Searchweb2 toolbars

Posted on 2004-11-04
Last Modified: 2010-04-11
I have a friend who is plagued by searchweb2 toolbars.
I have run ad-aware, No Adware and spybot to no avail.
The following Hijack This log was made in save mode, can anyone help me identify trhe culprit.

Regards John

Logfile of HijackThis v1.98.2
Scan saved at 17:30:49, on 04/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {16E8DFB1-123D-5E5E-0B12-405598751C9B} - C:\DOCUME~1\Jennifer\APPLIC~1\DELETE~1\KnobFast.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB774BC6-F0F4-4F61-AF89-AD2E94BF1A2C}: NameServer =

Question by:jcolles
    LVL 65

    Expert Comment

    Hello jcolles =)

    Use ToolbarCop to remove the unwanted Toolband, Toolbar Icons and BHO:
    LVL 65

    Assisted Solution

    And abt ur hijackthis log, well now u can Post ur logs at this site >>
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutoriol >>

    CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
    LVL 65

    Expert Comment

    And of course dont remember to use msconfig to untick unwanted progrmas as described here >>
    Also if u want u can Download these tools and install them:
    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    Stinger ==>

    Turn off ur System Restore before cleaning the system if its WinME\XP >>
    Then Run all of them one by one in safemode and delete everything they detect.
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on ur hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ?? :)
    LVL 4

    Expert Comment


    get rid of these 2
    that should help ;)
    LVL 12

    Accepted Solution


    Do not remove the following:
    It's part of Spybot Search and Destroy!

    Also, you may want to stop Knobfast.exe from running -
    using Task Manager to kill it.
    Then search your entire computer for any instances of it;
    and delete all that you find -
    this may have to be done in Safe Mode.

    Good luck!

    Author Comment

    I have tried to stop knobfast, but with no success.  Toolbarcop stops with a no access error
    as does hijack this if I try to remove it there.

    If I run process explorer, there are always at least 2 processes called 'iexplore.exe'.  If I kill one of these processes, the offending tooolbar dissapears, but the process immediately re-starts.   Am I right in thinking that this may be  the problem, and if so how do I get rid of it.
    Regards John

    LVL 65

    Expert Comment

    Open C;\Documents and Settings\Jennifer\Application Data folder and there you will some DELETE... folder... right ??
    You have to delete this folder, if you get Access Denied error then take its ownership and then delete it :)

    HOW TO: Take Ownership of a File or Folder in Windows XP:

    Note: If you cannot see the Security tab, then you will have to goto Explorer>Tools>Folder Options>View and untick Simple File Sharing, apply and now u shud get that tab in XP PRO !!
    For XP Home edition, you will have to boot into safemode and have to login as Administrator to access the Security tab, coz in xp home this tab cannot be visible to standard users !!
    LVL 10

    Expert Comment

    by:woodendude     removes all instances of websearch2.

    Author Comment

    Sorry about the long delay.   For a number of reasons I have not been able to get back to my customer to try your suggestions so at the moment she is living with the problem.   I hope to get there later this week and will let you know the outcome.
    LVL 65

    Expert Comment

    ok..... listening....! :)
    LVL 32

    Expert Comment

    by:Luc Franken

    Any update on this yet?


    Author Comment

    Apologies for not coming back to you.  I solved it about a week ago.
    That HJT analysis site is great, I took out everything it marked a nasty and finally the problem went.
    Thanks to all for your help.
    LVL 65

    Expert Comment

    cool :)

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Malicious software is nothing new. Viruses have been created and spread since before physical networks became popular; back then viruses spread via floppy disk and modem connections with shared systems. Viruses weren't so rampant and protecting your…
    Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
    Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now