MyStart Search ToolBar/Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dood1emom, Aug 26, 2012.

  1. dood1emom

    dood1emom Private E-2

    Hey MajorGeeks-

    My Dad opened an infected email and MyStart Search has attached itself to IE8. I have not attempted to remove "IncrediMail 2.0" (some webposts also say to look for "Web Assistant 2.0" but it's not in the Add/Remove list) via Control Panel and it appears in Manage Addons - Search Providers - MyStart Search as "unavailable" instead of Enable/Disable. Three new icons are now on dad's desktop that are part of the infection: "IncrediMail," "Speed up your computer," and "Email Animations". I've simply reset Bing as the default search engine and now checked "Prevent Programs from Suggesting Changes to My Default Search Provider."

    Windows Automatic Updates has been turned off and I can't turn it back on via the Windows Security Center. Accessing it through Control Panel via System - Automatic Updates says it's already turned on.

    It's an older XP MCE SP3 system. Attaching logs. Thanks a million for help.

    doodlemom
     

    Attached Files:

  2. dood1emom

    dood1emom Private E-2

    Here is the mglogs zip & two screen shots of what's going on. Also, I think the AzureBay stuff is a screensaver program the boys installed. thanks again,

    doodlemom
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to put this PC into Normal Startup mode. You must not use MSconfig as a long term startup manager!!!!

    You have multiple security programs installed: AVG, Microsoft Security Client and also leftovers from Symantec. You need to uninstall Microsoft Security Client now and then also check if anything from Symantec is still installed, because there is a service showing related to Symantec.

    Who put the below in the hosts file?
    O1 - Hosts: 65.60.57.74 l2authd.lineage2.com
    O1 - Hosts: 216.107.250.194 update.nprotect.com
    O1 - Hosts: 216.107.250.194 nprotect.lineage2.com


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Register System Files
      • Repair WMI
      • Repair Windows Updates
      • Repair MSI (Windows Installer)
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below very old version of software:
    J2SE Runtime Environment 5.0 Update 6

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\Tasks\ConfigExec.job
    C:\WINDOWS\Tasks\DataUpload.job
    C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Disabled (Startup Manager)]
    "MSMSGS"=-
    "MSMSGS (1)"=-
    "MSMSGS (2)"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    "MSC"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\Disabled (Startup Manager)]
    "QuickTime Task"=-
    "TkBellExe"=-
    "ArcSoft Connection Service"=-
    "QuickTime Task (1)"=-
    "TkBellExe (1)"=-
    "QuickTime Task (2)"=-
    @=""
    "TkBellExe (2)"=-
    [HKEY_USERS\S-1-5-21-2540848344-3709570441-596819307-1007\Software\Microsoft\Windows\CurrentVersion\run]
    "MSMSGS"=-
    [HKEY_USERS\S-1-5-21-2540848344-3709570441-596819307-1007\Software\Microsoft\Windows\CurrentVersion\run\Disabled (Startup Manager)]
    "MSMSGS"=-
    "MSMSGS (1)"=-
    "MSMSGS (2)"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
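    The three hosts-file lines chaslang asks about redirect names to routable addresses rather than to 127.0.0.1, which is the shape of a hosts-file hijack (a blocklist entry, by contrast, points a name at a loopback or unspecified address). The script below is an added example, not something posted in this thread or part of any MajorGeeks tool: it parses a hosts file and lists the entries that redirect rather than sink a name. The SAMPLE_HOSTS text is constructed for the example and combines the three lines quoted above with ordinary localhost lines and one made-up blocklist entry; the Windows path in main() is the standard location and is only read if it exists.

```python
import ipaddress
import os

# Constructed sample hosts file for the example: the three entries quoted in
# the thread, the normal localhost lines, and one blocklist-style entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
65.60.57.74 l2authd.lineage2.com
216.107.250.194 update.nprotect.com
216.107.250.194 nprotect.lineage2.com
0.0.0.0 ads.example.net   # constructed blocklist-style entry
"""

# Standard location of the hosts file on Windows (assumed; not taken from the thread).
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring blank lines and '#' comments.

    A single line may map several names to one address, so each name becomes
    its own pair. Hostnames are lower-cased because DNS names are case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_sinkhole(addr):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses.

    These only block a name; they cannot send traffic to a third party.
    Anything that is not a valid IP address is treated as not a sinkhole
    so that a malformed entry is still reported.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text):
    """Entries that point a hostname at a routable address.

    Each one overrides DNS for that name and is what a hosts-file hijack
    (for example of an update or login server) looks like.
    """
    return [(addr, name) for addr, name in parse_hosts(text) if not is_sinkhole(addr)]


def main():
    # Use the real hosts file when it is present, otherwise the constructed sample.
    if os.path.exists(WINDOWS_HOSTS):
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for addr, name in suspicious_entries(text):
        print(f"redirect: {name} -> {addr}")


if __name__ == "__main__":
    main()
```

    On the sample text the script reports exactly the three lineage2.com / nprotect.com lines and stays quiet about the localhost and 0.0.0.0 entries. Whether a reported entry is malicious still has to be judged by hand; a game or anti-cheat client may write such lines itself, which is why chaslang asks who put them there rather than simply deleting them.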
  4. dood1emom

    dood1emom Private E-2

    Worked thru list. Will clean up his startup programs via HiJack This when I have more time!

    Cleaned up Hosts file

    OTM program asked, but did not reboot. I exited the program. (I think I ran it as admin on his system).

    Windows Updates seem to be coming in now. Looks like AVG is running properly. MyStart Search is still appearing in the dropdown area of the search box. In Manage Addons it is still appearing as "unavailable" but there is a "remove" button. (did not do yet!) Those pesky new icons are still on the desktop and IncrediMail still appears on the All Programs menu (there's an installer, but I haven't messed with it). IncrediMail also is in the Add/Remove Programs list.

    Attached OTM & MGlogs files. Thanks a million,

    dood1emom
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. I suggest you read the below. My favorite tool for this is AutoRuns

    Dealing with Startup Process



    You did not attach anything.
     
  6. dood1emom

    dood1emom Private E-2

    Ok, started working through his startup programs via AutoRuns. Second try to attach those pesky logs I ran a few days ago. For what it's worth, I did try to install Spybot and it won't install; the message is "Access is Denied". I don't know if that's indicative of the virus or something to do with his AVG antivirus, which I did disable.

    Thanks for help!
    doodlemom
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note that if you do not want IncrediMail then just uninstall it.

    It appears that the OTM fix did not run properly. Also it may be that the Windows Repair did not run properly, and this could have been due to AVG. Please uninstall AVG and then reboot. After the reboot, rerun the last fix from message #3, beginning with the Windows Repair step through to the end, and then attach new logs.
     
    Last edited: Sep 8, 2012
