  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11406

Searchweb2 toolbars

I have a friend who is plagued by searchweb2 toolbars.
I have run ad-aware, No Adware and spybot to no avail.
The following Hijack This log was made in safe mode, can anyone help me identify the culprit?

Regards John

Logfile of HijackThis v1.98.2
Scan saved at 17:30:49, on 04/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {16E8DFB1-123D-5E5E-0B12-405598751C9B} - C:\DOCUME~1\Jennifer\APPLIC~1\DELETE~1\KnobFast.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093599569937
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB774BC6-F0F4-4F61-AF89-AD2E94BF1A2C}: NameServer = 192.168.0.1

0
jcolles
Asked:
jcolles
2 Solutions
 
SheharyaarSaahilCommented:
Hello jcolles =)

Use ToolbarCop to remove the unwanted Toolband, Toolbar Icons and BHO:
http://windowsxp.mvps.org/toolbarcop.htm
0
 
SheharyaarSaahilCommented:
And abt ur hijackthis log, well now u can Post ur logs at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 
SheharyaarSaahilCommented:
And of course don't remember to use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Also if u want u can Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off ur System Restore before cleaning the system if its WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)
0
 
riotzCommented:
C:\DOCUME~1\Jennifer\APPLIC~1\DELETE~1\KnobFast.exe
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

get rid of these 2
that should help ;)
0
 
rossfingalCommented:
Hi!

Do not remove the following:
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
It's part of Spybot Search and Destroy!

Also, you may want to stop Knobfast.exe from running -
using Task Manager to kill it.
Then search your entire computer for any instances of it;
and delete all that you find -
this may have to be done in Safe Mode.

Good luck!
RF
0
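The triage discussed in the answers above can be written down as a small script. This is an added example, not part of the original thread or any poster's code. It parses the O2 (BHO) lines quoted from the log in the question and applies three heuristics chosen for this example (the function names and the two-reason threshold are assumptions):

```python
import re

# O2 lines copied from the HijackThis log in the question above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {16E8DFB1-123D-5E5E-0B12-405598751C9B} - C:\DOCUME~1\Jennifer\APPLIC~1\DELETE~1\KnobFast.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

# Per-user locations in long and 8.3 short form (heuristic for this example).
USER_DIRS = ("\\documents and settings\\", "\\docume~1\\",
             "\\application data\\", "\\applic~1\\")

def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line in the log."""
    matches = (BHO_LINE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(entry):
    """List the reasons an entry deserves research before it is fixed."""
    reasons = []
    path = entry["path"].lower()
    if entry["name"] == "(no name)":
        reasons.append("no registered name")
    if any(d in path for d in USER_DIRS):
        reasons.append("loads from a user profile directory")
    if path.endswith(".exe"):
        reasons.append("BHO target is an .exe, not an in-process DLL/OCX")
    return reasons

def review(log_text, min_reasons=2):
    """Map path -> reasons for entries meeting the threshold."""
    flagged = {}
    for entry in parse_bhos(log_text):
        reasons = triage(entry)
        if len(reasons) >= min_reasons:
            flagged[entry["path"]] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in review(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

With a threshold of two reasons, only KnobFast.exe is flagged; SDHelper.dll also shows "(no name)" but meets no other criterion, which is why a missing name alone is a weak signal.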
 
jcollesAuthor Commented:
I have tried to stop knobfast, but with no success.  Toolbarcop stops with a no access error
as does hijack this if I try to remove it there.

If I run process explorer, there are always at least 2 processes called 'iexplore.exe'.  If I kill one of these processes, the offending toolbar disappears, but the process immediately re-starts.   Am I right in thinking that this may be the problem, and if so how do I get rid of it?
Regards John

0
 
SheharyaarSaahilCommented:
Open C:\Documents and Settings\Jennifer\Application Data folder and there you will see some DELETE... folder... right ??
You have to delete this folder, if you get Access Denied error then take its ownership and then delete it :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

Note: If you cannot see the Security tab, then you will have to goto Explorer>Tools>Folder Options>View and untick Simple File Sharing, apply and now u shud get that tab in XP PRO !!
For XP Home edition, you will have to boot into safemode and have to login as Administrator to access the Security tab, coz in xp home this tab cannot be visible to standard users !!
0
 
woodendudeCommented:
http://www.searchweb2.com/help.html#uninstall     removes all instances of websearch2.
0
 
jcollesAuthor Commented:
Sorry about the long delay.   For a number of reasons I have not been able to get back to my customer to try your suggestions so at the moment she is living with the problem.   I hope to get there later this week and will let you know the outcome.
John
0
 
SheharyaarSaahilCommented:
ok..... listening....! :)
0
 
LucFCommented:
jcolles,

Any update on this yet?

LucF
0
 
jcollesAuthor Commented:
Apologies for not coming back to you.  I solved it about a week ago.
That HJT analysis site is great, I took out everything it marked as nasty and finally the problem went.
Thanks to all for your help.
0
 
SheharyaarSaahilCommented:
cool :)
0
