Post #2 | 24.01.2009 05:06 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
I'm having a great deal of trouble with these two problems. Please help!!
Ad yield manager continually diverts me to a search engine results page when I try to attempt to open my Yahoo email, making it impossible to read my email. Just today I started having trouble with Security System appearing in my task bar and with continual pop ups saying my computer is infected with spyware, and then attempts to run an antispyware/antivirus program that is not mine. Please help. I've run KIS 2009 without these problems being detected.
Attached File(s)
Post #3 | 24.01.2009 06:10 | Posting guru | Group: Members | Posts: 3790 | Joined: 8.05.2005 | From: Australia
Try the settings for a scan as follows:
Settings > Threats and Exclusions > Threats > Settings > check the box "other malware"; then Settings > Full Scan > Settings > Additional > Heuristic analysis > deep scan, and the option Rootkit scan > Deep scan. Then attempt a full scan and see if that helps with detection. The "other malware" category should detect what is actually spyware you have been infected with.
Also, once done, can you do the following for the experienced people here to look at: Support > Support tools > Create system state report; then, once completed, "view" will show the folder you need to upload to the next post here for the team to look at.
This post has been edited by norwegian: 24.01.2009 06:12
--------------------
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
Post #4 | 24.01.2009 07:02 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 QuarantineFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe','');
 QuarantineFile('D:\autorun.inf','');
 QuarantineFile('F:\autorun.inf','');
 DeleteFile('F:\autorun.inf');
 DeleteFile('D:\autorun.inf');
 DeleteFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe');
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.

After running the script, attach a Combofix log; please review and follow these instructions carefully.
Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.
Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
Also, please don't forget to resume the Kaspersky that you paused.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #5 | 24.01.2009 19:06 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
I'm sorry RichBuff, I'm not quite sure what you mean by "Run script". While I feel comfortable with using computers, I'm not tech savvy enough to know the inner workings so much. Elementary step by step please....
edit: del quote. This post has been edited by richbuff: 25.01.2009 03:44
Post #6 | 25.01.2009 03:51 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
QUOTE
instructions linked in pinned topics at top of this forum page

Top of this forum page, three Important topics pinned at top; instructions are linked in the first topic, and in the middle topic, if you click it, scroll down a little bit: "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #7 | 26.01.2009 00:26 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
Hi Richbuff, I executed the script and followed the instructions. See attached Combolog. BTW the problem still exists with my email page being diverted to the search page. The System security problem seems to be gone.
QUOTE
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.
Attached File(s)
Post #8 | 26.01.2009 06:01 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
Run this one:
CODE
begin
 CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip it up to a filehost such as http://rapidshare.com/ Then, Private Message me the download link to the uploaded file. Click my user name and select Send message.
Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.
Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.
Scan with SuperAntiSpyware: http://www.superantispyware.com/ and post its log, but please don't fix anything until the log is reviewed.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #9 | 27.01.2009 08:03 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
I've completed your instructions and will post the log from SuperAntispyware.com.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/26/2009 at 10:54 PM
Application Version : 4.25.1012
Core Rules Database Version : 3730
Trace Rules Database Version: 1700
Scan type : Complete Scan
Total Scan Time : 00:39:13
Memory items scanned : 824
Memory threats detected : 0
Registry items scanned : 7723
Registry threats detected : 0
File items scanned : 31484
File threats detected : 62

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@youporn[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@adtrafficstats[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@virusremover2008-offer[1].txt
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.atdmt.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.doubleclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.revsci.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.tribalfusion.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
freecodesource.advertserve.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.statcounter.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.zedo.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@atdmt[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@richmedia.yahoo[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@interclick[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@2o7[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt

edit: del quote. This post has been edited by richbuff: 27.01.2009 10:51
Post #10 | 27.01.2009 10:50 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
You can delete those, and delete the C:\qoobox\quarantine and C:\quarantine.zip if they are still extant.
-------------------- Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #12 | 28.01.2009 04:22 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help?? I have attached a new AVZ log as you requested.
Attached File(s)
Post #13 | 28.01.2009 04:49 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 QuarantineFile('G.exe','');
 QuarantineFile('F:\autorun.inf','');
 DeleteFile('F:\autorun.inf');
 DeleteFile('G.exe');
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.

After running the script, attach a fresh, new Combofix log; please review and follow these instructions carefully.
Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.
Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
Also, please don't forget to resume the Kaspersky that you paused.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #14 | 28.01.2009 05:52 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
I've done as you directed; here's the logfile.
edit: del quote. This post has been edited by richbuff: 28.01.2009 06:26
Attached File(s)
Post #15 | 28.01.2009 06:31 | Oldtimer | Group: Moderators | Posts: 43455 | Joined: 14.06.2007
Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.
Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.
Delete AVZ and combofix quarantine folders if they are still extant, and if you come across them.
Post back and confirm Combofix uninstalled, and Windows system restore was turned off, then reboot.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #16 | 28.01.2009 07:59 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
Combofix uninstalled, System restore has been turned off, rebooted, scan done with KIS, then System restore turned back on.
Post #17 | 31.01.2009 03:09 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
Hi Richbuff, I continue to have the same problem with ad yield manager diverting me to a search result page when I check my Yahoo email. See attached AVZ. I've been trying to attach a screen print of the search page but I'm having trouble doing it. Is this a virus or spyware??? Why are we having such a hard time getting rid of it? SuperAntispyware finds and removes it temporarily but it comes right back.
Attached File(s)
Post #18 | 31.01.2009 03:12 | Wrestling Champion | Group: Moderators | Posts: 8793 | Joined: 10.03.2007
Hi,
What exactly does SAS find? (give the location of the object it detects)
This post has been edited by Baz^^: 31.01.2009 03:12
--------------------
Kind Regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky)
Post #19 | 31.01.2009 04:11 | Member | Group: Members | Posts: 13 | Joined: 10.01.2009
QUOTE
Hi,
What exactly does SAS find? (give the location of the object it detects)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/30/2009 at 06:53 PM
Application Version : 4.25.1012
Core Rules Database Version : 3737
Trace Rules Database Version: 1706
Scan type : Complete Scan
Total Scan Time : 00:35:16
Memory items scanned : 788
Memory threats detected : 0
Registry items scanned : 7724
Registry threats detected : 0
File items scanned : 31546
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@chitika[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[1].txt
Post #20 | 31.01.2009 14:36 | Member | Group: Members | Posts: 44 | Joined: 22.01.2009
All those are cookies that you're getting from the advertisements, as revealed by the path and by the detection name (Adware.Tracking Cookie). Those are safe to delete. Advertisers like to remember which ads you've seen. Users usually don't like that.
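Post #20's point, that the detection name and the path together are what identify these entries as tracking cookies, can be checked mechanically. The following Python is an added example (not from this thread, and not SUPERAntiSpyware's own code): it parses a scan log in the layout posted above, compares the header's threat count with the entries actually listed, and buckets each entry as an IE cookie file, a Firefox cookies.txt entry, or something that still needs review. The sample log is constructed from cookie paths posted in this thread plus one made-up "Trojan.Placeholder" entry to exercise the review path.

```python
import re
from collections import Counter

# Constructed sample in the SUPERAntiSpyware log layout ("Key : value" header, then a category
# line with tab-indented detections). Cookie paths are from this thread; the trojan entry is made up.
FF = r"C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt"
IE = r"C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@"
SAMPLE_LOG = "\n".join([
    "SUPERAntiSpyware Scan Log",
    "http://www.superantispyware.com",
    "Application Version : 4.25.1012",
    "File threats detected     : 6",
    "",
    "Adware.Tracking Cookie",
    "\t" + IE + "cache.trafficmp[1].txt",
    "\t" + IE + "ad.yieldmanager[1].txt",
    "\t" + IE + "questionmarket[2].txt",
    "\t" + IE + "insightexpressai[1].txt",
    "\t.adbrite.com [ " + FF + " ]",
    "Trojan.Placeholder",
    "\t" + r"C:\PLACEHOLDER\sample.exe",
])

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+?)\s*$")          # "Key : value"
FIREFOX_RE = re.compile(r"^(\S+) \[ (.+?) \]$")                     # "domain [ path to cookies.txt ]"
IE_COOKIE_RE = re.compile(r"\\Cookies\\(Low\\)?[^\\]+@[^\\]+\.txt$", re.IGNORECASE)

def parse_sas_log(text):
    """Return (header dict, [(category, detected item), ...]) from a SAS scan log."""
    header, items, category = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("SUPERAntiSpyware", "http")):
            continue
        if raw[0] in " \t" and category:            # indented line = detection in current category
            items.append((category, line.strip()))
        elif HEADER_RE.match(line):                 # header statistic
            key, value = HEADER_RE.match(line).groups()
            header[key.strip()] = value
        else:                                       # any other flush-left line opens a category
            category = line
    return header, items

def classify(category, item):
    """A tracking cookie needs BOTH the cookie category and a cookie-shaped path; else review."""
    if category.lower().startswith("adware.tracking cookie"):
        ff = FIREFOX_RE.match(item)
        if ff and ff.group(2).lower().endswith("cookies.txt"):
            return "firefox-cookie"
        if IE_COOKIE_RE.search(item):
            return "ie-cookie"
    return "review"

def summarize(text):
    """Check the header's threat count against the listed items and bucket each item."""
    header, items = parse_sas_log(text)
    claimed = int(header.get("File threats detected", "0"))
    return {
        "claimed": claimed,
        "listed": len(items),
        "count_matches": claimed == len(items),
        "kinds": dict(Counter(classify(c, i) for c, i in items)),
        "review": [i for c, i in items if classify(c, i) == "review"],
    }
```

Anything landing in "review" is what a helper would actually want quarantined and looked at; the cookie buckets are the entries post #20 says are safe to delete.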