

Searchv doesn't go away


Name: McShade
Date: October 11, 2003 at 13:22:39 Pacific
OS: Win XP
CPU/Ram: PIII/640
Comment:

I'm trying to get rid of my homepage www.searchv.com and I just can't. I followed the instructions on this site; I manually deleted every entry for searchv and winshow.dll in the registry, but whenever I reboot it comes back. Here's my HijackThis log file, after the reboot! Please help!

Logfile of HijackThis v1.97.3
Scan saved at 20:49:50, on 11-10-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\PopUp Killer\popupkiller.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system\serve.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\LMachado\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.lispolis.pt:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\LMachado\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://200.198.71.17/demonstracao/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37904.0508912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab




Response Number 1
Name: mamabear
Date: October 11, 2003 at 13:41:30 Pacific
Reply:

The latest ref file for Ad-aware contains new signatures for Searchv. Here's the link:
Computing.net thread

(Scroll down - I posted the wrong ref file the first time - what can I say? I'm getting old.)




Response Number 2
Name: Tom41
Date: October 11, 2003 at 14:48:45 Pacific
Reply:

Hi McShade,
You also have a couple of Trojans that need to be removed:

Backdoor.Jeem:
C:\WINDOWS\System32\msrexe.exe

Unknown:
C:\WINDOWS\system\serve.exe

Would you email me a zipped copy of serve.exe to analyze? Click my name for the email addy.

Run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\LMachado\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

After restarting delete the following:

C:\WINDOWS\system\serve.exe
C:\WINDOWS\System32\msrexe.exe



Response Number 3
Name: Abnormal
Date: October 11, 2003 at 14:50:20 Pacific
Reply:

Did Ad-Aware work?
You can try this.

Close all other windows...check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Eric\Application Data\winshow\winshow.dll
O4 - Global Startup: MSupdater.exe

"Fix Checked"...reboot

after restarting.....look in C:\Documents and Settings\LMachado\Application Data & delete "winshow"

Info found at Spywareinfo.




Response Number 4
Name: Abnormal
Date: October 11, 2003 at 14:53:34 Pacific
Reply:

Sorry Tom, did not want to step on your toes.



Response Number 5
Name: Tom41
Date: October 11, 2003 at 14:57:04 Pacific
Reply:

Don't worry, Abnormal. You're not gonna hurt my feelings. Feel free to jump in anytime.






Response Number 6
Name: McShade
Date: October 11, 2003 at 15:25:21 Pacific
Reply:

Thanks for your support, guys, but unfortunately nothing worked; searchv is still driving me mad. I tried Ad-aware, HT and Spybot. I'm starting to lose my confidence.



Response Number 7
Name: mamabear
Date: October 11, 2003 at 16:07:13 Pacific
Reply:

I don't know if this helps in this case, but I know with some of these things, you have to manually change your homepage back to where you want it after cleaning it out before you reboot.
Did you update your AAW ref files?



Response Number 8
Name: mamabear
Date: October 11, 2003 at 17:10:23 Pacific
Reply:

Did you fix all the items suggested by Tom 41 and Abnormal? Did you run an updated AAW scan?

This may be your problem:

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

It's the Sub7 v2.1 trojan.
Run HJT and fix it together with the hijacked search and start pages. I would suggest first you clean up by running an updated AAW scan.

Then remove the thing, preferably in safe mode.

Or if you prefer, you could remove it manually
Clicky



Response Number 9
Name: Tom41
Date: October 11, 2003 at 17:39:42 Pacific
Reply:

Run HT again and fix this entry, it's the culprit:

O4 - Global Startup: MSupdater.exe
MSupdater.exe is a Winshow updater.

This:
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

Is Backdoor.Jeem, not sub7 v2.1.




Response Number 10
Name: McShade
Date: October 11, 2003 at 19:01:18 Pacific
Reply:

Tom is right, guys. That is the solution! My old PC is back and doing what I say... It has a few other problems, but I'll try to manage.

Thanks



Response Number 11
Name: ahulett
Date: October 12, 2003 at 08:01:24 Pacific
Reply:

It depends on what AV program you use (SARC = Backdoor.Jeem, Sophos = Sub7 v2.1), so both names have the potential of being right.

If you still have these files by chance, I'd like you to submit them to us at our submission system.

http://www.lavahelp.com/submit/

If you don't have them, that's ok.

Thanks,

Aaron Hulett
Lavasoft R&D



Response Number 12
Name: Tom41
Date: October 12, 2003 at 10:05:30 Pacific
Reply:

Hi Aaron,
Don't wish to argue, but Sophos detects it as Troj/Bdoor-AML:
http://www.sophos.com/virusinfo/analyses/trojbdooraml.html

Sub7 v2.1 would show up as:

O4 - HKLM\..\RunServices: [WinLoader] C:\%WINDOWS%\msrexe.exe

There would also be a System.ini entry and the .exe file association would have been altered.

I've sent a copy of the server.exe file to TK, so he should forward it to you guys after analyzing it.



Response Number 13
Name: KyTaX
Date: October 14, 2003 at 04:35:47 Pacific
Reply:

Hi, can someone help me please? I read this thread and tried to follow the instructions given, but I'm not good with computers and need help. I downloaded HT and Stinger, but I don't know what to do next since most of the logs differ.
Sorry to bother you all.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.exe
C:\WINDOWS\Explorer.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\PowerS.exe
C:\windows\msbb.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Janab\My Documents\My Videos\stinger.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://e-plus.cc/teen+f---/113/?lang={SUB_RFC1766}&id=170201055066900177
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.xtra.co.nz/newuser/
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Janab\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
O4 - HKLM\..\Run: [PSV] C:\WINDOWS\PSV.exe
O4 - HKLM\..\Run: [VCJ] C:\WINDOWS\VCJ.exe
O4 - HKLM\..\Run: [CFCF] C:\WINDOWS\CFCF.exe
O4 - HKLM\..\Run: [TAH] C:\WINDOWS\TAH.exe
O4 - HKLM\..\Run: [ADGKNQTXA] C:\WINDOWS\ADGKNQTXA.exe
O4 - HKLM\..\Run: [BEHKORU] C:\WINDOWS\BEHKORU.exe
O4 - HKLM\..\Run: [YBFI] C:\WINDOWS\YBFI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [AEHKNR] C:\WINDOWS\AEHKNR.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [JQX] C:\WINDOWS\JQX.exe
O4 - HKLM\..\Run: [ADHKN] C:\WINDOWS\ADHKN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.com


Again, Sorry for the long post.



Response Number 14
Name: Jeff Landers
Date: October 14, 2003 at 15:08:26 Pacific
Reply:

Hi gents,

I would really appreciate your help on this as well. I changed sys.reg to www.google.com and trashed MSUpdater.exe, but I am still getting pop-ups with IE. Could you please help? Thanks,

Logfile of HijackThis v1.97.3
Scan saved at 23:52:30, on 14-10-2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Navnt\DefWatch.exe
c:\mcdetect\icserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
c:\mcdetect\wake_up.exe
C:\WINNT\System32\nslsvice.exe
C:\Program Files\Navnt\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Beeldschermtachograaf\Bstmon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\WINNT\System32\atwtusb.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\PROGRA~1\NETSWI~1\NETSWT~1.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\svchost.exe
c:\program files\acnu\acnupdatersvc.exe
c:\mcdetect\nrunner.exe
c:\mcdetect\e_mail.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\myname\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.company.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\myname\Application Data\winshow\winshow.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Dsetext] C:\WINNT\dsetext.wsf
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [bstacho] "C:\Program Files\Beeldschermtachograaf\Bstmon.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [eSupportInstall] c:\progra~1\support.com\tmp\esupportinstall.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKCU\..\Run: [NetSwitcher Tray Application] C:\PROGRA~1\NETSWI~1\NETSWT~1.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: BlackICE Agent.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=https://portal.company.com
O15 - Trusted Zone: *.company.com
O16 - DPF: {2D43C9E8-E08F-11D3-95A4-0090271F0946} (Keon Class) - https://testtoken.company.com/WebPassPort/install/WebPassPort.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A44D7B-5F99-452C-9F2D-6E3941996110}: NameServer = 62.58.50.5 62.58.50.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.company.com,company.com,dir.svc.company.com




Response Number 15
Name: smithdk
Date: October 14, 2003 at 17:47:49 Pacific
Reply:

Delete these lines:

O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O14 - IERESET.INF:
START_PAGE_URL=https://portal.company.com

O15 - Trusted Zone: *.company.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A44D7B-5F99-452C-9F2D-6E3941996110}: NameServer = 62.58.50.5 62.58.50.6

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.company.com,company.com,dir.svc.company.com


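The pattern across the logs in this thread is the same: the R0/R1 entries are only symptoms, and they come back after every reboot because something else reinstates them (Tom41's MSupdater.exe in Global Startup in Response 9, and the "[sys] regedit /s sys.reg" Run entries in the later logs from KyTaX, Jeff Landers and Charcoal). Below is an added example, not code from the thread or from HijackThis, that triages a pasted log along those lines: it flags the known Searchv/WinShow indicators, puts the persistence entries first so they are fixed before the start-page values, and lists O6/O10/O15/O17 entries for review instead of removal, since a Winsock LSP cannot be fixed by deleting its line and the trusted-zone and DNS entries in Jeff Landers' log reference the organisation's own domain. The sample log is constructed from lines abbreviated out of the posts above; the indicator list and the persistence labels are my assumptions derived from those posts.

```python
"""Triage a HijackThis 1.97-style log for the Searchv/WinShow hijack discussed in this thread.

Added example, not from the thread. The indicator list and the persistence
labels are assumptions derived from the entries posted above.
"""
import re
from dataclasses import dataclass

# Indicators taken from the logs posted in this thread.
WINSHOW_CLSID = "{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}"
HIJACK_HOSTS = ("searchv.com", "mysearchnow.com", "e-plus.cc")
# Sections reported for review rather than fixed blindly: IE policy keys, Winsock
# LSPs, trusted zones and DNS settings are often legitimate corporate configuration.
REVIEW_ONLY = {"O6", "O10", "O15", "O17"}

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")

# Constructed sample: lines abbreviated from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\LMachado\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.company.com,company.com
"""


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    persistence: bool  # True: this entry re-creates the others after a reboot


def classify(line):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    low = body.lower()

    if sect in ("R0", "R1"):
        if any(host in low for host in HIJACK_HOSTS):
            return Finding(sect, line, "IE start/search URL points at a known hijacker host", False)
        return None
    if sect == "O2":
        if WINSHOW_CLSID.lower() in low or "winshow" in low:
            return Finding(sect, line, "WinShow BHO loads into every IE window", True)
        return None
    if sect == "O4":
        if "msupdater.exe" in low:
            return Finding(sect, line, "WinShow updater in Global Startup reinstalls the BHO and resets pages each boot", True)
        if re.search(r"\bregedit(\.exe)?\s+/s\s", low):
            return Finding(sect, line, "silent .reg import at logon re-applies hijacked registry values", True)
        if "msrexe.exe" in low:
            return Finding(sect, line, "Run entry identified as a backdoor in this thread", False)
        return None
    if sect == "O10":
        return Finding(sect, line, "Winsock LSP hijack; deleting the line alone can break networking, repair the LSP chain instead", False)
    if sect in REVIEW_ONLY:
        return Finding(sect, line, f"{sect} entry; verify against the expected configuration before removing", False)
    return None


def triage(log_text):
    """Parse a whole log and return findings with persistence entries first."""
    findings = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: (not f.persistence, f.section))


def fix_list(findings):
    """Lines to tick in HijackThis ('Fix checked'), in the order to remove them."""
    return [f.line for f in findings if f.section not in REVIEW_ONLY]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "PERSIST" if f.persistence else ("REVIEW" if f.section in REVIEW_ONLY else "fix")
        print(f"[{tag:7}] {f.line}\n          {f.reason}")
```

Running it on the constructed sample puts the O2 BHO, the "regedit /s" Run entry and MSupdater.exe at the top; the searchv.com R0/R1 values only stay fixed once those three are gone, which is what McShade saw in Response 10.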

Response Number 16
Name: Charcoal
Date: October 14, 2003 at 18:57:46 Pacific
Reply:

I've also had some problems. I've tried fixing it somewhat on my own; in the past I've been able to fix these types of problems relatively easily, but Ad-aware doesn't catch it, I can't find program files that affect it, and fixing the reg keys doesn't work. Thanks for any help you can provide!

Logfile of HijackThis v1.97.3
Scan saved at 8:48:36 PM, on 10/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Documents and Settings\- Cody -\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-big.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0075546E-5D3D-11D2-A3E5-0060971304D8} (WTX_Installer Class) - http://www.webtrends.com/Download/Browser/Plugins/WordUtils/v4.1/Microsoft/wtx_setup.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/13a93af2c4b016583500/netzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} - http://secure2.comned.com/signuptemplates/ActiveSecurity.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37577.298275463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab


Response Number 17
Name: smithdk
Date: October 14, 2003 at 19:10:56 Pacific
Reply:

You should post this as a new post. Read my responses in this post and remove those same lines.


Response Number 18
Name: KyTaX
Date: October 14, 2003 at 22:47:32 Pacific
Reply:

Do I have those same lines? I can't seem to find them.


Response Number 19
Name: Jeff
Date: October 14, 2003 at 23:22:15 Pacific
Reply:

Hi Smithdk,

Thanks for the quick response...

O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg

has been deleted but does not help.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Will try

O14 - IERESET.INF:
START_PAGE_URL=https://portal.company.com

'company' is the name of my own company. Changed it so as not to get hassled by the boss.

O15 - Trusted Zone: *.company.com
'company' is the name of my own company. Changed it so as not to get hassled by the boss.

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A44D7B-5F99-452C-9F2D-6E3941996110}: NameServer = 62.58.50.5 62.58.50.6

I think this is the server of my own company(?)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.company.com,company.com,dir.svc.company.com
'company' is the name of my own company. Changed it so as not to get hassled by the boss.

Are you sure about the rest Smithdk? Thanks,


Response Number 20
Name: smithdk
Date: October 15, 2003 at 04:06:12 Pacific
Reply:

Since this computer is for your company, you can keep the references about your company.

Delete these lines:

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\myname\Application Data\winshow\winshow.dll

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/



Response Number 21
Name: Alex
Date: October 15, 2003 at 10:09:31 Pacific
Reply:

I have tried to remove searchv.com with HiJackThis 4 times. It does not work. I'd appreciate any help. Here is the HiJackThis log file after fixes:

Logfile of HijackThis v1.97.3
Scan saved at 11:48:59 AM, on 10/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\drivers\dcfssvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINXP\system32\pctspk.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\PROGRA~1\VISION~1\ONETOU~2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\System32\ctfmon.exe
E:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINXP\system32\NOTEPAD.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/des-moines
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] e:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKCU\..\Run: [BMUpdate] C:\WINXP\System32\BMUpdate.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office XP\Office10\OSA.exe
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37591.4365046296
O16 - DPF: {B931B906-B275-475F-99DE-923596CC9DB6} (PAS6_Forecaster.Forecaster) - http://www.bplans.com/common/startcost/Pas6_Forecaster.CAB


Response Number 22
Name: smahmud
Date: October 15, 2003 at 16:21:12 Pacific
Reply:

Folks, I am stuck with the same problem.

Winshow.dll/cfg and the folder do not go away even after running Hijack This. Following is the log file:

Logfile of HijackThis v1.97.3
Scan saved at 7:11:12 PM, on 10/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shahid Mahmud\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: MSupdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://segue.webex.com/client/latest/webex/ieatgpc.cab

Please advise.


Response Number 23
Name: smithdk
Date: October 15, 2003 at 18:16:27 Pacific
Reply:

This line looks suspicious:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

This line is bad:

O4 - Global Startup: MSupdater.exe

I would disable this line:

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe


Response Number 24
Name: cixelsyd
Date: October 15, 2003 at 20:19:21 Pacific
Reply:

I had this same problem, and I found that I had the "regedit /s C:\WINNT\sys.reg" set also, and after removing that and deleting the file in the Windows directory my browser started with the default blank page again.
The key was under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and it was called "sys" with a value of "regedit /s C:\WINNT\sys.reg"

Hope that helps,

Sven
P.S. Sadly Adaware didn't get rid of it with the newest reference file (updated tonight when I tried removing it)


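One way to automate the line-by-line triage the helpers do by hand in this thread, as an added example (not code from the thread or from HijackThis). The sample log is constructed from entries posted above, and the rules encode the indicators the replies point at: IE pages redirected to searchv.com, the WinShow BHO, the `[sys]` Run key that silently re-imports a .reg file at logon (the reason hand-deleted keys keep coming back), and a bare executable in Global Startup.

```python
"""Flag the HijackThis entries this thread ties to the SearchV/WinShow hijack.

Added example, not code from the thread or from HijackThis. The rules encode the
indicators the replies point at, including the Run key that silently re-imports
a .reg file, which is why hand-deleted registry entries come back after reboot.
"""
import re

# Constructed sample log, assembled from entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\me\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
REGEDIT_RE = re.compile(r'^"?regedit(\.exe)?"?\s+/s\b', re.IGNORECASE)


def classify(line):
    """Return the reasons one HijackThis line matches the hijack; [] if clean."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # headers, the process list and blank lines carry no entry
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    if section in ("R0", "R1") and "searchv.com" in low:
        reasons.append("IE start/search page redirected to searchv.com")
    if section == "R1" and "proxyoverride" in low:
        reasons.append("ProxyOverride set (flagged for review in the thread; often legitimate)")
    if section == "O2" and "winshow" in low:
        reasons.append("WinShow BHO (winshow.dll) loaded into Internet Explorer")
    if section == "O4":
        run = RUN_RE.search(body)
        if run and REGEDIT_RE.match(run.group("cmd")):
            # The persistence trick: 'regedit /s' re-creates the searchv.com
            # keys at every logon, so deleting them by hand never sticks.
            reasons.append(f"Run key [{run.group('name')}] silently re-imports a .reg file at logon")
        elif body.startswith("Global Startup: ") and " = " not in body and not low.endswith(".lnk"):
            reasons.append("bare executable in Global Startup with no shortcut target")
    return reasons


def scan(log_text):
    """Map every flagged log line to its reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG).items():
        print(entry, *("\n   -> " + r for r in why))
```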
Response Number 25
Name: A7UN B
Date: October 16, 2003 at 06:26:36 Pacific
Reply:

I've tried Ad-aware, Pest Patrol and HijackThis to get rid of this SearchV but it just will not go away.

please help!!


Response Number 26
Name: Tom41
Date: October 17, 2003 at 01:12:35 Pacific
Reply:

A7UN B, post your Hijack log...


Response Number 27
Name: dea
Date: October 19, 2003 at 11:23:12 Pacific
Reply:

WAHH!!! I'm just another girl who can't get rid of this stupid SearchV... I also wrote to the SearchV customer support and no reply - and now this... I hope I didn't all my e-mail to a list of junk!!! WAH!!! If anyone can help me... PLEASE!!! Here's my HijackThis file listing..:

Logfile of HijackThis v1.97.3
Scan saved at 11:19:26 AM, on 10/19/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37573.2379050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

PLEASE HELP ME!!!!! Thanks guys! -Dea
;)


Response Number 28
Name: smithdk
Date: October 19, 2003 at 12:05:10 Pacific
Reply:

Fix this line:

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll


Response Number 29
Name: madridcaveman
Date: October 23, 2003 at 03:49:13 Pacific
Reply:

Dear Smithdk,

Removing winshow.dll worked, thanks! Just for your info, another Trojan also came with the program, Dc669.exe, which was not detected by HT. Norton found that one in the Recycle.

Keep up the noble work guys. The world needs more guys like you who help others without asking anything in return...


Response Number 30
Name: smithdk
Date: October 23, 2003 at 04:19:31 Pacific
Reply:

Glad it worked out. Thanks for posting back.

