Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hello! Before I begin my question, please note that I do have AdAware and Spybot Search & Destroy, and have ran both numerous times and cannot remove "MyWebSearch"
Anyway...my main annoyance is that I am trying to help my 14 year old get this crap off her computer and it won't remove. I have gone to Add/Remove programs, and when I find "MyWebSearch" and try to remove, I get a script error. I am assuming this is intentional since it does not want to be removed for obvious reasons. I have taken a copy of my log file for Hijackthis. Please tell me which are safe to remove. There may be more than just MyWebsearch. Seems that my kid has gotten all kinds of weird toolbars and hijacked search engines things going on. I have already removed LOP.com but I don't know if the registry removed it. Also....I am assuming that mwsoemon.exe is part of MyWebSearch, so that will not let me delete it either. Please help. thank you!!
Logfile of HijackThis v1.97.7
Scan saved at 3:11:11 PM, on 1/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\QUICKENW\QAGENT.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\mrtMngr.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justine\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Documents and Settings\Justine\Desktop\BPS Popup and Cookie Shield\PopupShield.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://rimmel.ai-media.com/save/makeover.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/PopSwatterInitialSetup1.0.0.5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.coupons.com/v7/brix7ie.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/178d29384ea22b5d0704/netzip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} - http://tdmy.com/180/webinstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200322518
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/test/ACNePlayer.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
well the reason that it keep coming up is because it is in your startup, it reinstalls on every startup, so go to your start menu, go to run, type msconfig, then go to start up and look for something around the lines of "mywebsearch" then remove the app from add/remove programs and restart
0 
also check www.symantec.com
and
www.pchell.com
for removeale tools and instructions on many other browser hijackers.
0
Thanks guys, but isn't there someone here who can look at a logfile and tell me what to remove. Josh, I was able to remove the program from start-up, however....that program (MyWebSearch) is still under ADD/REMOVE programs and it will not uninstall it. When you go to uninstall, it asks if you want to unistall it, then you click YES and it gives a script error. To me, that means that there is no way to get this out of add/remove. I have to manually delete it somehow.
Rick, that is the reason I came here and not Symantec or the other. I see people posting logfiles and they are getting help. I don't want to be told to go elsewhere. No offense. I have already checked Norton, and they don't tell you how to remove it.Thank you!!
0
now that it is not in startup anymore, when you open IE is the search bar still there? if it is go to veiw, toolbars, and uncheck it, it shouldn't be startin up anymore so you should be ok in that aspect as long as it doesn't load, if i was you i would search on yahoo.com for a uninstall of that program, sometimes you can find them on sites that people had the same problem, and i know you came here to have your hijack file read, but i don't like the program, there is no need for it, i can see everything i want without it...
0 
