Need help removing MyStart from Firefox

[gpseymour]

I've been unable to remove the MyStart by Incredibar from Firefox. It doesn't show up as an add-on (I think it once did, but I removed several things recently), nor under programs to be removed. It hijacks my searches, but has no other apparent symptoms.

What I've done:

- Manually removed any clearly related registry entry.
- Removed a few files I managed to track down.
- Reset all related entries in Firefox's config file. These keep getting restored, somehow.

I've scanned with Avast (full, paid version of Avast's internet security suite), IObit ASC's malware removal tool, and Malwarebytes (free version). I've also used some of the recommended tools for producing logs, and I'll attach those logs in subsequent posts.

[gpseymour]

OTL Logs

[gpseymour]

Malwarebytes log and ASW log

[gpseymour]

IObit ASC logs

[mchain]

IObit ASC logs

IObit is a bit less than reputable as software.
http://www.mywot.com/en/scorecard/iobit.com
Read the user comments below; you may think to remove this software.

Suggest not running other software unless malware expert asks you to.

[gpseymour]

IObit ASC logs

IObit is a bit less than reputable as software.
http://www.mywot.com/en/scorecard/iobit.com
Read the user comments below; you may think to remove this software.

Suggest not running other software unless malware expert asks you to.

I didn't load this software in reaction to this threat - I've been using IObit for a couple of years. I've seen the recent allegations (none of which are yet of threat to consumers), and if they hold up, I won't be buying any future versions. However, the product I already paid for is still part of my toolkit. I've seen nothing to indicate the software is harmful - just that the company is not entirely ethical and doesn't deserve my further business.

[Pondus]

the full IObit story here...
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

[mchain]

Hi gpseymour,

I've gone and notified a malware expert to have a look at your logs.

So help is forthcoming soon.

Please do not take any offense at the posts re IObit software.  They are only for your information.  Last link from Pondus shows IObit detection rate is 20%, so whether you keep it on your system is up to you. 

No offense intended.

[gpseymour]

Hi gpseymour,

I've gone and notified a malware expert to have a look at your logs.

So help is forthcoming soon.

Please do not take any offense at the posts re IObit software.  They are only for your information.  Last link from Pondus shows IObit detection rate is 20%, so whether you keep it on your system is up to you. 

No offense intended.

I don't really use it for the detection. It's primarily there for defragging and that sort of thing. It was inexpensive and helps me clean up a few things my other utilities don't. Avast is my primary anti-malware software, and I break out MBAM when I run into a problem Avast doesn't clean. I was surprised when neither of them saw the MyStart script as malware, since it's cloaked and self-reinstalling.

[essexboy]

Let me know if this cures it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  SRV:64bit: - [2012-05-08 15:13:58 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
  IE - HKU\S-1-5-21-3891824407-3261176998-3753983406-1003\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
  IE - HKU\S-1-5-21-3891824407-3261176998-3753983406-1003\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" =
  FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012-05-29 12:54:08 | 000,000,000 | ---D | M]
  [2012-05-29 15:38:41 | 000,000,000 | ---D | M] (We-Care Reminder) -- C:\Users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\4l5w0c8m.default\extensions\wecarereminder@bryan
  O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
  O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension64.dll ()
  O2:64bit: - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
  O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
  O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
  O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
  O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
  
  :Files
  C:\Program Files\Web Assistant
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[gpseymour]

Ran the fix and quick scan. Log attached.

[essexboy]

Could you confirm that it has all gone ?

[gpseymour]

I haven't seen any evidence of it yet. I'll re-post to this topic if it shows up.

Thanks!

[essexboy]

Once you are happy then run OTL and hit the cleanup button to remove the programme 

[gpseymour]

I went in and checked the about:config file in Firefox. Incredibar once again has about 25 entries there. I'm going to reset all of those and see if they reappear.