how to clean c:\searchpage.html#1503

By cairo
May 8, 2004
Topic Status:
Not open for further replies.
  1. HEllo all,
    I am recently facing this problem, with always IE default page been set to c:\searchpage.html#1503, no matter how many times I change it.

    Well, I have used spybot, and fix those problems. As well as HijackThis to fix it. I clean all the registry values 'searchpage'. But, it keep coming back. annoying....

    I cleaned the file 'searchpage.html' in c drive, but once it back, I open IE and it popups a window and says, it can't find the file~!

    I post my log from HijackThis, hopes it may help.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:02:26 AM, on 9/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\www\Apache2\bin\Apache.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\www\Apache2\bin\Apache.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\deinst_qfe002.exe
    C:\Program Files\802.11 Wireless LAN\802.11b Wireless USB Adapter HW.00 V1.11\Wireless Configuration Utility HW.00.exe
    C:\Program Files\Microsoft Encarta\Encarta Reference Library 2003\EDICT.EXE
    C:\WINDOWS\System32\conime.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Documents and Settings\Jackson Wong\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msgr\mssearch.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TiKL] C:\WINDOWS\System32\tikl.exe
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Wireless Configuration Utility HW.00.lnk = %SystemRoot%\Installer\{1010B07F-99A1-4F8E-8CB7-AEA8FC8A587D}\NewShortcut3.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37793.8036111111
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E199566-1E52-4055-9969-D3BE605E7982}: NameServer = 132.234.250.10 132.234.1.1

    I just want to PERMANENTLY clean this annoying 'searchpage'. pls help.

    thnk
    Cairo
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Can Hijackthis fix the problems in the 013 - group?

    Check your Internet Explorer Options. What is your default-homepage?

    The MSPY002 in the 04-group looks suspicious to me. What is it?

    I also think you should install SP1 for IE6, and do an MS-update for IE-related stuff.
  3. cairo

    cairo Newcomer, in training Topic Starter Posts: 21

    Can Hijackthis fix the problems in the 013 - group?
    A: Yes and No. Yes, all of them, spybot and HijackThis said the problems are fixed. No, however, that "searchpage" keeps coming back.

    Check your Internet Explorer Options. What is your default-homepage?
    A: I changed it for many times, but my default homepage is changed back to "c:\searchpage.html#1503" everytime I reopen my IE.

    The MSPY002 in the 04-group looks suspicious to me. What is it?
    A: I dunno what is it.... What it is?

    I also think you should install SP1 for IE6, and do an MS-update for IE-related stuff.
    A: Thanks, I'll try.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Go here for instructions to remove thie culprit: TinyKeylogger (tikl.exe)
    http://www.kephyr.com/spywarescanner/library/tinykeylogger/index.phtml

    Then go into Regedit and browse to:
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL
    Change the value of key (Default) in DefaultPrefix to: http://
    Under key Prefixes:
    (Default) should be (value not set)
    ftp - ftp://
    gopher - gopher://
    change value of 3 keys "home, mosaic and www" to: http://

    MSPY002 is part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word, so should be OK for you.
  5. cairo

    cairo Newcomer, in training Topic Starter Posts: 21

    I think the problem has been fixed. So far so good...

    Well, thank you, realblackstuff !
  6. cairo

    cairo Newcomer, in training Topic Starter Posts: 21

    two minutes later.....

    I am back. Unfortunately, I went back to registry.... and all those searchpage value is back.

    Again, it's looking for c:/searchpage.html everytime I open IE.

    huh.... if I reinstall IE, does it help?
  7. Spike

    Spike Newcomer, in training Posts: 2,371

  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  9. cairo

    cairo Newcomer, in training Topic Starter Posts: 21

    thanks realblackstuff and spike,

    I have solved the annoying searchpage.html

    ok, for those who facing the same problem as I did, try the following website, http://www.wilderssecurity.com/showthread.php?p=163614

    The are some situation where we/re not the same, but go on and skip the steps. It helps.

    Good luck

    Cairo
  10. Marconey09

    Marconey09 Newcomer, in training Posts: 38

    Sounds kind of like you have a Virus.... :eek: You can fix that by reinstalling or just simply repairing Windows... Or whatever you have, that has happened to me so many times! It's worked all the time for me... It may or may not be a virus it may just be SPAM but you never know. I would just try it once and see if it works! Good luck! :grinthumb
  11. Marconey09

    Marconey09 Newcomer, in training Posts: 38

    Hahaha! Nevermind I didn't see what you said at the end. Forget what I said! But still it works! Hahaha. :grinthumb
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.