Deleting MyWay.MyWebSearch

[carlos3o]

My operating system is Windows XP. After running Spybot Search & Destroy I always find a PUPS threat with the name MyWay.MyWebSearch.
Spybot seems to fix it every time but the next time I run it, it´s still there.
I have scanned my hard drive for both MyWay and MyWebSearch and found nothing. There are no programs with those names in the Add/Remove list of the Control Panel. My AVG antivirus hasn´t detected anything either. I have tried SuperAntiSpyware too but I keep getting the message when I run Spybot. I will appreciate any help you can offer. I am copying the DDS.txt file below and attaching a zip file with Attach.txt and ark.txt. Thank you in advance.


DDS (Version 1.1.0) - NTFSx86
Run by Jesus Narino at 17:02:32.57 on Sat 12/27/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.282 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jesus Narino\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://portal.cuny.edu/portal/site/...-content=LOGIN
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {9356217D-BEBD-48D7-830F-FB0AD753CC96} = 64.105.124.156 64.105.159.251
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jesusn~1\applic~1\mozilla\firefox\profiles\tkrxnin4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.att.net/|https://webauth.att.net/auth/webmail/login?action=Login&url=http%3A%2F%2Fwebmail.att.net%2Fwmc%2Fv%2Fwm%2F48187D040000F65B00002D7C2221612556%2F%3Fcmd%3DList%26sid%3Dc0|http://ed2k.2x4u.de/index.html
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\octoshape streaming services\jesus narino\octoprogram-l03-n00-u00-c00_0711200_000\npoctoshape.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-17 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-17 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-7 127768]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-4 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-29 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-17 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-17 76040]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S1 ntiomin;ntiomin; []
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\133.tmp []

=============== Created Last 30 ================

2008-12-27 01:14 <DIR> --d----- c:\program files\SyncToy 2.0
2008-12-26 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 18:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-26 18:36 <DIR> --d----- c:\docume~1\jesusn~1\applic~1\SUPERAntiSpyware.com
2008-12-26 02:36 0 a------- c:\windows\system32\538.tmp
2008-12-16 22:13 <DIR> --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2008-12-27 17:02 175,138,848 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-27 03:04 2,051,372 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-27 08:39 78,932 a------- c:\windows\hpfins05.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-22 15:39 25,000 a------- c:\docume~1\jesusn~1\applic~1\GDIPFONTCACHEV1.DAT
2008-09-13 02:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 17:03:27.10 ===============

[tetonbob]

Hi -

Not much jumping out in those logs. What exactly is Spybot finding? Do you have the most recent version, and are the definitions current?

Run SpyBot check for problems, fix all red items, when its finished right click and choose copy results (not full report) to clipboard and paste that back here please.

[carlos3o]

Hi,

Thank you for your response. I have the latest version of Spybot Search & Destroy (1.6.0.31) and I update it every time I run it, which is almost daily. The problem encountered by Spybot is "MyWay.MyWebSearch", and the Kind is PUPSC (1 entry). I see from the results that the problem is related to IE toolbar and I want to say that although I use Internet Explorer now and then my browser of choice is Mozilla Firefox.
Here are the results, as requested by you. Thank you again,

Hint of the Day: Click the bar at the right of this to see more information! ()


MyWay.MyWebSearch: [SBI $B267ADF3] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-1202660629-1965331169-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-08-14 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2007-08-04 unins000.exe (51.41.0.0)
2008-08-24 unins001.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-11-04 Includes\Adware.sbi (*)
2008-12-22 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-12-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-12-22 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2008-12-16 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-16 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2008-12-10 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-12-23 Includes\Trojans.sbi (*)
2008-12-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

[tetonbob]

Hi -

There would appear to be differing information on that registry entry. This item is Open to debate, because it uses the Ask.com search engine.

http://www.systemlookup.com/search.p...EE4931A4AA+&s=

You have this installed:

ZoneAlarm
ZoneAlarm Spy Blocker

The toolbar appears to be orphaned, though,

Quote:

TB: {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No File

meaning it's harmless...one option is to uninstall the ZoneAlarm Spy Blocker, but if it's missing files, it might not uninstall.

More info here:

http://forums.zonelabs.com/zonelabs/...ssage.id=74483

http://forums.zonelabs.org/zonelabs/...d=47515#M47515

Personally, I dumped ZoneAlarm a while back when they included this opt-out toolbar installation which most users don't require, and seems designed to improve their cash flow.

http://www.benedelman.org/spyware/ask-toolbars/


You can set that item to ignore in the results section of the Spybot scan (right click menu)...or, disable TeaTimer, and run this registry fix:

Using Internet Explorer, Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.
• See this link for a tutorial

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:

REGEDIT4

[-HKEY_USERS\S-1-5-21-1202660629-1965331169-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Reboot, rescan....when you re-enable TeaTimer, if it notifies you of this change, accept it.

[carlos3o]

Hi,

Problem solved! I followed your instructions to disable TeaTimer, ran Regedit4, rebooted, enabled TeaTimer again and ran a scan and everything looks fine now; in fact, I´ve run several scans and no problems have been found. Thank you for your help and have a happy, healthy 2009!

[tetonbob]

Excellent! Glad to have helped.



Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.