[solved]Please help me remove Searchweb2

[Roy Stannard]

undefinedCOLOR=Blue][/COLOR]

I have tried various spyware programmes (Adaware, Xoftspy; noadaware) to get rid of Searchweb2 - it's obviously a nightmare to get of.

Below is my Hijack this log - can someone with experience of this look at it and advise please.

Eternally grateful

Roy

Logfile of HijackThis v1.98.2
Scan saved at 11:33:56, on 07/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Axis Communications\Print System\TrayIcon.exe
C:\Program Files\Axis Communications\Print System\DriverScanner.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NoAdware\NoAdware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ROYSTA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.meqxpaeiljvgx.com/x4ygk4kcXNRROOURygJBb/brQryVmsQ4JuExd8VBtPmdtlxfGEvQWZcXFMf5cE1E.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0798B0BB-120A-A328-A890-0DF8CE9A6ACE} - C:\PROGRA~1\MEETEA~1\Funk real.exe
O2 - BHO: (no name) - {5C5B451D-8FD4-A770-FEA9-161E0A4FF202} - C:\PROGRA~1\MEETEA~1\Funk real.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AXIS Print System TrayIcon] C:\Program Files\Axis Communications\Print System\TrayIcon.exe
O4 - HKLM\..\Run: [AXIS Printer Driver Scanner] C:\Program Files\Axis Communications\Print System\DriverScanner.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe
O4 - HKLM\..\Run: [boreloadtypesoft] C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe
O4 - HKLM\..\Run: [One Ace Second Drive] C:\Documents and Settings\All Users\Application Data\mix memo one ace\cast poke.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.mediatel.co.uk/software/mapguide/cab/mgaxctrl.cab

Many thanks

Roy

 

[Byteman]

hi, You have a Lop infection...it seems this critter is spreading again after a nice timeout, lot's of posters sending logs in with this recently.

First make sure you have the following settings made:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Fix the following with HJT, have NO browser windows open, nothing but Hijackthis open, put checks into boxes next to each item in this list and the click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.meqxpaeiljvgx.com/x4ygk4...cXFMf5cE1E.html

O2 - BHO: (no name) - {0798B0BB-120A-A328-A890-0DF8CE9A6ACE} - C:\PROGRA~1\MEETEA~1\Funk real.exe


O2 - BHO: (no name) - {5C5B451D-8FD4-A770-FEA9-161E0A4FF202} - C:\PROGRA~1\MEETEA~1\Funk real.exe

O4 - HKLM\..\Run: [upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe

O4 - HKLM\..\Run: [boreloadtypesoft] C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe

O4 - HKLM\..\Run: [One Ace Second Drive] C:\Documents and Settings\All Users\Application Data\mix memo one ace\cast poke.exe

Now, follow the paths in Windows Explorer and find each file below and delete them

C:\PROGRA~1\MEETEA~1\Funk real.exe <---this file at end

C:\PROGRA~1\PROXYB~1\tool trust.exe < etc

C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe <etc

Now boot to Safe Mode--tap the F8 key several time repeatedly and you will get a menu choose Safe Mode by

using |
the keyboard down arrow \|/


You should also complete these steps:

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\administrator\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

And then delete these folders:

C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load <-----this folder

C:\PROGRA~1\MEETEA~1 <--these will be longer names

C:\PROGRA~1\PROXYB~1 <longer name but you will see it.

Reboot, and post a new HJT log.

 

[Roy Stannard]

Hi Byteman

Thanks for your good advice.

Incidentally, I got rid of mist of the intrusive malware by uninstalling it at http://www.lop.com/new_uninstall.exe after disabling the security and putting temporarily in Trusted Sites.

This worked.

However I then followed your instructions to get rid of what remained and the log below is the the new HJT log.

Thankyou for taking the time out to do this. Really appreciated.

Roy Stannard

Logfile of HijackThis v1.98.2
Scan saved at 09:09:42, on 08/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Axis Communications\Print System\TrayIcon.exe
C:\Program Files\Axis Communications\Print System\DriverScanner.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Roy Stannard\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.splashfm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AXIS Print System TrayIcon] C:\Program Files\Axis Communications\Print System\TrayIcon.exe
O4 - HKLM\..\Run: [AXIS Printer Driver Scanner] C:\Program Files\Axis Communications\Print System\DriverScanner.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.mediatel.co.uk/software/mapguide/cab/mgaxctrl.cab

 

[Byteman]

Clean! Good work and thanks for reporting on the uninstaller for Lop.

 

[Roy Stannard]

The machine is still clean, but there is a residual problem of AVG flagging up virus-infected files in the System Volume Information\_restore folder which appears empty but a different file pops up on screen every hour or so.

Is there a quick clean solution?

one of the latest was in the file:

C:\system volume information \_restore{77BD54D2-7CCA-8CAA-8C8E-7D477D861/E733\RP415\A0091588.exe

Any advice?

Roy

 

[Byteman]

You must disable System Restore to remove all the infected files>

""By default, Windows prevents System Restore from being modified by outside programs""

doing this is safe but it does remove all your old Restore Points> no need for them anyway, as using one will just put back the junk> see below for directions and details:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

 

[Roy Stannard]

Doh!

Thanks Byteman - you have been helpful beyond the call of duty.
I can get back to running the radio station - check out www.splashfm.com

Many, many thanks

Roy

 

[Byteman]

You're very welcome!