My Search Bar plug-in keeps coming back

Marta

I got hit by a couple of different trojans and spyware
last week. Zserv, Ezula, Begin2search, spyware.jmzxm to
name a few. I used Hijackthis to clean up the registry
and scanned with MAS, Ad-Aware and Norton to remove all
vermin. I have two accounts on this machine. I have
booted into safe mode and scanned with the three tools on
both user accounts. All scans in safe mode are finding
nothing.

But every time I log on to userM after logging off userG,
I get an alert from MAS saying that it has allowed
navshext.dll to make changes in a green pop-up followed
by a red pop-up saying that My Search Bar browser Plug-in
is trying to install. I always ask MAS to remove it. But
I can't find where it keeps coming back from. Hijack log
is clean. MAS, AD-Aware and Norton say I'm clean.

Any clues as to how to find out where this is coming from? Any
logs I can look at? Any source for information on My
Search Bar plug-in?

Thanks!
 
JohnF.

You will have to disable System Restore to dump the registry entries of the
trojans that got on there earlier, then you will have to clean out all your
temp files in each account, temp under Docs and settings/UserX, the temp
internet files, and also the temp under c:\windows or Winnt, whichever you
have.

Run the cleaners in safe mode after you dump all that and I would install
SpywareBlaster from Javacool Software just as an added measure. Be sure to
update it and then set it to protect for everything.

JohnF.
 
Guest

Thanks John. I had already disabled System Restore. I
have run CleanUp! to clean out the temp and I also
manually checked and emptied those folders. I've run a
couple scans in Safe mode and everything scans clean.
I've loaded Spyware Blaster. But I still get this pop-up
from MAS.

I can't seem to find any information about this specific
search bar so I don't know where else to look. It almost
seems as if it is a bad alert from MAS.
 
JohnF.

Have you done this?

1. Start the registry editor. This is done by clicking Start then Run. (The
Run dialog will appear.) Type regedit and click OK. (The registry editor
will open.)

2. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \
{014DA6C1-189F-421a-88CD-07CFE51CFF10}', if it exists.

3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \
{014DA6C9-189F-421a-88CD-07CFE51CFF10}', if it exists.

4. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Explorer \ Browser Helper Objects \
{014DA6C1-189F-421a-88CD-07CFE51CFF10}', if it exists.

5. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Explorer \ Browser Helper Objects \
{014DA6C9-189F-421a-88CD-07CFE51CFF10}', if it exists.

6. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Uninstall \ My Search Uninstall \ DisplayName', if it
exists.

7. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Uninstall \ My Way Speedbar Uninstall \ DisplayName', if it
exists.

8. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Uninstall \ MyWaySearchAssistant \ DisplayName', if it
exists.

9. Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Internet Explorer \ Toolbar'

10. In the right pane, delete the value called
{014DA6C9-189F-421a-88CD-07CFE51CFF10}, if it exists.

11. Browse to the key:
'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Internet Explorer \ Toolbar \
WebBrowser'

12. In the right pane, delete the value called
{014DA6C9-189F-421a-88CD-07CFE51CFF10}, if it exists.

13. Exit the registry editor.

14. Restart your computer.

15. Delete the following folders:
%ProgramsDir%\MySearch\
%ProgramsDir%\MyWay\
Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files.

16. Start Microsoft Internet Explorer.

17. In Internet Explorer, click Tools -> Internet Options.

18. Click the Programs tab -> Reset Web Settings.


JohnF.
 
Marta

Thank you John!!!

You got it. It was step #11/12 below that did the trick.
Steps 1-10 were all clean but I found the guid in
HKCU\Software\Microsoft\Internet
Explorer\Toolbar\WebBrowser. Removing it from that key
solved it.

BTW, I did a registry search of both of the guids and also
found them in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{014DA6C1-189F-421a-88CD-07CFE51CFF10}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{014DA6C9-189F-421a-88CD-07CFE51CFF10}

They don't seem to be causing any issues or alerts so I'm
leaving them unless you recommend removing them.

Thank you so much for sticking with me and helping me
solve this issue. This has been puzzling me for a week
and driving me crazy. I hate having an unsolved problem.

Again, a big thank you.

Marta
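
Added example (not part of the original thread): a read-only PowerShell audit that reports which of the registry locations named in JohnF.'s steps and in Marta's follow-up still reference either GUID, including the per-user Toolbar\WebBrowser value in every loaded profile hive. The function and variable names are illustrative; nothing is deleted.

```powershell
# Read-only audit of the registry locations listed in the thread.
# It only reports; review the output before removing anything by hand.
$guids = '{014DA6C1-189F-421a-88CD-07CFE51CFF10}',
         '{014DA6C9-189F-421a-88CD-07CFE51CFF10}'

# Keys under which the GUID appears as a subkey name (steps 2-5 and Marta's find).
$guidSubkeys = 'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Uninstall entries named in steps 6-8 (reported if the key exists at all).
$uninstallRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$uninstallNames = 'My Search Uninstall', 'My Way Speedbar Uninstall', 'MyWaySearchAssistant'

# Keys under which the GUID appears as a value name (steps 9-12), relative to a hive.
$toolbarKeys = 'SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'

function Test-ValueName($KeyPath, $Name) {
    # True when the key exists and has a value with the given name.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    return ($null -ne $key) -and ($key.GetValueNames() -contains $Name)
}

# HKLM plus every user hive currently loaded under HKEY_USERS.
$roots = @('Registry::HKEY_LOCAL_MACHINE') +
    (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)" })

$findings = @()
foreach ($g in $guids) {
    foreach ($k in $guidSubkeys) {
        if (Test-Path -LiteralPath "$k\$g") { $findings += "KEY    $k\$g" }
    }
    foreach ($r in $roots) {
        foreach ($t in $toolbarKeys) {
            if (Test-ValueName "$r\$t" $g) { $findings += "VALUE  $r\$t -> $g" }
        }
    }
}
foreach ($n in $uninstallNames) {
    if (Test-Path -LiteralPath "$uninstallRoot\$n") { $findings += "KEY    $uninstallRoot\$n" }
}

if ($findings) { $findings } else { 'No references to either GUID found.' }
```

Only the hives of accounts that are currently logged on appear under HKEY_USERS, so run it once per account; in the thread the leftover value was in one user's hive only. On 64-bit Windows, 32-bit Internet Explorer add-ons register under `SOFTWARE\WOW6432Node`, which this example does not check.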
 
