How do I remove HTML FRAMER Virus?

Hi legalsrl,

I will give thata tryand get back to you shortly.
Thanks for the prompt attention to this matter.

Chuck

No probs Chuck,

let me know how you get on
Cheers
Si

No Luck.

I installed, updated and scanned 2x with Super Spy.

It did not find it or repair it.

Chuck

OK,

Can you go to http://www.hijackthis.de and download HiJackThis

Run it, then save a log file, post the log file results through the analyser and post a link to the results here

I'll have a look at them
Cheers
Si

OK,

http://www.hijackthis.de/#anl

Chuck

Hi Chuck,

That link doesn't work, save the log file by using the attach file bit at the bottom of this page and I'll run it here

Cheers
Si

This is the log file.

Chuck

Your hijackthis log is showing entries belonging to a variant of wareout infection.

Try Fixwareout and show us the logfiles.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

It seems you have Windows Defender, SUPERAntispyware, Spybot S&D, PrevX, AVG and Symantec all running with realtime protection there.
It is not a good idea to have more than one antivirus/antispyware with realtime protection. They will just conflict with each other and causes problems, you only need one antivirus and one antispyware with real time protection.


You also have a rogue program installed there. You might like to download and run RogueRemover, it will remove ESpywareRemoval.
http://www.malwarebytes.org/rogueremover.php


Please fix these entries in Hijackthis:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)  
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)  
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)  
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} - http://imgfarm.com/images/nocache/community/x8NotifierInitialSetup1.0.0.12.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD6DC87-7598-4449-A2E3-FDB2B3A98D64}: NameServer = 85.255.113.196,85.255.112.113  
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C3564DF-1C23-4F4A-95F3-BFF56F1F0D4D}: NameServer = 85.255.113.196,85.255.112.113  
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4520735-568C-42F0-A74D-6209A2EF20C9}: NameServer = 85.255.113.196,85.255.112.113  
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE01A4D5-EB9E-4C39-912A-42B3E9965AD7}: NameServer = 85.255.113.196,85.255.112.113

OK,

I did not know that i was running all that stuff. My nephew and his friends seem to have gotten at the computer and I guess that they tried to fix it!

It seems like we are making a lot of progress though.

Thanks,

Chuck

Did you run Fixwareout yet?

You need to delete this service --> SpywareRemovalSysGuardService
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop SpywareRemovalSysGuardService
sc delete SpywareRemovalSysGuardService


Let us know how the pc is going, if problem persists we can run other tools.

Sorry when I  try to run from the command prompt I get the following message:
 
The specified service does not exist as an installed service.

Chuck

Okay, alternative route;

Fix this below entry in Hijackthis, that will disable/stopped that service, Hijackthis can only delete a service once it's stopped.
O23 - Service: System Guard(SpywareRemoval) (SpywareRemovalSysGuardService) - Unknown owner - C:\Program Files\ESpywareRemoval\SysGuard.exe (file missing)


then open the Misc Tools section in hijackthis, click on "Delete an NT Service" tab
and enter the service --> SpywareRemovalSysGuardService

OK,

I will give it a try.

Thanks,

Chuck

OK,
It seems that we have gotten our wires crossed somewhere along the line.
I am posting a Hijack this log. I do nothave the line that you refferenced.
Thanks,

Chuck

<<<I do nothave the line that you refferenced.>>>

The 023 line is no longer present in the Hijackthis log which means; the service "SpywareRemovalSysGuardService" has been disabled, or the service has been disabled and deleted.

Hijackthis will only show enabled services(the 023 entries) so if a service is not showing it means it has been disabled or that the service no longer exists.
Is that log after you let hijackthis fix that entry? when hijackthis fix an 023 entry it disables that service and therefore will no longer show up in the log.

rpggamergirl:

OK,

Let me review my situation at this point since it seems that we are getting sidetracked. My AVG showes that I still have the Frammer virus.I am still getting random web pages poping up at odd intervals, and the performance on this box seems to be sluggish.
I attached the lattest hijack this Log just 2 posts ago. I does not seem to show any problems that woould account for this.
How do you suggest that we proceed?

Chuck

Chuck,
I need to know if you've run Fixwareout.
You did not answer my question when I asked if you've run Fixwareout.exe The fixwareout log that you posted was not a fixwareout log but a RogueRemover log.

Please run Fixwareout and we'll start from there, as the sign of fixwareout was showing in your original log.

rpggamergirl:,

Thanks for staying with me on this. I have included the text of the report here, which has just been run.




Username "Chuck" - 04/17/2008  7:29:35

[Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\

Windows\CurrentVersion\Run]
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,

72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6

b,00
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avg

cc.exe /STARTUP"
"Windows Defender"="\"C:\\Program

Files\\Windows Defender\\MSASCui.exe\" -hide"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\

Windows\CurrentVersion\Run\AutorunsDisabled]
"QuickTime Task"="\"C:\\Program

Files\\QuickTime\\qttask.exe\" -atboottime"
"Verizon_McciTrayApp"="C:\\Program

Files\\Verizon\\McciTrayApp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\W

indows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.

exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot

- Search & Destroy\\TeaTimer.exe"
"AdwareAlert"="C:\\Program

Files\\AdwareAlert\\AdwareAlert.exe -boot"
"WMPNSCFG"="C:\\Program Files\\Windows

Media Player\\WMPNSCFG.exe"
"SUPERAntiSpyware"="C:\\Program

Files\\SUPERAntiSpyware\\SUPERAntiSpyware.ex

e"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\W

indows\CurrentVersion\Run\AutorunsDisabled]
"FreeRAM XP"="\"C:\\Program Files\\YourWare

Solutions\\FreeRAM XP Pro\\FreeRAM XP

Pro.exe\" -win"
....
Hosts file was reset, If you use a custom hosts

file please replace it...
~~~~~ End report ~~~~~

This is most likely a problem with some bad code on a specific website.  I doubt that you have anything to worry about in regards to html/framer. You can report it to AVG to let them know you are getting it and maybe they'll fix thier freeware.  Bite the bullet and buy Symantec's Internet security product or see if your ISP offers free threat protection and dump AVG.

Good luck and have a good day.

Maybe you can try Kaspersky's online scan, though it doesn't remove any viruses that it finds, you can then remove it manually if any.

Sorry, but I won't be able to access internet for a week so I won't be able to post for at least a week. You'll be in good hands with other experts helping you.
I'll check back after 8 days and hopefully you found the solution by then.

Good luck!

rpggamergirl:,

Thanks again for the rply. I'll try your suggestions and keep plugging away.
If things don't work out i'll see you back here when you get back. In the mean time, I hope that you have a good trip.

CKStern

I had a great week, thanks.

Any luck? did you run an online kaspersky scan?

rpggamergirl:,

Sorry for the delay but i have been away
 I am now having allsots of conflicts with AVG and Symantic Anti Virus. I can't sem to get rid of the AGV or The Syman tic. I know thati am probably just suffering from Brain Freeze.

Thanks for your patience.

Chuck..

Hi rpggamergirl:,

I have printed out your instructions and will go through the process. Thanks again for all your help. This whole process is getting to be a bit overwhelming. Your instructions are great, clear and to the point.


Chuck

Hi Chuck,

Good luck with the AVG and Symantec uninstallations.
Keep us posted, thanks.

Hi rpggamergirl:,

I have uninstalled both Norton and AVG. I installed Avast. Seems to have solved the problem.
The only problem that i have remaing is Outlook is still looking for and AVG dll,. But that is another problem altogether.
This has been a battle and I thank yiou for all your help. Your instructions were to the poiny and easy to follw, great job and thanks again.

Chuck.

Great job, Outstanding. My thanks for all the help.