MyWay.MyWebSearch virus in the Locked Registry Keys

Hi peku006,

Here is the log from OTS.

Thanks

condor

[Registry - Safe List]
File C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\searchplugins\askcom.xml not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}\ not found.
< End of fix log >
OTS by OldTimer - Version 3.1.19.4 fix logfile created on 01282010_070945
 
Hi condor

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    MyWebSearch
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
 
Hi peku006,

I have run SystemLook and OTM several times over the past few days (as you showed me in earlier posts) and have narrowed the initiating factor down to “something” in the IE files which directs IE to h**p://go.microsoft.com/fwlink/?LinkId=69157 or 54896.
This immediately generates the Registry entry
“R1 – HKLM \Software\Microsoft\Internet Explorer\Main\” etc.,
as appeared in the first HJT log you had me run on Page 1, and also the entry Spybot initially found at the “toolbar” address “A4AA.”

I confirmed the problem as initiating in IE by uninstalling/deleting IE8. This stopped the infection. When I re-installed IE8 the problem came back even though I had added the “bad” http address to the IE Restricted Web Site list, and Custom Blocking the “A4AA” address in Spyblaster. So there appear to be some files I was unable to delete before I did the re-install of IE8.

I uninstalled IE8 again yesterday and have had no re-infection since. It seems if I no longer use IE I will not re-infect the computer.

I don’t know if it is significant, but after IE had been uninstalled WinPatrol intercepted a file called “Research” supposedly from Microsoft IE trying to install itself.

Perhaps there is some way to clean up the remnants of the IE files which would also include wherever the virus is lurking?

Here is the SystemLook file you requested which seems to be OK.

Thanks again for all your help.

condor

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:14 on 31/01/2010 by Admin (Administrator - Elevation successful)

========== regfind ==========

Searching for "MyWebSearch"
No data found.

-=End Of File=-
 
Hi condor

All the logs look good... I have to say that, in my view, we are ready. I cannot help you any more if the problem is due to IE.

Thanks peku006
 