MajorGeeks Support Forums

  #1  
Old 10-03-05, 15:53
Tezab_42 (Private E-2)
Yieldmanager

Hi guys, I've got a big problem with this spyware. I'm using
XP Pro
IE6 [I think]

The popups appear when I use IE. OK, I know to change to Mozilla, but I want to get rid of the spyware off this first.

The popups are titled ad.yieldmanager.

Anyone got this problem? How do I delete it? Please help.

Thank you for your time.
  #2  
Old 10-03-05, 15:57
Tezab_42 (Private E-2)
Re: Yieldmanager

Oh yeah, forgot to mention I've run

Adaware
Spybot
AVG

and they haven't picked it up.
  #3  
Old 10-03-05, 17:16
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Please run the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
  #4  
Old 10-03-05, 17:43
Tezab_42 (Private E-2)
Re: Yieldmanager

Here, followed the steps. Thank you for helping.
Attached Files
File Type: log hijackthis.log (7.0 KB, 12 views)
  #5  
Old 10-03-05, 20:22
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Quote:
Originally Posted by Tezab_42
here followed the steps
No you have not! Please see step 1 of the cleaning process. Did you skip anything else?

Also read the instructions on installing and running HijackThis properly again. You are running it directly from the ZIP file which is exactly what I requested you not do. The below shows how you are running it:

C:\DOCUME~1\TERRYB~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

Is the below ProxyServer setting something you setup?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 81.86.136.163:808
  #6  
Old 10-03-05, 20:37
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

After addressing what I said in my previous message please continue with below.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Look in Add/Remove programs for QuickSearch Search Bar and uninstall if found.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\?ti2evxx.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O2 - BHO: (no name) - {943D6970-8598-C61F-E01E-FC7A91C30D99} - C:\WINDOWS\system32\qoetwe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll (file missing)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKCU\..\Run: [Ltuzq] C:\WINDOWS\system32\?ti2evxx.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\QuickSearch <--- the whole folder
C:\WINDOWS\system32\qoetwe.dll

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

We may also need to address that ProxyServer setting you had but I need to know your answer to my question first.
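Added example, not chaslang's or the forum's code: a small Python triage of HijackThis log lines that encodes the checks chaslang applied by hand in this thread (a ProxyServer pointing at a public IP, "(file missing)" / "(no file)" entries that can simply be fixed, an unnamed BHO backed by a DLL that is still present, and a Run entry whose path shows a character that cannot occur in a Windows filename). The sample log is constructed from the entries quoted above plus one made-up benign Run entry; the original attachment is not on the page.

```python
import ipaddress
import re

# Constructed sample log, modelled on the HijackThis entries quoted in this
# thread (the original attachment is not on the page); the last line is a
# made-up benign entry so that the rules have something to leave alone.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 81.86.136.163:808
O2 - BHO: (no name) - {943D6970-8598-C61F-E01E-FC7A91C30D99} - C:\\WINDOWS\\system32\\qoetwe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll (file missing)
O4 - HKCU\\..\\Run: [Ltuzq] C:\\WINDOWS\\system32\\?ti2evxx.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<host>[^:\s]+)")
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

def proxy_is_external(host):
    """True when the ProxyServer host is a public IP, i.e. every IE request
    is being relayed through a machine outside the local network."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: cannot be judged offline

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve attention, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and proxy_is_external(m.group("host")):
            findings.append((line, "proxy: all IE traffic relayed through an external host"))
            continue
        m = BHO_RE.match(line)
        if m:
            if "(file missing)" in m.group("path") or m.group("path") == "(no file)":
                findings.append((line, "orphaned: DLL is gone, entry can simply be fixed"))
            elif m.group("name") == "(no name)":
                findings.append((line, "unnamed BHO backed by a live DLL: inspect, then fix and delete"))
            continue
        m = RUN_RE.match(line)
        # '?', '*', '<', '>' and '|' cannot occur in a Windows filename, so their
        # presence means HijackThis is standing in for a character it cannot show.
        if m and re.search(r"[?*<>|]", m.group("cmd")):
            findings.append((line, "Run entry: path contains a character illegal in a filename"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four flagged entries; the benign updater line is left alone.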
  #7  
Old 10-04-05, 06:58
Tezab_42 (Private E-2)
Re: Yieldmanager

Hello, sorry, the system restore check is now done.
Tried this step: 'Add/Remove programs for QuickSearch Search Bar and uninstall if found',
then clicked delete but an error occurred, couldn't find...

C:\PROGRA~1\QUICKS~1\QUICKS~1.DLL

Continued with your advice, deleted the processes using HJT, then booted in safe mode to find the files you requested to delete; neither of them was there?

Now do I continue with the steps you requested? Or what shall I do?
  #8  
Old 10-04-05, 12:03
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Just continue all the way thru with all steps. Then post the follow up HJT log and let me know how things are working.
  #9  
Old 10-05-05, 06:51
Tezab_42 (Private E-2)
Re: Yieldmanager

Since following the steps, no popups have appeared so far. Thank you very much.

Although Google Toolbar & QuickSearch are still in the add/remove programs list? Is there a way to delete these?

Here's the new HJT file as requested...
Attached Files
File Type: log hijackthis.log (5.6 KB, 3 views)
  #10  
Old 10-05-05, 19:13
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Google Toolbar is something you chose to install. Are you saying you no longer want it?

Did you try uninstalling both of these using Add/Remove programs? What happens?

Are you familiar with using the Registry Editor (regedit)?


You may be able to just use the below to get rid of QuickSearch if uninstall did not work.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixQS.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixQS.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Quote:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickSearch Toolbar]

Last edited by chaslang; 10-05-05 at 19:19..
  #11  
Old 10-06-05, 06:35
Tezab_42 (Private E-2)
Re: Yieldmanager

chaslang wrote:

Google Toolbar is something you chose to install. Are you saying you no longer want it?

Did you try uninstalling both of these using Add/Remove programs? What happens?


Yes, I tried uninstalling it using add/remove programs; once clicked, nothing happens [as if I didn't even click remove].


I did the QuickSearch regedit; it worked perfectly, no longer in add/remove programs.
  #12  
Old 10-06-05, 12:21
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Okay! I'm not exactly sure how Google words their software name in the registry, but let's give the below a try.

First run HijackThis and have it fix the below lines:
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixGT.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixGT.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
Quote:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GoogleToolbar]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Toolbar]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GoogleToolbar1]
  #13  
Old 10-06-05, 12:29
Tezab_42 (Private E-2)
Re: Yieldmanager

Hmm, I tried it but no luck, I'm afraid.

Got any other ideas?
  #14  
Old 10-06-05, 14:06
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

I assume the HJT part worked???

Run regedit and navigate to the below key and tell me how google toolbar is worded (word for word with any spacing).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
  #15  
Old 10-06-05, 18:29
Tezab_42 (Private E-2)
Re: Yieldmanager

Quote:
Originally Posted by chaslang
I assume the HJT part worked???

Run regedit and navigate to the below key and tell me how google toolbar is worded (word for word with any spacing).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Yep, the HJT worked, but not that code.
  #16  
Old 10-06-05, 18:35
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Yieldmanager

Quote:
Originally Posted by Tezab_42
yep the HJT worked, but not that code

In my last message I said:
Quote:
Run regedit and navigate to the below key and tell me how google toolbar is worded (word for word with any spacing).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Did you not understand what this means?