Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > Homepage Hijack

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Homepage Hijack

Reply to Message Icon

Name: Sylvia Brown
Date: October 16, 2003 at 17:57:10 Pacific
OS: Windows 2000
CPU/Ram: HP/4.01 GB
Comment:

Hi guys,

Our homepage has been hijacked again, this time by searchv, and I've posted our hijackthis log below. We've tried all the usual tricks: Spybot, Ad-aware and Norton. Norton also tells us we have adware.cydoor, but we can't figure out how to get rid of that, either. This is our second or third hijack. How can we prevent this from happening? We've even installed a router with a hard firewall, and searchv still got through.

Thanks, as always.

Logfile of HijackThis v1.97.3
Scan saved at 7:42:39 PM, on 10/16/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WinZip\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Computer1\Application Data\winshow\winshow.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: MSupdater.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .vbs: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7766203704
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




Sponsored Link
Ads by Google

Response Number 1
Name: Abnormal
Date: October 16, 2003 at 18:00:07 Pacific
Reply:

For Searchv hijacks, run Hijack This and tick all lines that have this in it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html

Look down the list for these entries;
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\your name\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\winnt\sys.reg
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - Global Startup: MSupdater.exe

Check these in HJT and close all browser windows. Click Fix and reboot into Safe Mode by tapping F8 when booting.

Find and delete these files/folders
MSupdater.exe
winlogon.exe
sys.reg
winshow folder

Good luck



0

Response Number 2
Name: Abnormal
Date: October 16, 2003 at 18:06:35 Pacific
Reply:

That was a general post, to cover known
variants.


0

Response Number 3
Name: Solarian
Date: October 16, 2003 at 18:17:48 Pacific
Reply:

Sylvia Brown:

For added prevention, you might consider SpyBlaster and SpyGuard.

Both are freeware and very effective.

Solarian


0

Response Number 4
Name: oxmyrth
Date: October 16, 2003 at 20:06:53 Pacific
Reply:

In a variant I received MSUpdater.exe was placed in C:\Documents and Settings\All Users\Start Menu\Startup. After cleaning up,

Try modifying your hosts file (normally C:\Winnt\System32\Drivers\Etc\Hosts). add a line

127.0.0.1 www.searchv.com

So if they at least hijack by providing the source from another location, you don't add to their hit count.

Also when hijacked. Go to www.whois.org. look up the violator. For searchv here's the record.

_______________________________________
Registrant:
First Aid
PO BOX 5874
Gasa, Not Applicable 541245
WS
+12.1234567890


Domain Name: SEARCHV.COM

Administrative Contact:
Yohansen, Olaf admin@searchv.com
PO BOX 5874
Gasa, Not Applicable 541245
WS
+12.1234567890


Technical Contact:
Yohansen, Olaf admin@searchv.com
PO BOX 5874
Gasa, Not Applicable 541245
WS
+12.1234567890


Record last updated 05-06-2003 05:31:47 AM
Record expires on 05-05-2004
Record created on 05-05-2003

Domain servers in listed order:
NS1.SEARCHV.COM 81.3.164.1
NS2.SEARCHV.COM 217.146.192.22
_________________________________________

send them nasty emails expressing your disgust at their conduct. and don't forget to send to their provider notification of puriant behavior of their users. Go to some site that will give you DNS record information. Like www.network-tools.com. Enter their IP and find who hosts them. again for Searchv.

_______________________________________

whois whois.arin.net 209.66.114.129:

Abovenet Communications, Inc NETBLK-ABOVENET2 (NET-209-66-64-0-1)
209.66.64.0 - 209.66.127.255
APS Telecom MFN-C231-209-66-114-0-23 (NET-209-66-114-0-1)
209.66.114.0 - 209.66.115.255

__________________________________________

Send to Above Net an email expressing the effects you experienced by their customer modifying code on your machine. The more correspondance they get the more they will get anoyyed and do something. And don't forget to CC the FTC (UCE@FTC.GOV) and FCC (fccinfo@fcc.gov).

Be proactive. Don't let the powers or idiots that be dictate internet culture.


0

Response Number 5
Name: sonnysandiego
Date: October 17, 2003 at 23:05:11 Pacific
Reply:

searchtv or any other malware gets installed because somebody downloaded software that had it included. A firewall cannot protect you if a user downloads programs.


0

Related Posts

See More



Response Number 6
Name: Meet
Date: October 18, 2003 at 19:38:02 Pacific
Reply:

HI
My homepage has been hacked by the search.v. I do not know how to get rid of this, even through HackTHis program. If anyone could help me get rid of that and other hacks, that would be great. Thanks


Logfile of HijackThis v1.96.1
Scan saved at 7:34:08 PM, on 10/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harmeet Dhani\Local Settings\Temp\Temporary Directory 4 for hijackthis196[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.yahoo.com
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Harmeet Dhani\Application Data\winshow\winshow.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [instal] F:\install\install.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: MSupdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2&04.00.04.03&http://www.bazowheels.com/modelb1.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.117/install.exe



0

Response Number 7
Name: Ryan
Date: October 19, 2003 at 13:32:49 Pacific
Reply:

Hey'all

I too have been battling the searchv problem. I see several different approaches, and I am beginning to think that the problem lies in the fact that seachv seems to attack your computer from multiple angles.

My current attempt involves using a good start-up manager. In there I found an unknown item which I disabled, a MSupdator which I also disabled... and the prime suspect an entry that looks like this:

regedit /s C:\WINDOWS\sys.reg

this looked very fishy... after all why would any program need to update the registry on every bootup so I took a look at this sys.reg file to see what was inside:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.searchv.com/"
"Search Page"="http://www.searchv.com/search.html"
"Search Bar"="http://www.searchv.com/search.html"

THOSE b---tardS!

Anyways.... I'm removing the entry from my startup AND deleting sys.reg, then I'm going to run spybot S&D, Ad-Ware6 and restart... praying that searchv will be gone... I'll let ya know


0

Response Number 8
Name: Ryan
Date: October 19, 2003 at 13:48:00 Pacific
Reply:

Just to update my last entry... after restarting SearchV seems to be gone. Yippie!


0

Response Number 9
Name: Sylvia Brown
Date: October 19, 2003 at 14:47:36 Pacific
Reply:

Thanks, guys. It worked! Our system now looks pretty clean. Norton only turns up one file, which we cannot get rid of. Norton instructs us to manually delete the file, but we just can't find it anywhere on our computer. It's adware.cydoor, cd_clint.dll.

Is something to worry about?

Thanks for always being such a huge help.


0

Response Number 10
Name: howdy
Date: October 21, 2003 at 18:27:19 Pacific
Reply:

So how do I get rid of this searchtv on my homepage. I do not have this HackThis program.

Thanks and much appreciated.


0

Response Number 11
Name: howdy
Date: October 21, 2003 at 19:20:46 Pacific
Reply:

OK i'm an idiot. The instructions to remove searchtv were on the posts above -- Hey, I'm new at this. Thanks for the info all.


0

Response Number 12
Name: Robbie
Date: October 23, 2003 at 13:29:14 Pacific
Reply:

heh I complained to Above.net, they claim I'm the only one complaining. Let them hear about it !!!!! Heres the email I got:


Date: 10/23/2003 13:27:43 -0400
From: Abuse_Abovenet <abuse@above.net>
To: "'Rob'" <**MY*EMAIL*ADDRESS*>
Subject: RE: Abuse by one of your customers (SEARCHV.COM) All headers
You're the only one who is complaining about this. This can only happen if
you have your MSIE settings to accept such a change. It doesn't 'hijack'
anything, it simply changes your start page to www.searchv.com.


========================
Policy Enforcement Division
AboveNet Inc.
========================



0

Response Number 13
Name: caeser
Date: October 23, 2003 at 21:40:55 Pacific
Reply:

I am very computer illiterate and don't understand the methods described to get rid of searchtv. Can someone explain? I have windows XP. thxs.


0

Response Number 14
Name: Hazard
Date: November 28, 2003 at 15:57:35 Pacific
Reply:

Hi, I'm also having problems with homepage hijacking. I've downloaded spybot and it fixed some things, but not everything. It helped fix the redirecting problem with www.msn.com but not with these sites. Whenever I type in

www.google.com
or
www.yahoo.com

i still get redirected to another site. Also when i type in a URL of a site that no longer exists i get redirected to that site. Some sites also get redirected to umaxsearch.com (a different redirected site) when i click on the links that should lead elsewhere. It also adds their search engine website link onto my favorites list.

what can i do? i can no longer access google or yahoo =(

is there any other software out there that may be able to help me clean up this mess?


0

Response Number 15
Name: davhutton
Date: November 28, 2003 at 20:08:03 Pacific
Reply:

I also have had the searchv.com hijack problem; I sent them a very nasty note at their web-support address(indeed, scalding) and got back this reply in the form of a FAQ:

Hi,
This is SearchV.Com support service's automatic reply to your message.
Please do not reply to it, otherwise, you will get this message again.
If you are not satisfied with the information below you can write to the
following address:
websupport@searchv.com

Here below is the relevant FAQs which responded to this issue:


Q: Without my consent, programs and settings on my computer have been
altered. Upon computer startup, my internet home page is automatically
set to your website - searchv.com. Please reply with instructions on how
to fix this situation.

A: After several weeks of searching, we found the man who did it. We
handed over all his data to the authorities. To get rid of the virus, do
the following:
Click on your Start button and select Run....
Type in the words regedit and click OK
When the Registry Editor pops, goto:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
And erase "sys C:\WINDOWS\sys.reg" string.

SearchV Support (end of their message)

Now, I could probably follow these instructions, but I know better than to start messing with my registry. Can someone tell me if their advice makes sense, or are they going to cause more problems with this fix?


0

Sponsored Link
Ads by Google
Reply to Message Icon



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: Homepage Hijack
Homepage Hijack: in.webcounter.cc www.computing.net/answers/security/homepage-hijack-inwebcountercc/8174.html

Windows95 Homepage Hijack Solution www.computing.net/answers/security/windows95-homepage-hijack-solution/12543.html

cool-homepage hijack www.computing.net/answers/security/coolhomepage-hijack/7347.html