#1 |
|
Member (7 bit)
Join Date: Aug 2002
Posts: 64
|
help removing searchv.com problem
hi,
not sure how this happened, but whenever i start my pc and open internet explorer the homepage is set to searchv.com, if i change it to something else it's fine, even if i close ie and restart it. however, the next time i start my pc it's back to searchv.com, i've tried using: CWShredder - a tool i found online, after searching deja and used ad-aware, but still after starting the pc it's back to searchv.com, any ideas on how to stop this? thank you. |
|
|
|
|
|
#2 |
|
Member (11 bit)
|
have you checked your start up items to see if anything that is starting up could be changing your homepage?
go to start run and type msconfig check your start up entries... NOTE: msconfig will not work on win2k.. |
|
|
|
|
|
#3 |
|
Member (7 bit)
Join Date: Aug 2002
Posts: 64
|
hi,
thank you for the response, just wanted to ask i have win2000 do you know how i can access the startup programs list, i'm sure that's where it must be. Thank you. |
|
|
|
|
|
#4 |
|
Member (9 bit)
Join Date: Jun 2002
Location: Kansas
Posts: 491
|
Directions for manually removing searchv can be found here.
Did you update AdAware before you ran it? Spyware writers are like virus writers...constantly re-writing/changing/tweaking their malware to try to evade programs like AdAware so updating AdAware is crucial. I've never used Pest Patrol, which is referred to on the above page. You might consider getting Spybot, which I use in conjunction with AdAware. Between the two of them, pretty much all spyware (except CoolWebSearch, which you've already eliminated with CWShredder) will be removed. |
|
|
|
|
|
#5 |
|
Registered User
Join Date: Apr 2001
Location: The Northland
Posts: 44
|
You can get msconfig for w2k HERE .
You can download HijackThis to take care of the browser hijackers. |
|
|
|
|
|
#6 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
Great removal tool. It lists everything, and found stuff that spybot didn't. thanks. but still my IE6 is slow to open pages. I've tried almost everything. any more suggestions?
|
|
|
|
|
|
#7 |
|
Member (9 bit)
Join Date: Jun 2002
Location: Kansas
Posts: 491
|
Have you shut down all of W2K's unnecessary services? If not, the guide on Black Viper's site is reliable.
It's a little tedious but usually worth it in terms of better system performance and online security. |
|
|
|
|
|
#8 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
I'll give it a go, but the system was working fine before the intervention of CWS. It just makes me think there's something I've missed despite having used "hijack this" "Spybot" "CWShredder" etc
I'm thinking that a file/service has disguised itself and is still running. The rest of the system runs fine, it just takes a few seconds too long to open the internet pages on broadband. Sorry, I don't mean to hijack this thread. |
|
|
|
|
|
#9 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
|
If you run Spybot in the advanced mode - on the Immunize page you can lock the IE start page.
|
|
|
|
|
|
#10 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
thanks glc, I have changed that now, although I'm not having any problems with the IE start page. I changed that, and it hasn't changed back since.
I have found all sorts of diallers in C:/WINNT folder, and even a "default" dialer with a **** username and *********** password in connections/internet options. PS it wasn't me looking at the dodgy sites that this sort of thing could come from! I'm just left to sort out the mess. |
|
|
|
|
|
#11 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
Coolwebsearch decided to reinstall itself again without visiting any site that it could come from, which makes me think it's still on the system somewhere... my god it's mutating..
|
|
|
|
|
|
#12 |
|
Registered User
Join Date: Apr 2001
Location: The Northland
Posts: 44
|
Cool Web Search can be a hard one to get rid of. You can download CWShredder and get rid of it. After you have run the shredder, if you want, you can run hijackthis again and post the log here. I can spot most of the items relating to CWS. I'd be happy to have a look at it for you.
|
|
|
|
|
|
#13 |
|
The Preacher Man
Premium Member
Join Date: Apr 2000
Location: Dallas
Posts: 4,710
|
__________________
The bigger the government, the smaller the citizen |
|
|
|
|
|
#14 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
thanks steve1.
I have tried everything, and I mean everything but the home page keeps changing and the pages are still slow to open, so I figured there was something that I have missed, something has disguised itself, tricky bugger. Sarge, I did have spybot installed, but it came up with an error when I tried to update it. So I am trying uninstalling spybot and reinstalling. But Steve1, I ran CWShredder, it found nothing, and here is the list generated by Hijack this.. thanks

Logfile of HijackThis v1.97.3
Scan saved at 18:13:09, on 12/11/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\sjconway\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SBS2000:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\mshhoc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Service] C:\WINNT\system32\msrexe.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://sbs2000/myconsole/mstscax.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...924.4969791667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...88/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cavendishknight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cavendishknight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cavendishknight.com |
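
Added example (not from any poster in this thread and not part of HijackThis): Python code that splits a pasted HijackThis log into entries, with or without line breaks, and pulls out the two groups relevant to a homepage that resets at boot, namely the IE settings in the R sections and the startup programs in the O4 section. The function names are illustrative, the sample entries are copied from the log in the post above, and the code only lists entries for review without judging them.

```python
import re

# A HijackThis entry starts with a section code (R1, O2, O4, O16, ...) then " - ".
ENTRY = re.compile(r"(?<!\S)([RO]\d{1,2}) - ")
# O4 registry form:  HKLM\..\Run: [value name] command line
O4_REG = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O4 folder form:    Global Startup: shortcut.lnk = target
O4_LNK = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

# Entries copied from the log in the post above, joined on one line
# (constructed input: this is how a paste looks once line breaks are lost).
SAMPLE = (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/ "
    r"O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\mshhoc.dll "
    r"O4 - HKLM\..\Run: [POINTER] point32.exe "
    r"O4 - HKLM\..\Run: [System Service] C:\WINNT\system32\msrexe.exe "
    r"O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE"
)

def split_entries(text):
    """Return [(code, body), ...] whether or not newlines separate the entries."""
    marks = list(ENTRY.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return [(m.group(1), text[m.end():end].strip()) for m, end in zip(marks, ends)]

def startup_review(text):
    """Collect IE settings (R sections) and programs launched at startup (O4)."""
    settings, autostart = [], []
    for code, body in split_entries(text):
        if code.startswith("R"):
            key, _, value = body.partition(" = ")
            settings.append((key, value))
        elif code == "O4":
            m = O4_REG.match(body) or O4_LNK.match(body)
            if m:
                autostart.append((m["where"], m["name"], m["cmd"]))
    return {"ie_settings": settings, "autostart": autostart}

if __name__ == "__main__":
    for section, rows in startup_review(SAMPLE).items():
        print(section)
        for row in rows:
            print("   ", " | ".join(row))
```
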
|
|
|
|
|
#15 |
|
Member (6 bit)
Join Date: Jul 2003
Location: Wilds of Arkansas
Posts: 35
|
wintomato, ET AL
Suggest you update CWShredder & run it again. It was just updated a couple of days ago to fix some particularly heinous mutations of this crapware. Same with HijackThis. Its latest version is 1.97.5. In HT you can go to Config.>Misc. Tools & update it from there. After you've run the updated shredder, post a new log with the updated HT.
__________________
There is something fascinating about science. One gets such wholesale returns of conjecture out of such a trifling investment of fact. Mark Twain |
|
|
|
|
|
#16 |
|
Registered User
Join Date: Apr 2001
Location: The Northland
Posts: 44
|
Oldkid is right. You should get the updated Spybot Search and destroy and run it. Have it fix all entries in red. Run the updated shredder and then download the updated HijackThis and post the log.
|
|
|
|
|
|
#17 |
|
Member (6 bit)
Join Date: Jul 2003
Location: Wilds of Arkansas
Posts: 35
|
Another thing--if you're still having trouble updating SSD, try using another mirror. UniDo (Europe) is usually swamped. There's an arrow next to UniDo that will reveal a drop down list of other sites. More info here:
http://www.net-integration.net/cgi-b...ST;f=28;t=6991 Another thing to remember is that with all of these tools you should have all other windows closed before you fix anything. Steve1 & everyone, hope you all don't mind me butting in on this. |
|
|
|
|
|
#18 | |
|
Registered User
Join Date: Apr 2001
Location: The Northland
Posts: 44
|
Quote:
|
|
|
|
|
|
|
#19 |
|
Member (7 bit)
Join Date: Jun 2003
Posts: 80
|
I too had a problem with searchv.com, but a scan by Housecall fixed everything.
Housecall is a free virus scanner on trendmicro.com. There apparently was a .exe in the C drive that would run to change things back to searchv.com on startup. |
|
|
|
|
|
#20 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
thanks everyone
I'll give it a go. I have been using the most up to date programs, but will give them all another go. I will post the list once I have done it. I assume there was nothing that I'd missed in the log i posted earlier in the thread. .. watch this space. |
|
|
|
|
|
#21 |
|
Shiro Usagi
Premium Member
Join Date: Sep 1999
Location: Kaneohe, Hawaii
Posts: 34,002
|
You might want to give SpywareBlaster and SpywareGuard a try. I've been using these utilities for the past few weeks and the amount of junk that ends up on my computers after being on-line has been reduced dramatically.
Cricket
|
|
|
|
|
|
#22 |
|
The Preacher Man
Premium Member
Join Date: Apr 2000
Location: Dallas
Posts: 4,710
|
Cricket, how do you run a "scan" using those?
|
|
|
|
|
|
#23 |
|
Member (8 bit)
Join Date: Jul 2002
Location: London
Posts: 157
|
Phew, I think I've done it. I was just about to post another message in desperation, I had run updated versions of Spybot, hijack this, and run spywareblaster and spyware guard and done an sfc /scannow which restored a couple of dlls, but the explorer was still running slow, then at the last moment I remembered to try cwshredder too, which I did, and I think it has solved it.
At last. CWShredder found just 2 infected files in IE and now it seems to be running ok. That's a hell of a list of things to do to get rid of these adtrackers. thanks for your help and suggestions everyone. |
|
|
|