
Confirmed Yontoo and Possible Other Infection [Solved]



#16 velarie2112 (Member, Topic Starter, 108 posts)
When I clicked OK, nothing happened. This program is still listed in the programs menu, but without the icon. Next I tried to uninstall the Yahoo toolbar. This was loads of fun. The uninstaller ran for over 45 minutes, not doing anything. Finally I ended the process from the Task Manager. Next I updated Avast. The program updated, and the engine and definitions were up to date. I'm waiting for the computer to reboot so I can see if the Yahoo toolbar was actually removed or not.

As a side note, I've been using Eusing for almost a decade so I've elected to keep that program. I'll update the thread as soon as the PC comes back up.

#17 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
Thanks for the update, Velarie. Not to worry about the uninstalls, I will fix that. Leave the ESET scan for now; I may ask you to run this again.

Please refrain from Eusing until we have finished here. You may find this interesting: it's a reply to a Vista thread but still applies: Microsoft

I'm off to beddie byes now and have to clear my next post. I would like that update after reboot and how the PC is running. Still slow?

#18 velarie2112 (Member, Topic Starter, 108 posts)
So I rebooted and brought up the Programs and Features dialog. Yahoo Toolbar is still there, and when I click on it and hit Uninstall, it tells me to wait because another program is still uninstalling. Which was Yahoo . . .

What should I do?

#19 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
O.K., wait that out and see what happens; if nothing occurs, try to uninstall again. Try the same with Mapsgalaxy; the error may remove the entry.

If all fail then I will have to wait for clearance before I issue you with a fix. It's not serious. What is happening is some files have been removed which makes the uninstaller hang or produce errors. Installing the items again corrects the issue but I do not want you to do that with these items.

Is this O.K? :)

#20 velarie2112 (Member, Topic Starter, 108 posts)
Works for me. I'll try to uninstall again in the morning and repost.

Thanks for all your help! ;)

#21 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
Hi Velarie, it looks like you installed Malwarebytes correctly :thumbsup: This is meant as a standalone scanner only, for you to update and run a scan once a week.

O.K., we will fix a couple of issues with this post. You have Avast, Windows Defender and SUPERAntiSpyware installed; this may have something to do with the performance issues. Avast covers viruses and spyware and is all that is needed along with Windows Firewall. I would like you to uninstall SASpyware and disable Defender to see how this affects things.

I still see an issue with Chrome I'd like you to address. The Remote Viewer plugin is still enabled which is the default setting. It allows you remote access to another computer and vice versa. Having this enabled is a security risk, an exploit waiting to happen and needs to be disabled.

1. Uninstall SAS
  • Click Start then select Control Panel
  • In control panel click Uninstall a Program or Programs and Features and uninstall SUPERAntiSpyware

2. Disable Windows Defender
  • Click Start and in the search box type: CMD. In the results, right-click CMD and select Run as Administrator
  • At the command prompt (flashing cursor) copy and paste the following: sc stop WinDefend and press Enter
  • At the next command prompt copy and paste the following: sc config WinDefend start= disabled and press Enter
  • Close the CMD box

3. OTL Fix
Open OTL, then copy the entire text in the Quote box below (do not include the word QUOTE) and paste it into the Custom Scans/Fixes box in OTL.

:COMMANDS
[CREATERESTOREPOINT]

:OTL
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O8 - Extra context menu item: Copy to &Lightning Note - Reg Error: Value error. File not found
O8 - Extra context menu item: Open with WordPerfect - Reg Error: Value error. File not found

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)


[2013/03/30 13:25:31 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ConsumerSoft
[2012/07/02 11:33:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\QuickScan
[2013/03/29 09:22:39 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\TuneUp Software
[2012/07/02 11:34:33 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\OpswatLogs
[2012/07/02 11:33:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\QuickScan

:REG
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN]
"Start Page"="http://www.google.com"

:FILES
C:\Program Files\Yahoo!

  • Then click Run Fix
  • Click O.K to Reboot.
  • An OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyyy_hhmmss is the date and time of the fix.
  • Copy and Paste Fix Log into your next reply.

4. Open Chrome Browser

Plugins
  • In the Chrome Search Bar (top of the page with a star at the end) copy and paste the following: chrome://plugins/ and press Enter
  • Disable: Chrome Remote Desktop Viewer and uncheck the Always allow? box

Settings
  • In the Chrome Search Bar copy and paste the following: chrome://settings/ and press Enter
  • Under On Start-Up check the box Open a specific page or set of pages and click the link Set Pages
  • In the StartUp pages box hover the mouse over Search Genio to highlight, now click the x to remove.
  • Copy and paste the following into the Add a new page box: www.google.com and click O.K and close Chrome

5. Reset Windows Firewall
There are some AVG entries that I would like to clear.
  • Click Start select Control Panel select Security then Windows Firewall
  • Click Change Settings select the Advanced tab and click Restore Defaults click Yes at the warning prompt

Things I want to see in your next post.
  • OTL fix.txt
  • How are the browsers behaving and PC in general?
  • Try once more with the Yahoo and Maps Galaxy uninstalls and get back to me on this.

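
As an added example (not code from the thread, from Nutloaf, or from OTL), the following PowerShell script performs read-only checks of the items post #21 targets: the WinDefend service state and start mode that the two sc commands change, the Programs and Features entries for SUPERAntiSpyware, the Yahoo toolbar and MapsGalaxy, and the registry keys, file path and IE start page the OTL fix touches. It assumes PowerShell 3.0 or later on Windows 7 and an elevated prompt; the DisplayName patterns for the uninstall entries are assumptions, since the thread does not show the exact names. It changes nothing, so it can be run before and after the fix to confirm the result.

```powershell
# Added example, not from the thread or from OTL: read-only checks for the items
# Nutloaf's instructions target. Run from an elevated PowerShell (3.0+) prompt
# before and after the fix. Nothing here removes, stops or disables anything.

# Identifiers taken from the sc commands and the OTL fix in post #21
$DefenderService = 'WinDefend'
$YahooSearchHook = '{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}'
$YahooBho        = '{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}'
$YahooDir        = 'C:\Program Files\Yahoo!'

function Get-ServiceStartState {
    param([string]$Name = $DefenderService)
    # Win32_Service exposes StartMode, which is what "sc config <svc> start= disabled"
    # changes; State reflects "sc stop". After the fix expect Stopped / Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) {
        return [pscustomobject]@{ Name = $Name; Present = $false; State = $null; StartMode = $null }
    }
    [pscustomobject]@{ Name = $Name; Present = $true; State = $svc.State; StartMode = $svc.StartMode }
}

function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$DisplayNameLike)
    # Programs and Features is built from these keys. An entry whose files are
    # already gone still appears here, which is the hung-uninstaller situation
    # described in this thread.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNameLike } |
        Select-Object DisplayName, UninstallString, InstallLocation
}

function Get-IeHijackIndicators {
    # The registry locations the :OTL section removes, plus the start page :REG resets
    $hookKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
    $bhoKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$YahooBho"
    $mainKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
    # -Name on a missing value returns $null with SilentlyContinue instead of throwing
    $hook = Get-ItemProperty -Path $hookKey -Name $YahooSearchHook -ErrorAction SilentlyContinue
    [pscustomobject]@{
        YahooSearchHookPresent = ($null -ne $hook)
        YahooBhoRegistered     = (Test-Path -Path $bhoKey)
        YahooClsidRegistered   = (Test-Path -Path "HKLM:\SOFTWARE\Classes\CLSID\$YahooBho")
        YahooDirPresent        = (Test-Path -LiteralPath $YahooDir)
        IeStartPage            = (Get-ItemProperty -Path $mainKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    }
}

# Run every check and print the results
Get-ServiceStartState -Name $DefenderService | Format-List
# DisplayName patterns below are assumptions; adjust to what Programs and Features shows
Get-UninstallEntry -DisplayNameLike 'SUPERAntiSpyware*' | Format-List
Get-UninstallEntry -DisplayNameLike 'Yahoo! Toolbar*'   | Format-List
Get-UninstallEntry -DisplayNameLike '*Maps*Galaxy*'     | Format-List
Get-IeHijackIndicators | Format-List
```

After the fix, WinDefend should report State Stopped and StartMode Disabled, the Yahoo indicators should all be False, and the start page should read http://www.google.com. An uninstall entry that is still returned while its InstallLocation no longer exists is the stale-entry condition that makes the uninstaller hang, which is why the thread later turns to the Microsoft FixIt for uninstall problems.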

#22 velarie2112 (Member, Topic Starter, 108 posts)
I'm on it. I'll update thread soon.

#23 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
:thumbsup: Thanking you :)

#24 velarie2112 (Member, Topic Starter, 108 posts)
I've been trying to accomplish all of this remotely through Logmein.com. I have retrieved the laptop to speed up this process.

Quote: O.K we will fix a couple of issues with this post. You have Avast, Windows Defender and SUPERAntiSpyware installed, this may have something to do with performance issues. Avast covers Virus and Spyware and is all that is needed along with Windows Firewall. I would like you to uninstall SASpyware and disable Defender to see how this affects things.


A little bit of history on this laptop: I just acquired it, and it was when I started to clean it out that I realized how infected and unprotected the system had been for some time. I installed Avast and started cleaning out the system, the steps having already been noted at the beginning of this thread. Generally speaking I use SAS once a week to check for spyware because in my own experience SAS removes more of it than MBAM. SAS does put a heavy drag on any system I've ever installed it on. I usually remove it from the Startup programs so that it only runs when I manually open and update the program. I find this is a happy medium. I just hadn't made it that far yet. However, until we're done with this process, I have uninstalled SAS.

I have no love for Windows Defender. Disabled.

Quote: Hi Velarie it looks like you installed Malwarebytes correctly. This is meant as a standalone scanner only for you to update and run a scan once a week.


I've been using this site since 2005 and I have very few posts because I can generally find the answers or tools I need in other people's threads. I have found the information in these forums and Bleepingcomputer.com to be very reliable. I started using MBAM around 2005 when I first found this site. As a web designer, people often come to me when they have computer problems (yes, we know it's not even remotely the same, but . . .), so I have experience working on all kinds of systems and troubleshooting all kinds of problems. (Someday I might even be as geeky as you guys, lol.)

In the past I have suggested MBAM to people to help keep their systems clean, but in the last 2 or 3 years I noticed when running MBAM on my own (and other people's systems) that it almost never found any threats, even on infected systems. Then I started tracking the core and trace numbers each time I would update the program and I noticed that even though it went through the process of 'downloading' and 'installing' the updates, that often the core and trace numbers didn't change over long periods of time. Then I started having problems just installing the software, again on multiple computers with varying operating systems. That's when I quit using it.

I'm not saying MBAM is a bad program, I'm just saying in my own experience I'm not sure that I really trust it anymore. Any thoughts you have on this would be greatly appreciated.

Quote: I still see an issue with Chrome I'd like you to address. The Remote Viewer plugin is still enabled which is the default setting. It allows you remote access to another computer and vice versa. Having this enabled is a security risk, an exploit waiting to happen and needs to be disabled.


I will not disable Logmein.com because accessing this computer remotely is the entire reason it exists. I know that using any remote access software poses a huge security risk, but so does connecting to the internet. We do it anyway. As far as I have been able to discern, Logmein.com is one of the safest options available and I have been using them for almost a decade. However, as a precaution, the laptop is only on when I am connected to it. I call a human at the offsite location to setup, boot it and connect it to the internet. When I'm done using it, I call that human back and they disconnect it from the internet, power it down, and store it away. I imagine that's about as safe as I can be. Again, any thoughts you have would be greatly appreciated.

THIS PROCESS
1. Uninstalled SAS.
2. Tried to uninstall Maps Galaxy again. Produced same RunDLL error as pictured previously.
3. Tried to uninstall Yahoo Toolbar. This time it started the process over again as if I had never attempted to uninstall it. I let it run for 30 minutes and then ended the process. You said you have a fix for that so let's just use that.
4. When I tried to disable Windows Defender, I was unsure of the results. See attached pic. So I also went into Admin Tools/Services and verified that the service was stopped and changed the 'Startup Type' to disabled since it was still set to auto.
5. Ran OTL custom fix. Log below.

It took forever (almost 5 minutes) to shutdown and reboot, but I know I made several changes and there's the Yahoo Toolbar uninstall that never completed . . .

I'll get online now on the laptop, open some programs and see how things are running and then update the thread. Thank you for your patience with me.

#25 velarie2112 (Member, Topic Starter, 108 posts)
Command prompt results and OTL log attached.

Attached Thumbnails

  • windefend run as admin error.jpg


#26 velarie2112 (Member, Topic Starter, 108 posts)
************************************************************************
OTL Custom Fix Log
************************************************************************
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Copy to &Lightning Note\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open with WordPerfect\ deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
C:\Users\owner\AppData\Roaming\ConsumerSoft\My Faster PC\backup folder moved successfully.
C:\Users\owner\AppData\Roaming\ConsumerSoft\My Faster PC folder moved successfully.
C:\Users\owner\AppData\Roaming\ConsumerSoft folder moved successfully.
C:\Users\owner\AppData\Roaming\QuickScan folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software folder moved successfully.
C:\Users\owner\AppData\Roaming\OpswatLogs folder moved successfully.
Folder C:\Users\owner\AppData\Roaming\QuickScan\ not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\\"Start Page"|"http://www.google.com" /E : value set successfully!
========== FILES ==========
C:\Program Files\Yahoo!\Companion\Installs\cpn0 folder moved successfully.
C:\Program Files\Yahoo!\Companion\Installs folder moved successfully.
C:\Program Files\Yahoo!\Companion\Data folder moved successfully.
C:\Program Files\Yahoo!\Companion folder moved successfully.
C:\Program Files\Yahoo!\Common folder moved successfully.
C:\Program Files\Yahoo! folder moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 06252013_115703
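
As an added example (not code from the thread and not part of OTL), here is a PowerShell parser for the OTL custom fix log format shown above. It turns each action line into a record with section, kind, target and outcome, then summarises what was removed and which targets were reported not found, which is the check a helper does by eye to confirm the fix covered everything the script listed. The sample input is an excerpt of the log above; the function and parameter names are my own.

```powershell
# Added example, not from the thread or from OTL: parse an OTL custom fix log
# into records and summarise removed versus already-absent targets.

function ConvertFrom-OtlFixLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = 'HEADER'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        # "========== OTL ==========" style section markers
        if ($line -match '^=+ (\w+) =+$') { $section = $Matches[1]; continue }
        $kind = $null; $target = $null; $outcome = $null
        switch -Regex ($line) {
            '^Registry (key|value) (.+?) (deleted successfully|not found)\.$' {
                $kind = "Registry $($Matches[1])"; $target = $Matches[2]; $outcome = $Matches[3]; break
            }
            '^Folder (.+?) not found\.$' {
                $kind = 'Folder'; $target = $Matches[1]; $outcome = 'not found'; break
            }
            '^(.+?) (?:folder )?moved successfully\.$' {
                $kind = 'File/Folder'; $target = $Matches[1]; $outcome = 'moved successfully'; break
            }
            '^(.+?)(?: /E)? : value set successfully!$' {
                $kind = 'Registry value'; $target = $Matches[1]; $outcome = 'set successfully'; break
            }
            '^Starting removal of ActiveX control (.+)$' {
                $kind = 'ActiveX'; $target = $Matches[1]; $outcome = 'removal started'; break
            }
        }
        # Restore-point line, version footer and anything else unrecognised is skipped
        if (-not $kind) { continue }
        [pscustomobject]@{ Section = $section; Kind = $kind; Target = $target; Outcome = $outcome }
    }
}

function Get-OtlFixSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $records = @(ConvertFrom-OtlFixLog -Lines $Lines)
    [pscustomobject]@{
        Total     = $records.Count
        Removed   = @($records | Where-Object { $_.Outcome -in 'deleted successfully', 'moved successfully' }).Count
        NotFound  = @($records | Where-Object { $_.Outcome -eq 'not found' } | Select-Object -ExpandProperty Target)
        ValuesSet = @($records | Where-Object { $_.Outcome -eq 'set successfully' } | Select-Object -ExpandProperty Target)
    }
}

# Sample input: an excerpt of the fix log posted above
$sampleLog = @'
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll moved successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
C:\Users\owner\AppData\Roaming\QuickScan folder moved successfully.
Folder C:\Users\owner\AppData\Roaming\QuickScan\ not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\\"Start Page"|"http://www.google.com" /E : value set successfully!
'@ -split "`r?`n"

ConvertFrom-OtlFixLog -Lines $sampleLog | Format-Table -AutoSize
Get-OtlFixSummary -Lines $sampleLog
# For a real log: Get-OtlFixSummary -Lines (Get-Content 'C:\_OTL\MovedFiles\<mmddyyyy_hhmmss>.log')
```

On the excerpt, NotFound lists the CLSID key for the ESET ActiveX control and the second QuickScan folder entry. Both are harmless here: the key was never registered and the folder had already been moved by the earlier line, as the full log above shows. A "not found" for a target that should still exist on disk is the case worth a second look, since it usually means the item was renamed or recreated and a rescan is needed.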

#27 velarie2112 (Member, Topic Starter, 108 posts)
I realized I skipped a couple of steps:

After reviewing the plugins in Chrome, I decided to disable the Chrome Remote Desktop Viewer. I don't think I need it for Logmein.com. I verified in Chrome settings that Genio has in fact been removed and the only page 'set' is my beloved Google.

I also restored default settings for Windows Firewall.

Awaiting further instructions.

#28 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
Thank you Velarie. I am awaiting approval for my next post :thumbsup:

#29 Nutloaf (Trusted Helper, Malware Removal, 1,790 posts)
Thank you very much for your explanatory post; it helps a lot to know what's happening at your end. I want you to run the Microsoft FixIt for uninstall problems and run ESET again. I have amended the instructions for ESET so it doesn't uninstall.

I will answer your questions in a later post. I want to make sure all is clean first :)

1. Microsoft FixIt

2. ESET Online Scan

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla FireFox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
    then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the Remove Found Threats and Scan archives boxes are checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Copy the logfile, then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Things I want to see in your next post.
  • ESET results
  • How are things running now?


#30 velarie2112 (Member, Topic Starter, 108 posts)
I ran the Microsoft FixIt program, selecting Recommended and then Uninstall. When it listed the programs, neither Maps Galaxy nor Yahoo Toolbar showed up. I selected 'Not Listed' and then it prompted me for a product code?!? I looked in Programs and Features and both programs are still listed as being installed.