[Resolved] I would like to delete the MySearch Bar

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
My system has the MySearch Bar installed. I cannot uninstall it using Add/Remove Programs, though it does appear in the list.

I have run SpyBot and Hijack This. The Hijack This log is listed below. Please help!

Logfile of HijackThis v1.97.2
Scan saved at 6:54:28 PM, on 9/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\Download\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = "windowsupdate";<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Concur Expense Applets - https://etravel.usps.gov/eworkplace/Applets/cnqr_ie.cab
O16 - DPF: XMS - https://etravel.usps.gov/eworkplace/Applets/xms_ie.cab
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://eagnmnsu1f0:8080/jinitiator/1217575w.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1767a73c2a691ed8d705/netzip/RdxIE6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://aceportal.usps.gov/msrdp.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37605.4428125
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://56.217.194.248/ReportPage/ReportDisplay/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Dec 9, 2000
Messages
45,855
I don't see any entries relating to MySearchbar in the Scanlog. Is the only place you are seeing it in Add/Remove Programs? If so, it is just an "orphan" entry and can be removed by running regedit and right-clicking and deleting the entry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Can you shed any light on these entries in the Scanlog?


O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s

It is NEVER proper for a legitimate startup to be started from a "temp" folder.
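As an added example (not from the thread or from the HijackThis project), here is a small Python triage script that applies the rule above to the O4 lines of a HijackThis scan log: any startup whose executable lives in a temp folder is marked "fix", and, going one step beyond the post, entries outside the usual install roots (such as C:\RECOVERY) are marked "review". The sample log is constructed from the entries quoted in this thread, and the list of "expected" install roots is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O4 format, built from entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>Global Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.I)
TEMP_DIRS = {"temp", "tmp"}
EXPECTED_ROOTS = {"program files", "windows", "winnt", "progra~1"}  # assumed normal install roots

def parse_o4(line):
    """Split one O4 line into (location, entry name, command line), or None."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    return (m["where"], m["name"], m["cmd"]) if m else None

def executable_path(cmd):
    """Extract the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]

def triage(path):
    """'fix' for temp-folder startups, 'review' for odd locations, else 'ok'."""
    dirs = [p.lower() for p in PureWindowsPath(path).parts[1:-1]]  # drop drive and file name
    if any(d in TEMP_DIRS for d in dirs):
        return "fix"       # never legitimate, per the advice above
    if not dirs or dirs[0] not in EXPECTED_ROOTS:
        return "review"    # e.g. C:\RECOVERY, or a bare file name resolved via PATH
    return "ok"

def triage_log(text):
    """Return [(verdict, location, name, path)] for every O4 entry in a scan log."""
    results = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            where, name, cmd = parsed
            path = executable_path(cmd)
            results.append((triage(path), where, name, path))
    return results
```

Run `triage_log(SAMPLE_LOG)` on a real scan log's text to get one verdict per O4 entry; a "fix" verdict corresponds to an entry you would tick and fix in HijackThis after saving a copy of the file.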
 

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
Would the registry item to delete be the "My Way Speed Bar Uninstall" item?

Regarding property.exe: I have no idea what it is supposed to be. In C:\Temp I see a prop.exe install program, but I didn't want to run it myself. Perhaps I should delete it?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Originally posted by Artemus69:
Would the registry item to delete be the "My Way Speed Bar Uninstall" item?
Yup, that's it.

As for Prop.exe, would you please send me a copy of the file for analysis?
If it's indeed an all new baddie, we'd want to forward copies to the developers ASAP!

We'd appreciate it! :)
 
Joined
Dec 9, 2000
Messages
45,855
Since you don't know what those files are, you should check and "fix" them with HijackThis. This will remove the registry startup call for them.

After you've sent off a copy to Tony, you can either delete them or simply rename them (e.g. property.xxx) to ensure they don't get started again from some other process.

In any case it is a good practice to routinely clean the temp folder. This is not meant as a permanent location for executable programs, and can lead to future conflicts if the wrong things remain there.
 

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
I have sent two files to Tony:
prop.exe that was in my C:\Temp folder
property.exe that was in my C:\Recovery folder

I have renamed both files as *.xxx

Regarding the MySearch problem - it appears to be solved.
 
Joined
Dec 9, 2000
Messages
45,855
Good to hear, and I'll mark this as "resolved". We'll be interested to hear what Tony comes up with.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Not much so far, unfortunately. They don't immediately strike me as viral in nature, but I could of course be mistaken.

Examination of the file tells us that it comprises the GLBS version of the "Wise Installation System" (Wise installer), which is usually not something which your average trojan uses.

I also found the string "Demo installations only run on the computer they were created on", which also *appears* to indicate it's legitimate, but you never know...

You did well to rename them. Just keep an eye on things and see whether everything continues to work normally.
 

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
A potential clue: I work for the US Postal Service and have a VPN connection to our intranet. The properties of the prop.exe file say it is copyright "USPS" with a description of "Item: Check Configuration". Is it possible that this is designed in some way to set up my VPN connection?
 
Joined
Dec 9, 2000
Messages
45,855
That would explain it; however, the installation procedure went awry, leaving a startup pointing to the temp folder. That was probably only meant to run once and disappear.

Which one is the setup file and which one is the normal executable?
 

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
Both files are setup files. Prop.exe is dated 2/6/2002 and Property.exe is dated 11/27/2001. They are almost the same size.
 
Joined
Dec 9, 2000
Messages
45,855
In that case I can't understand why they should be routinely starting up. I would just save them some place and delete the HijackThis entries for them.
 

Artemus69

Thread Starter
Joined
Sep 28, 2003
Messages
8
I have deleted them and have had no problems so far. I want to thank Tony and the Dormouse for all their help.
 