MyWebSearch Repeatedly Reinstalls at Logon

ChrisW

I downloaded the beta of Antispyware and it promptly
detected the presence of MyWebSearch which was removed.
However, when certain users log on (everyone but me),
Antispyware detects that MyWebSearch is trying to
reinstall.
There are some other worrying notices from Antispyware
before the MyWebSearch red alert. These include notices
that an Internet Explorer Shell Browser has been allowed
and that the security level has been set to zero. There
is no chance of preventing these.
I have tried running Antispyware in Safe Mode until
nothing further is detected, but it still comes back.
I've also tried Ad-Aware, Spybot S&D, SpywareBlaster and
CWShredder. The HijackThis log reveals nothing
suspicious, nor do the System Explorers in Antispyware.
Any help gratefully received!
 
Ron Chamberlin

Hi Chris,
Try this and see if it helps:
Boot into Safe Mode (F8) at startup;
Empty your temporary files AND your Temporary Internet Files (the C:\Documents
and Settings\Username\Local Settings\Temporary Internet Files folder);
Run the scan while in safe mode;
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHO's that you don't recognize.

Ron Chamberlin
MS-MVP
 
Sandi Hardmeier

It may take some heavy work to get rid of this ****

Before trying to remove spyware:

Back up all essential data.

Download the recommended software

After all software has been downloaded, installed and updated disconnect the
computer from the internet and/or any network to which it may be attached.

The software you should download and have ready to use is:

Lspfix and Winsockfix, available at http://www.cexx.org/lspfix.htm and
http://www.spychecker.com/program/winsockxpfix.html

A BHO disabler such as BHO Cop, BHO Demon or BHOCaptor (non XP SP2 users
only)
http://www.pcmag.com/article2/0,4149,270,00.asp
http://www.definitivesolutions.com/bhodemon.htm
http://www.webattack.com/get/bho.shtml

AdAware (note that Lavasoft have now released Ad-Aware SE Personal Edition,
available from http://www.lavasoftusa.com/support/download/ AdAware 6 users
should update to SE as soon as possible. All previous versions are NO LONGER
SUPPORTED)

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder - http://www.intermute.com/spysubtract/cwshredder_download.html

HackerDefender Disabler - http://www.aumha.org/downloads/unhackdef.zip
Extract the BAT file to your desktop.

After obtaining the required software above, make sure you check for updates
and run the programmes in safe mode.

Malware removal (beginner's guide):

Go to Control Panel, Folder Options, View Tab. Turn on the option to show
hidden files. Turn off the option to hide protected system files.
***WARNING!! Files are hidden by Windows for a very good reason. It is not
wise to 'experiment' with these files. Unfortunately, to successfully remove
modern malware we must turn this protection off. There is a risk to doing
this. Please turn the protection back on when you have finished cleaning
your system.***

Run HackerDefender Disabler. A DOS window will flash onto your screen and
then disappear. This is normal.

If you are using Windows XP SP2 download and install Update KB888240 to
solve a known problem where add-ins will sometimes hide themselves from the
Add-On Manager. The hotfix is available from:
http://www.microsoft.com/downloads/...9e-b116-4d38-b00c-ff1d529106c8&displaylang=en

Go to Control Panel, add/remove programs. Check for malware entries and use
the uninstall programs, then reboot. Check all 'startup' folders at
...\Documents and Settings\All Users\Start Menu\Programs\Startup or
...\Documents and Settings\<username>\Start Menu\Startup

Go to start/run and type MSCONFIG. Go to the startup tab. Disable everything
that you do not recognise as legitimate (do not disable any power profile
options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find information
about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

If you are using Windows XP, go to Tools, Manage Add-Ons and disable
anything you don't want or recognise. If you are not running XP SP2 use one
of the BHO disablers mentioned earlier.

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Check for unrecognised
objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

Start CWSHREDDER and fix anything it finds. Reboot back into safe mode.

Start AdAware.

Remember to update using the 'check for updates now' button. Update, then
select 'start' option.

Make sure that 'search for negligible risk entries' is turned on. Select
'use custom scanning options' then select 'customise'. Make sure the
following options are enabled: 'scan within archives', 'scan active
processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for
banned URLs', 'scan my Hosts file'.

Select the 'tweak' option. Under 'scanning engine', make sure 'unload
recognized processes and modules during scan' is enabled. Enable 'scan
registry for all users instead of current users'.

Under 'cleaning engine' turn on 'always try to unload modules..', 'during
removal unload explorer and IE if necessary', 'let windows remove files in
use at next reboot', 'delete quarantined items after restoring'.

Use the 'select drives and folders to scan' option to ensure that your
ENTIRE hard drive is scanned (if you have more than one hard drive, scan all
of them; of course, do not include floppy and CD/DVD).

Once finished, reboot again into safe mode. Run Spybot S&D. "Fix" anything
marked red.

If you are unable to get on to the internet after cleaning up your computer,
run LSPfix. If that doesn't work, run Winsockfix.

If you are using XP SP2 and are unable to access the internet after removing
malware, the following commandline may help - it will reset the winsock
catalogue:

netsh winsock reset

If the malware problem comes back, further specialised assistance is
available via the HijackThis forum at http://forum.aumha.org - make sure you
read the top announcements about pre-post steps you should take before
generating a HijackThis log.
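The guide above walks the autostart locations one at a time through the GUI: the startup folders, MSCONFIG's Startup tab, and Manage Add-ons. Those views show the account that opened them; Chris sees the reinstall only when other users log on, and Nan sees the same two items come back daily, which is the pattern of a per-user Run key or startup item sitting in another profile. The script below is an added example, not part of Sandi's post or of any tool she lists: it inventories the same locations (Run/RunOnce keys for HKLM and every loaded user hive, the startup folder of every profile in ProfileList, and registered Browser Helper Objects with the DLL each one loads) so the result can be compared against what the guide expects. It assumes Windows 7 or later with PowerShell 3.0 or later, run from an elevated session so other users' hives and profile folders are readable; the function names are this example's own. It only reports and removes nothing.

```powershell
# Added example (not from the thread or any tool it names): a read-only
# inventory of the autostart locations the guide above checks by hand,
# taken for every user profile rather than only the logged-on one.
# Assumes Windows 7 or later with PowerShell 3.0+, run from an elevated
# session so other users' hives and profile folders are readable.
# Function names are this example's own. Nothing is changed or deleted.

$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Startup folder relative to a profile root: XP/2003 layout, then Vista and later.
$StartupRelative = @(
    'Start Menu\Programs\Startup',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
)

# Properties that Get-ItemProperty adds to its output and that are not registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries([string]$Scope, [string]$Root) {
    foreach ($sub in $RunSubKeys) {
        $path = "$Root\$sub"
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($p in $item.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            [pscustomobject]@{ Scope = $Scope; Location = $sub; Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-UserHiveSids {
    # Loaded user hives, minus the *_Classes hives and the built-in
    # SYSTEM / LOCAL SERVICE / NETWORK SERVICE accounts.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -notmatch '_Classes$|^S-1-5-(18|19|20)$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-ProfileRoots {
    # Every profile Windows knows about, whether or not its hive is loaded right now.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $list) {
        $root = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if ($root) { $root }
    }
}

function Get-StartupFolderEntries {
    $folders = @([Environment]::GetFolderPath('CommonStartup'))
    foreach ($root in Get-ProfileRoots) {
        foreach ($rel in $StartupRelative) { $folders += Join-Path -Path $root -ChildPath $rel }
    }
    foreach ($folder in ($folders | Where-Object { Test-Path -Path $_ })) {
        # -Force includes hidden files, the same visibility the guide turns on.
        Get-ChildItem -Path $folder -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                [pscustomobject]@{ Scope = 'StartupFolder'; Location = $folder; Name = $_.Name; Value = $_.LastWriteTime }
            }
    }
}

function Get-BhoEntries {
    # Each subkey is the CLSID of a Browser Helper Object; the DLL that IE loads
    # is the default value of that CLSID's InprocServer32 key. 32-bit IE on
    # 64-bit Windows registers under Wow6432Node, so both views are checked.
    $pairs = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($pair in ($pairs | Where-Object { Test-Path -Path $_.Bho })) {
        foreach ($key in Get-ChildItem -Path $pair.Bho) {
            $clsid  = $key.PSChildName
            $server = Get-ItemProperty -Path "$($pair.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Scope = 'BHO'; Location = $pair.Bho; Name = $clsid; Value = $server.'(default)' }
        }
    }
}

function Get-AutostartInventory {
    Get-RunKeyEntries -Scope 'HKLM' -Root 'HKLM:'
    foreach ($sid in Get-UserHiveSids) {
        Get-RunKeyEntries -Scope "HKU\$sid" -Root "Registry::HKEY_USERS\$sid"
    }
    Get-StartupFolderEntries
    Get-BhoEntries
}

Get-AutostartInventory | Sort-Object Scope, Location, Name | Format-Table -AutoSize -Wrap
```

Run it once from the clean account and once after each affected user has logged on: an entry that is present under another user's HKU hive or startup folder but absent from the account you normally work in is the kind of item the GUI steps above are unlikely to surface. Profiles whose hive is not loaded still have their startup folder listed, but their Run keys are only visible while that user is logged on (or the hive is loaded by other means), so a clean result from a single session is not conclusive on its own.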
 
ChrisW

Thanks for your help. This looks like a full evening's
work which I'll do tomorrow.

Chris
Bill Sanderson

Sorry to hear that. Sandi's recipe is quite comprehensive, but as you note,
that takes time.
 
Sandi - Microsoft MVP

Ooh yeah, at least a full evening's work. I've been known to spread
de-infection of seriously ill machines over several days.

--
Hyperlinks are used to ensure advice remains current
Visit the Internet Explorer Online Community:
http://www.microsoft.com/windows/ie/community/default.mspx
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/


ChrisW

A full evening's work later and annoyingly it's still
there.
I think I did everything right but nothing was found by
CWShredder, AdAware or Spybot.
I don't know if this is related but when I ran
HackerDefender it gave an error message:
Netstophackerdefender100
System error 1060 has occurred
The specified service does not exist as an installed
service
I guess I try forum.aumha.org next.

Thanks for your help.
Chris

-----Original Message-----
http://www.pchell.com/support/mywebsearch.shtml

Ron

Unfortunately not so simple. None of the HijackThis
lines shown on pchell appear in my log. Nor does
MyWebSearch show up as an installed program. The problem
is much more insidious.

merrie_hearted

I was reading through the posts regarding MyWebSearch reinstalling and
wonder if the same sort of thing is happening with other software on my PC.
I am not an IT professional so can use the feedback.

Everyday I have MS Antispyware run and it says it detects and quarantines
these two items:
Vx2.ZServ Type: Trojan Threat Level: Severe

EUniverse Updater Type: Browser Hijacker Threat Level: High Author:
eUniverse.com Inc./Intermix Media

Then the next day the same two items appear again as detected and
quarantined.


So some questions:

1. Do you think these items are leaving applications that reinstall the
software? I am not rebooting.

2. Is there any way to find and remove whatever is leaving these on my hard
drive?

3. If they are not on my hard drive but are being downloaded again every day
(is that likely?), then can I prevent that?

4. Is quarantining good enough to protect me from the effects of these
items?

5. What are these two items doing to my PC?

Any other advice?

This whole thing is appalling.

Nan H
 
Bill Sanderson

Yes - you are still actively infected--or at least an active element is
attempting to reinfect at some interval--you mention you are not
restarting--and is being prevented by Microsoft Antispyware.

My suggestion is that you restart in safe mode, and do full scans, scanning
until a full scan comes through clean.

If this doesn't do the job, there is more that can be done, but let's start
there.

FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
 
Ron Chamberlin

Hi Nan,

First of all start with Bill Sanderson's excellent suggestions, and get back
to the group if that doesn't kick them hard enough.


<This whole thing is appalling.>

-Climbing SoapBox-
Yes. This comment struck me as why a number of us are here in these NG's. I
remember when the Internet was fun, safe, secure, entertaining et al.
Now we have to stand by with garlic cloves and holy water just in case.
I see this program, coupled with best practices, firewall, and active anti
virus, as a way for us, as users, to put up a good preemptive defense rather
than having to go in with WD-40 and vise grips to clean the scum out.

Ron Chamberlin
MS-MVP
 
Sandi Hardmeier

The system error is a good thing; that means you are not infected with the
virus targeted by the utility :) See you in the aumha.org forums.

--
_______________________________________
Hyperlinks used to ensure advice is current
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org

ChrisW said:
A full evening's work later and annoyingly it's still
there.
I think I did everything right but nothing was found by
CWShredder, AdAware or Spybot.
I don't know if this is related but when I ran
HackerDefender it gave an error message:
Netstophackerdefender100
System error 1060 has occurred
The specified service does not exist as an installed
service
I guess I try forum.aumha.org next.

Thanks for your help.
Chris
-----Original Message-----
Ooh yeah, at least a full evening's work. I've been known to spread
de-infection of seriously ill machines over several days.

--
Hyperlinks are used to ensure advice remains current
Visit the Internet Explorer Online Community:
http://www.microsoft.com/windows/ie/community/default.msp x
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/


Thanks for your help. This looks like a full evening's
work which I'll do tomorrow.

Chris
-----Original Message-----
It may take some heavy work to get rid of this ****

Before trying to remove spyware:

Back up all essential data.

Download the recommended software

After all software has been downloaded, installed and
updated disconnect the
computer from the internet and/or any network to which
it may be attached.

The software you should download and have ready to use
is:

Lspfix and Winsockfix, available at
http://www.cexx.org/lspfix.htm and
http://www.spychecker.com/program/winsockxpfix.html

A BHO disabler such as BHO Cop, BHO Demon or BHOCaptor
(non XP SP2 users
only)
http://www.pcmag.com/article2/0,4149,270,00.asp
http://www.definitivesolutions.com/bhodemon.htm
http://www.webattack.com/get/bho.shtml

AdAware (note that Lavasoft have now released Ad-Aware
SE Personal Edition,
available from
http://www.lavasoftusa.com/support/download/ AdAware 6
users
should update to SE as soon as possible. All previous
versions are NO LONGER
SUPPORTED)

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis -
http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder -
http://www.intermute.com/spysubtract/cwshredder_download.h
tml

HackerDefender Disabler -
http://www.aumha.org/downloads/unhackdef.zip
Extract the BAT file to your desktop.

After obtaining the required software above, make sure
you check for updates
and run the programmes in safe mode.

Malware removal (beginner's guide):

Go to Control Panel, Folder Options, View Tab. Turn on the option to show hidden files. Turn off the option to hide protected system files.
***WARNING!! Files are hidden by Windows for a very good reason. It is not wise to 'experiment' with these files. Unfortunately, to successfully remove modern malware we must turn this protection off. There is a risk to doing this. Please turn the protection back on when you have finished cleaning your system.***

Run HackerDefender Disabler. A DOS window will flash onto your screen and then disappear. This is normal.

If you are using Windows XP SP2, download and install Update KB888240 to solve a known problem where add-ins will sometimes hide themselves from the Add-On Manager. The hotfix is available from:
http://www.microsoft.com/downloads/details.aspx?familyid=d788c59e-b116-4d38-b00c-ff1d529106c8&displaylang=en

Go to Control Panel, Add/Remove Programs. Check for malware entries and use the uninstall programs, then reboot. Check all 'startup' folders at ...\Documents and Settings\All Users\Start Menu\Programs\Startup or ...\Documents and Settings\<username>\Start Menu\Startup

Go to Start/Run and type MSCONFIG. Go to the Startup tab. Disable everything that you do not recognise as legitimate (do not disable any power profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft Services'. Disable everything that remains. If you don't have this option, don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options appear. Choose Safe Mode as your startup choice. You will find information about what safe mode is, and what it does, at this link: http://inetexplorer.mvps.org/data/safe_mode.htm

If you are using Windows XP, go to Tools, Manage Add-Ons and disable anything you don't want or recognise. If you are not running XP SP2, use one of the BHO disablers mentioned earlier.

Empty your IE cache and your other temporary file folders, eg: c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. Check for unrecognised objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF.

Start CWShredder and fix anything it finds. Reboot back into safe mode.

Start AdAware.

Remember to update using the 'check for updates now' button. Update, then select the 'start' option.

Make sure that 'search for negligible risk entries' is turned on. Select 'use custom scanning options' then select 'customise'. Make sure the following options are enabled: 'scan within archives', 'scan active processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for banned URLs', 'scan my Hosts file'.

Select the 'tweak' option. Under 'scanning engine', make sure 'unload recognized processes and modules during scan' is enabled. Enable 'scan registry for all users instead of current users'.

Under 'cleaning engine' turn on 'always try to unload modules..', 'during removal unload explorer and IE if necessary', 'let windows remove files in use at next reboot', 'delete quarantined items after restoring'.

Use the 'select drives and folders to scan' option to ensure that your ENTIRE hard drive is scanned (if you have more than one hard drive, scan all of them; of course, do not include floppy and CD/DVD).

Once finished, reboot again into safe mode. Run Spybot S&D. "Fix" anything marked red.

If you are unable to get on to the internet after cleaning up your computer, run LSPfix. If that doesn't work, run Winsockfix.

If you are using XP SP2 and are unable to access the internet after removing malware, the following commandline may help - it will reset the winsock catalogue:

netsh winsock reset

If the malware problem comes back, further specialised assistance is available via the Hijackthis forum at http://forum.aumha.org - make sure you read the top announcements about pre-post steps you should take before generating a hijackthis log.

--
_______________________________________
Hyperlinks used to ensure advice is current
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org
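The guide above walks through the autostart locations by hand: the Startup folders, the Run entries shown by MSCONFIG, and Internet Explorer's Browser Helper Objects. The original problem in this thread (the adware returning only when other users log on) is typical of a per-user autostart, which you will not see unless you look at every user's hive rather than just your own. The script below is an added example for today's Windows systems, not something from this thread or from any of the tools it names. It assumes an elevated Windows PowerShell 5.1 prompt and only reads the standard Run/RunOnce keys, the per-profile Startup folders and the BHO registration key; it flags entries whose executable is missing, unsigned, or living in a temp folder so you have a short triage list instead of a raw dump.

```powershell
# Added example (not from the thread): read-only triage of autostart
# entries for ALL user profiles, the startup folders and IE BHOs.
# Assumes an elevated Windows PowerShell 5.1 session; changes nothing.

function Get-RunKeyEntries {
    # Run/RunOnce values under one hive root, e.g. 'HKLM:' or 'Registry::HKEY_USERS\<SID>'
    param([string]$HiveRoot, [string]$Owner)
    foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                     'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            [pscustomobject]@{ Owner = $Owner; Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-AllRunKeyEntries {
    Get-RunKeyEntries -HiveRoot 'HKLM:' -Owner 'machine'
    # Every user hive currently loaded (logged-on users plus SYSTEM/service accounts).
    # A profile that is not logged on can be inspected by loading its hive first:
    #   reg load HKU\TempHive C:\Users\<name>\NTUSER.DAT   (and 'reg unload' afterwards)
    foreach ($h in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        if ($h.PSChildName -like '*_Classes') { continue }
        Get-RunKeyEntries -HiveRoot "Registry::HKEY_USERS\$($h.PSChildName)" -Owner $h.PSChildName
    }
}

function Get-StartupFolderEntries {
    # All-users Startup folder plus each profile's own Startup folder
    $folders = @([Environment]::GetFolderPath('CommonStartup'))
    $folders += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $f -File -Force) {
            if ($file.Name -eq 'desktop.ini') { continue }
            [pscustomobject]@{ Owner = 'startup-folder'; Location = $f; Name = $file.Name; Command = $file.FullName }
        }
    }
}

function Get-BhoEntries {
    # Each BHO is registered by CLSID; the DLL path lives in the CLSID's InprocServer32 key
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($k in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $k.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path -LiteralPath $srv) { $dll = [string](Get-ItemProperty -LiteralPath $srv).'(default)' }
        [pscustomobject]@{ Owner = 'ie-bho'; Location = $bhoKey; Name = $clsid; Command = $dll }
    }
}

function Resolve-ExePath {
    # Best-effort extraction of the executable from a Run-value command line
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) } else { return $c.Trim('"') }
    }
    # Unquoted: take everything up to the first known executable extension
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|com|bat|cmd|scr|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function Test-SuspiciousAutostart {
    # Returns the entry with Exe and Reasons added when it deserves a closer look, else $null
    param($Entry)
    $exe = Resolve-ExePath $Entry.Command
    if (-not $exe) { return $null }
    $reasons = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $reasons += 'file missing (dangling entry, or a file hidden from the shell)'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        if ($exe -match '\\(Temp|Temporary Internet Files)\\') { $reasons += 'runs from a temp folder' }
    }
    if ($reasons.Count -eq 0) { return $null }
    $Entry | Add-Member -NotePropertyName Exe -NotePropertyValue $exe -PassThru |
             Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
}

function Get-SuspiciousAutostarts {
    $all = @(Get-AllRunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-BhoEntries)
    foreach ($e in $all) { $r = Test-SuspiciousAutostart $e; if ($r) { $r } }
}

Get-SuspiciousAutostarts | Format-Table Owner, Name, Exe, Reasons -AutoSize -Wrap
```

Treat the output as a worklist, not a verdict: plenty of legitimate third-party software ships unsigned, so an "unsigned" flag means "look at it", while a Run value whose file no longer exists, or one that points into a Temp folder, matches exactly the pattern the guide tells you to hunt for by hand. The `Owner` column is the SID of the user hive an entry came from, which is what tells you whether the thing coming back "when certain users log on" is seeded per user (HKEY_USERS\<SID>\...\Run) or machine-wide (HKLM). For the Winsock LSP layer that LSPfix and `netsh winsock reset` deal with, `netsh winsock show catalog` lists the installed providers so you can spot an unfamiliar one before resetting.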


-----Original Message-----
http://www.pchell.com/support/mywebsearch.shtml

Ron

Unfortunately not so simple. None of the hijackthis lines shown on pchell appear in my log. Nor does MyWebSearch show up as an installed program. The problem is much more insidious.
