searchweb2 removal help

 
 
Reply Sun 7 Nov, 2004 07:04 pm
Hi,

Desperately need help getting rid of this toolbar crap. This thing doesn't seem to want to go away.

Your help is appreciated.
Thanks

Fred


Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 8:02:46 PM, on 11/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\george\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obyyvpentdfvtzynk.net/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY2ix3kn5U7rsv4mf_fLoVJI.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E72A0314-BE5E-2A9B-41D9-7CC5DC4409F2} - C:\PROGRA~1\SHOWSE~1\Gram meta.exe (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.506087963
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Don77
Reply Tue 9 Nov, 2004 05:49 am
Hi Fred and welcome to A2K,

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obyyvpentdfvtzynk.net/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY2ix3kn5U7rsv4mf_fLoVJI.htm
O2 - BHO: (no name) - {E72A0314-BE5E-2A9B-41D9-7CC5DC4409F2} - C:\PROGRA~1\SHOWSE~1\Gram meta.exe (file missing)
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe

Next, reboot to safe mode (by tapping the F8 key on start up). Make sure you can view all Hidden Files/Folders, then search for and delete the following in BOLD:
winservicess.exe
winfix3.exe

C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe << delete the folder

Restart your computer,
Restart HJT and post back a fresh log please

fred12345
Reply Tue 9 Nov, 2004 06:38 pm
More help please
I've gotten to safe mode but this is stuff I have not seen before. Can I get simple instructions for this, please? I did the first stuff, but deleting those bold things I have no clue.

Thanks for your time.

timberlandko
Reply Tue 9 Nov, 2004 06:57 pm
In safemode, with View All/View Hidden Files/Folders enabled per the link in Don's post above,
Click on Start >Search > Search All Files/Folders
enter winservicess.exe into the "All or part of file name" box, then click "Search" and wait while the search runs. When found, the file will appear in a line over in the right-hand pane of your Search window. Right-click the filename over there, and select-and-confirm "Delete". Do the same for winfix3.exe. For \Surf Obj Mp3.exe, delete not just the file, but also the folder containing that file.

Then reboot and continue following Don's instructions.

fred12345
Reply Tue 9 Nov, 2004 10:06 pm
Blue toolbar
Thanks, will try it with some help on my end. Is there more to the file than just winservices.exe? Search found this file winservicess.exe in folder C:\Documents and Settings\george... ? Is that what I look for? Search found Surf Obj Mp3 in four spots in the computer. It is in HJT folder, drwtsn32 (this is Dr. Watson file?) for all users, C:\Documents and Settings\George and same for Sue and same for Caitlin. I have XP Home with four users. I just did the HJT thing, have not done the safe mode search yet. Sorry, not great with this kind of computer workings. Will I have to do everyone or will we get this out of the whole computer?

Thank you a lot
Fred12345

Logfile of HijackThis v1.97.7
Scan saved at 10:35:13 PM, on 11/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\george\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.506087963
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

timberlandko
Reply Tue 9 Nov, 2004 10:48 pm
You've gotta get rid of all instances of those two files, and all instances of that folder ... for every user on the machine. Then empty your recycle bin and all your Temp folders.

Oh, BTW ... Are you unsure how to get into safemode?

fred12345
Reply Tue 9 Nov, 2004 11:06 pm
safe mode
Thanks

I just tap the F8 button as the machine is firing up, scroll with arrow keys and let it sign on with a funny screen and do search. I am not too sure about this searching hidden files. How long do I let it search, and do I get rid of HJT file and the Norton file containing the bad guys? I will do all users the same, looking for the same files including the R1 file which changes every time I HJT scan.

Thank You
Fred

fred12345
Reply Tue 9 Nov, 2004 11:13 pm
More questions
Sorry, I meant Dr Watson file, not Norton. I am getting icons for backups-200411; do I delete these now as well?

Fred

timberlandko
Reply Tue 9 Nov, 2004 11:18 pm
I wouldn't be too concerned about instances of 'em in Norton or HJT. You might wanna go into Norton's Quarantine file and delete 'em from there in normal fashion, if you can.

The "Hidden Folders Thing" is this: Click Start.

Open My Computer. Select Tools >Options>View Tab.

Under "Hidden files and folders", select "Show hidden files and folders", uncheck "Hide protected operating system files (recommended)", click "Yes" to confirm, then click "OK" to apply, then enter your search term and start your search. A search can take a while. As long as the little magnifying glass is movin' around, your machine isn't hung. Just be patient.

fred12345
Reply Tue 9 Nov, 2004 11:28 pm
Trying to rid blue tool bar
When I go MIE, tools, privacy, settings, I was getting lop and searchweb showing under allowed sites. Will that be fixed too? They're the problem here, right?

You are a great help, Thanks.

timberlandko
Reply Wed 10 Nov, 2004 12:00 am
My advice would be to disable System Restore; you will lose your previous restore points, but you won't reinfect your machine by restoring it to an infected state. Some folks argue otherwise.

What we're tryin' to do here is get rid of your hijackers, yup, and lop and searchweb are your main hijackers. It can be tedious, but it can be done.

I haven't looked at your HJT log yet ... wanna try to get rid of some of the worst stuff before we start tweakin' things.

I dunno if I'll be able to get back to you yet this evenin', but I'll try ... and if not, somebody else oughtta be along. Don is good, Craven de Kere is good, Monger is good ... couple other folks, too. Be careful, though, anyone can post just about anything they want, whether they know what they're doin' or not - and lotsa the puppies haven't a clue. Beware of newbies ... they ain't necessarily bad, but there's no track record to check ... and remember what free advice is worth :wink:

fred12345
Reply Wed 10 Nov, 2004 12:49 am
Blue no more?
I really want to thank you? Seems to be working? See attached Log. Please get back to me about any other stuff you see.

Fred12345

Logfile of HijackThis v1.97.7
Scan saved at 1:43:50 AM, on 11/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\george\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.506087963
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

fred12345
Reply Wed 10 Nov, 2004 01:05 am
What did I miss?
Look who is back.

I must have missed something.

Fred

Logfile of HijackThis v1.97.7
Scan saved at 2:05:28 AM, on 11/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\george\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bhnxqswrcjvpuscnzkjjw.com/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY0cIQ7jfaaXKf4mf_fLoVJI.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BCE9F6B2-2380-2EC3-17E0-67231891913E} - C:\DOCUME~1\george\APPLIC~1\SHOWSE~1\Gram meta.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [uploadcityacecamp] C:\Documents and Settings\All Users\Application Data\Option glue upload city\Cool slow.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.506087963
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Don77
Reply Wed 10 Nov, 2004 05:45 am
Hi Fred,
Let's attack this from another route.

Please see this Post. We need to get you the updated version of HJT. After you have downloaded the latest version of HJT, remove the old version please.

Follow the steps outlined in the post. If you can, please log on as Administrator to perform this.

In the section for cleaning out your Temp Folders, Be sure and empty your Recycle Bin as well,
Simply Right Click on the Recycle Bin, Choose Empty Recycle Bin,

While still in safe mode,

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bhnxqswrcjvpuscnzkjjw.com/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY0cIQ7jfaaXKf4mf_fLoVJI.html
O4 - HKLM\..\Run: [uploadcityacecamp] C:\Documents and Settings\All Users\Application Data\Option glue upload city\Cool slow.exe
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe

Make sure you can view all Hidden Files/Folders, then search for and delete the following in BOLD:
C:\Documents and Settings\All Users\Application Data\Option glue upload city\Cool slow.exe

C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe


As Timber said, please remove all instances of the above files and the folder that the file is sitting in, and again empty your recycle bin.

Restart your computer and post back a fresh log please,


Fred, this hijacker can be a pain, so it may take a few run throughs to get it,
0 Replies
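An added example, not part of any poster's reply: comparing successive HijackThis scans to see which fixed entries came back. The R1 URL and the BHO CLSID in this thread differ between scans, so exact-line matching misses them; the `stable_key` normalisation below is an assumption of this example, not HijackThis behaviour, and the sample lines are excerpts from the logs posted above.

```python
import re

# HijackThis result lines have the form "<section> - <details>".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def stable_key(section, body):
    """Reduce an entry to the part that stays constant when the hijacker
    rotates its URL, CLSID or install folder (heuristic, example only)."""
    if section.startswith("R"):
        # "HKCU\...\Main,Search Bar = http://..." -> registry value only
        return section + "|" + body.split(" = ", 1)[0].lower()
    if section == "O2":
        # "BHO: name - {CLSID} - path" -> file name of the helper object
        path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        return "O2|" + path.rsplit("\\", 1)[-1].lower()
    if section == "O4":
        # "HKLM\..\Run: [name] command" -> autorun key plus value name
        m = re.match(r"(.+?): \[(.+?)\]", body)
        if m:
            return ("O4|" + m.group(1) + "|" + m.group(2)).lower().replace("o4|", "O4|", 1)
    return section + "|" + body.lower()

def parse_log(text):
    """Map stable key -> original line; header and process lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[stable_key(m.group(1), m.group(2))] = line.strip()
    return entries

def compare(fixed_text, clean_text, later_text):
    """Return (reappeared, brand_new) entries of the later scan."""
    fixed, clean, later = (parse_log(t) for t in (fixed_text, clean_text, later_text))
    reappeared = {k: v for k, v in later.items() if k in fixed and k not in clean}
    brand_new = {k: v for k, v in later.items() if k not in fixed and k not in clean}
    return reappeared, brand_new

# Entries the first reply asked to fix (copied from the thread).
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obyyvpentdfvtzynk.net/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY2ix3kn5U7rsv4mf_fLoVJI.htm
O2 - BHO: (no name) - {E72A0314-BE5E-2A9B-41D9-7CC5DC4409F2} - C:\PROGRA~1\SHOWSE~1\Gram meta.exe (file missing)
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe
"""

# Excerpt of the 1:43:50 AM scan (after cleaning).
CLEAN_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Excerpt of the 2:05:28 AM scan (hijacker back).
LATER_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bhnxqswrcjvpuscnzkjjw.com/NGGmp81hkDTWFVvz6F/m8/rvSH5bM7gP1ypOo7hQrY0cIQ7jfaaXKf4mf_fLoVJI.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BCE9F6B2-2380-2EC3-17E0-67231891913E} - C:\DOCUME~1\george\APPLIC~1\SHOWSE~1\Gram meta.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [uploadcityacecamp] C:\Documents and Settings\All Users\Application Data\Option glue upload city\Cool slow.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eggs 2] C:\DOCUME~1\george\APPLIC~1\BOLDDA~1\Surf Obj Mp3.exe
"""

if __name__ == "__main__":
    back, new = compare(FIXED, CLEAN_SCAN, LATER_SCAN)
    for label, group in (("REAPPEARED", back), ("NEW", new)):
        for line in group.values():
            print(label, line)
```

Entries that reappear under a different URL, CLSID or folder after a clean scan indicate that something not listed in the fixed set is reinstalling them.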
 
fred12345
Reply Wed 10 Nov, 2004 10:27 am
Oh boy, blue tool bar
This is great help, but I am an unranked amateur. Sorry, new to computers.
Q's from me. How to do's
1 Log on as administrator?
2 Empty temp files? (MIE>tools>Internet options>general>Temp IF>delete>ok)
I am trying to learn fast, maybe too fast. Please keep it simple.

I am trying to follow everything.

Fred

fred12345
Reply Wed 10 Nov, 2004 10:38 am
Computer Administrator
Don
I like your picture under your name, it fits what I am doing.
I went start>Control panel>User accounts> it appears all four users are administrators. So I should be able to work from my account?

Fred

timberlandko
Reply Wed 10 Nov, 2004 10:56 am
After you boot into safemode, you should be presented with a logon screen listing all users plus "Administrator". The reason to log in as "Administrator" is that other users may not have full administrational privileges on that machine.


Yeah, you wanna empty your IE cache, which is what you're doin there in IE>Tools. You wanna empty ALL Temp files, though.

Open your root drive - Right-click "My Computer", select "Explore". Navigate down the tree to your root drive (the drive Windows is on - usually C:), find the folder named "Temporary Files", open that folder, select all contents, and delete. Delete just the contents in this instance, not the folder. Close the folder. Then navigate a bit further down the tree to your Windows folder, open it, and find \Windows\Temp. Open that folder, select all contents, and delete. Again, in this instance, delete just the contents of the folder, not the folder itself.

When you've emptied the folders and gotten rid of the other files and folders you've been instructed to delete, empty your recycle bin and reboot.

It is possible some files may not wanna let you delete them. If so, please report back with the full path and name of any that put up a fight.

speedyshoes43
Reply Thu 11 Nov, 2004 06:39 pm
Another tip?
Hey Fred*

It was great to see that you're hopefully getting some help with getting rid of the dumb toolbar! I was doing some more research for you and came across several different ideas, but it looks like the person writing on this site is doing a pretty good job; many of the things I came across he's already mentioned. I'll keep looking stuff up. If all this is unsuccessful, lemme know!

Good luck, and way to go with your expert computer skills!

Craig