Help -SearchV hijacked my computer browser

Question

here is the log.....hopefully someone can help me remove this virus...thanks Logfile of HijackThis v1.97.3Scan saved at 7:32:11 PM, on 10/20/2003Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG6\avgserv.exeC:\Program Files\Norton AntiVirus
avapsvc.exeC:\WINDOWS\System32
vsvc32.exeC:\Program Files\Norton AntiVirus\SAVScan.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\WScript.exeC:\Program Files\Grisoft\AVG6\avgcc32.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Alset\HelpExpress\josh\HXIUL.EXEC:\Program Files\Alset\HelpExpress\josh\Client\HelpExp.exeC:\Program Files\Sony\VAIO Action Setup\VAServ.exeC:\Program Files\Alset\HelpExpress\josh\Client\PrintMonitor.exeC:\WINDOWS\emsw.exeC:\WINDOWS\System32\ImmH2c.exeC:\WINDOWS\System32\Qyaj.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Documents and Settings\josh\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exeC:\WINDOWS\System32
otepad.exec:\progra~1\Support.com\client\bin	gcmd.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeopleR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://finance.yahoo.com/?uR3 - Default URLSearchHook is missingO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (disabled by BHODemon)O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbsO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initializeO4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exeO4 - HKLM\..\Run: [workflo] G:\install\workflow.exeO4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startupO4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.regO4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\QlsO0A55.exeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [Anou] C:\Documents and Settings\josh\Application Data\ewra.exeO4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\josh\HXIUL.EXEO4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\josh\Client\HelpExp.exeO4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exeO4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO4 - Global Startup: VAIO Action Setup (Server).lnk = ?O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)O9 - Extra button: Real.com (HKLM)O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin3.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeopleO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cabO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.8508564815O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx

volcano11 · Answer

See the following in the Spywareinfo forums: http://forums.spywareinfo.com/index.php?showtopic=13977 and also see the following: http://www.pestpatrol.com/PestInfo/s/searchv.asp Steve

volcano11 · Answer

See the following: http://forums.techguy.org/t172387/s189d7ed402318e84d02d26b54f26a989.html  Steve

EMsweetgrl1 · Answer

I need help.. I'm not really computer smart... but I also have the "SearchV" homepage... and I can't get it to go away. I just need some guidance so I can get rid of it. I don't want to start deleting things because with my luck, I'll start deleting important stuff. If someone could help me out, that would be great :)

ChrisRLG · Answer

Steve, cwshredder has been recently updated, and so will probably be able to cure this problem.

EMsweetgrl1, Try the following:-
--------------------------
Use these to remove Malware (Spyware and Adware).
Spybot S&D
Ad-Aware
Cwshredder
With all of these download them, install (after unzip if required), download the latest signature file, run, delete all that they find.

Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
Download, run, scan, save log, then in notepad copy the FULL log by copy and paste to a post in one of these specialist spyware removal forums:-
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi
http://boards.cexx.org/index.php
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.

I am in all those sites as ChrisRLG. You might get me, but any of the more problematic ones are handled by the experts. If you get a 'advanced member' like me, we have other ways of asking for advice from the experts, to pass on to you.

You could post your log here in this thread (if in the Virus Information and Removal Board - if not post in that board not in this thread), and I will have a go at giving advice, but if you go to one of the more specalist forums more experts will be able to help.

ChrisRLG · Answer

Your welcome Steve.

volcano11 · Answer

Thanks Chris,

Sometimes I wonder if we'll ever be able to keep up with this crud. It seems like everytime an effective tool becomes available the perpetrators just come up with new ways to hijack, spy, and wreck people's computers.

Steve

Ternard · Answer

Volcano

Friend of mine has been tearing his hair out for a few days over this problem, thanks to your suggestions, and others on this site, which I referred him to, he has now completely removed all traces, wishes to pass on his thanks.

Here is how he did it

H-Key Common User\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Na

Perhaps you might like to post my success to that site and let them know how it unfolded? It might help someone else similarly afflicted.

I ran a series of individual searches with Start> Run> Regedit> Edit> Find (and Find Next) for each of winshow, MSUpdater, sys.reg, and winlogon.exe.
Most importantly, I rebooted after each search.

Virus & Spyware

Was this post helpful?