Know "startsearches" anyone?


Ove

I am running MSAS and it has removed a lot of spyware.
However, my homepage is still hijacked. The page which is
forcing itself to my screen is: www.startsearches.net. My
computer is also unreasonably slow. I am an amateur at
this, so I do not know if this is very informative, but I
could certainly do with some input. Thanks anyone
ove
 
From Andy:
I suspect you have something installed from Fun Web
Products. If that's the case, you should remove this as soon
as possible.

Open 'Add/Remove Programs' in the Control Panel. Select
the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar'
(MyWay) or 'My Web Search Bar' (MyWeb) entry and
click 'Remove'. For the MyWeb variant, be sure to also
remove 'Fun Web Products Easy Installer'.



The products related to this are :

MY WEB SEARCH BROWSER
MYWEBSEARCH
SMILEYCENTRAL
CURSOR MANIA
FUN BUDDY ICONS H
HISTORYSWATTER
MY INFO
MY MAIL NOTIFIER
MY MAIL SIGNATURE
MY MAIL STAMP
MY FUN CARDS
MY MAIL STATIONARY
POPSWATTER
POPULARSCREENSAVERS
SEARCH ASSISTANT

MyWeb is an IE toolbar providing search features, and a
homepage-/search-hijacker, targeted at the sites run by
MyWay.


If you can remove this from the add/remove screen, you can
then reset your home page (Internet Options->General-
Start Page) if it has been changed, and search settings
(Internet Options->Programs->Reset web settings).


Regards Andy
 
Hi Ove


There's a good chance you have malware installed that's
causing this slowdown plus the startsearch page.


First press Alt, Control and Delete and go to Task Manager.
Go to the Processes page and check for any of these.
Check for these:


Securityiguard
popuper.exe
shnlog.exe
intmon.exe
intmonp.exe
wp.exe
bsw.exe
Virtual Maid
Search Maid

(If you do find any, 'End Process' for each one found, and
check the add/remove screen; if you find Search Maid, Virtual
Maid or Security iGuard, remove them.)




Run a virus scan at any of these sites:




Trend Micro

http://housecall.antivirus.com/


Panda

http://www.pandasoftware.com/activescan/co...n_principal.htm

Symantec's Security Check & Virus scanner

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym






Download Microworlds Escan :

ftp://ftp.microworldsystems.com/download/tools/mwav.exe



There's nothing to install, Save to your desktop

Double click to run eScan's Mwav scan
It will self extract

Select all local drives & make sure you scan all files,
press 'SCAN' and when it is completed, anything found
will be displayed in the lower pane.


This may take awhile, let it finish

****If prompted that a virus was found and you need to
purchase the product to remove the malware, just close
out the prompt and let it continue scanning. There's no
need to buy; we just want to see where the malware is.*****


In the Virus Log Information Pane

Left click and Highlight all the info in the Lower pane---
Use "CTRL and the C" keys on your Keyboard to copy all
found in the lower pane and Paste the results back



Download Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Unpack it to its own folder (either C: drive or desktop),
choose to run a scan and save the logfile. When the scan
finishes it will open the results in Notepad.


Post the results for Escan & Hijack This and it will be
a lot easier to see what's causing you the problems. I think
you might have a trojan (maybe smitfraud) but the results
from the 2 scanners will show whatever it is.

You can post the results on here or email them. (There's
a lot of people on the forum who can help you with the log
if it's needed: Andre, Ron, Frank, Bill and many more
including myself, so hopefully between us we can fix
whatever is causing this.)

Regards Andy ;)
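
As an added example that is not part of the original posts: once the HijackThis log requested above is saved, a short Python script can pull out the two things this thread is looking for, browser settings pointing at startsearches.net and running processes from the list above. The log line shapes (the `Running processes:` section and the `R0`/`R1` registry lines) are assumed from HijackThis's usual output, and the sample log is constructed.

```python
import re

# Process names taken from the list in the post above (matched case-insensitively).
SUSPECT_PROCESSES = {"popuper.exe", "shnlog.exe", "intmon.exe",
                     "intmonp.exe", "wp.exe", "bsw.exe"}
HIJACK_DOMAIN = "startsearches.net"  # the page forced on the original poster

# Assumed HijackThis line shape: "R1 - HKCU\...\Main,Start Page = http://..."
R_LINE = re.compile(r"^(R[0-3]) - (.+?),([^,=]+?) = (.*)$")

def triage(log_text):
    """Return (hijacked_settings, suspect_processes) found in a HijackThis log."""
    settings, processes = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            name = line.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_PROCESSES:
                processes.append(line)
            continue
        m = R_LINE.match(line)
        if m and HIJACK_DOMAIN in m.group(4).lower():
            settings.append((m.group(3).strip(), m.group(4).strip()))
    return settings, processes

# Constructed sample log (not from the thread), for illustration only.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\popuper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearches.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
O4 - HKLM\..\Run: [intmon] C:\WINDOWS\system32\intmon.exe
"""

if __name__ == "__main__":
    hijacked, running = triage(SAMPLE_LOG)
    for key, url in hijacked:
        print(f"hijacked setting: {key} -> {url}")
    for path in running:
        print(f"suspect process running: {path}")
```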
 
Before following the steps below, open your prefetch
folder, located at c:\windows\prefetch. No removal tool,
neither adware nor spybot to my knowledge, deletes the
files that the program creates in the prefetch folder.

The easiest thing to do is simply delete all the files in
the folder. If you have an application that shreds
files, USE IT to destroy all these files. DO NOT delete
the folder entirely though. The prefetch folder contains
precompiled code that a program written using the .NET
Framework creates to lessen the overall size of the
compiled program. Once a spyware program that hijacks
your web browser has created a file in your prefetch
folder, your system will be re-infected each time you
launch your web browser! Not a good thing.

If you are using IE, follow these steps to restore your
homepage to what you want it to be:

1. Select the 'Tools' drop-down menu, select 'Advanced
Tools', and finally select 'Browser Hijack Settings
Restore.'

2. Click the 'Change restore setting to a new URL...'
link and type in the correct URL. And Click on
the 'Restore this setting now' link.

3. Make certain to look at all the settings. I'm
willing to bet that you might have been infected with a
variant of ABetterInternet, which usually changes more
than just your start page. One thing to do is look
closely at a page, if it is full of oddly placed
hyperlinks, then you might still be infected. Pay close
attention to the 'Search Page' and 'Search Assistant'
settings, as these are likely to have been modified.

I have to commend Microsoft for not changing the
functionality that Giant Company, the company Microsoft
bought to acquire Giant AntiSpyware, put into these easy
to use steps to restore one's web browser to what they
were before infection. I'd like to ask Microsoft not to
change the functionality, but a redesign on the GUI for
this feature would make it much easier to use (i.e. the
links to change the setting and restore the setting are
out in nevernever land if the program is enlarged to fill
the screen).

On a parting note I'd like to see a big change to MSAS.
I feel it would be a big improvement to both the program
and to our privacy and security if MSAS detects and
deletes files that a spyware/malware program has created
and stored in the prefetch folder. There's nothing worse
than deleting the offending program only to have it rear
its ugly head when the file in the prefetch folder is
accessed by your web browser or some other program.

Alan
 
Good work Alan

I wasn't sure what this malware was so was going to review
the logs to play it safe.


Temp Files & Prefetch Folder (XP Users)

You can either manually delete them or use this batch
file that I created to do it. All you need to do is
download the file called prefetch.bat to your Desktop and
then double click on it. There's also one to delete .tmp
files in your Temp folder

Download from here :

http://andymanchesta.com/Downloads/prefetch.bat

http://andymanchesta.com/Downloads/del_temp.bat


You will see the command prompt come up shortly and
disappear. That's it.


Regards Andy :)
 
I forgot to mention, if you are not using a firewall, get
one. You can download the free copy of Zonelab's Zone
Alarm from download.com, or use the firewall that comes
with XP. If you already have a virus protection program,
then you can get a copy of a firewall program at your
local computer retailer (i.e. Best Buy, Circuit City,
CompUSA, etc.). If you want to include a firewall and
virus protection in one, these can also be found at your
local computer retailer.

Make certain to look at the reviews at
www.pcmag.com/category2/0,1738,22,00.asp and
http://reviews.cnet.com/2001-3680_7-0.html?tag=ont.su
before making up your mind what you want to use. The main
reason to buy a firewall is for the free upgrades for 1
year, which can be extended by purchasing a new 1 year
subscription.

Alan
 