Solved

maxwebsearch browser hijacker will not remove

Posted on 2015-02-11
167 Views
Last Modified: 2015-02-16
On a Windows 7 Home Pro machine I have the browser hijacker maxwebsearch.com.

I have cleaned with C Cleaner, JWT, ADW Cleaner, HitmanPro, Combofix.  I have followed some youtube suggestions for clearing it in the registry and can't find it there.  I have opened the hosts file and looked for it and I have run Avast boot scan.  Nothing clears it.

I have turned off all the add ons, reset Internet explorer many times and it keeps coming right back.

Any more ideas?
Question by:DwEckert
54 Comments
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40606186
Try ADWCleaner again and then run ESET's online scanner: http://www.eset.com/us/online-scanner/

Part of your problem is that maxwebsearch came out in 2013.
 

Author Comment

by:DwEckert
ID: 40606627
Davis
Thanks for getting back. I'm finishing running ADW Cleaner and ESET online. Nothing was found.

However, while I was waiting for anyone to answer I did run Spyware Hunter 4 and it found 36, including 4 instances of maxwebsearch and 32 other pieces of malware.

I did not clear them with Spyware Hunter because I'm not sure of its reliability. Plus they want $40 for it ($10 if you refuse the offer for $40; that seems to be a giveaway).

But the point is Spyware Hunter did list 4 instances of maxwebsearch and the others have not.

What can I do next?

Dan
 
LVL 61

Expert Comment

by:btan
ID: 40607189
Suggest using Malwarebytes Anti-Malware to perform another "Threat Scan" to verify that there are no remaining threats: http://malwaretips.com/blogs/maxwebsearch-com-removal/

Do check the shortcut, e.g. the argument that MaxWebSearch.com uses to hijack your browser will look similar to the line below; remove it manually by editing the shortcut's target line:
http://maxwebsearch.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=

Do delete all the cookies before a complete removal (or the rerun), and do it in all browsers (not only IE) installed on your machine: http://blog.yoocare.com/maxwebsearch-com-redirect-removal-guide/

Do show all hidden files:
Under Advanced settings, click Show hidden files and folders, uncheck Hide protected operating system files (Recommended) and then click OK.

Do check for and remove all the malicious files (be careful when touching the registry):
%AppData%\Local\[random].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

As a whole, also consider checking (and deleting) any files or folders related to MaxWebSearch.com, mainly those that fall under folder paths like %ProgramFiles%, %AppData%, %ProgramData% or %LocalAppData%.

There is another tool called Emsisoft Anti-Malware that is also used for such hijacker removal; you may want to consider it later: http://www.bleepingcomputer.com/virus-removal/remove-webssearches.com-browser-hijacker
 

Author Comment

by:DwEckert
ID: 40607687
Thanks

I have followed the suggestions, some of them several times.  Used the Bleeping Computer tutorial and ran Emsisoft anti malware and I'm still stuck with the maxwebsearch.com hijacker.

Have you any experience using Process Explorer to trace it and kill it?

Thanks

Dan
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40607756
If the infection occurred within the last 2 weeks, we may be able to evict it. First, check the Windows\Tasks folder for entries that might cause a reinfection and delete any that are suspicious.
Next, shut down the PC, turn it back on, and, while the manufacturer's logo is on the screen, start hitting F8 like a madman. When you are prompted, choose Repair My Computer. Log in with the appropriate language & keyboard, then the user's login and password. Choose System Restore from the choices. Make sure it is from before the infection and that it is labeled as a Windows update and/or critical update, and let it rip. If you need to, click "show more restore points" to get to one old enough. Let it finish, pray a little, and reboot even if it says it failed.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40607771
Do you still have the output textfile from your AdwCleaner attempt?
It should be at C:\AdwCleaner[XX].txt depending on how many times it has run.
Can you attach the output of the first run you made as a .txt file? (Use the attach file option in the post.)

In terms of clean up there are probably two choices from your description.

Surgical precision - taking out just the MaxWebSearch components by excising them from the files it has hidden around itself.
or
Brute force - probably some collateral damage; cookies and passwords may get lost and you may have to restore a few settings from their defaults to how you like them.

The first will take some time (probably; will know more once the AdwCleaner log is available); the second one is quick.
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40607779
A Repair My Computer -> System Restore, as I outlined, restores 85-90% of the core Windows files and the registry. It is extremely powerful and effective. The problem with normal system restores is that a memory-resident virus/Trojan will reinfect during rebooting.
 
LVL 61

Expert Comment

by:btan
ID: 40607869
Also check the hosts file located at C:\Windows\System32\Drivers\etc\hosts. Compare the (post) hosts file and the (pre) hosts backup file. Open both of them in Notepad and then make sure the hosts file is in accordance with the hosts backup file. Do check out the changes made by this PUP add-on (under virus characteristics); those artefacts should not be around either.
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=7707987#none

Also do disable the System Restore utility to remove the infected files before the removal takes place, else it can be restored too. There is this tool as well; though I know you have tried almost all of them, if it is worth a try you may consider it again:
http://trojan-killer.net/maxwebsearch-com-browser-hijacker-removal/

Process Explorer only kills the process running in memory; it is not going to remove it, and furthermore the add-on is going to ride on the iexplorer process. But it is good to ascertain this pesky add-on's trails and hunt it down, manually though. Here is an example (not maxwebsearch): http://www.howtogeek.com/school/sysinternals-pro/lesson3/
 

Author Comment

by:DwEckert
ID: 40607880
It's a client computer and I think it's been in there a long time.  Their free Norton had expired a year ago and they had no protection for a long time.

Attached is the first ADW Cleaner report run on 2/10.  There have been several runs after this one.

Since this first run, I've uninstalled AVG, Norton, McAfee--all out of date.  I've tried many other tools and hunting in the registry for maxwebsearch.

Really appreciate the help.

Dan
AdwCleaner-R0-.txt
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40607932
Strangely AdwCleaner has left most of the BHO hooks alone, there's also a trojan respawner hiding in Chrome which is reloading on launch.  There's probably a stealth component hiding some of the active components too.  It does look from this brief log as if your user is keen on installing software bundled with "added value extras" (!).

It's probably worth uninstalling Chrome and then in Safe Mode deleting everything (including hidden and system files) below UserProfileName\AppData\Local\Google\Chrome. Then reboot and put Chrome back from a fresh download.


Otherwise I'm going to suggest for expediency we hit it hard with Combofix.
You'll need to disable any active AV scanning temporarily while it runs through all the component parts.

This will reset much of their browser settings including stored passwords and log them out of "remember me" logged in sites.

Download from the "ComboFix Download Link"  on this page http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With real-time scanning off, run it from the desktop.

Allow plenty of time to complete - expect it to look as if it is hanging, but you will gradually see it work through each of the checks.

*and make sure if they use them they have the most recent JRE and Flash versions installed.*

Can you similarly upload the logfile produced at the end, with an update on how things are going?
 

Author Comment

by:DwEckert
ID: 40608253
Been off to service calls, back for lunch, and out most of the afternoon.  Will work with Combofix this evening and let you know.

Thanks

Dan
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40609038
Try running SPYBHOREMOVER from securityxploded.com
 
LVL 61

Expert Comment

by:btan
ID: 40609159
Another is Trojan Killer, in my last post.
So far the two below are also worth considering:

SUPERAntiSpyware - provides the ability to prevent changes to your home page. You can set this option in the Preferences section under the Hi-Jack Protection tab. You may instruct SUPERAntiSpyware to alert you if another application attempts to change your Internet Explorer home page:
http://www.superantispyware.com/superantispywarefreevspro.html

Spybot - scans selected or all drives for viruses. It also has its own web proxy server that protects your system against malicious websites and cookies. If this feature is enabled it acts as the default system proxy and access to the Internet will use the Spybot proxy:
http://www.safer-networking.org/private/compare/
 

Author Comment

by:DwEckert
ID: 40609483
Masq

I've run Combofix in safe mode; file attached.

I still have maxwebsearch.com on IE.

Thanks Dan
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609490
Sorry, you shouldn't have run it in Safe Mode; that was to remove the Chrome issue. Combofix really needs to have all the system services running and Safe Mode stops that.
Can you run it in normal mode and then post the output log?
 

Author Comment

by:DwEckert
ID: 40609497
OK will do.

While waiting I started Process Explorer, I found the phrase "maxwebsearch" as part of the command line for C:\program files\internet explorer\iexplorer.exe"http://maxwebsearch.com/********

Can this lead me to a place to edit out "maxwebsearch"?

I'm rerunning combofix now.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609585
"Can this lead me to a place to edit out "maxwebsearch"?"
Yes, see if you can find the entry in Autoruns and uncheck it.

Run the Combofix scan in normal mode first though.

We're gradually peeling away its cover and forcing it into the open so we can squash it!
 
LVL 61

Expert Comment

by:btan
ID: 40609719
Likely the shortcut is as follows. Do check the shortcut, e.g. the argument that MaxWebSearch.com uses to hijack your browser will look similar to the line below; remove it manually by editing the shortcut's target line:
http://maxwebsearch.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=
Also you may want to check the attached, esp. the "The following registry elements have been created:" section.
changes.txt
 

Author Comment

by:DwEckert
ID: 40609734
Attached is the Combofix run in normal mode.

I'm now looking for the AutoRun reference.

Thanks Dan
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609748
Not attached Dan :(
 

Author Comment

by:DwEckert
ID: 40609845
Sorry

Trying a second time.
ComboFix.txt
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609900
OK, that looks good; let's have a look in the registry now for MaxWebSearch.

Can you download SystemLook? - get the right version for your Home Pro system - 32bit Windows 7 here - 64bit Windows 7 here.

Run this and, because we're looking for registry entries, in the search box paste:
:regfind
MaxWebSearch

Then click 'Look' and attach the output.
 

Author Comment

by:DwEckert
ID: 40609906
System Look is giving me "Script Required".  Will not run.

Tried running as Administrator.  That didn't work.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609921
Set it up like this.
This will search the registry for any instances of MaxWebSearch.
 

Author Comment

by:DwEckert
ID: 40609933
I apologize for not knowing that.  Thanks for telling me.

The scan is running now.
 

Author Comment

by:DwEckert
ID: 40609940
Here is the scan. Nothing found.

I've done several finds in regedit for maxwebsearch, max*, * websearch

All with nothing.  This confirms it again.  

How about a HiJack this scan?
SystemLook.txt
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40609965
SystemLook is useful as it looks further than the Find command in RegEdit & no news is good news!

OK, let's look at HJT - it looks a lot like all that's needed now is to clean up IE and make sure the system reboots without respawning anything.
 

Author Comment

by:DwEckert
ID: 40610276
Attached is the latest HJT report.

Hope this gets us there.

Thanks.

Dan
hijackthis.log
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40610567
OK HJT looks clean - or at least shows all the files that have been cleaned up
You should delete all these redundant entries that point to bad files that have been quarantined or deleted.
HJT-Orphan-Entries.txt

It looks like you have already reset IE to its defaults but if you haven't done that since the final cleanup you should once again.

In order:
- Final check there is nothing in Control Panel\All Control Panel Items\Programs and Features that you don't recognize

- In IE Internet Options > Advanced Tab > Reset button, check "Delete personal settings"

- Run AdwCleaner once more and check under the Files tab that there are no suspicious entries; clean if necessary

- Run a Full scan with MBAM

- If you want a final check then HitmanPro (Free 30 day trial) is built as a "second opinion" tool.

(You can download and run Hitman for free and see if it finds anything else.  If it does there's an option to activate a free 30 day trial (per installed computer) during this time it will work as the full version and remove anything it finds for you.)

Then I think we should be done!

If so, the next stage is some education for your user on how to stay safe on the Net :)
 

Author Comment

by:DwEckert
ID: 40610947
MASQ   thanks for all your help on this.  You guys at EE are the best.

However, after following all your suggestions, including clearing the HJT list you suggested, I still get the maxwebsearch.com page overriding my IE or Firefox. AdwCleaner and Malwarebytes come up with nothing.

Attached is a screenshot of ie.exe running with the properties from Process Explorer. Maxwebsearch is obviously still in the system somewhere.

From Process Explorer when running Internet Explorer.
A thought.  Have we cleared the prefetch?  Is that worth considering?

Still struggling

dan
e-exchange-1.jpg
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40610966
Did you use Hitman?
Can you use SystemLook to hunt for 6D315B49
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40610976
According to that picture, it's a scheduled task. If you go to C:\Windows\Tasks, you ought to be able to delete it.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40610989
Davis is right
It's hiding in Task Scheduler

Start Button
Type "Task Scheduler" in the search box and hit enter
Wait for the TS window to open
Maximise
Click on Task Scheduler Library
Highlight all the unknown or MaxWebSearch entries and delete

Now run MSConfig and check the Startup Tab for any other instances.
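A read-only triage script for the persistence spots this thread names (btan's shortcut target line, the %AppData% launcher, the RunOnce and ProxyEnable items, and the Task Scheduler entry found here), added as an example and not part of the original answers. It assumes Windows 7-era PowerShell, so it parses schtasks.exe output rather than calling Get-ScheduledTask, and the indicator string it matches on is a constructed default.

```powershell
# Added triage example (not from the thread). Read-only: it reports candidates in the
# persistence locations the answers name and deletes nothing. Run in an elevated PowerShell.
# Assumption: Windows 7-era PowerShell, so scheduled tasks are read via schtasks.exe.
$Pattern  = 'maxwebsearch'                      # constructed indicator; adjust per case
$Findings = New-Object System.Collections.ArrayList

function Add-Finding($Where, $Item, $Detail) {
    [void]$Findings.Add((New-Object PSObject -Property @{ Where = $Where; Item = $Item; Detail = $Detail }))
}

# 1. Browser shortcuts: the hijacker appends its URL to the shortcut's target line, so any
#    http(s):// argument on a .lnk is suspect, not only the known domain.
$Shell = New-Object -ComObject WScript.Shell
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('Programs'),
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # -Recurse also covers pinned taskbar items
)
foreach ($Dir in $ShortcutDirs) {
    if (-not (Test-Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $LnkArgs = [string]$Shell.CreateShortcut($_.FullName).Arguments
        if ($LnkArgs -match 'https?://' -or $LnkArgs -match $Pattern) {
            Add-Finding 'Shortcut' $_.FullName $LnkArgs
        }
    }
}

# 2. Run / RunOnce autostart values, plus the ProxyEnable switch in Internet Settings
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # skip PowerShell's own PSPath etc.
        ForEach-Object {
            $Cmd = [string]$_.Value
            # A launcher under a profile folder is how %AppData%\Local\[random].exe gets started
            if ($Cmd -match $Pattern -or $Cmd -match '\\AppData\\') { Add-Finding $Key $_.Name $Cmd }
        }
}
$Inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($Inet.ProxyEnable -eq 1) { Add-Finding 'Internet Settings' 'ProxyEnable = 1' $Inet.ProxyServer }

# 3. Scheduled tasks: the task seen in this thread had only a hex name, so match on the
#    action ("Task To Run") rather than on the task name.
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv | ForEach-Object {
    $Action = [string]$_.'Task To Run'
    if ($Action -match $Pattern -or $Action -match 'https?://' -or $Action -match '\\AppData\\') {
        Add-Finding 'ScheduledTask' $_.TaskName $Action
    }
}

if ($Findings.Count -eq 0) {
    "No '$Pattern', URL argument or profile-folder launcher found in shortcuts, Run keys, proxy setting or tasks."
} else {
    $Findings | Select-Object Where, Item, Detail | Format-Table -AutoSize -Wrap
}
```

Every hit is a candidate for review, not a verdict: legitimate updaters also launch from AppData, so confirm each item before removing it by the steps given in the thread.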
 

Author Comment

by:DwEckert
ID: 40610991
Hitman showed zero threats.

Here is the SystemLook Screen

How did you come up with 6D315B49?

e-exchange-2.jpg
checking out scheduled tasks now.



Dan
 

Author Comment

by:DwEckert
ID: 40610995
DavisMcCarn
Looking at windows\tasks.  Nothing obvious as maxwebsearch.  Should I see that?  Or just delete the whole txt file?
 

Author Comment

by:DwEckert
ID: 40611004
In Task Scheduler there were several undefined; one of those was 6D315B49. I deleted it.

Checked start up in MSConfig and no sign of maxwebsearch or the 6D315B49, and still getting maxwebsearch.com.

I think I'll take out more of the unknowns in Task Scheduler.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611009
That's the first part of the Hex code for the task UUID

My bad, I should have thought of this when you first mentioned it showed up in ProcExp!

You'll probably have to reset IE and your other browsers again :(
 

Author Comment

by:DwEckert
ID: 40611032
I think we're on the right track.  Firefox opens to Google now, and not maxwebsearch.

IE still goes to maxwebsearch.

I'm getting a pop up "windows cannot find c:\users\haggetts\appdata\roaming\5.exe.  Make sure you have typed the name correctly and then try again".
 

Author Comment

by:DwEckert
ID: 40611054
GOT IT!!!

While I wait for you I try different things that I think are safe and worth a try.

While waiting, I opened free Avast's browser cleaner and deleted all add-ons for IE. All there was was four safe add-ons. I deleted all but the Avast add-on. And then it opens to Google. Shut down and reboot and Google is still the homepage. Go to a couple of Google searches and the home page holds.

I'm going to clean all my tools off and see if it holds the homepage like it should.

I'm still getting the AppData\roaming\5.exe error. There is an Avast message that comes up at the same time referencing a website, but I didn't catch it. I'll capture it the next time it comes up.

Thanks for hanging with me on this one. One of the tougher ones I've had, but I learned a lot. Thanks.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611060
Not a problem, if you look for 5.exe in the registry and remove it we should be done :)
 

Author Comment

by:DwEckert
ID: 40611085
Ran both a regedit and SystemLook for 5.exe.

Here is where it takes me. You're right, you get a better look with SystemLook.

E-exchange-3.jpg
Should I delete all that?
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611152
NO!
None of the files listed in SystemLook are relevant; they are all wildcard filenames that end in 5.exe but are not actually 5.exe - deleting them will damage your .NET installation.

Do you just get one reference to 5.exe with regedit? (Is that the window underneath in your screenshot?) That's what I was expecting to see. It's a redundant registry entry to run '5.exe', but you've removed the target as it was redirecting IE.
 

Author Comment

by:DwEckert
ID: 40611173
Here is the screen with both the pop up and the Avast warning in lower right corner.

I'll not touch the registry.

Both browsers are working fine. I'm cleaning and doing Windows, Java and Flash updates without a problem.

E-Exchange-4.jpg
Should I be worried about this Avast message?  I think some kind of malware is calling out on the web.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611183
There's just the 5.exe entry to remove from the registry, Regedit and Find "5.exe" should locate the entry that's calling it.

If you don't want to do this to the registry directly you could also find & disable it with Autoruns (and maybe even with MSConfig from the Startup tab).

On the second issue

If you hit "More details" on the Avast pop-up you can get the full path to the culprit file but it looks like a rogue file pretending to be the legitimate windows file winsta.exe (never legitimately found in the Program Files folder!)  I'm guessing another visitor your user invited in unintentionally.

With the path identified then boot to SafeMode and try deleting it -  I doubt you'll be able to unlock it in normal Windows.

Then it's time for another full AV scan with latest definition files.
 

Author Comment

by:DwEckert
ID: 40611226
I'm going after the 5.exe first.

I've looked in MSConfig, the registry, and the directory AppData\roaming\5.exe and I'm really not seeing anything I dare to delete. So I really don't know what I'm looking for.

I've searched in Autoruns and Process Explorer and find nothing under "5.exe".

Both of these only come up on start up. Once I close them I never see them again until the next reboot.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611253
OK if 5.exe doesn't appear in the registry there's another program being called at startup that's trying to launch it.

Run MSConfig and in the Startup tab see if there's anything you don't recognise, do the same with Autoruns and the Logon tab - you may need to maximise the Autoruns window and extend the ImagePath header to see the full path.

Anything suspicious, uncheck (or if you're worried post a screenshot first).

If you don't see anything then in MSConfig click 'Disable all'

Then restart and see if it's no longer trying to launch 5.exe - if it's fixed then it's a question of adding the startup task back in a few at a time until you find the culprit.
 

Author Comment

by:DwEckert
ID: 40611406
Turned off all in MSConfig start up, checked AutoStart "login" & Everything, did not find the 5.exe or anything suspicious.

Rebooted and got the same error message with everything in start up off.

e-explorer-5.jpg
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611420
Can you show me the Autoruns Logon tab?

NB bedtime here ... :)
 

Author Comment

by:DwEckert
ID: 40611433
Here is the top half of the login tab.

E-explorer-6.jpg
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40611735
OK, time for another malware remover.
http://thisisudax.org/downloads/JRT.exe

Place on desktop, right-click and "Run as administrator"

Another log to copy and post at the end, please.
 

Author Comment

by:DwEckert
ID: 40612010
Attached is the JRT report.

I usually run JRT, right after C Cleaner when I clean a pc.  This is the 3rd or 4th time I've run it.

Dan
JRT.txt
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 500 total points
ID: 40613100
Sorry for the delay - long day!

JRT just listed Bing and Windows Live.

Assume 5.exe and Winsta.exe are still making an appearance?

Need to look deeper still, can you run the right bit-version of FRST and upload both the files produced?

That should get us Winsta and might just point out where 5.exe is getting called.
 

Author Comment

by:DwEckert
ID: 40613525
Had to make one of those business calls that tweakers hate. I took the PC back to the client. He needed it to do invoices and other business book work. He was satisfied with the way it worked; much better than before. We got rid of the malware and popups. It was much better than when we started. But the 5.exe and the other still pop up.

But thank you for your help, your patience and teaching me some new tricks. It was fun to work with you.

I just saw in today's EE monthly blog that you were a VIP with EE. I feel lucky to have got you on my case. Hope we get to work on another some time.
 

Author Closing Comment

by:DwEckert
ID: 40613533
Excellent job, Good teacher, very patient.