Yieldmanager

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tezab_42, Oct 3, 2005.

  1. Tezab_42

    Tezab_42 Private E-2

    Hi guys, I've got a big problem with this spyware. I'm using
    XP Pro
    IE6 [I think]

    The popups appear when I use IE. OK, I know to change to Mozilla, but I wanna get rid of the spyware off this first.

    The popups are titled ad.yieldmanager

    Anyone got this problem? How do I delete it? Please help

    Thank you for your time
     
  2. Tezab_42

    Tezab_42 Private E-2

    Oh yeah, forgot to mention I've run

    Adaware
    Spybot
    AVG

    and they haven't picked it up :(
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. Tezab_42

    Tezab_42 Private E-2

    Here, followed the steps. Thank you for helping
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you have not! Please see step 1 of the cleaning process. Did you skip anything else?

    Also read the instructions on installing and running HijackThis properly again. You are running it directly from the ZIP file which is exactly what I requested you not do. The below shows how you are running it:

    C:\DOCUME~1\TERRYB~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    Is the below ProxyServer setting something you setup?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 81.86.136.163:808
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After addressing what I said in my previous message please continue with below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Look in Add/Remove programs for QuickSearch Search Bar and uninstall if found.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\?ti2evxx.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O2 - BHO: (no name) - {943D6970-8598-C61F-E01E-FC7A91C30D99} - C:\WINDOWS\system32\qoetwe.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll (file missing)
    O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKCU\..\Run: [Ltuzq] C:\WINDOWS\system32\?ti2evxx.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\QuickSearch <--- the whole folder
    C:\WINDOWS\system32\qoetwe.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    We may also need to address that ProxyServer setting you had but I need to know your answer to my question first.
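
Added example, not part of the original posts and not MajorGeeks or HijackThis code: a small triage parser for the HijackThis log lines quoted in the two posts above, showing what makes each entry stand out (orphaned registry entry, unnamed component, '?' in a file name, proxy setting). The note labels and the `BENIGN_LINE` entry are constructed for illustration, and the '?' check is a heuristic that assumes HijackThis prints '?' for a character it cannot display.

```python
import re

# Entries quoted in the thread above (HijackThis 1.99.1 log format).
THREAD_LINES = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 81.86.136.163:808
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O2 - BHO: (no name) - {943D6970-8598-C61F-E01E-FC7A91C30D99} - C:\WINDOWS\system32\qoetwe.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O4 - HKCU\..\Run: [Ltuzq] C:\WINDOWS\system32\?ti2evxx.exe"""
# Constructed benign entry (not from the thread) to show a line with no notes.
BENIGN_LINE = r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe"

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (assumption): a '?' inside an .exe/.dll file name.
ODD_NAME = re.compile(r"\\[^\\/]*\?[^\\/]*\.(?:exe|dll)\b", re.I)


def parse_line(line):
    """Split one log line into section code, CLSID (if any) and triage notes."""
    m = ENTRY.match(line)
    if not m:
        return None  # header lines, running-process list, blanks
    code, body = m.group(1), m.group(2).rstrip()
    clsid = CLSID.search(body)
    notes = []
    if body.endswith(("(file missing)", "(no file)")):
        notes.append("orphaned")  # registry entry whose file is gone
    if "(no name)" in body:
        notes.append("unnamed")  # component registered without a name
    if ODD_NAME.search(body):
        notes.append("question-mark-in-filename")
    if code[0] == "R" and "ProxyServer" in body:
        notes.append("proxy-set")  # confirm with the user, as asked above
    return {"code": code, "clsid": clsid.group(0) if clsid else None, "notes": notes}


def review(log_text):
    """Return only the entries that carry at least one triage note."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["notes"]]


if __name__ == "__main__":
    for e in review(THREAD_LINES + "\n" + BENIGN_LINE):
        print(e["code"], e["clsid"] or "-", ", ".join(e["notes"]))
```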
     
  7. Tezab_42

    Tezab_42 Private E-2

    Hello, sorry, system restore check is now done.
    Tried this step: 'Add/Remove programs for QuickSearch Search Bar and uninstall if found'
    then clicked delete but an error occurred, couldn't find...

    C:\PROGRA~1\QUICKS~1\QUICKS~1.DLL

    Continued with your advice, deleted the processes using HJT, then booted in safe mode to find the files you requested to delete. Neither of them was there?

    Now do I continue with the steps you requested? Or what shall I do?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue all the way thru with all steps. Then post the follow up HJT log and let me know how things are working.
     
  9. Tezab_42

    Tezab_42 Private E-2

    Since following the steps, no popups have appeared so far. Thank you very much.

    Although Google Toolbar & QuickSearch are still in the add/remove program list? Is there a way to delete these?

    Here's the new HJT file as requested...
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Google Toolbar is something you chose to install. Are you saying you no longer want it?

    Did you try uninstalling both of these using Add/Remove programs? What happens?

    Are you familiar with using the Registry Editor (regedit)?


    You may be able to just use the below to get rid of QuickSearch if uninstall did not work.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixQS.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixQS.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.


     
    Last edited: Oct 5, 2005
  11. Tezab_42

    Tezab_42 Private E-2

    chaslang wrote:

    Google Toolbar is something you chose to install. Are you saying you no longer want it?

    Did you try uninstalling both of these using Add/Remove programs? What happens?


    Yes, I tried uninstalling it using add/remove programs. Once clicked, nothing happens [as if I didn't even click remove]


    I did the QuickSearch regedit, worked perfectly, no longer in add/remove programs.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm not exactly sure how Google words their software name in the registry, but let's give the below a try.

    First run HijackThis and have it fix the below lines:
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixGT.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixGT.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  13. Tezab_42

    Tezab_42 Private E-2

    Hmm, I tried it but no luck I'm afraid :(

    got any other ideas?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume the HJT part worked???

    Run regedit and navigate to the below key and tell me how google toolbar is worded (word for word with any spacing).

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
     
  15. Tezab_42

    Tezab_42 Private E-2

    yep the HJT worked, but not that code :(
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    In my last message I said:
    Did you not understand what this means?
     
