
Found odd program in program files

Discussion in 'Virus & Other Malware Removal' started by Filewasp, Oct 19, 2003.

Thread Status:
Not open for further replies.
  1. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    The file is called "Myway". When you open it, the folder inside is called "Mybar", and when you open that there are four folders: 1.bin, Cache, History, Settings. The first folder, when opened, has an uninstall readme file that looks like this:

    ; myBar uninstall inf
    ; Copyright (c) 2002, 2003 My Way

    [version]
    Signature="$Chicago$"
    AdvancedINF=2.0

    [Uninstall]
    DelReg=myBar.Del.Reg,DelUninstallKey

    [DelUninstallKey]
    HKLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall"

    [myBar.Del.Reg]
    HKCR,"CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}"
    HKCR,"CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}"
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}"
    HKCR,"CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
    HKCR,"CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}"
    HKLM,"SOFTWARE\Microsoft\Internet Explorer\Toolbar","{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
    HKCU,"Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser","{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
    HKCU,"Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser","ITBarLayout"
    HKCU,"Software\Microsoft\Internet Explorer\Toolbar\WebBrowser","{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
    HKCU,"Software\Microsoft\Internet Explorer\Toolbar\WebBrowser","ITBarLayout"
    HKCR,"MyWayToolBar.NetscapeStartup.1"
    HKCR,"MyWayToolBar.NetscapeStartup"
    HKCR,"CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}"
    HKCU,"Software\Netscape\Netscape Navigator\Automation Startup","MyWayToolBar.NetscapeStartup.1"
    HKCR,"MyWayToolBar.NetscapeShutdown.1"
    HKCR,"MyWayToolBar.NetscapeShutdown"
    HKCR,"CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}"
    HKCU,"Software\Netscape\Netscape Navigator\Automation Shutdown","MyWayToolBar.NetscapeShutdown.1"
    HKCR,"MyWayToolBar.SettingsPlugin.1"
    HKCR,"MyWayToolBar.SettingsPlugin"
    HKCR,"CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}"
    HKCR,"CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}"
    HKCR,"CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}"
    HKCR,"CLSID\{615067A3-4ACF-4674-86F7-E0650B1257BB}"
    HKCR,"MyWay.PopSwatterBarButton.1"
    HKCR,"MyWay.PopSwatterBarButton"
    HKCR,"CLSID\{D6C8ACD2-C524-4dd9-87BE-84E6E01FEE63}"
    HKCR,"CLSID\{465BB38F-2B83-43e1-BDE1-5F413D014350}"
    HKCR,"MyWay.PopSwatterSettingsControl.1"
    HKCR,"MyWay.PopSwatterSettingsControl"
    HKCR,"CLSID\{25642629-2705-43d4-ADDE-68922C0E6BA7}"

    Me again: one of the other folders provides an http: address as follows:

    http://barcfg.myway.com/cfg/speedbar/mySpeedbarCfg2.jsp?p NQ&s s4&v 1.0.6.3&e d357&r 38&l 9&a 919944DB-B2F1-481C-83C9-5850F9480996&n 2003100923=003346E6
    Copied and pasted into the browser (it is huge!), it partially looks like the following:

    [PopSwatterBegin]
    stopEvents=^blur^load^focus^unload^activate^mouseout^mousemove^mouseover^deactivate^mouseenter^mouseleave^mousewheel^losecapture^beforeunload^propertychange^beforedeactivate^readystatechange^
    editurl=http://bfc.myway.com/popSwatter/edit.html?v=1
    removeurl=javascript:window.open('http://speedbar#13#barrem.html?b=popswatter&ptnrS=NQ','mysrm','scrollbars,resizable,width=320,height=150').focus()
    helpurl=http://help.popswatter.com/
    tafurl=http://www.popswatter.com/spreadtheword/PSSpreadTheWord.jsp
    [PopSwatterEnd]
    [FunProductsBtn]
    b0=#19#funtools4.bmp
    c0=FunProductsMenu
    s0=0x1900
    t0=Fun Tools
    [FunProductsMenu]
    n=5
    t=1
    d0=SmileyCentralBtn
    d1=MailStampBtn
    d2=MySignatureBtn
    s3=4
    t4=Remove This Button...
    u4=javascript:window.open('#15#barrem.html?#4#&b=funproducts','mysrm','scrollbars,resizable,width=320,height=150').focus()
    [SmileyCentralBtn]
    b0=#19#smiley4.bmp
    s0=0x1817
    t0=Smiley Central
    a0=Insert a smiley into an email message
    x0=MyWay.HTMLMenu\SmileyCentralBtn

    Is this a legit popup blocker, or should I delete the main folder? I did a search for myway and it is a legit site. Confused in Seattle.
     
  2. mamabear

    mamabear

    Joined:
    Mar 10, 2003
    Messages:
    59
    Ad-aware should clean that out. You can download it here

    majorgeeks

    Make sure you use "webupdate" before you scan - a new ref file was released today.

    This link will explain how to configure AAW and run your first scan.

    AAW Reference Guide
     
  3. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Thanks, but could you tell by looking at it if it was a spyware kind of file? I ran Ad-aware and it passed me.
     
  4. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    Filewasp :)

    I guess you haven't installed it; this is the content of the .inf file, right?

    MyBar toolbar is, as mamabear said, detected by AdAware. I wouldn't recommend installing it. You would have trouble with persistent popups.

    Die Hard :)
     
  5. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    As I was saying, I ran Ad-aware and it didn't detect it at all. MyBar does not show up in Add/Remove either.
     
  6. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    Filewasp :)

    It's strange it doesn't show up in your AdAware6 181 log.

    Please check that you're using the latest reference file,
    01R226 19.10.2003, and that you have your settings according to this:

    Make sure the following settings are made and on ("ON" = green).
    From the main window, click "Start", then "Activate in-depth scan".

    Then click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

    Then go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning"; then "Cleaning engine" and tick "Let windows remove files in use at next reboot".

    Then click "Proceed" to save your settings.

    Now, to scan, just click the "Scan" button.

    When the scan is finished, copy your log file and post it here and let's have a look at it.

    Die Hard :)
     
  7. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    This is my HijackThis report: I loaded Spybot, removed stuff, rebooted to safe mode, deleted a bunch of stuff, and then loaded Spybot and ran it and deleted more! My resources went from 57% to 77%! Thanks to: Flrman1

    Logfile of HijackThis v1.97.3
    Scan saved at 2:56:07 PM, on 10/19/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
    C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r1.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\uyb9y1qa.slt\prefs.js)
    O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~4\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ali: C:\PROGRA~1\INTERN~1\PLUGINS\NPAlice.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37879.3388888889
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.uniden.com/CFIDE/classes/CFJava.cab
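The uninstall .inf in the first post is, read the other way round, an inventory of everything the toolbar registers (its CLSIDs, the BHO key, the IE toolbar entries), and the HijackThis log in this post lists what is currently registered as a BHO (O2) or toolbar (O3). The script below is an added example, not code from the thread or from My Way: it parses the DelReg sections of the .inf, collects the CLSIDs, and checks whether any of them still appear in the O2/O3 lines of the log. The INF and log excerpts are taken from this thread; INFECTED_LINE is a constructed sample to show the positive case, and the DelReg line layout (hive, "subkey"[, "value"]) is an assumption about the format.

```python
"""Cross-check an INF DelReg inventory against a HijackThis log (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the uninstall .inf posted in the thread (trimmed to a few lines).
MYBAR_INF = r"""
; myBar uninstall inf
[version]
Signature="$Chicago$"

[Uninstall]
DelReg=myBar.Del.Reg,DelUninstallKey

[DelUninstallKey]
HKLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall"

[myBar.Del.Reg]
HKCR,"CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}"
HKCR,"CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}"
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}"
HKCR,"CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\Toolbar","{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
HKCR,"MyWayToolBar.NetscapeStartup.1"
"""

# Lines excerpted from the HijackThis log posted in the thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# Constructed sample line (not from the thread): what the log would show if the
# MyBar BHO were still registered; the path is a placeholder.
INFECTED_LINE = r"O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PLACEHOLDER\MYBAR.DLL"

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split an INF into sections; ';' comment lines and blank lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def delreg_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Follow [Uninstall] DelReg= to its sections; return (hive, subkey, value) triples."""
    entries: List[Tuple[str, str, str]] = []
    for line in sections.get("Uninstall", []):
        if not line.lower().startswith("delreg="):
            continue
        for name in line.split("=", 1)[1].split(","):
            for entry in sections.get(name.strip(), []):
                parts = [p.strip().strip('"') for p in entry.split(",")]
                value = parts[2] if len(parts) > 2 else ""
                entries.append((parts[0], parts[1], value))
    return entries


def registered_clsids(entries: List[Tuple[str, str, str]]) -> Set[str]:
    """Every CLSID the toolbar touches, upper-cased so matching is case-insensitive."""
    found: Set[str] = set()
    for _hive, subkey, value in entries:
        found.update(m.upper() for m in GUID_RE.findall(subkey + " " + value))
    return found


def hjt_clsids(log: str, sections: Tuple[str, ...] = ("O2", "O3")) -> Dict[str, str]:
    """Map each CLSID on a BHO (O2) or toolbar (O3) line to that log line."""
    out: Dict[str, str] = {}
    for line in log.splitlines():
        tag = line.split(" - ", 1)[0].strip()
        if tag in sections:
            for m in GUID_RE.findall(line):
                out[m.upper()] = line.strip()
    return out


def leftover(inf_text: str, log_text: str) -> Dict[str, str]:
    """CLSIDs from the uninstall INF that are still present in the HijackThis log."""
    wanted = registered_clsids(delreg_entries(parse_inf(inf_text)))
    present = hjt_clsids(log_text)
    return {c: present[c] for c in sorted(wanted) if c in present}


if __name__ == "__main__":
    print("inventory:", sorted(registered_clsids(delreg_entries(parse_inf(MYBAR_INF)))))
    print("clean log leftovers:", leftover(MYBAR_INF, HJT_LOG))          # {}
    print("sample hit:", leftover(MYBAR_INF, HJT_LOG + "\n" + INFECTED_LINE))
```

For the log as posted, leftover() comes back empty, which is the same conclusion Flrman1 draws below; the constructed INFECTED_LINE shows what a surviving BHO registration would look like. Only the CLSID-bearing O2/O3 lines are compared, so ProgIDs such as MyWayToolBar.NetscapeStartup and the HKLM Uninstall key would still need a registry look-up.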
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Looks good! (y)
     
  9. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Did I miss something, or was this done via PM?
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
Short URL to this thread: https://techguy.org/173140