CastleCops, Internet Crime Fighters

searchweb2 problems
binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Fri Jun 04, 2004 10:41 pm    Post subject: searchweb2 problems

Hi, I'm new here. I've been having problems with some spyware that displays pop-ups and redirects me to http://searchweb2.com. I've scanned my computer with Adaware and Spybot, and then someone recommended HijackThis, so I decided to give it a go. I removed all the files which had the name searchweb2 in them, but it wasn't enough. Can someone tell me which files I need to remove?


Logfile of HijackThis v1.97.7
Scan saved at 22:30:39, on 4.6.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\DEBUGO~1\AMOK SPAM.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index.html?http://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://starfsmenn.hafnarfjordur.domain/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C279AEAA-F059-4D0A-3EF4-25CAA36B078A} - C:\PROGRA~1\prochope\MAPI SEND.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [blehbait] C:\PROGRA~1\DEBUGO~1\AMOK SPAM.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O14 - IERESET.INF: START_PAGE_URL=https://starfsmenn.hafnarfjordur.domain/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain

binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sat Jun 05, 2004 12:54 pm    Post subject:

bump, anyone?

binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sat Jun 05, 2004 11:17 pm    Post subject:

bump...

binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sun Jun 06, 2004 12:36 pm    Post subject:

bump

binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sun Jun 06, 2004 10:38 pm    Post subject:

bump, anyone? plz

stoofovski
Cadet
Joined: Jun 12, 2004
Posts: 2
PostPosted: Sat Jun 12, 2004 12:21 pm    Post subject:

Hello man, I've registered on this server just to post you a reply ^^

I was having the same problem and it was killing me, so I googled and found a solution (and found your post that way too).
Download and run this http://www.lop.com/new_uninstall.exe and all your problems will go away!! It only takes like 1 sec and all the annoying stuff is gone!!! I'm so totally happy I finally got rid of it!!!!

take care


~M

binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sat Jun 12, 2004 1:59 pm    Post subject:

Thanks man, that worked like a charm. No annoying browser hijacks and toolbars for me. Thanks again :)

Bulldog
General, Premium Member (MVP Premium)
Joined: Nov 16, 2003
Posts: 4375
Location: Canada
PostPosted: Sat Jun 12, 2004 2:26 pm    Post subject:

Sorry we didn't get to you sooner. Busy place here.

Good job.

You should do these now as well though:

Go to Add/remove programs and remove:
"Window Search"
You may be given a security code to insert, do so
And reboot when done.

Then download and run these uninstallers:
1. New_uninstall.exe <-- you have done this one. :)
2. Toolbar_uninstall.exe

Find and delete the two empty folders in
program files that start with these letters:
"DEBUGO........." and "prochope"

Have a read here:
So how did I get infected in the first place?


_________________
Cheers.
binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sat Jun 12, 2004 2:37 pm    Post subject: ok

OK, I downloaded those uninstallers, but they found nothing. I deleted some folders from Program Files called DEBUGO... and prochope, but I saw another folder I don't know what is; it's called "heart hope proc" and it has one file called "defy real boob.dat". It's the only unusual file I see now. Should I delete it, or is it safe?

Here is my current HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 14:37:20, on 12.6.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hafnarfjordur.is/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hafnarfjordur.is/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://starfsmenn.hafnarfjordur.domain/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Research (HKLM)
O14 - IERESET.INF: START_PAGE_URL=https://starfsmenn.hafnarfjordur.domain/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\Software\..\Telephony: DomainName = hafnarfjordur.domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D111858-510A-48E4-B091-16FB5658BC71}: NameServer = 213.176.128.51 213.176.128.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain



Thanks for the help

Bulldog
General, Premium Member (MVP Premium)
Joined: Nov 16, 2003
Posts: 4375
Location: Canada
PostPosted: Sat Jun 12, 2004 2:51 pm    Post subject:

Not sure about that folder and file, but it certainly doesn't sound legit nor native to Windows.

To be on the safe side, just rename the folder. If in a week or so you have received no errors, you can deduce that it would be safe to delete.

Can you please locate this file for us:
C:\WINDOWS\Downloaded Program Files\SbCIe028.dll <-- file
Right click > send to > compressed (zipped) folder.
Then attach the zip to your next reply here.
Thanks.


_________________
Cheers.
binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sat Jun 12, 2004 2:58 pm    Post subject: here is the file

Here it is. I couldn't find it by exploring the Downloaded Program Files folder, so I had to copy "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" into the address bar and download it from Downloaded Program Files to the desktop, but here it is.

Bulldog
General, Premium Member (MVP Premium)
Joined: Nov 16, 2003
Posts: 4375
Location: Canada
PostPosted: Sat Jun 12, 2004 3:22 pm    Post subject:

Moved to unknown files forum.

Thanks.

It belongs to SideStep and is a bit newer version of:
CastleCops Link/tk85-SbCIe026_dll_SbCIe0261_dll.html

Classified *O* as in open for debate if Ad/Spyware or not.

If you didn't wittingly install it I would have it fixed:

In Hijack This, check the following item, then close all browser windows, and press "Fix Checked":

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

Reboot.


_________________
Cheers.
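As an added example (not code from this thread, from HijackThis, or from CastleCops), a small Python triage pass over log lines of the kind posted above: it parses the R*/O* entries and flags a start page pointing at a host outside a trusted list, a BHO whose CLSID is not on a known-good list, and a Run entry with no full path. The six sample lines are copied from the first log in this thread; the trusted-host and known-good-BHO lists are assumptions a helper would maintain.

```python
import re
from urllib.parse import urlparse

# Constructed sample: six entries copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index.html?http://about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C279AEAA-F059-4D0A-3EF4-25CAA36B078A} - C:\PROGRA~1\prochope\MAPI SEND.dll
O4 - HKLM\..\Run: [blehbait] C:\PROGRA~1\DEBUGO~1\AMOK SPAM.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
"""

# Assumed baselines a helper would keep: the user's legitimate home-page hosts and
# BHO CLSIDs already identified as benign (Spybot's SDHelper CLSID appears in the thread).
TRUSTED_HOME_HOSTS = {"www.hafnarfjordur.is", "starfsmenn.hafnarfjordur.domain"}
KNOWN_GOOD_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_entries(log_text):
    """Yield (section, body) for every R*/O* line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(log_text):
    """Return [(section, reason, body)] for the entries a helper should look at first."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host not in TRUSTED_HOME_HOSTS:
                findings.append((sec, f"start page points at untrusted host {host}", body))
        elif sec == "O2":
            m = CLSID_RE.search(body)
            if m and m.group(0).upper() not in KNOWN_GOOD_BHO:
                findings.append((sec, f"BHO {m.group(0)} not in known-good list", body))
        elif sec == "O4":
            m = RUN_RE.search(body)
            # A bare file name is resolved through the search path, so the log alone
            # cannot confirm which binary actually runs at logon.
            if m and "\\" not in m.group("cmd"):
                findings.append((sec, f"Run entry [{m.group('name')}] has no full path", body))
    return findings
```

On the sample above the pass reports the searchweb2.com start page, the prochope BHO and the path-less CARPService entry, and stays silent on the Spybot helper.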
binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sun Jun 13, 2004 12:35 am    Post subject:

OK, I removed that BHO. Here's my log now

Logfile of HijackThis v1.97.7
Scan saved at 00:33:20, on 13.6.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hafnarfjordur.is/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hafnarfjordur.is/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://starfsmenn.hafnarfjordur.domain/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Research (HKLM)
O14 - IERESET.INF: START_PAGE_URL=https://starfsmenn.hafnarfjordur.domain/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\Software\..\Telephony: DomainName = hafnarfjordur.domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hafnarfjordur.domain


PS: This all started when I installed Messenger Plus! 3. I didn't pay much attention during the installation process and didn't say I didn't want the sponsor program. Is it OK to install Messenger Plus and select the option to install without the sponsor, or should I just not install it?

Bulldog
General, Premium Member (MVP Premium)
Joined: Nov 16, 2003
Posts: 4375
Location: Canada
PostPosted: Sun Jun 13, 2004 1:55 am    Post subject:

binni wrote:
PS: This all started when I installed Messenger Plus! 3. I didn't pay much attention during the installation process and didn't say I didn't want the sponsor program. Is it OK to install Messenger Plus and select the option to install without the sponsor, or should I just not install it?


Yes ^^ uncheck it during install.

Log looks good to go. Any issues remaining or can we close this thread up ?
Thanks.


_________________
Cheers.
binni
Trooper
Joined: Jun 04, 2004
Posts: 17
Location: USA
PostPosted: Sun Jun 13, 2004 5:25 pm    Post subject: thanx
Nope, there's nothing else that needs fixing on my computer. Thank you very much for all the help :)

Page 1 of 2