
Thread: Cleaning up a trojan (MyWebSearch)

  1. #1
    Join Date
    Sep 2004
    Location
    At the corner of WALK and DONT WALK
    Posts
    1,741

    Cleaning up a trojan (MyWebSearch)

    I downloaded a program that allowed me to view an online Christmas card (dumb mistake, I know). After it was taken off my computer via a spyware scan, I got this message:

    RUNDLL

    Error loading C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

    The specified module could not be found.
    How do I fix this?

  2. #2
    Join Date
    Nov 2003
    Location
    Worthington, OH, USA
    Posts
    3,634
    I'd start with the registry by looking for it under

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    54 68 65 42 65 61 72 4D 61 79

  3. #3
    Join Date
    Dec 2005
    Location
    American, living in Toronto, ON. CANADA
    Posts
    6,746
    I just found & quarantined 8 "Trojan.Bifrose-495"s on my computer last night. Interesting that the anti-viral I was using didn't catch these. I tried the OpenSource "ClamWin" AV just to see if it did anything, and it found these 'backdoor' trojans in my "OPERA" uninstall folder... hmm
    fyi...

  4. #4
    Join Date
    Sep 2004
    Location
    At the corner of WALK and DONT WALK
    Posts
    1,741
    Found some entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "MyWebSearch Email Plugin"
    • HKEY_CURRENT_USER\Software\MyWebSearch
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "My Web Search Bar"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "MyWebSearch Email Plugin"



    Now that I've found them, what do I do with them?

  5. #5
    Join Date
    Nov 2003
    Location
    Worthington, OH, USA
    Posts
    3,634
    Click on them and hit the delete key....

    Looking at those keys, I'd say there are others, but they'll be harder to ferret out. Since this program loads as a browser helper object (BHO), as a precaution you may want to download BHODemon and let it run.

    Here are a few other things to look for:
    Registry keys:

    * HKEY_LOCAL_MACHINE\SOFTWARE\MySearch
    * HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\bar
    * HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\Installer
    * HKEY_LOCAL_MACHINE\SOFTWARE\MySearch\Installer\downloaded
    * HKEY_CLASSES_ROOT\FunWebProducts.DataControl.1
    * HKEY_CLASSES_ROOT\FunWebProducts.DataControl
    * HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler.1
    * HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
    * HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar.1
    * HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
    * HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.1
    * HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.2
    * HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
    * HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager.1
    * HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
    * HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager.1
    * HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
    * HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton.1
    * HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
    * HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl.1
    * HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl
    * HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl.1
    * HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl
    * HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
    * HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
    * HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin.1
    * HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin
    * HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
    * HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
    * HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1
    * HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin
    * HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin.1
    * HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin
    * HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller.1
    * HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller
    * HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
    * HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
    * HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftOfficeOutlook\Addins\MyWebSearch.OutlookAddin
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}


    Directories:

    * %Program Files%\MySearch
    * %Program Files%\MySearch\bar
    * %Program Files%\MySearch\bar\1.bin
    * %Program Files%\MySearch\bar\Cache
    * %Program Files%\MySearch\bar\History
    * %Program Files%\MySearch\bar\Settings
    * %Program Files%\MySearch\Installr
    * %Program Files%\MySearch\Installr\1.bin
    * %Program Files%\MySearch\Installr\Cache
    * %Program Files%\MySearch\Installr\setups

    Most Common Files (there are about 150 other variations):

    Filename : S4PLUGIN.DLL
    MD5 : 0a36e982b7b8a673b1425b28dcae1389

    Filename : S4BAR.DLL
    MD5 : e7b25ad9d8e67f838155c885241b9a5a

    Filename : S4EZSETP.DLL
    MD5 : 790bf31764a9491df6d1c9c1b3773726

    Filename : NPMYSRCH.DLL
    MD5 : 90dbe27e8cf609504d08fbdd9e659653
    54 68 65 42 65 61 72 4D 61 79
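One way to audit the autostart keys from #2 for leftovers, as an added PowerShell example that is not from this thread: it walks the Run/RunOnce/RunOnceEx values, flags any whose name or command matches the MyWebSearch/MySearch names listed above, and flags any whose target file no longer exists, which is exactly what makes RUNDLL report that the module could not be found. The name pattern and the rundll32 command parsing are assumptions; the script only reports and deletes nothing.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1; run from an
# elevated prompt so the HKLM keys can be read in full.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
# Names taken from the posts above; treating them as a regex is an assumption.
$suspect = 'MyWebSearch|MySearch|MWSBAR|FunWebProducts|S4BAR|S4PLUGIN|NPMYSRCH'

function Get-AutostartTarget {
    param([string]$Command)
    # A rundll32 entry looks like: rundll32.exe "C:\...\MWSBAR.DLL",ExportName
    # Strip any rundll32 prefix, then take the first token (quoted or not) as the module path.
    # Unquoted paths containing spaces cannot be parsed reliably and may be reported as missing.
    $cmd = $Command -replace '^\s*"?[^"\s]*rundll32(\.exe)?"?\s*', ''
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^([^\s,]+)')  { return $Matches[1] }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip the registry provider's own metadata
        $command = [string]$p.Value
        $target  = Get-AutostartTarget $command
        $exists  = $target -and
                   (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($target)))
        $flagged = ($p.Name -match $suspect) -or ($command -match $suspect)
        if ($flagged -or -not $exists) {
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $command
                Reason  = if ($flagged) { 'matches MyWebSearch pattern' } else { 'target file missing' }
            }
        }
    }
}
```

Entries reported with "target file missing" are the ones still pointing at a DLL the spyware scan already removed; entries matching the pattern are the ones the posts above say to delete by hand.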

  6. #6
    Join Date
    Sep 2004
    Location
    At the corner of WALK and DONT WALK
    Posts
    1,741
    Thanks! I found the keys, and am now looking for the files.

  7. #7
    Join Date
    Nov 2006
    Location
    Nursing Home
    Posts
    268
    Install Spybot Search & Destroy and install it with TeaTimer.

    Then remove the registry entries in Safe Mode and run a full virus scan.
