/> -->

Tuesday, 29 April 2008


MWSOEMON.EXE - MyWebSearch Spyware

Mwsoemon.exe installs with a newer variant of the MyWebSearch spyware program. Generally, a browser helper object called mwsbar.dll will install at the same time.The toolbar does add search features but the search results you see will be hijacked to mywebsearch.com. WebSearch Toolbar is an Internet Explorer search toolbar that installs adware and spyware. WebSearch Toolbar changes your browser settings. This is a very high risk threat and should be removed immediately as to prevent harm to your computer or your privacy. Browser hijackers are malicious programs that change a user's web browser settings, usually altering designated default start and search pages. In addtion a browser hijacker can modify nearly every aspect of a web browser including adding bookmarks, and redirecting search traffic to alternative sites.

* mwsoemon.exe - My Web Search Bar for Internet Explorer, email clients, and messenger clients.
* mwsoestb.dll - My Web Search Plugin Loader

MWSOEMON shown on the task manager ( Press Ctrl-Alt-Del ), then try to end the task of the process mwsoemon.

Typical infected files locations:

* c:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
* c:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
* c:\program files\mywebsearch\bar\2.bin\mwsbar.dll
* c:\program files\mywebsearch\srchastt\2.bin\mwssrcas.dll

Typical Infected folders:

* c:\program files\mywebsearch
* c:\program files\mywebsearch\bar
* c:\program files\mywebsearch\srchastt
* c:\program files\mywebsearch\bar\2.bin
* c:\program files\mywebsearch\srchastt\2.bin

Uninstall Myway MySpeedbar from Start Button : Control Panel > Add/Remove programs. It might be called 'My Search Bar', 'MyWay Speed Bar' or 'My Web Search Bar', Click 'Remove' for what you find. Also remove 'Fun Web Products Easy Installer' if it is present.

Registry (Hijackthis analsysis) Entries made by MWSOEMON:

* O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\\HBHOSTIE.DLL
* O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
* O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\\HBHOSTIE.DLL
* O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

If not you can remove them manually by running Regedit and find MWSOEMON and delete the key. Try searching for LSvr; LTDMgr; websearch; WebSearch Email Plugin. Or 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run' and delete the values called 'WebSavingsfromEbates', 'websearch' and 'couponsandoffers'.

Restart computer.

Use the Find (Start Button : Search) and locate file MWSOEMON.EXE and delete it. Try to locate and delete websearch1.exe; MWSOEMON.EXE; MWSSRCAS.DLL; Toolbar.dll.

Browse your computer c: drive "Program Files\mywebsearch\" folder and remove it.

HijackThis is a useful tool, that lists all installed browser add-on, buttons, startup items and allows you to inspect, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users.

Download HijackThis

Background : WebSavings is installed from the vendors site or when installing other applications, such as the Morpheus file sharing program. Installation of Web Savings From Ebates Software. WebSavings is a shopping tool that open pop-up windows. It can also uninstall other software components that interfere with WebSavings.

Sumber: http://www.techspot.com/vb/all/windows/t-36086-MyWebSearch-has-me--.html

No comments: