TechSpot

Please look and help me remove

By skinnerdipn
Mar 25, 2008
  1. Sorry, I misunderstood the directions. Attached are my 3 logs. Thank you!
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. kritius

    kritius TS Guru Posts: 2,084

    Please turn on your antivirus software if you had it turned off; if you have none, then get some immediately.

    Please download ONE of the following antivirus programs and install it.
    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
    Reboot if it fixed anything.

    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

    Fix entries with HijackThis
    • Open HijackThis and select Do a system scan only
    • Put a check next to the following items (if still there)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: (no name) - {0EFAE17D-F6C4-4ED1-9D6B-23A5F0700039} - C:\WINDOWS\system32\mllml.dll (file missing)
    O2 - BHO: (no name) - {149DB272-8FF3-4CF5-99D9-B0AED9F8C9F2} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {1FB3BD37-6FF8-4E1A-AD7C-DD714701E777} - C:\Program Files\OSLO3071b2.USB\qawi89104.dll (file missing)
    O2 - BHO: (no name) - {4238BDCB-2F20-7CF9-5113-5300CBC0DBEC} - C:\WINDOWS\system32\kur.dll (file missing)
    O2 - BHO: (no name) - {B7E0DBDE-06FC-4551-BC75-AF64EE91B5BF} - C:\WINDOWS\system32\vtsqp.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A88C5DFC-9E01-4029-85B7-595BB5175D6C}: Domain = domain.invalid

    • Close all browser windows including this one
    • Select fix checked

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.

    Run HijackThis again and post a fresh log.

    In your next post you should have,
    1)Kaspersky scan
    2)Fresh HJT scan
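
As an added illustration that is not part of the original thread: a small Python parser for HijackThis-style log lines of the kind listed in the post above. It separates the section code, GUID and file path and flags entries marked "(file missing)". The sample lines are copied from that post; the function and field names are assumptions made for this example.

```python
import re

# Sample lines copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: (no name) - {0EFAE17D-F6C4-4ED1-9D6B-23A5F0700039} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {1FB3BD37-6FF8-4E1A-AD7C-DD714701E777} - C:\Program Files\OSLO3071b2.USB\qawi89104.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A88C5DFC-9E01-4029-85B7-595BB5175D6C}: Domain = domain.invalid
"""

# Section meanings as HijackThis uses them (only the codes seen in this thread).
SECTIONS = {"R1": "IE start/search page", "R3": "URL search hook",
            "O2": "Browser Helper Object", "O9": "extra IE button/menu item",
            "O17": "domain/DNS setting"}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")  # drive-letter path running to end of line
MISSING = "(file missing)"

def parse_line(line):
    """Split one log line into fields; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:  # strip the marker so it does not end up inside the path
        body = body[: -len(MISSING)].rstrip()
    guid = GUID_RE.search(body)
    path = PATH_RE.search(body)
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "guid": guid.group(0) if guid else None,
            "path": path.group(0) if path else None,
            "unnamed": "(no name)" in body, "file_missing": missing}

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def orphaned(entries):
    """Entries whose registry value points at a file HijackThis could not find."""
    return [e for e in entries if e["file_missing"]]

if __name__ == "__main__":
    for e in orphaned(parse_log(SAMPLE_LOG)):
        print(e["code"], e["section"], e["guid"], e["path"])
```
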
     
  4. skinnerdipn

    skinnerdipn TS Rookie Topic Starter

    after what you said

    I did what you suggested, and Kaspersky showed some things, the mail was clean and so was the second one listed.

    Thank you!!
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Do the above.

    Go to add/remove programs and uninstall anything that looks like,
    MyWaySearch

    Then,

    I would like to view a list of currently installed software applications on your PC. How to provide as follows:

    Run HJT and click on Open the Misc Tools section.
    • Click Open Uninstall Manager...
    • Click Save list... and save it to your Desktop.
    • Attach the file uninstall_list.txt into your next reply.

    Run HJT again and select do a system scan only,
    • Put a check next to the following items if still there
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: (no name) - {5EC004CE-E1DD-46BF-8892-8E35296BA493} - C:\WINDOWS\system32\ddayx.dll (file missing)

    • Close all browser windows including this one
    • Select fix checked

    Please download the Killbox and save it to the desktop.
    • Now please run Killbox.
    • Select "Delete on Reboot" and "All files"
    • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\SYSTEM32\aqVreo01\aqVreo011065.exe
    C:\WINDOWS\SYSTEM32\TFTP392

    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    If your computer does not restart automatically, please restart it manually.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Run the kaspersky scan again

    Run HijackThis again and post a fresh log

    In your next post you should have,

    1)HijackThis uninstall list
    2)Fresh Kaspersky Scan
    3)Fresh HijackThis scan
    4)Antivirus turned on or one installed


    This thread is for the use of skinnerdipn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. skinnerdipn

    skinnerdipn TS Rookie Topic Starter

    I did all you said... I do have Trend Micro Internet Security running and I did download AVG Antivirus...

    Thank you!
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Go to add/remove programs and remove the following,

    HijackThis 2.0.0
    LiveReg (Symantec Corporation)
    LiveUpdate 2.0 (Symantec Corporation)
    Viewpoint Media Player


    Reboot if required,

    The next thing that I need you to do for me is to download and install the correct version of HijackThis for me,

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete post the log in your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.

     
  8. skinnerdipn

    skinnerdipn TS Rookie Topic Starter

    After getting HJT 2.02

    I could be really wrong... but the myway bar thing... it's on my IP's website as an option to get mail, have a personal page... etc... and I noticed in my installed programs list (via add/remove programs) there is listed as "Frontier Browser Assistant" and below that as "Frontier Search Helper"... I don't recall ever putting them on there, but I'm guessing they came with the software when we installed the High speed?

    The Frontier bar doesn't show up on firefox but does come up on IE... and the yahoo bar, I've removed it via the add/remove option, removed it via IE, and it's still showing up on the HJT report.

    I don't know if that was something you wanted gone also or not, but I am thinking the Frontier has to do with the Myway...

    Thank you!
     
  9. skinnerdipn

    skinnerdipn TS Rookie Topic Starter

    I'm not sure... maybe we're getting somewhere?

    I uninstalled the Frontier web/tool bar. I don't see the Yahoo tool bar coming up anymore. I rebooted after that.

    I ran AVG antivirus, it only found one thing, Trojan.small (shows cleaned)
    I ran Trend Micro Internet Security, and it found 5 Troj_generic.adv, 4 Cryp_tap2. I asked it to delete all of them.

    I re-booted and am re-running both programs, see if anything else comes up. I am also going to rerun the online scan too... do you want any more logs at this point?

    Thank you for your help!
     
Topic Status:
Not open for further replies.
