
searchv hijacked, tried everything

Discussion in 'Virus & Other Malware Removal' started by wyzas, Oct 14, 2003.

Thread Status:
Not open for further replies.
  1. wyzas

    wyzas Thread Starter

    Joined:
    Oct 14, 2003
    Messages:
    4
    Hello everyone,
    I hate to ask questions about something that's been asked about a lot before, but I've tried everything to remove this thing from my computer and it's still there. Here's the story...

    My home page was hijacked by searchv.com. I did my research and found plenty of threads on how to remove it from my system. I've used HijackThis, Ad-Aware, Spybot S&D, CWShredder, and BHODemon to remove everything that looked slightly out of place. I even removed some stuff I wanted to keep, but that's not the problem. I've deleted all files related to winshow (winshow.dll, winshow.cfg, winshow folder) and any extra executables that I can't figure out where they came from, like bootcfg.exe in my windows/system32/ directory. I've read tons of posts and this is the advice I see most of the time.

    After I do all of this, my machine appears to be clean.

    If I reboot into safe mode, my machine is still clean.

    If I do a normal reboot, everything is back to square one.

    When I run msconfig to see what might be reinstalling the searchv stuff on boot, I don't see anything that isn't normal. I have some things that are supposed to be there, like Norton AV, web cam drivers, video and audio drivers, and Bluetooth drivers, but nothing out of the ordinary.

    There also appears to be nothing wrong with HKLM/Software/Microsoft/CurrentVersion/Run in my registry.

    I have HJT log files of before and after if you need to see them.

    Anyone know what I'm missing that could be installing this crap when I boot?

    Thanks!
    Kahlil
     
  2. wyzas

    wyzas Thread Starter

    Joined:
    Oct 14, 2003
    Messages:
    4
    Ack! I didn't see e kegler's post on the same thing. I'm sorry
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Post a current HJT log so we can see.

    Also do this.
    Can you try this please.
    Go to Start > Run > type regedit, press Enter.
    Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Right-click on that key and select Export (that makes a copy of the key). Save it somewhere you will find it, open that file in Notepad and copy & paste the results here.
     
  4. wyzas

    wyzas Thread Starter

    Joined:
    Oct 14, 2003
    Messages:
    4
    Here's the original HJT log:

    Logfile of HijackThis v1.97.3
    Scan saved at 9:18:07 AM, on 10/14/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NMapWin\bin\nmapserv.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Documents and Settings\Aaron\My Documents\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Aaron\Application Data\Mozilla\Profiles\default\mx3gy8cj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Aaron\Application Data\Mozilla\Profiles\default\mx3gy8cj.slt\prefs.js)
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Aaron\Application Data\winshow\winshow.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MSupdater.exe
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37734.8531712963
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Here's the most recent:

    Logfile of HijackThis v1.97.3
    Scan saved at 12:27:53 PM, on 10/14/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Aaron\Application Data\Mozilla\Profiles\default\mx3gy8cj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Aaron\Application Data\Mozilla\Profiles\default\mx3gy8cj.slt\prefs.js)
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37734.8531712963
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    and here's my registry info:

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Class Name: <NO CLASS>
    Last Write Time: 10/14/2003 - 9:20 AM
    Value 0
    Name: Smapp
    Type: REG_SZ
    Data: C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

    Value 1
    Name: NvCplDaemon
    Type: REG_SZ
    Data: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    Value 2
    Name: LVCOMS
    Type: REG_SZ
    Data: C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

    Value 3
    Name: vptray
    Type: REG_SZ
    Data: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

    Value 4
    Name: ServiceLayer
    Type: REG_SZ
    Data: C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe

    Value 5
    Name: Nokia Tray Application
    Type: REG_SZ
    Data: C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    Class Name: <NO CLASS>
    Last Write Time: 4/23/2003 - 7:27 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
    Class Name: <NO CLASS>
    Last Write Time: 4/23/2003 - 7:27 PM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
    Class Name: <NO CLASS>
    Last Write Time: 4/23/2003 - 7:27 PM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1

    Value 1
    Name: NoChange
    Type: REG_SZ
    Data: 1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
    Class Name: <NO CLASS>
    Last Write Time: 4/23/2003 - 7:27 PM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1



    I think I did originally miss the O4 - Global Startup: MSupdater.exe that e kegler missed. Could that be the problem?

    Unfortunately, I can't restart my system right now to check because I'm at work and working through Remote Desktop, which has shut down disabled =/ although I'm afraid to restart my system anyway..

    thanks for your help!
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Yes, the msupdater was your problem.

    When you get home, make sure the registry entry is deleted and the file itself, then reboot.

    Sometimes you will have to go through the whole procedure again, as you need to delete all the entries in one go to solve the problem.
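As an added example (not from the thread, not part of HijackThis), a Python script that pulls the O4 autostart entries out of two HijackThis logs, diffs them, and flags the entries that give no verifiable on-disk path, which is what made the bare MSupdater.exe Startup-folder entry easy to overlook. The sample lines are copied from the two logs posted above; the "needs review" heuristic is my own assumption, not a HijackThis rule.

```python
import re

# HijackThis 1.97 prints autostarts as "O4 - HKLM\..\Run: [<name>] <command>" and
# "O4 - Global Startup: <file> = <target>" (" = <target>" is absent, or "?", when unresolved).
O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - (Global Startup|Startup): (.+?)(?: = (.+))?$")

# Constructed sample: O4 lines copied from the two logs posted in the thread.
BEFORE = r"""
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
"""

def parse_o4(line):
    """Return (location, name, command) for one O4 line, or None for any other section."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        return (m.group(1) + " Run", m.group(2), m.group(3))
    m = O4_STARTUP.match(line)
    if m:
        return (m.group(1), m.group(2), m.group(3) or "")
    return None

def autostarts(log_text):
    return {e for e in map(parse_o4, log_text.splitlines()) if e}

def needs_review(entry):
    """True when the entry gives no on-disk location to verify: a bare file name in the
    Startup folder (the MSupdater.exe case), a shortcut HijackThis could not resolve ("?"),
    or a host binary located only through PATH (nwiz.exe, RUNDLL32.EXE)."""
    _, _, cmd = entry
    if cmd in ("", "?"):
        return True
    return "\\" not in cmd.split()[0]  # first token is the executable

def diff_autostarts(before, after):
    """(entries gone since the first log, entries in the second log still needing review)"""
    b, a = autostarts(before), autostarts(after)
    return sorted(b - a), sorted(e for e in a if needs_review(e))
```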
     
  6. wyzas

    wyzas Thread Starter

    Joined:
    Oct 14, 2003
    Messages:
    4
    Thanks Derek!

    Will be nice to end this headache when I get home.

    I really appreciate your help!

    -K
     
Short URL to this thread: https://techguy.org/171913