how do you get rid of this mywebsearch crap?!

Status
Not open for further replies.

Mizugori

Programmer
May 21, 2007
56
US
One of the users at work frequently gets spyware / viruses and crap on their workstation.

Now there is a mywebsearch issue, and in googling I have only found a bunch of suggestions to use antivirus programs I've never heard of that the users claim are "great at removing it".

Can anyone tell me how to realistically clean this thing off? I don't know if it's actually a virus or what, but it adds a toolbar to IE and Firefox and frequently changes the search provider to itself, redirects some webpages, etc.

Tried cleaning with mbam in safe mode with networking, and combofix, and am running Symantec Endpoint on all workstations.

Please advise, and no offense, but I don't really want generic suggestions about how to remove viruses and spyware in general. Please respond if you have dealt with this exact issue yourself.

thanks
 
Found these instructions on another site:

Overview:
MyWebSearch is a toolbar that quite a few third party software developers bundle with their "free" software. It is a search and error page hijacker that can be fairly tricky to remove. Smileycentral.com is probably the largest website pushing this toolbar. This toolbar will quite likely slow the speed of IE web browsing and searching due to the hijackings.

There MIGHT be a built in uninstaller for some people called mywebsearch in your add/remove programs.

End Processes (may or may not exist):
mwsoemon.exe

Unregister DLLs:
Tip: this is only a list of known files/locations. You will want to do a search by the name of the file to see if they're on your system.
A while back I wrote a guide to Register/remove DLL or AX files which you will need if you don't know how to unregister these files.

Each file is in several locations so you'll need to search for them and unregister + delete them in every location you find.

f3cjpeg.dll
f3htmlmu.dll
f3popswt.dll
f3reprox.dll
f3restub.dll
f3scrctr.dll
m3outlcn.dll
m3skin.dll
mwsbar.dll
mwsoeplg.dll
mwsoestb.dll
mwssrcas.dll

Remove Directories:
commonprograms+\screensavers\jalapeno
programfilesdir+\common files\keenvalue
programfilesdir+\dynamic toolbar\flgobar\cache
programfilesdir+\flowgobar\toolbar
programfilesdir+\funwebproducts\shared\cache
programfilesdir+\incredifind\
programfilesdir+\mywebsearch\
programfilesdir+\screensavers\jalapeno

Clean your Registry:

You should be back to normal IF this was your only problem.


If you really want to make sure it is gone, tell the user they are going to lose everything on their PC, use Darik's Boot and Nuke to wipe the computer clean, reinstall Windows, and give the computer back without admin privileges. Tell the user every time they get a virus they are going to lose everything on their PC. A virus scan is a second line of defense; the first should be user activity. If they lose their work a few times they won't be visiting pron sites (or other sites) on a work PC.

Cheers
Rob

The answer is always "PEBKAC!"
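
The find, unregister and check steps from the instructions quoted above, as an added PowerShell example that is not part of the thread or of the quoted guide. The DLL, process and folder names are the ones listed in the post; the search roots, the parameter names and the assumption that the folders sit directly under Program Files are mine.

```powershell
# Added example: inventory the MyWebSearch artifacts named in the post above.
# Report-only unless -Unregister is given. Run from an elevated prompt.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot),
    [switch]$Unregister   # also run "regsvr32 /u /s" on every DLL found
)

# File names exactly as listed in the post.
$dllNames = 'f3cjpeg.dll','f3htmlmu.dll','f3popswt.dll','f3reprox.dll','f3restub.dll',
            'f3scrctr.dll','m3outlcn.dll','m3skin.dll','mwsbar.dll','mwsoeplg.dll',
            'mwsoestb.dll','mwssrcas.dll'
# Folder names from the post, assumed here to sit directly under Program Files.
$dirNames = 'mywebsearch','funwebproducts','incredifind','flowgobar'

# Drop roots that do not exist on this machine (e.g. no x86 folder on 32-bit Windows).
$Roots = @($Roots | Where-Object { $_ -and (Test-Path $_) })

# 1. The process the post says to end, if it is running.
Get-Process -Name 'mwsoemon' -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path | Format-Table -AutoSize

# 2. Every copy of each listed DLL (the post notes each can exist in several locations).
$found = @(foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $dllNames -ErrorAction SilentlyContinue
})
$found | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. Leftover product folders.
foreach ($pf in (@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })) {
    foreach ($d in $dirNames) {
        $path = Join-Path $pf $d
        if (Test-Path $path) { "Folder present: $path" }
    }
}

# 4. Optional: unregister each DLL found, and show the regsvr32 exit code (0 = success).
if ($Unregister) {
    foreach ($f in $found) {
        $p = Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$($f.FullName)`"" -Wait -PassThru
        '{0} -> regsvr32 exit code {1}' -f $f.FullName, $p.ExitCode
    }
}
"$($found.Count) listed DLL(s) found."
```

Re-running it after a reboot shows whether anything on the list has come back.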
 
Sounds like it is using some of the techniques pioneered by CoolWebSearch and some variants of that were a real bear to clean. Try running HiJackThis! and post the log on the virus/spyware forum: forum760

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
It is a real bear. You basically use regedit and kill things out of the registry so they don't run and kill the programs themselves.

And if you don't get the queen bee it puts all the nasties back on for you to take them off again.

You can get some idea of what may be running by using msconfig and the task manager. Might help to figure out what should be in msconfig and document it so the next time will be easier. You can also run a hijack log and visit the websites where people help clean things up.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
 