Dan Eckert

asked on
maxwebsearch browser hijacker will not remove

On a Windows 7 Home Pro I have the browser hijacker maxwebsearch.com.

I have cleaned with C Cleaner, JWT, ADW Cleaner, HitmanPro, Combofix.  I have followed some youtube suggestions for clearing it in the registry and can't find it there.  I have opened the hosts file and looked for it and I have run Avast boot scan.  Nothing clears it.

I have turned off all the add ons, reset Internet explorer many times and it keeps coming right back.

Any more ideas?
Davis McCarn

Try ADWCleaner again and then run ESET's online scanner: http://www.eset.com/us/online-scanner/

Part of your problem is that maxwebsearch came out in 2013.
Dan Eckert (ASKER)
Davis
thanks for getting back.   I'm finishing running ADW Cleaner and ESET online.  Nothing was found.

However, while I was waiting for anyone to answer I did run Spyware Hunter 4 and it found 36 including 4 instances of maxwebsearch and 32 other pieces of malware.

I did not clear them with Spyware Hunter because I'm not sure of its reliability.  Plus they want $40 for it ($10 if you refuse the offer for $40), that seems to be a giveaway.

But the point is Spyware Hunter did list 4 instances of maxwebsearch and the others have not.

What can I do next?

Dan
btan
Suggest using Malwarebytes Anti-Malware and performing another “Threat Scan” to verify that there are no remaining threats: http://malwaretips.com/blogs/maxwebsearch-com-removal/

Do check the shortcut.
e.g. The argument that MaxWebSearch.com uses in order to hijack your browser will be similar to the one below; remove it manually by editing the shortcut's target line:
http://maxwebsearch.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=

Do delete all the cookies before a complete removal (or the rerun), and do it in all browsers (not only IE) installed on your machine: http://blog.yoocare.com/maxwebsearch-com-redirect-removal-guide/

Do show all hidden files, e.g.:
Under Advanced settings, click Show hidden files and folders, uncheck Hide protected operating system files (Recommended) and then click OK.

Do a check and remove all the malicious files (be careful when touching the registry):
%AppData%\Local\[random].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

As a whole, also consider checking (and deleting) any files or folders related to MaxWebSearch.com, mainly those that fall under folder paths like %ProgramFiles%, %AppData%, %ProgramData% or %LocalAppData%.

There is another called Emsisoft Anti-Malware also used for such hijacker removal, you may want to consider it later http://www.bleepingcomputer.com/virus-removal/remove-webssearches.com-browser-hijacker
Thanks
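The shortcut check above can be done for every .lnk at once rather than by hand. The following is an added example, not code from the thread or from any of the tools named in it; it assumes a standard Windows 7 profile layout (adjust `$roots` otherwise) and flags any shortcut whose Arguments carry a URL, which a clean browser shortcut never has.

```powershell
# Added example (not from the thread): audit browser shortcuts for injected target arguments.
# Assumes a Windows 7 profile layout; adjust $roots if shortcuts live elsewhere.
$shell = New-Object -ComObject WScript.Shell

# Locations a hijacker typically rewrites: desktops, Start Menus, Quick Launch (which also
# holds the taskbar's pinned items under "User Pinned\TaskBar").
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

function Get-SuspiciousShortcuts {
    $findings = @()
    foreach ($root in $roots) {
        $links = Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($file in $links) {
            $lnk = $shell.CreateShortcut($file.FullName)
            # A browser shortcut normally has empty Arguments, so any URL there is the
            # hijack pattern; also catch the domain if it was written into the target itself.
            if ($lnk.Arguments -match 'https?://' -or
                ("$($lnk.TargetPath) $($lnk.Arguments)") -match 'maxwebsearch') {
                $findings += New-Object PSObject -Property @{
                    Shortcut  = $file.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
    }
    return $findings
}

function Repair-Shortcut([string]$path) {
    # Clears the injected arguments and saves the .lnk; the target program is left intact.
    $lnk = $shell.CreateShortcut($path)
    $lnk.Arguments = ''
    $lnk.Save()
}

$hits = @(Get-SuspiciousShortcuts)
if ($hits.Count -eq 0) {
    'No shortcuts with injected arguments found.'
} else {
    $hits | Format-List Shortcut, Target, Arguments
    # Review the list, then repair each one, e.g.:  Repair-Shortcut $hits[0].Shortcut
}
```

Run it from the affected user's account, since Quick Launch and the per-user Start Menu are resolved from that user's environment.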

I have followed the suggestions, some of them several times.  Used the Bleeping Computer tutorial and ran Emsisoft anti malware and I'm still stuck with the maxwebsearch.com hijacker.

Have you any experience using Process Explorer to trace it and kill it?

Thanks

Dan
If the infection occurred within the last 2 weeks, we may be able to evict it.  First, check the Windows\Tasks folder for entries that might cause a reinfection and delete any that are suspicious.
Next, shut down the PC, turn it back on, and, while the manufacturer's logo is on the screen, start hitting F8 like a madman.  When you are prompted, choose repair my computer.  Login with the appropriate language & keyboard, then the user's login and password.  Choose System Restore from the choices.  Make sure it is from before the infection and that it is labeled as a Windows update and/or critical update and let it rip.  If you need to, click the show more restore points to get to one old enough.  Let it finish, pray a little, and reboot even if it says it failed.
Do you still have the output textfile from your AdwCleaner attempt?
It should be at C:\AdwCleaner[XX].txt depending on how many times it has run.
Can you attach the output of the first run you made as a .txt file (Use the attach file in the post)

In terms of clean up there are probably two choices from your description.

Surgical precision - taking out just the MaxWebSearch components by excising them from the files they've hidden around themselves.
or
Brute force - probably some collateral damage, cookies and passwords may get lost and you may have to restore a few settings from their defaults to how you like them.

The first will take some time (probably, will know more once the AdwCleaner log is available) the second one is quick.
A repair my computer -> System restore , as I outlined, restores 85-90% of the core Windows files and the registry.  It is extremely powerful and effective.  The problem with normal system restores is that a memory resident virus/Trojan will reinfect during rebooting.
Also check the hosts file located at C:\Windows\System32\Drivers\etc\hosts. Compare the (post) hosts file and the (pre) hosts backup file. Open both of them in Notepad and then make sure the hosts file is in accordance with the hosts backup file. Do check out the changes made by this PUP add-on (under virus characteristics); those artefacts should not be around as well.
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=7707987#none

Also do disable the System Restore Utility to remove the infected files before the removal takes place, else it can be restored too. There is this tool as well; though I know you have tried almost all, if it is worth a try, you may consider it again:
http://trojan-killer.net/maxwebsearch-com-browser-hijacker-removal/

Process Explorer only kills the process running in memory; it is not going to remove it, though. Furthermore, the add-on is going to ride on the iexplore process. But it is good to ascertain this pesky add-on's trails and hunt it down - manually though. Here is an example (not maxwebsearch): http://www.howtogeek.com/school/sysinternals-pro/lesson3/
It's a client computer and I think it's been in there a long time.  Their free Norton had expired a year ago and they had no protection for a long time.

Attached is the first ADW Cleaner report run on 2/10.  There have been several runs after this one.

Since this first run, I've uninstalled AVG, Norton, McAfee--all out of date.  I've tried many other tools and hunting in the registry for maxwebsearch.

Really appreciate the help.

Dan
AdwCleaner-R0-.txt
Strangely AdwCleaner has left most of the BHO hooks alone, there's also a trojan respawner hiding in Chrome which is reloading on launch.  There's probably a stealth component hiding some of the active components too.  It does look from this brief log as if your user is keen on installing software bundled with "added value extras" (!).

It's probably worth uninstalling Chrome and then in SafeMode del everything (including hidden and system files) below UserProfileName\AppData\Local\Google\Chrome.  Then reboot and put Chrome back from a fresh download.


Otherwise I'm going to suggest for expediency we hit it hard with Combofix
You'll need to disable any active AV scanning temporarily while it runs through all the component parts.

This will reset much of their browser settings including stored passwords and log them out of "remember me" logged in sites.

Download from the "ComboFix Download Link"  on this page http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With real-time scanning off run from desktop

Allow plenty of time to complete - expect it to look as if it is hanging but you will gradually see it check through each of the checks.

*and make sure if they use them they have the most recent JRE and Flash versions installed.*

Can you similarly upload the logfile produced at the end with an update on how things are going?
Been off to service calls, back for lunch, and out most of the afternoon.  Will work with Combofix this evening and let you know.

Thanks

Dan
Try running SPYBHOREMOVER from securityxploded.com
another is trojan killer in my last post.
So far the two below are also desirable for consideration

SUPERAntiSpyware - provides the ability to prevent the changes to your home page. You can set this option in the Preferences section under the Hi-Jack Protection tab. You may instruct SUPERAntiSpyware to alert you if another application attempts to change your Internet Explorer home page
http://www.superantispyware.com/superantispywarefreevspro.html

Spybot - scan selected or all drives for viruses. Also it has its own web proxy server that protects your system against malicious websites and cookies. If this feature is enabled it acts as the default system proxy and access to the Internet will use the Spybot proxy
http://www.safer-networking.org/private/compare/
Masq

I've run Combofix in safe mode, file attached.

I still have maxwebsearch.com on IE.

Thanks Dan
Sorry you shouldn't have run it in Safe Mode, that was to remove the Chrome issue.  Combofix really needs to have all the system services running and Safe Mode stops that.
Can you run it in normal mode and then post the output log.
OK will do.

While waiting I started Process Explorer, I found the phrase "maxwebsearch" as part of the command line for C:\program files\internet explorer\iexplorer.exe"http://maxwebsearch.com/********

Can this lead me to a place to edit out "maxwebsearch"?

I'm rerunning combofix now.
"Can this lead me to a place to edit out "maxwebsearch"?"
Yes, see if you can find the entry in Autoruns and uncheck it.

Run the Combofix scan in normal mode first though.

We're gradually peeling away its cover and forcing it into the open so we can squash it!
Likely the shortcut is as follows.
Do check the shortcut.
e.g. The argument that MaxWebSearch.com uses in order to hijack your browser will be similar to the one below; remove it manually by editing the shortcut's target line:
http://maxwebsearch.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=
Also you may want to check the attached, esp. the "The following registry elements have been created:" section.
changes.txt
Attached is the Combofix run in normal mode.

I'm now looking for the AutoRun reference.

Thanks Dan
Not attached Dan :(
Sorry

Trying a second time.
ComboFix.txt
OK that looks good, let's have a look in the registry now for MaxWebSearch

Can you download SystemLook? - get the right version for your Home Pro system - 32bit Windows 7 here - 64bit Windows 7 here.

Run this and, because we're looking for registry entries, paste the following in the search box:
:regfind
MaxWebSearch

Then click 'Look' and attach the output
System Look is giving me "Script Required".  Will not run.

Tried running as Administrator.  That didn't work.
set it up like this
User generated image
I apologize for not knowing that.  Thanks for telling me.

The scan is running now.
Here is the scan. Nothing found.

I've done several finds in regedit for maxwebsearch, max*, * websearch

All with nothing.  This confirms it again.  

How about a HiJack this scan?
SystemLook.txt
SystemLook is useful as it looks further than the Find command in RegEdit & no news is good news!

OK let's look at HJT - it looks a lot like all that's needed now is to clean up IE and make sure the system reboots without respawning anything
Attached is the latest HJT report.

Hope this gets us there.

Thanks.

Dan
hijackthis.log
OK HJT looks clean - or at least shows all the files that have been cleaned up
You should delete all these redundant entries that point to bad files that have been quarantined or deleted.
HJT-Orphan-Entries.txt

It looks like you have already reset IE to its defaults but if you haven't done that since the final cleanup you should once again.

In order:
- Final check there is nothing in Control Panel\All Control Panel Items\Programs and Features that you don't recognize

- In IE Internet Options > Advanced Tab > Reset button, check "Delete personal settings"

- Run AdwCleaner once more and check under the Files tab that there are no suspicious entries, clean if necessary

- Run a Full scan with MBAM

- If you want a final check then HitmanPro (Free 30 day trial) is built as a "second opinion" tool.

(You can download and run Hitman for free and see if it finds anything else.  If it does there's an option to activate a free 30 day trial (per installed computer) during this time it will work as the full version and remove anything it finds for you.)

Then I think we should be done!

If so the next stage is some education for your user on how to stay safe on the Net :)
HJT-Orphan-Entries.txt
MASQ   thanks for all your help on this.  You guys at EE are the best.

However, after following all your suggestions, including clearing the HJT list you suggested, I still get the maxwebsearch.com page overriding my IE or Firefox.  AdwCleaner, Malwarebytes come up with nothing.

Attached is a screenshot of ie.exe running with the properties from process explorer.  Maxwebsearch is obviously still in the system somewhere.

User generated image
A thought.  Have we cleared the prefetch?  Is that worth considering?

Still struggling

dan
e-exchange-1.jpg
Did you use Hitman?
Can you use SystemLook to hunt for 6D315B49
According to that picture, it's a scheduled task.  If you go to C:\Windows\Tasks, you ought to be able to delete it.
Davis is right
It's hiding in Task Scheduler

Start Button
Type "Task Scheduler" in the search box and hit enter
Wait for the TS window to open
Maximise
Click on Task Scheduler Library
Highlight all the unknown or MaxWebSearch entries and delete

Now run MSConfig and check the Startup Tab for any other instances.
Hitman showed zero threats.

Here is the SystemLook Screen

How did you come up with 6D315B49?

User generated image
checking out scheduled tasks now.



Dan
DavisMcCarn
Looking at windows\tasks.  Nothing obvious as maxwebsearch.  Should I see that?  Or just delete the whole txt file?
In task scheduler there were several undefined.  one of those was 6D315B49.  I deleted it.

Checked start up in MSConfig and no sign of maxwebsearch or the 6D315D49 and still getting maxwebsearch.com.

I think I'll take out more of the unknowns in Task Scheduler.
That's the first part of the Hex code for the task UUID

My bad, I should have thought of this when you first mentioned it showed up in ProcExp!

You'll probably have to reset IE and your other browsers again :(
I think we're on the right track.  Firefox opens to Google now, and not maxwebsearch.

IE still goes to maxwebsearch.

I'm getting a pop up "windows cannot find c:\users\haggetts\appdata\roaming\5.exe.  Make sure you have typed the name correctly and then try again".
GOT IT!!!

While I wait for you I try different things that I think are safe and worth a try.

While waiting, I opened free Avast's browser cleaner and deleted all add-ons for IE.  There were only four safe add-ons in all.  I deleted all but the Avast add-on.  And then it opens to Google.  Shut down and reboot and Google is still the homepage.  Go to a couple Google searches and the home page holds.

I'm going to clean all my tools off and see if it holds the homepage like it should.

I'm still getting the AppData\roaming\5.exe error.  There is an Avast message that comes up at the same time referencing a website.  But I didn't catch it.  I'll capture the next time it comes up.

Thanks for hanging with me on this one.  One of the tougher I've had, but I learned a lot.  Thanks.
Not a problem, if you look for 5.exe in the registry and remove it we should be done :)
Ran both a regedit and SystemLook for 5.exe.

Here is where it takes me.  You're right, you get a better look with SystemLook.

User generated image
Should I delete all that?
NO!  
None of the files listed in SystemLook are relevant they are all wildcard filenames that end 5.exe but are not actually 5.exe - deleting them will damage your dot Net installation.

Do you just get one reference to 5.exe with regedit? (is that the window underneath in your screenshot?)  That's what I was expecting to see.  It's a redundant registry entry to run '5.exe' but you've removed the target as it was redirecting IE.
Here is the screen with both the pop up and the Avast warning in lower right corner.

I'll not touch the registry.

Both browsers are working fine.  I'm cleaning and doing Windows, Java and Flash updates without a problem.

User generated image
Should I be worried about this Avast message?  I think some kind of malware is calling out on the web.
There's just the 5.exe entry to remove from the registry, Regedit and Find "5.exe" should locate the entry that's calling it.

If you don't want to do this to the registry directly you could also find & disable it with Autoruns (and maybe even with MSConfig from the Startup tab).

On the second issue

If you hit "More details" on the Avast pop-up you can get the full path to the culprit file but it looks like a rogue file pretending to be the legitimate windows file winsta.exe (never legitimately found in the Program Files folder!)  I'm guessing another visitor your user invited in unintentionally.

With the path identified then boot to SafeMode and try deleting it -  I doubt you'll be able to unlock it in normal Windows.

Then it's time for another full AV scan with latest definition files.
I'm going after the 5.exe first

I've looked in MS Config, the registry, and the directory AppData\roaming\5.exe and I'm really not seeing anything I dare to delete.  So I really don't know what I'm looking for.

I've searched in Autoruns and Process Explorer, and find nothing under "5.exe".

Both of these only come up on the start up.  Once I close them  I never see them again until the next reboot.
OK if 5.exe doesn't appear in the registry there's another program being called at startup that's trying to launch it.

Run MSConfig and in the Startup tab see if there's anything you don't recognise, do the same with Autoruns and the Logon tab - you may need to maximise the Autoruns window and extend the ImagePath header to see the full path.

Anything suspicious uncheck (or if you're worried post a screenshot first)

If you don't see anything then in MSConfig click 'Disable all'

Then restart and see if it's no longer trying to launch 5.exe - if it's fixed then it's a question of adding the startup task back in a few at a time until you find the culprit.
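The MSConfig/Autoruns walk-through above can be scripted so that every Run/RunOnce value and every scheduled task is checked for a launch target that no longer exists on disk, which is exactly what produces the "Windows cannot find ...\5.exe" message. This is an added example, not code from the thread or from Autoruns; it assumes an English Windows 7 build (schtasks prints English column headers) and that schtasks.exe is on the PATH.

```powershell
# Added example (not from the thread): report autostart entries whose target file is gone.
# Assumes English schtasks column headers and schtasks.exe on the PATH.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExePath([string]$cmd) {
    # Quoted path, or an unquoted path read up to its extension (copes with spaces in
    # "Program Files"). Returns $null if the command line has no recognisable program.
    if ($cmd -match '^\s*"?([^"]*?\.(exe|com|bat|cmd|vbs|js|scr|dll))\b') {
        return [Environment]::ExpandEnvironmentVariables($matches[1])
    }
    return $null
}

function Test-LaunchTarget([string]$exe) {
    # Bare names (rundll32.exe, regsvr32.exe) resolve via PATH; anything else must exist.
    if (-not $exe) { return $false }
    if ($exe -notmatch '[\\/]') { return [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
    return Test-Path -LiteralPath $exe
}

function New-LaunchRecord([string]$source, [string]$name, [string]$cmd) {
    $exe = Get-ExePath $cmd
    New-Object PSObject -Property @{
        Source = $source; Name = $name; Command = $cmd
        TargetMissing = ($exe -ne $null) -and -not (Test-LaunchTarget $exe)
    }
}

function Get-LaunchEntries {
    $results = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $results += New-LaunchRecord $key $p.Name ([string]$p.Value)
        }
    }
    # With /v, schtasks repeats its header row per task folder, so drop those rows;
    # "Task To Run" is the command each task launches (COM handlers have no file path).
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -eq 'TaskName') { continue }
        if ($t.'Task To Run' -match '^(COM handler|Multiple Actions)') { continue }
        $results += New-LaunchRecord 'ScheduledTask' $t.TaskName $t.'Task To Run'
    }
    return $results
}

# Entries whose target is gone, or that name the hijacker, are what keeps firing at logon.
Get-LaunchEntries | Where-Object { $_.TargetMissing -or $_.Command -match 'maxwebsearch' } |
    Format-Table Source, Name, Command -AutoSize -Wrap
```

Run it from an elevated PowerShell so the HKLM keys and every task folder are readable; a hit under Source "ScheduledTask" is removed from Task Scheduler, a hit under a registry key with regedit or Autoruns as described above.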
Turned off all in MS Config start up,  Checked AutoStart "login" & Everything, did not find the 5.exe or anything suspicious.

Rebooted and got the same error message with everything in start up off.

User generated image
Can you show me the Autoruns Logon tab?

NB bedtime here ... :)
Here is the top half of the login tab.

User generated image
OK, time for another malware remover.
http://thisisudax.org/downloads/JRT.exe

Place on desktop, right-click and "Run as administrator"

Another log to copy post at the end please.
Attached is the JRT report.

I usually run JRT, right after C Cleaner when I clean a pc.  This is the 3rd or 4th time I've run it.

Dan
JRT.txt
ASKER CERTIFIED SOLUTION
☠ MASQ ☠

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Had to make one of those business calls that tweakers hate.  I took the pc back to the client.  He needed it to do invoices and other business book work.  He was satisfied with the way it worked; much better than before.  We got rid of the malware and popups.  It was much better than when we started.  But the 5.exe and the other still pop up.

But thank you for your help, your patience and teaching me some new tricks.  It was fun to work with you.

I just saw in today's EE monthly blog that you were a VIP with EE.  I feel lucky to have got you on my case.  Hope we get to work on another some time.
Excellent job, Good teacher, very patient.