Need help removing MyStart from Firefox

I’ve been unable to remove the MyStart by Incredibar from Firefox. It doesn’t show up as an add-on (I think it once did, but I removed several things recently), nor under programs to be removed. It hijacks my searches, but has no other apparent symptoms.

What I’ve done:

  • Manually removed any clearly related registry entry.
  • Removed a few files I managed to track down.
  • Reset all related entries in Firefox’s config file. These keep getting restored, somehow.

I’ve scanned with Avast (full, paid version of Avast’s internet security suite), IObit ASC’s malware removal tool, and Malwarebytes (free version). I’ve also used some of the recommended tools for producing logs, and I’ll attach those logs in subsequent posts.

OTL Logs

Malwarebytes log and ASW log

IObit ASC logs

IObit is a bit less than reputable as software.
http://www.mywot.com/en/scorecard/iobit.com
Read the user comments below; you may think to remove this software.

Suggest not running other software unless malware expert asks you to.

I didn’t load this software in reaction to this threat - I’ve been using IObit for a couple of years. I’ve seen the recent allegations (none of which are yet of threat to consumers), and if they hold up, I won’t be buying any future versions. However, the product I already paid for is still part of my toolkit. I’ve seen nothing to indicate the software is harmful - just that the company is not entirely ethical and doesn’t deserve my further business.

the full IObit story here…
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Hi gpseymour,

I’ve gone and notified a malware expert to have a look at your logs.

So help is forthcoming soon.

Please do not take any offense at the posts re IObit software. They are only for your information. Last link from Pondus shows IObit detection rate is 20%, so whether you keep it on your system is up to you.

No offense intended.

I don’t really use it for the detection. It’s primarily there for defragging and that sort of thing. It was inexpensive and helps me clean up a few things my other utilities don’t. Avast is my primary anti-malware software, and I break out MBAM when I run into a problem Avast doesn’t clean. I was surprised when neither of them saw the MyStart script as malware, since it’s cloaked and self-reinstalling.

Let me know if this cures it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV:64bit: - [2012-05-08 15:13:58 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
IE - HKU\S-1-5-21-3891824407-3261176998-3753983406-1003\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
IE - HKU\S-1-5-21-3891824407-3261176998-3753983406-1003\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" =
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012-05-29 12:54:08 | 000,000,000 | ---D | M]
[2012-05-29 15:38:41 | 000,000,000 | ---D | M] (We-Care Reminder) -- C:\Users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\4l5w0c8m.default\extensions\wecarereminder@bryan
O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension64.dll ()
O2:64bit: - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

:Files
C:\Program Files\Web Assistant

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ran the fix and quick scan. Log attached.

Could you confirm that it has all gone?

I haven’t seen any evidence of it yet. I’ll re-post to this topic if it shows up.

Thanks!

Once you are happy then run OTL and hit the cleanup button to remove the programme ;D

I went in and checked the about:config file in Firefox. Incredibar once again has about 25 entries there. I’m going to reset all of those and see if they reappear.

They are probably in the user.js file, which my tools do not look in.

Okay, I reset all of those entries, but as soon as I restart Firefox, they are returned to their prior state. Something is still out there keeping these active. Should I run the cleanup at this point, anyway?

No, could you run a fresh OTL quick scan and I will locate the js file.

Thanks for your hard work on this. Here’s the new scan.

OK, one more go. Could you post the log that pops up at the end, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)

:Files
C:\Users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\ke1vycyf.default\user.js

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
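
The symptom in this thread, about:config resets that come back after a restart, fits a user.js file in the profile: Firefox reads it at every start and applies its values over prefs.js. The following is an added example, not part of the original posts or of OTL: a Python check that lists what a user.js forces and which of those values a manual reset will lose on the next start. The sample file contents, the example_toolbar pref name and the search.example.invalid URL are constructed, and the list of search-related pref names is an assumption.

```python
import json
import re

# Matches one user_pref("name", value); line as Firefox writes them.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
# Assumed list of prefs that steer search, home page and new-tab behaviour.
SEARCH_PREFS = ("keyword.URL", "browser.search.", "browser.startup.homepage",
                "browser.newtab.url")

# Constructed sample files, not taken from the thread's logs.
SAMPLE_USER_JS = '''// constructed sample
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("extensions.example_toolbar.enabled", true);
'''
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.example_toolbar.enabled", true);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() call, skipping comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        try:
            prefs[name] = json.loads(raw)   # strings, numbers, true/false
        except ValueError:
            prefs[name] = raw               # keep unparsed values verbatim
    return prefs

def audit(user_js, prefs_js):
    """List prefs that user.js re-applies at each start, search-related first."""
    forced, current = parse_prefs(user_js), parse_prefs(prefs_js)
    findings = [{
        "pref": name,
        "forced_value": value,
        "search_related": name.startswith(SEARCH_PREFS),
        # True when prefs.js currently differs, i.e. a reset that will be undone
        "will_revert": current.get(name) != value,
    } for name, value in forced.items()]
    return sorted(findings, key=lambda f: (not f["search_related"], f["pref"]))

if __name__ == "__main__":
    for finding in audit(SAMPLE_USER_JS, SAMPLE_PREFS_JS):
        print(finding)
```

To use it on a real profile, read user.js and prefs.js from the profile folder with Firefox closed and pass their contents to audit().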