Thanks for all the info and tips!! Here's some more info on SearchV pasted from the PestPatrol site, updated yesterday:
Overview
Vendor Notes: from the web site: 'SearchV is a Performance-Based Advertising Network that reaches millions of consumers daily, via our partnerships with top quality web sites. We offer Cost-Per-Click (CPC) advertising solutions, so you only pay for unique visitors that have clicked on your specific ad. What's more, you choose the price that you want to pay for each click and you can change this price at any time. Our easy to use, on-line tools allow you to manage your ad campaign in real-time!'
Alias:W32/Dumaru trojan
See Also:Winshow
Category: Hijacker: A trojan that may reset your browser's home page and/or search settings to point to other sites. Such sites are sometimes porn sites, often loaded with advertisting. Homepage Hijackers may prevent you from changing your browsers's homepage.
Similar Pests:
Hijacker
Origins
Groups:[First Aid], First Aid
By These Groups:Searchv.com
Mailing Address:First Aid PO BOX 5874 Gasa, 541245 WS
EMail:support@searchv.com
URL:http://www.searchv.com/
Distribution
Prevalence:0.0% of all pest reports (14 per 100,000 reports) More Info
Clot Factor:On average, 3 objects detected in each machine [The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.]
Countries Affected:
In the past three months, we have received reports of SearchV in Canada, Israel, United States.
Growth:Decreased 100.0% over the last 90 days
Operation
Storage Required:at least 317KB
Browser Performance:Likely to slow performance of Internet Explorer.
Risks
Privacy Policy:http://www.searchv.com/privacy.html
Detection and Removal
Automatic Removal:PestPatrol detects this.
PestPatrol removes this.
Manual Removal:
Close all browser and all Windows Explorer windows before proceeding...
1. Click Start | Run and type regedit to open the Registry Editor.
2. Navigate to this key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
3. In the right pane, look for an entry called Start Page. Double click it.
4. In the Value Data box, if the URL is http://www.searchv.com/, that's your culprit. Change it to your desired start page.
5. Click OK and close the Registry Editor.
SearchV may modify your hosts file to redirect searches to http://209.66.114.130/ Search for 209.66.114.130 and remove this line if found.
Stop Running Processes:
Kill (see further info below) these running processes with Task Manager:
systemroot+\updreg.exe
systemroot+\system32\vxdmgr32.exe
systemroot+\system32\load32.exe
systemroot+\dllreg.exe
profilepath+\start menu\programs\startup\rundllw.exe
profilepath+\application data\iebs.exebelt.exe
msupdater.exe
Unregister (see below) DLLs:
Unregister these DLLs with Regsvr32, then reboot:
systemroot+\iempg.dll
systemroot+\system32\dreplace.dllwinshow.dll
Remove Files:
Remove these files (if present) with Windows Explorer:
systemroot+\updreg.exe
systemroot+\sys.reg
systemroot+\iempg.dll
systemroot+\system32\vxdmgr32.exe
systemroot+\system32\load32.exe
systemroot+\dllreg.exe
profilepath+\start menu\programs\startup\rundllw.exe
profilepath+\application data\iebs.exe
systemroot+\system32\dreplace.dllbelt.exe
winshow.dll
winshow.cfg
msupdater.exe-04f9ec8b.pf
msupdater.exe
Delete Registry Items
The registry is a hierarchical configuration database maintained by Windows and your applications. The database is stored on disk, and a copy in memory is created when you boot.
Most applications, including pests you want to remove, will modify the registry in some way, adding their own entries and changing some previous entries. Complete removal of an application includes registry edits.
The registry can be edited with Regedit.
Kill Running Processes
Many programs cannot be deleted if they are currently running. Use Task Manager to stop any process that is running. (In Windows 2000 and XP, Task Manager lists all processes; in earlier versions of Windows, only visible processes will be listed.) Invoke Task Manager via Ctrl-Alt-Del. In NT/2000/XP, choose the Processes tab to list all programs. Find the exe of interest, highlight it, and end it.
Background: Windows can run many programs at the same time, but with just a single CPU, can only perform one task at a time. In your computer, Windows gives the illusion that several programs are running in parallel by switching rapidly from one to the next, giving each a time-slice of the CPU. But if any program hangs, Windows may get stuck on that task, and be unable to switch to the other running programs, causing everything to hang.
A task or process is a program (such as an exe file) that is being executed or run. When a program is started, Windows loads it into memory (RAM), adds it to an internal list of running processes, and provides the process with the memory and other resources it needs. Windows tracks what processes are using what resources, and when one of these processes is terminated, Windows can usually return its resources to the general pool, for redistribution to other processes.
Example: For some pests such as CommonName, if you edit the registry while one of their processes is running, that process will "repair" the registry, undoing your work. In the case of CommonName, you must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). In Task Manager, choose 'winnet.exe' and end the process.
Remove AutoStart
The registry contains defines several procedures for automatically starting software when you boot your machine. One of these is in HKEY_LOCAL_MACHINE at \Software\Microsoft\Windows\CurrentVersion\Run. You may use RegEdit to find this key. Do not delete the entire branch -- just the key over on the right-hand side of your screen.
Example: Many pests such as CommonName will start running when you boot. To prevent CommonName from automatically restarting, go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' or 'Winnet'. Delete it and reboot the machine immediately.
For more info on AutoStarting methods used by pests, click here.
Remove Files and Directories
Many programs create one or more directories, at the time of installation, for the convenient organization of their files. Such directories are logical containers. Complete removal of a pest may require removal of files in various locations, and may require removal of one or more directories.
Both Files and Directories may be found and removed using Windows Explorer:
1. Right-click on the Start button (lower left of your screen).
2. Choose Explore.
3. Locate the file or directory of interest and highlight it.
4. Right-click to invoke the popup menu, and choose Delete.
UnRegister DLLs
You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls such as dynamic-link library (DLL) or ActiveX Controls (OCX) files that are self-registerable.
RegSvr32.exe has the following command-line options:
Regsvr32 [/u] [/n] [/i[:cmdline]] dllname
/u - Unregister server<BR/>
/i - Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
/n - do not call DllRegisterServer; this option must be used with /i
When you use Regsvr32.exe, it attempts to load the component and call its DLLSelfRegister function. If this attempt is successful, Regsvr32.exe displays a dialog indicating success. If the attempt is unsuccessful, Regsvr32.exe returns an error message, which may include a Win32 error code.
Example: To unregister Winshow's winshow.dll:
1. Click the Start button, and select Run
2. Enter this command line:
regsvr32 /u [systemroot]\winshow.dll
For example, in a Windows XP machine in which your systemroot was at c:\winnt, you would enter:
regsvr32 /u c:\winnt\winshow.dll
