52 replies to this topic

[nomininolife]

This program takes no notice of msconfig, it makes itself work again, you have to get to the root of it.

System restore is of no use in this situation.


David

[miniEgg]

I think he has already said that he ran the Add/remove program and it removed the program but not the reg entry which is causing the problem

[mek0n]

Malwarebytes.org, download it and it will remove the issue. Have just hasd the same issue on acustomers PC and the latest update removes it.

[DJ T]

I'll stick my IT 2 pence worth in. (Deal with these things all day)

Go to http://www.malwarebytes.org/ and download and install the software. allow it to update after install

Run a full scan.

After scan has finished select removal all threats and it should (touch wood) of removed it. It may want to restart during this process. Please let it.

[taffy1967]

Yes I did check and made sure those programmes were uninstalled.

I'm now running Malwarebytes Anti-Malware and it's already found 20 infected objects, so hopefully this will sort it once and for all.

Edited by taffy1967, 12 November 2008 - 08:47 PM.

[Bristolboy]

[taffy1967]

Well I tried Malwarebytes Anti-Malware and even though it found 20 problems it's still showing up on Spybot - Search & Destroy.

I ran Registry Search again and this is what it found: -

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 12/11/2008 23:44:32 for strings:
; 'myway'
; 'mywebsearch'
; 'funwebproducts'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Fun Web Products]
"CacheDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\FunWebProducts\\Shared\\Cache\\"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Fun Web Products\Data]
"DataDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\FunWebProducts\\Data\\"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Fun Web Products\ScreenSaver]
"ImagesDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\FunWebProducts\\ScreenSaver\\Images\\"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\FunWebProducts]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\FunWebProducts\Settings]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\MyWebSearch]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\MyWebSearch\bar]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\MyWebSearch\bar]
"CacheDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\MyWebSearch\\bar\\Cache\\"
"SettingsDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\MyWebSearch\\bar\\Settings\\"
"sscURL"="http://www.mywebsear...p?id=ZKfox000(2)&fl=0&ptb=gr.Gy7NBgICGecqa82ytGw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}"
"HistoryDir"="C:\\Users\\Turner Family\\AppData\\LocalLow\\MyWebSearch\\bar\\History\\"
"SkinsDirLowIL"="C:\\Users\\Turner Family\\AppData\\LocalLow\\MyWebSearch\\bar\\"
"ConfigRevisionURL"="http://cfg.mywebsear...83&p=ZKfox000(2)"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\MyWebSearch\SearchAssistant]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\MyWebSearch\SearchAssistant]
"ABS"="http://www.mywebsear...913&searchfor="
"DES"="http://www.mywebsear...913&searchfor="

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d835c84_0]
@="{0.0.0.00000000}.{83646a7e-a1d6-475c-ac85-e73e39c04a6d}|\\Device\\HarddiskVolume2\\Program Files\\MyWebSearch\\bar\\2.bin\\M3SKPLAY.EXE%b{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\Program Files\\MyWebSearch\\bar\\2.bin\\M3SKPLAY.EXE"="MyWebSearch Skin Player"

; End Of The Log...

I guess I'm going to have to wiper my computer to be completely free of it?

[Bristolboy]

, blimey riley, it must be pretty bad if that didn't get rid of it.

As i said earlier get searching on the spybot forum as they seem to have loads of tools and various methods of virus removal.
Hope you get it sorted soon

Bb

[minivan2007]

get a mac pmsl

[taffy1967]

There are two options you could take right.
The quickest way would be to go through the registry and remove these keys specified.
I would backup the registry first:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
2. Wait for Windows to search for available disks and most recent restore points. In the System Properties dialog box, on the System Protection tab, click Create,
3. Type a name for the restore point and then click Create.
4. After the restore point has been created successfully, click OK two times.
Note If System Restore is turned off, click to select the local disk, click Apply and then click Create.

Then navigate through the registry to each key and right click each key and press delete. You can get to the registry by going to DOS prompt it may be called command prompt and typing regedit. I think this can also be done using the run option.

The other option would be to backup all your important files and data and do a fresh install of windows, but this takes some time and you don't really get the satisfaction that you get that you managed to beat some annoying virii.

Well I went through the registry deleting all that appears in the list I pasted above, so I thought I had it beat.

But Spybot - Search & Destroy still brought up the same My Way My Websearch result: -

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca}

So I went back into the registry and tried to remove that, but even though I was able to delete it, when I double checked (clicked off and then re-checked), that registry entry was back again. So no matter how many times I tried to remove it, it would stubbornly return again.

Malwarebytes finds it, but is also unable to delete it. This is the Malwarebytes log report: -

Malwarebytes' Anti-Malware 1.30
Database version: 1390
Windows 6.0.6001 Service Pack 1

13/11/2008 22:16:53
mbam-log-2008-11-13 (22-16-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 131455
Time elapsed: 56 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So I guess I'm going to have to wipe my PC to get rid of it once and for all then.

[taffy1967]

At least the Registry Search is looking better I guess: -

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 13/11/2008 22:35:24 for strings:
; 'myway'
; 'mywebsearch'
; 'funwebproducts'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


Anyway thanks for all the help everyone.

Edited by taffy1967, 13 November 2008 - 10:57 PM.