in by CWS

    they are not legitimate in any way and should be deleted to cure the CWS infection
     
  11. obxwindsurf

    obxwindsurf

    Joined:
    Oct 16, 2003
    Messages:
    7
    Thanks for the quick reply. I knew that something else could be at work. It will be interesting to see if the "failure audit pair" goes away after this fix.

    Regards,
    Kevin
     
  12. 18c

    18c Thread Starter

    Joined:
    May 30, 2003
    Messages:
    131
    I did the same thing; the CWShredder told me that I should delete the Java patch and download the Sun one, and that is what I did. Is this a bad thing?
     
  13. 18c

    18c Thread Starter

    Joined:
    May 30, 2003
    Messages:
    131
    Thanks for the help guys.. it worked. I had to delete them manually like you said, but that finally worked. The only thing I wanted to mention was those 2 files you told me to delete:
    C:\Documents and Settings\Thomas Mount\Application Data\winshow folder
    C:\WINDOWS\sys.reg
    I couldn't find them, they weren't there, but my browser seems to be good..

    Couple questions though: in my before-mentioned post I deleted the Java program that was in my browser like Shredder said, and I installed the Sun Java. Is this good or bad?

    And second, is there anything I can download and install that will help stop this from happening again?
     
  14. obxwindsurf

    obxwindsurf

    Joined:
    Oct 16, 2003
    Messages:
    7
    An update on my WinShow problem. I did a search through all files on my system for MSupdater.exe and sys.reg

    No sys.reg, but there was MSupdater.exe in all its glory.

    Out of curiosity I quarantined this and opened it in binary mode with TextPad.

    First recognizable string says "This program cannot be run in DOS mode".

    Another string inside of the program appeared to be the command to download winshow.dll over the net:

    http://00hq.com/update/winshow.dll winshow.dll \winshow

    Further down in the code was what appeared to be a bunch of statements to perhaps bootstrap the remainder of the program's actions over the Internet, maybe the bulk of the code that needed to execute to do the dirty work on the system.

    Then another string:
    DllRegisterServer...\...WinShow Installer

    Then the hex dump gets interesting. Many programs which hex dump typically dump 16 bytes per line. The characters that appear next are a block of ASCII that, when you look at the *shape* of it, resembles a skull.

    Further down is the "exe info" which indicated that it was masquerading as "Install MFC Application".

    This file was placed not in the registry, but in:
    C:\Documents and Settings\All Users\Application Data\Start Menu\Startup

    I'm sure it wanted to share with everyone on the system ;-}

    Anyway, thanks for the help in eliminating this.

    Had I known about MSupdater.exe it would have saved me time, but you guys made the situation go from hopeless last night to relieved tonite.

    Best regards,
    Kevin
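    An added example (not from Kevin's post, and not the real file) of the string inspection he describes, run over a constructed byte blob that stands in for MSupdater.exe: it pulls printable runs the way a strings tool does, separates the download URL from the file-name tokens that follow it, and notes the DllRegisterServer export that marks the payload as a self-registering DLL, which is consistent with the O2 BHO entry in the logs above. The blob contents and the grouping heuristics are assumptions made for the example.

```python
import re

# Constructed stand-in for the file the poster opened in TextPad: a DOS stub,
# non-printable filler, and the strings quoted in the post. Not the real binary.
FAKE_MSUPDATER = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 58
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x00\xff\x10\x7f" * 40
    + b"http://00hq.com/update/winshow.dll winshow.dll \\winshow\x00"
    + b"\x01\x02\x03\x04" * 10
    + b"DllRegisterServer\x00...\x00WinShow Installer\x00"
    + b"Install MFC Application\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_strings(data: bytes, min_len: int = 6):
    """Printable-ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def triage_strings(data: bytes):
    """Group the strings a reviewer cares about when a file looks like a dropper."""
    strings = extract_strings(data)
    urls, drops = [], []
    for s in strings:
        for m in URL_RE.finditer(s):
            urls.append(m.group())
            # Heuristic: tokens after a URL are the local name/folder the
            # download is written to (assumption, matches the quoted string).
            drops.extend(s[m.end():].split())
    return {
        "pe_header": data[:2] == b"MZ",
        "dos_stub": any("cannot be run in DOS mode" in s for s in strings),
        "urls": urls,
        "drop_tokens": drops,
        # DllRegisterServer is the COM self-registration export: the payload is
        # a DLL meant to be registered, which is how a BHO gets loaded by IE.
        "registers_com": any("DllRegisterServer" in s for s in strings),
        "labels": [s for s in strings
                   if "installer" in s.lower() or "mfc application" in s.lower()],
    }

if __name__ == "__main__":
    for key, value in triage_strings(FAKE_MSUPDATER).items():
        print(f"{key}: {value}")
```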
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    18c, the files will be there but probably are hidden.

    unhide them by following this advice
    make sure that you have all files set to show by opening explorer /tools/folder options/view and make sure that show hidden files & folders is ticked and hide protected operating system files is UNticked

    they should be removed for safety's sake but without the registry entries telling them to run don't do anything and we have removed the registry entries

    Sun Java is much better than MS java with less security risks, more stable and because Sun invented it in the first place and M$ just borrowed it and adapted it a bit, the original proper Sun version is the preferable one to have & use
     
Short URL to this thread: https://techguy.org/172225