Cleaning up a trojan (MyWebSearch)


Mr Initial Man
12-21-2006, 11:15 AM
I downloaded a program that allowed me to view an online Christmas card (dumb mistake, I know). After it was taken off my computer via a spyware scan, I got this message:

RUNDLL

Error loading C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

The specified module could not be found.

How do I fix this?

TheBearMay
12-21-2006, 11:43 AM
I'd start with the registry by looking for it under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

WebJoel
12-21-2006, 01:56 PM
I just found & quarantined 8 "Trojan.Bifrose-495"s on my computer last night. Interesting that the anti-viral I was using didn't catch these. I tried the OpenSource "ClamWin" AV just to see if it did anything, and it found these 'backdoor' trojans in my "OPERA" uninstall folder... hmm
fyi...

Mr Initial Man
12-21-2006, 07:35 PM
Found some entries:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "MyWebSearch Email Plugin"
HKEY_CURRENT_USER\Software\MyWebSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "My Web Search Bar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "MyWebSearch Email Plugin"



Now that I've found them, what do I do with them?

TheBearMay
12-22-2006, 07:26 AM
Click on them and hit the delete key....

Looking at those keys, I'd say there are others, but they'll be harder to ferret out. Since this program loads as a browser helper object (BHO), as a precaution you may want to download BHODemon and let it run.

Here's a few other things to look for:
Registry keys:

* HKEY_LOCAL_MACHINE\SOFTWARE\MySearch
* HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\bar
* HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\Installer
* HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\Installer\downloaded
* HKEY_CLASSES_ROOT\FunWebProducts.DataControl.1
* HKEY_CLASSES_ROOT\FunWebProducts.DataControl
* HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler.1
* HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
* HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar.1
* HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
* HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.1
* HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.2
* HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
* HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager.1
* HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
* HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager.1
* HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
* HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton.1
* HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
* HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl.1
* HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl
* HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl.1
* HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl
* HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
* HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
* HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin.1
* HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin
* HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
* HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
* HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1
* HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin
* HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin.1
* HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin
* HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller.1
* HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller
* HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
* HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}


Directories:

* %Program Files%\MySearch
* %Program Files%\MySearch\bar
* %Program Files%\MySearch\bar\1.bin
* %Program Files%\MySearch\bar\Cache
* %Program Files%\MySearch\bar\History
* %Program Files%\MySearch\bar\Settings
* %Program Files%\MySearch\Installr
* %Program Files%\MySearch\Installr\1.bin
* %Program Files%\MySearch\Installr\Cache
* %Program Files%\MySearch\Installr\setups

Most Common Files (there are about 150 other variations):

Filename : S4PLUGIN.DLL
MD5 : 0a36e982b7b8a673b1425b28dcae1389

Filename : S4BAR.DLL
MD5 : e7b25ad9d8e67f838155c885241b9a5a

Filename : S4EZSETP.DLL
MD5 : 790bf31764a9491df6d1c9c1b3773726

Filename : NPMYSRCH.DLL
MD5 : 90dbe27e8cf609504d08fbdd9e659653
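
An added example, not part of the original thread: a read-only PowerShell audit of the Run keys listed above. It flags values whose target file is gone (a scanner removing the DLL but leaving the autorun value is what produces the RUNDLL "module could not be found" prompt) or whose name matches the product names in this thread. The function name `Get-CommandTarget` and the match pattern are assumptions made for the example.

```powershell
# Read-only audit: nothing here deletes or modifies a registry value.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Assumed match pattern, built from names that appear in this thread.
$familyPattern = 'MyWebSearch|My Web Search|MYWEBS~1|MWSBAR|FunWebProducts|MySearch'

function Get-CommandTarget {
    param([string]$Command)
    # Return every .exe/.dll path in an autorun command line, quoted or not,
    # so a "rundll32 <path to dll>" entry yields the DLL it is asked to load.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    $rx = '(?i)"([^"]+\.(?:exe|dll))"|([a-z]:\\[^",]+?\.(?:exe|dll))'
    foreach ($m in [regex]::Matches($expanded, $rx)) {
        if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    }
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Targets named in the command that no longer exist on disk.
        $missing = @(Get-CommandTarget $command |
            Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) })
        $isFamily = "$name $command" -match $familyPattern
        if ($missing.Count -gt 0 -or $isFamily) {
            [pscustomobject]@{
                Key           = $key
                Value         = $name
                Command       = $command
                MissingTarget = $missing -join '; '
                MatchesFamily = $isFamily
            }
        }
    }
}

$findings | Format-List
```

RunOnceEx keeps its commands in subkeys, which this top-level pass does not walk. Review each finding before deleting the value.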

Mr Initial Man
12-22-2006, 03:52 PM
Thanks! I found the keys, and am now looking for the files.

grumpyoldtechs
12-23-2006, 04:34 PM
Install Spybot Search and Destroy and install it with TeaTimer.

Then remove the registry entries in safe mode and run a full virus scan.