
[Resolved] I would like to delete the MySearch Bar

Discussion in 'Virus & Other Malware Removal' started by Artemus69, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    My system has the MySearch Bar installed. I cannot uninstall it using Add/Remove Programs, though it does appear in the list.

    I have run SpyBot and Hijack This. The Hijack This log is listed below. Please help!

    Logfile of HijackThis v1.97.2
    Scan saved at 6:54:28 PM, on 9/28/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Chris\My Documents\Download\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = "windowsupdate";<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
    O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Concur Expense Applets - https://etravel.usps.gov/eworkplace/Applets/cnqr_ie.cab
    O16 - DPF: XMS - https://etravel.usps.gov/eworkplace/Applets/xms_ie.cab
    O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://eagnmnsu1f0:8080/jinitiator/1217575w.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1767a73c2a691ed8d705/netzip/RdxIE6.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://aceportal.usps.gov/msrdp.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37605.4428125
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://56.217.194.248/ReportPage/ReportDisplay/activeXViewer/activexviewer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any entries relating to MySearchbar in the Scanlog. Is the only place you are seeing it in Add/Remove programs? If so, it is just an "orphan" entry and can be removed by running regedit and right clicking and deleting the entry under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


    Can you shed any light on these entries in the Scanlog?


    O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
    O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s

    It is NEVER proper for a legitimate startup to be started from a "temp" folder.
     
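The rule in the reply above (a startup entry launched from a temp folder is never legitimate) can be checked mechanically over a HijackThis scanlog. The following is an added example, not code from the thread or from HijackThis: it parses the registry-based O4 lines, splits each into executable path and arguments, and flags the ones whose path contains a temp directory. The sample log lines are constructed from the entries quoted in this thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HijackThis O4 (autostart) lines. The PROPERTY and jinit
# entries mirror the two the thread asks about; the others are typical benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PROPERTY] C:\RECOVERY\PROPERTY.EXE
O4 - HKLM\..\Run: [jinit] c:\temp\prop.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry-based O4 lines look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
TEMP_DIRS = {"temp", "tmp"}   # folder names treated as temp locations

def split_command(cmd):
    """Split a Run-key command into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()                         # unquoted: path ends at the first executable token
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return (tokens[0] if tokens else ""), " ".join(tokens[1:])

def parse_o4(line):
    """Return a dict for a registry O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m["cmd"])
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "exe": exe, "args": args}

def is_temp_startup(exe):
    """True when any directory component of the path is a temp folder."""
    dirs = {p.strip("\\").lower() for p in PureWindowsPath(exe).parts[:-1]}
    return bool(dirs & TEMP_DIRS)

def audit(log_text):
    """Return the parsed O4 entries whose executable lives in a temp folder."""
    return [rec for rec in map(parse_o4, log_text.splitlines())
            if rec and is_temp_startup(rec["exe"])]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(f'{rec["hive"]}\\..\\{rec["key"]} [{rec["name"]}] -> {rec["exe"]} {rec["args"]}')
```

Run against the sample, only the jinit entry is reported; the PROPERTY.EXE entry in C:\RECOVERY passes this particular rule and still needs the manual look the reply asks for.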
  3. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    Would the registry item to delete be the "My Way Speed Bar Uninstall" item?

    Regarding property.exe: I have no idea what it is supposed to be. In C:\Temp I see a prop.exe install program, but I didn't want to run it myself. Perhaps I should delete it?
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Yup, that's it.

    As for Prop.exe, would you please send me a copy of the file for analysis?
    If it's indeed an all new baddie, we'd want to forward copies to the developers ASAP!

    We'd appreciate it! :)
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Since you don't know what those files are, you should check and "fix" them with HijackThis. This will remove the registry startup call for them.

    After you've sent off a copy to Tony, you can either delete them or simply rename them (eg: property.xxx) to ensure they don't get started again from some other process.

    In any case it is a good practice to routinely clean the temp folder. This is not meant as a permanent location for executable programs, and can lead to future conflicts if the wrong things remain there.
     
  6. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    I have sent two files to Tony:
    prop.exe that was in my C:\Temp folder
    property.exe that was in my C:\Recovery folder

    I have renamed both files as *.xxx

    Regarding the MySearch problem - it appears to be solved.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Good to hear, and I'll mark this as "resolved". We'll be interested to hear what Tony comes up with.
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Not much so far, unfortunately. They don't immediately strike me as viral in nature, but I could of course be mistaken.

    Examination of the file tells us that it comprises the GLBS version of the "Wise Installation System" (Wise installer), which is usually not something which your average trojan uses.

    I also found the string "Demo installations only run on the computer they were created on", which also *appears* to indicate it's legitimate, but you never know...

    You did well to rename them. Just keep an eye on things and see whether everything continues to work normally.
     
  9. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    A potential clue: I work for the US Postal Service and have a VPN connection to our intranet. The properties of the prop.exe file say it is copyright "USPS" with a description of "Item: Check Configuration". Is it possible that this is designed in some way to set up my VPN connection?
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That would explain it; however, the installation procedure went awry, leaving a startup pointing to the temp folder. That was probably only meant to run once and disappear.

    Which one is the setup file and which one is the normal executable?
     
  11. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    Both files are setup files. Prop.exe is dated 2/6/2002 and Property.exe is dated 11/27/2001. They are almost the same size.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    In that case I can't understand why they should be routinely starting up. I would just save them some place and delete the HijackThis entries for them.
     
  13. Artemus69

    Artemus69 Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    8
    I have deleted them and have had no problems so far. I want to thank Tony and the Dormouse for all their help.
     
Short URL to this thread: https://techguy.org/168175
