how to clean c:\searchpage.html#1503

[cairo]

HEllo all,
I am recently facing this problem, with always IE default page been set to c:\searchpage.html#1503, no matter how many times I change it.

Well, I have used spybot, and fix those problems. As well as HijackThis to fix it. I clean all the registry values 'searchpage'. But, it keep coming back. annoying....

I cleaned the file 'searchpage.html' in c drive, but once it back, I open IE and it popups a window and says, it can't find the file~!

I post my log from HijackThis, hopes it may help.

Logfile of HijackThis v1.97.7
Scan saved at 10:02:26 AM, on 9/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\www\Apache2\bin\Apache.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\www\Apache2\bin\Apache.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\deinst_qfe002.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless USB Adapter HW.00 V1.11\Wireless Configuration Utility HW.00.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library 2003\EDICT.EXE
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jackson Wong\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msgr\mssearch.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TiKL] C:\WINDOWS\System32\tikl.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless Configuration Utility HW.00.lnk = %SystemRoot%\Installer\{1010B07F-99A1-4F8E-8CB7-AEA8FC8A587D}\NewShortcut3.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37793.8036111111
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E199566-1E52-4055-9969-D3BE605E7982}: NameServer = 132.234.250.10 132.234.1.1

I just want to PERMANENTLY clean this annoying 'searchpage'. pls help.

thnk
Cairo

 

[RealBlackStuff]

Can Hijackthis fix the problems in the 013 - group?

Check your Internet Explorer Options. What is your default-homepage?

The MSPY002 in the 04-group looks suspicious to me. What is it?

I also think you should install SP1 for IE6, and do an MS-update for IE-related stuff.

 

[cairo]

Can Hijackthis fix the problems in the 013 - group?
A: Yes and No. Yes, all of them, spybot and HijackThis said the problems are fixed. No, however, that "searchpage" keeps coming back.

Check your Internet Explorer Options. What is your default-homepage?
A: I changed it for many times, but my default homepage is changed back to "c:\searchpage.html#1503" everytime I reopen my IE.

The MSPY002 in the 04-group looks suspicious to me. What is it?
A: I dunno what is it.... What it is?

I also think you should install SP1 for IE6, and do an MS-update for IE-related stuff.
A: Thanks, I'll try.

 

[RealBlackStuff]

Go here for instructions to remove thie culprit: TinyKeylogger (tikl.exe)
http://www.kephyr.com/spywarescanner/library/tinykeylogger/index.phtml

Then go into Regedit and browse to:
HKLM\Software\Microsoft\Windows\CurrentVersion\URL
Change the value of key (Default) in DefaultPrefix to: HTTP
Under key Prefixes:
(Default) should be (value not set)
ftp - ftp://
gopher - gopher://
change value of 3 keys "home, mosaic and www" to: HTTP

MSPY002 is part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word, so should be OK for you.

 

[cairo]

I think the problem has been fixed. So far so good...

Well, thank you, realblackstuff !

 

[cairo]

two minutes later.....

I am back. Unfortunately, I went back to registry.... and all those searchpage value is back.

Again, it's looking for c:/searchpage.html everytime I open IE.

huh.... if I reinstall IE, does it help?

 

[Spike]

Try following the thread here...

http://servicenews.symantec.com/cgi...ric.virus_corporate.general&next=20&tpre=ent&

Seems a little long-winded, but it also seems to have sone the job for a number of people.

 

[RealBlackStuff]

I see you have 2 instances of svchost.exe
Is one of them in normal letters and one in all CAPITALs?
If so, you have a different virus, the Blaster Worm.

Critical Security Patch for Windows XP

http://www.microsoft.com/downloads/...6c-c5b6-44ac-9532-3de40f69c074&displaylang=en


W32.Blaster.Worm Removal Tool

http://securityresponse.symantec.com/avcenter/FixBlast.exe

 

[cairo]

thanks realblackstuff and spike,

I have solved the annoying searchpage.html

ok, for those who facing the same problem as I did, try the following website, http://www.wilderssecurity.com/showthread.php?p=163614

The are some situation where we/re not the same, but go on and skip the steps. It helps.

Good luck

Cairo

 

[Marconey09]

Sounds kind of like you have a Virus.... You can fix that by reinstalling or just simply repairing Windows... Or whatever you have, that has happened to me so many times! It's worked all the time for me... It may or may not be a virus it may just be SPAM but you never know. I would just try it once and see if it works! Good luck! :grinthumb

 

[Marconey09]

Hahaha! Nevermind I didn't see what you said at the end. Forget what I said! But still it works! Hahaha. :grinthumb