
[solved]Please help me remove Searchweb2

Discussion in 'Virus & Other Malware Removal' started by Roy Stannard, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. Roy Stannard

    Roy Stannard Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4

    I have tried various spyware programmes (Adaware, Xoftspy, NoAdware) to get rid of Searchweb2 - it's obviously a nightmare to get rid of.

    Below is my Hijack this log - can someone with experience of this look at it and advise please.

    Eternally grateful

    Roy

    Logfile of HijackThis v1.98.2
    Scan saved at 11:33:56, on 07/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Axis Communications\Print System\TrayIcon.exe
    C:\Program Files\Axis Communications\Print System\DriverScanner.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NoAdware\NoAdware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\ROYSTA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.meqxpaeiljvgx.com/x4ygk4kcXNRROOURygJBb/brQryVmsQ4JuExd8VBtPmdtlxfGEvQWZcXFMf5cE1E.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0798B0BB-120A-A328-A890-0DF8CE9A6ACE} - C:\PROGRA~1\MEETEA~1\Funk real.exe
    O2 - BHO: (no name) - {5C5B451D-8FD4-A770-FEA9-161E0A4FF202} - C:\PROGRA~1\MEETEA~1\Funk real.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [AXIS Print System TrayIcon] C:\Program Files\Axis Communications\Print System\TrayIcon.exe
    O4 - HKLM\..\Run: [AXIS Printer Driver Scanner] C:\Program Files\Axis Communications\Print System\DriverScanner.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe
    O4 - HKLM\..\Run: [boreloadtypesoft] C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe
    O4 - HKLM\..\Run: [One Ace Second Drive] C:\Documents and Settings\All Users\Application Data\mix memo one ace\cast poke.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.mediatel.co.uk/software/mapguide/cab/mgaxctrl.cab

    Many thanks

    Roy
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, you have a Lop infection...it seems this critter is spreading again after a nice timeout, lots of posters sending logs in with this recently.

    First make sure you have the following settings made:

    Fix the following with HJT. Have NO browser windows open, nothing but HijackThis open, put checks into the boxes next to each item in this list and then click "Fix checked".

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.meqxpaeiljvgx.com/x4ygk4...cXFMf5cE1E.html

    O2 - BHO: (no name) - {0798B0BB-120A-A328-A890-0DF8CE9A6ACE} - C:\PROGRA~1\MEETEA~1\Funk real.exe


    O2 - BHO: (no name) - {5C5B451D-8FD4-A770-FEA9-161E0A4FF202} - C:\PROGRA~1\MEETEA~1\Funk real.exe

    O4 - HKLM\..\Run: [upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe

    O4 - HKLM\..\Run: [boreloadtypesoft] C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe

    O4 - HKLM\..\Run: [One Ace Second Drive] C:\Documents and Settings\All Users\Application Data\mix memo one ace\cast poke.exe

    Now, follow the paths in Windows Explorer and find each file below and delete them

    C:\PROGRA~1\MEETEA~1\Funk real.exe <---this file at end

    C:\PROGRA~1\PROXYB~1\tool trust.exe < etc

    C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe <etc

    Now boot to Safe Mode--tap the F8 key several times repeatedly and you will get a menu; choose Safe Mode using the keyboard down arrow.


    You should also complete these steps:



    And then delete these folders:

    C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load <-----this folder

    C:\PROGRA~1\MEETEA~1 <--these will be longer names

    C:\PROGRA~1\PROXYB~1 <longer name but you will see it.

    Reboot, and post a new HJT log.
     
  3. Roy Stannard

    Roy Stannard Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4


    Hi Byteman

    Thanks for your good advice.

    Incidentally, I got rid of most of the intrusive malware by uninstalling it at http://www.lop.com/new_uninstall.exe after disabling the security and putting it temporarily in Trusted Sites.

    This worked.

    However, I then followed your instructions to get rid of what remained and the log below is the new HJT log.

    Thank you for taking the time out to do this. Really appreciated.

    Roy Stannard

    Logfile of HijackThis v1.98.2
    Scan saved at 09:09:42, on 08/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Axis Communications\Print System\TrayIcon.exe
    C:\Program Files\Axis Communications\Print System\DriverScanner.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Roy Stannard\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.splashfm.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [AXIS Print System TrayIcon] C:\Program Files\Axis Communications\Print System\TrayIcon.exe
    O4 - HKLM\..\Run: [AXIS Printer Driver Scanner] C:\Program Files\Axis Communications\Print System\DriverScanner.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.mediatel.co.uk/software/mapguide/cab/mgaxctrl.cab
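Byteman's procedure in post 2 and the clean log in post 3 amount to a before/after comparison of two HijackThis scans: the entries he had Roy fix are exactly the lines that disappear between the two logs. The Python below is an added example, not code from this thread or from HijackThis: it parses logs in the HJT v1.98 layout shown above, diffs two scans section by section, and applies two triage heuristics that are my own assumption (BHOs registered with no name, and autoruns launched from All Users\Application Data). The two embedded logs are constructed excerpts of the ones posted in this thread, with the process list and unrelated entries trimmed.

```python
import re

# One HijackThis entry: a section prefix (R0, O2, O4, O16 ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Group a HijackThis v1.98-style log into {section: [entry body, ...]}.

    Lines under "Running processes:" are collected in the pseudo-section
    "PROC"; every other recognised line is keyed by its HJT prefix.
    """
    sections = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line closes the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            sections.setdefault("PROC", []).append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group("kind"), []).append(m.group("body"))
    return sections


def diff_hjt(before_text, after_text):
    """Return (removed, added): (section, entry) pairs gone from, or new in, the second scan."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = [], []
    for kind in sorted(set(before) | set(after)):
        b, a = before.get(kind, []), after.get(kind, [])
        removed += [(kind, e) for e in b if e not in a]
        added += [(kind, e) for e in a if e not in b]
    return removed, added


def suspicious(sections):
    """Two triage heuristics (my assumption for this example, not an HJT rule):
    BHOs registered with no name, and autoruns launched out of
    All Users\\Application Data, where no ordinary installer keeps its main exe.
    """
    hits = [("O2", b) for b in sections.get("O2", []) if b.startswith("BHO: (no name)")]
    hits += [("O4", b) for b in sections.get("O4", [])
             if "\\all users\\application data\\" in b.lower()]
    return hits


# Constructed excerpts of the two logs posted in this thread (trimmed).
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Scan saved at 11:33:56, on 07/09/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NoAdware\NoAdware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.meqxpaeiljvgx.com/x4ygk4kcXNRROOURygJBb/brQryVmsQ4JuExd8VBtPmdtlxfGEvQWZcXFMf5cE1E.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0798B0BB-120A-A328-A890-0DF8CE9A6ACE} - C:\PROGRA~1\MEETEA~1\Funk real.exe
O2 - BHO: (no name) - {5C5B451D-8FD4-A770-FEA9-161E0A4FF202} - C:\PROGRA~1\MEETEA~1\Funk real.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe
O4 - HKLM\..\Run: [boreloadtypesoft] C:\Documents and Settings\All Users\Application Data\Remote Axis Bore Load\typemeow.exe
O4 - HKLM\..\Run: [One Ace Second Drive] C:\Documents and Settings\All Users\Application Data\mix memo one ace\cast poke.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 09:09:42, on 08/09/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.splashfm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Flagged in first scan:")
    for kind, body in suspicious(parse_hjt(LOG_BEFORE)):
        print(f"  {kind} - {body}")
    print("Removed between scans:")
    for kind, body in removed:
        print(f"  {kind} - {body}")
    print("Added between scans:")
    for kind, body in added:
        print(f"  {kind} - {body}")
```

Two things worth noticing in the output. The heuristics flag four of the five entries Byteman listed but miss `[upload style] C:\PROGRA~1\PROXYB~1\tool trust.exe`, which lives under Program Files like any legitimate application; a name-based rule will never be the whole story, so the diff against the pre-cleanup scan is the real record of what was removed. And the diff reports the Start Page change (google.co.uk to splashfm.com) and the process-list churn (NoAdware gone, wuauclt.exe now running) as removed/added too, which are ordinary user and system activity rather than malware, so the diff is a checklist to read, not a verdict.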
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Clean! Good work and thanks for reporting on the uninstaller for Lop.
     
  5. Roy Stannard

    Roy Stannard Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4


    The machine is still clean, but there is a residual problem of AVG flagging up virus-infected files in the System Volume Information\_restore folder which appears empty but a different file pops up on screen every hour or so.

    Is there a quick clean solution?

    one of the latest was in the file:

    C:\system volume information \_restore{77BD54D2-7CCA-8CAA-8C8E-7D477D861/E733\RP415\A0091588.exe

    Any advice?

    Roy
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
  7. Roy Stannard

    Roy Stannard Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4
    Doh!

    Thanks Byteman - you have been helpful beyond the call of duty.
    I can get back to running the radio station - check out www.splashfm.com

    Many, many thanks

    Roy
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    You're very welcome!
     
Short URL to this thread: https://techguy.org/271141
