[Trevuren]

1. Download "Registry Search Tool" (RegSrch.vbs) from HERE

2. Start it and paste in svchop.

3. Wait for it to complete the search, click ok at the prompt.

4. Then when wordpad opens, copy the text as a reply into this thread.

5. Then repeat the above procedure with the following name: shdochop

6. Please include both reports in the same post.

Regards,

Trevuren

[Advertisements]

Hi,

here are the results of the two searches.

jamesjj


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "svchop" 10/27/2005 9:24:33 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FH"="C:\\WINDOWS\\system32\\svchop.exe home"

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="svchop.exe"

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "shdochop" 10/27/2005 9:27:13 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://shdochop.dll/blank.html"

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="shdochop.dll"

[jamesjj]

Hi,

here are the results of the two searches.

jamesjj


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "svchop" 10/27/2005 9:24:33 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FH"="C:\\WINDOWS\\system32\\svchop.exe home"

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="svchop.exe"

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "shdochop" 10/27/2005 9:27:13 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://shdochop.dll/blank.html"

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="shdochop.dll"

[Trevuren]

1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop.

If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successfull.

2. Boot into Safe Mode

3. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FH"=-

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page"=-

[HKEY_USERS\S-1-5-21-643571872-1733290971-125703898-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"=-

4. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

5. Using Windows Explorer, please locate abd DELETE the following files:

shdochop.dll<==Search for this one using the Windows Search Function
C:\WINDOWS\system32\svchop.exe

6. Reboot your computer.

7. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

[jamesjj]

Hi,

I encountered some problems. When I got to step 4 and I tried to merge "fixme.reg" into the registry I got a message that said "Cannot import C:/Doc.... The specified file is not a registry script. You can only import binary registry files from within the registry editor." Therefore, I was unable to complete the instructions.
What should I do now?

jamesjj

[Trevuren]

What does the fixme.reg file look like on your desktop?

Is it a Notepad text file or a little blue cube?


Trevuren

[jamesjj]

The "fixme.reg" is a little white rectangle shape (probably represeting notepad) with a blue cube on top of it.
Hope this description helps.

jamesjj

[Trevuren]

1. I am not sure why it isn't merging.

2. What message(s) did you get when you tried to delete the following files while in Safe Mode:?

shdochop.dll<==Search for this one using the Windows Search Function
C:\WINDOWS\system32\svchop.exe

3. If they refuse to be deleted, please do a file Search and provide me with the complete path to the following file:

shdochop.dll



Regards,

Trevuren

[Trevuren]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.