searchv & searchdot

Original Message
Name: phldude
Date: October 12, 2003 at 16:48:56 Pacific
Subject: searchv & searchdot
OS: xp pro
CPU/Ram: P3/512mb
Comment:

Hi,

My computer got infected with some kind of bug which keeps changing the Windows registry every time I start my computer; it changed my home page URL from "earthlink.net" to "searchdot.net". I've tried Spybot, Ad-aware 6, HijackThis and Stinger, all the most recent versions. I got rid of "searchv.com", but this pesky "searchdot.net" is still there. Following is the log file from HijackThis:


Logfile of HijackThis v1.97.3
Scan saved at 7:47:34 AM, on 10/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Documents and Settings\Your Daddy\Local Settings\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37393.2084375
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

The first two lines starting with "R0" are the lines I deleted with HijackThis; they then reappeared after a reboot.

Please help!




Response Number 1
Name: Tom41
Date: October 12, 2003 at 18:47:57 Pacific

Run HT again and check the following items. Next, close all browser windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - Global Startup: MSupdater.exe

After restarting delete the following file:
C:\WINDOWS\Fonts\msoffice.hta



Response Number 2
Name: Lorax
Date: October 14, 2003 at 07:34:33 Pacific

Hijack This! pointed out a file called "msoffice.hta", hidden in the Fonts directory. I searched for the file, and opened it directly from the search window with Text Editor. This revealed the "searchdot.net" hijack. Note: You won't see it if you open the Fonts directory, as it's specially configured to only show font files such as TTF.

I searched for msoffice.hta in the REGEDIT, and removed it. (It came up as a start-up file.) I also deleted the file from my computer.

This fixed it!

Keywords:
removing searchdot.net
default homepage
searchdot msoffice.hta
hijack virus fixing deleting castrating
search dot net searchdotnet searchdot.net



Response Number 3
Name: gasguzzler
Date: October 14, 2003 at 19:57:55 Pacific

I too was a victim of searchdot.net hijacking my homepage.

I used File Locator Pro's text search feature with 'searchdot' as the keyword on all files on my hd. It came back with this list of files all having a searchdot.net reference somewhere inside of them:

VTIDISC.exe
VTIBD.exe
VTIFORM.exe
VTIPRES.exe
VTIDBSAT.dll
vtidb.wiz
vtiform.wiz
vtidisc.wiz
vtipres.wiz
_vti_adm.*
_vti_aut.*
vtipres.inf
vtiform.inf
vtidisc.inf
vtidb.inf
vinavbar.inf
vinavbar.btl
FP5AVNB.dll
and,
msoffice.hta

Then I did a Regedit search by typing 'msconfig' and found a hidden value loading it each time WinXP starts up.

I attacked it by first deleting each of the registry entries, then deleting the files, and finally rebooting. Yes, it's a pesky piece of malware indeed!




Response Number 4
Name: fjcomputer
Date: October 14, 2003 at 20:27:06 Pacific

I too got the Searchdot.net pest, and my disadvantage is that I am not a computer specialist.
Could any of you guys break it down more for me?
Sorry, I am just too ignorant (though not stupid). Let me know how I could rid myself of the problem, or if it's just a matter of giving me the home address of the initiator so I can visit him and take the problem out of the universe with a baseball bat.

Thanks Joseph




Response Number 5
Name: miker
Date: October 16, 2003 at 10:30:55 Pacific

It took me a couple of hours to clean this mess up. What did it for me was running Hijackthis and then having it remove these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta

I then deleted the msoffice.hta and sys.reg files and rebooted. Pretty clever, hiding a file in the Fonts folder.


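An added example, not code from this thread: a small Python triage script over HijackThis log lines that flags the patterns targeted by the fix lists in Tom41's reply (response 1) and miker's reply (response 5): R0/R1 browser settings pointing at the domains named in this thread, an .hta autostarting from the Fonts folder, a silent `regedit /s` import of a .reg file at logon, and a bare executable in Global Startup. The sample lines are copied from the thread; the HIJACK_DOMAINS deny list is an assumption made for the demo.

```python
import re

# Constructed sample: lines copied from the HijackThis fix lists in this thread
# (Tom41's and miker's replies) plus one benign Run entry for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.searchdot.net
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
O4 - HKLM\\..\\Run: [Msoffice] C:\\WINDOWS\\Fonts\\msoffice.hta
O4 - HKLM\\..\\Run: [sys] regedit /s C:\\WINDOWS\\sys.reg
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - Global Startup: MSupdater.exe
"""

# Domains this thread identifies as the hijack targets (assumed deny list for the demo).
HIJACK_DOMAINS = {"searchdot.net", "searchv.com", "true-counter.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
RUN_RE = re.compile(r"Run: \[[^\]]*\] (?P<cmd>.*)$")

def triage_line(line):
    """Return a short reason if the HijackThis line matches a hijack pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):  # IE start page / search page values
        host = URL_RE.search(body)
        domain = ".".join(host.group(1).lower().split(".")[-2:]) if host else ""
        if domain in HIJACK_DOMAINS:
            return f"browser setting points at {domain}"
        if "(obfuscated)" in body:
            return "obfuscated URL in browser setting"
    elif kind == "O4":  # autostart entries
        run = RUN_RE.search(body)
        cmd = (run.group("cmd") if run else body).lower()
        if "\\fonts\\" in cmd and cmd.endswith(".hta"):
            # Explorer lists only font files in Fonts, so an .hta there escapes casual inspection.
            return "HTA script autostarting from the Fonts folder"
        if "regedit /s" in cmd or "regedit.exe /s" in cmd:
            # A silent .reg import at every logon re-creates values that were deleted by hand.
            return "silent .reg import at logon re-applies registry changes"
        if body.lower().startswith("global startup:") and ".lnk" not in body.lower():
            return "bare executable in Global Startup without a shortcut"
    return None

def triage_log(text):
    """Map each flagged log line to its reason."""
    return {ln: triage_line(ln) for ln in text.splitlines() if triage_line(ln)}
```

Running `triage_log(SAMPLE_LOG)` flags five of the six sample lines; only the ctfmon.exe entry passes clean.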


Response Number 6
Name: Bruce Wayne
Date: October 17, 2003 at 09:05:00 Pacific

WHOIS RESULTS
Domain Name: searchdot.net
Registrant: Eric Alson
po box 57
London, London, 23569
GB

eric@hihost4all.com
+04.562849663
+04.

Administrative Contact: Name: Eric
Last Name: Alson
Address: po box 57
City: London
State: London
Zip Code: 23569
Country: GB
Company:
Email: eric@hihost4all.com
Telephone: +04.562849663
Fax:

Billing Contact: Name: Eric
Last Name: Alson
Address: po box 57
City: London
State: London
Zip Code: 23569
Country: GB
Company:
Email: eric@hihost4all.com
Telephone: +04.562849663
Fax:

Technical Contact: Name: Eric
Last Name: Alson
Address: po box 57
City: London
State: London
Zip Code: 23569
Country: GB
Company:
Email: eric@hihost4all.com
Telephone: +04.562849663
Fax:

Domain Name Created On: 10/3/2003 3:36:00 PM
Domain Name Expires On: 10/3/2004

Name Servers: Name Server 1: NS1.ADVANCEDHOSTERS.COM
Name Server 2: NS2.ADVANCEDHOSTERS.COM

o-o-o-o-o-o-o-o


WHOIS RESULTS
Domain Name: searchv.com
Administrative Contact:
Yohansen, Olaf admin@searchv.com
PO BOX 5874
Gasa, Not Applicable 541245
WS
+12.1234567890


Technical Contact:
Yohansen, Olaf admin@searchv.com
PO BOX 5874
Gasa, Not Applicable 541245
WS
+12.1234567890


Record last updated 05-06-2003 05:31:47 AM
Record expires on 05-05-2004
Record created on 05-05-2003

Domain servers in listed order:
NS1.SEARCHV.COM 81.3.164.1
NS2.SEARCHV.COM 217.146.192.22




Response Number 7
Name: Roberto MEndoza
Date: October 17, 2003 at 10:18:34 Pacific

I had the same problem, and could not solve it with either of the fixes posted here. I finally found out from someone that the file sys.reg contained a hidden reference to searchv.com. After running Ad-aware, Spybot or HK, look for sys.reg, open it with Notepad, and erase the references to searchv.com.
I hope this helps someone; it helped me. Good luck.



Response Number 8
Name: dude
Date: October 18, 2003 at 23:02:49 Pacific

I had a problem like this. I could not stop it from hijacking me, so I edited my hosts file so it looked like this:

127.0.0.1 localhost
216.239.41.99 www.searchdot.net

216.239.41.99 is Google. Let the jerks hijack me, I'll hijack myself right back!



Response Number 9
Name: Quercus
Date: October 19, 2003 at 13:30:35 Pacific

... but it doesn't connect to anything. Did it used to for anyone? Did the hijackers get busted?



Response Number 10
Name: djamdjazz
Date: October 19, 2003 at 14:50:42 Pacific

I used the method indicated by Lorax (message number 2 above) and it worked fine for me.

Thanks



Response Number 11
Name: Rick7777
Date: October 19, 2003 at 15:51:40 Pacific

I had exactly the same problem. I solved the problem by following tom41's instructions plus deleting references to searchv in sys.reg, as suggested by Roberto in response 7. Hope this is helpful.



Response Number 12
Name: Quercus
Date: October 20, 2003 at 21:08:51 Pacific

Damn... I deleted too much with HijackThis so now I'm rebuilding... but I weeded out the unwanted stuff.

Q



Response Number 13
Name: Richard Clayton
Date: October 21, 2003 at 12:04:20 Pacific

Some useful-sounding tips. But I tried to follow reply no. 2 and it hasn't helped. Where is sys.reg? That sounds easy, but I cannot locate that file.



Response Number 14
Name: Adey
Date: October 22, 2003 at 09:57:39 Pacific

I did the following to remove the hijack:

1. Deleted msoffice.hta in the Fonts directory.
2. Replaced all references to searchdot in my registry with http://www.google.com using "regedit".

Rebooted. Problem solved!

crafty wankers!



Response Number 15
Name: smadanel
Date: October 23, 2003 at 17:32:07 Pacific

I have tried EVERYTHING above. I STILL have it. WTF? I even tried all the ways in safe mode, and with System Restore off. Why would someone want to do this?



Response Number 16
Name: Richard Clayton
Date: October 24, 2003 at 11:16:39 Pacific

Me too, unfortunately. Adey (Response 14) how do you edit regedit? There seem to be hundreds of sub-directories, so where do we start? Thanks!



Response Number 17
Name: pamela
Date: October 24, 2003 at 20:25:16 Pacific

Man was I PISSED OFF that I couldn't get rid of this thing. But thank you, Lorax. I'm FREE!

For those of you still puzzled, I'll break it down for you:
1) Do a file search for msoffice.hta
It'll be in your Fonts directory. Delete it.
2) Select START, Run, then type "regedit" in the window. Hit "Okay"
3) Do an Edit/Find and type in "searchdot" - it'll find every registry entry that you need to change, one at a time.
4) When it finds an entry, click on it and you'll have the opportunity to change the value to something besides www.searchdot.net. Change it to some other site.
5) Keep searching and changing until you've changed them all (it'll be around 5 or so).
6) Rinse, lather, repeat.
7) Reboot. And it's gone.
Good luck.



Response Number 18
Name: mspikes
Date: October 30, 2003 at 13:42:11 Pacific

All,

I just started a thread labeled "Searchv Homepage" can you all help me there?

mark



Response Number 19
Name: Jungus
Date: October 31, 2003 at 12:48:31 Pacific

I simply followed your advice in finding the msoffice.hta file in the c:\windows\fonts directory, but this is where I digress:
I opened the file, found the lines that had the URL and changed both to my preferred URL (in this case Yahoo).
I can now thank the very same malware for helping me reset my favorite homepage in the registry without having to do it myself!

