October 21st, 2003 01:00
Help -SearchV hijacked my computer browser
here is the log.....hopefully someone can help me remove this virus...thanks
Logfile of HijackThis v1.97.3
Scan saved at 7:32:11 PM, on 10/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alset\HelpExpress\josh\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\josh\Client\HelpExp.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Alset\HelpExpress\josh\Client\PrintMonitor.exe
C:\WINDOWS\emsw.exe
C:\WINDOWS\System32\ImmH2c.exe
C:\WINDOWS\System32\Qyaj.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\josh\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://finance.yahoo.com/?u
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (disabled by BHODemon)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [workflo] G:\install\workflow.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\QlsO0A55.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Anou] C:\Documents and Settings\josh\Application Data\ewra.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\josh\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\josh\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.8508564815
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
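A read-only triage pass over a log like the one posted above, as an added example that is not part of the original post or of HijackThis itself: it lists the R0/R1 Internet Explorer settings that point at a given host and the O4 Run entries that call `regedit /s`, which imports a .reg file without prompting at every logon. The function names, the `hosts_of_interest` parameter and the embedded sample (a few lines copied from the log) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
"""

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
RUN_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
SILENT_IMPORT = re.compile(r"\bregedit(\.exe)?\b.*\s/s\b", re.I)

def parse(log):
    """Return (IE URL settings from R0/R1 lines, autoruns from O4 Run lines)."""
    urls, runs = [], []
    for line in map(str.strip, log.splitlines()):
        m = R_LINE.match(line)
        if m:
            _code, hive, _key, value, data = m.groups()
            # hostname is None for non-URL data such as about:blank
            urls.append((hive, value, urlparse(data).hostname or ""))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, _run, name, command = m.groups()
            runs.append((hive, name, command))
    return urls, runs

def review(log, hosts_of_interest):
    """List entries a human reviewer should look at first; nothing is changed."""
    urls, runs = parse(log)
    def on_host(host):
        return any(host == h or host.endswith("." + h) for h in hosts_of_interest)
    return {
        # IE start/search settings that point at a host named in the report
        "ie_settings": [(hive, value) for hive, value, host in urls if on_host(host)],
        # Run entries that re-apply a .reg file's contents at every logon
        "silent_reg_imports": [name for _, name, cmd in runs if SILENT_IMPORT.search(cmd)],
    }

if __name__ == "__main__":
    print(review(SAMPLE_LOG, {"searchv.com"}))
```

The output only orders entries for a reviewer; whether an entry is safe to remove still needs someone who knows the machine.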



volcano11
October 21st, 2003 02:00
See the following in the Spywareinfo forums:
http://forums.spywareinfo.com/index.php?showtopic=13977
and also see the following:
http://www.pestpatrol.com/PestInfo/s/searchv.asp
Steve
volcano11
November 16th, 2003 19:00
See the following:
http://forums.techguy.org/t172387/s189d7ed402318e84d02d26b54f26a989.html
Steve
EMsweetgrl1
November 16th, 2003 19:00
I need help.. I'm not really computer smart... but I also have the "SearchV" homepage... and I can't get it to go away. I just need some guidance so I can get rid of it. I don't want to start deleting things because with my luck, I'll start deleting important stuff. If someone could help me out, that would be great :)
ChrisRLG
November 16th, 2003 21:00
Steve, cwshredder has been recently updated, and so will probably be able to cure this problem.
EMsweetgrl1, Try the following:-
--------------------------
Use these to remove Malware (Spyware and Adware).
Spybot S&D
Ad-Aware
Cwshredder
With all of these download them, install (after unzip if required), download the latest signature file, run, delete all that they find.
Failing those solving your problems, post a HijackThis log for the experts to advise on.
HijackThis From Here
Download, run, scan, save log, then in notepad copy the FULL log by copy and paste to a post in one of these specialist spyware removal forums:-
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi
http://boards.cexx.org/index.php
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I am in all those sites as ChrisRLG. You might get me, but any of the more problematic ones are handled by the experts. If you get an 'advanced member' like me, we have other ways of asking for advice from the experts, to pass on to you.
You could post your log here in this thread (if in the Virus Information and Removal Board - if not, post in that board, not in this thread), and I will have a go at giving advice, but if you go to one of the more specialist forums more experts will be able to help.
volcano11
November 16th, 2003 22:00
Thanks Chris,
Sometimes I wonder if we'll ever be able to keep up with this crud. It seems like every time an effective tool becomes available the perpetrators just come up with new ways to hijack, spy, and wreck people's computers.
Steve
Ternard
March 4th, 2004 09:00
Volcano
Friend of mine has been tearing his hair out for a few days over this problem, thanks to your suggestions, and others on this site, which I referred him to, he has now completely removed all traces, wishes to pass on his thanks.
Here is how he did it
H-Key Common User\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Na
Perhaps you might like to post my success to that site and let them know how it unfolded? It might help someone else similarly afflicted.
I ran a series of individual searches with Start> Run> Regedit> Edit> Find (and Find Next) for each of winshow, MSUpdater, sys.reg, and winlogon.exe.
Most importantly, I rebooted after each search.