security system and ad yield manager, KIS doesn't detect

CindyR
post 24.01.2009 05:03
Post #1
Member
Group: Members
Posts: 13
Joined: 10.01.2009

I'm having a great deal of trouble with these two problems. Please help!!

Ad yield manager continually diverts me to a search engine results page when I try to attempt to open my Yahoo email making it impossible to read my email.

Just today started having trouble with Security System appearing in my task bar and with continual pop ups saying my computer is infected with spyware and then attempts to run an antispyware/antivirus program that is not mine. Please help.

I've run KIS 2009 without these problems being detected.

CindyR
post 24.01.2009 05:06
Post #2
Member
Group: Members
Posts: 13
Joined: 10.01.2009

I'm having a great deal of trouble with these two problems. Please help!!

Ad yield manager continually diverts me to a search engine results page when I try to attempt to open my Yahoo email making it impossible to read my email.

Just today started having trouble with Security System appearing in my task bar and with continual pop ups saying my computer is infected with spyware and then attempts to run an antispyware/antivirus program that is not mine. Please help.

I've run KIS 2009 without these problems being detected.
Attached File(s): sysinfo.zip ( 94.23K )

norwegian
post 24.01.2009 06:10
Post #3
Posting guru
Group: Members
Posts: 3790
Joined: 8.05.2005
From: Australia

Try the settings for a scan as follows

Settings-Threats and Exclusions-Threats-Settings-Check the box "other malware"

then

Settings-Full Scan-Settings-Additional-Heuristic analysis-deep scan
and the option
Rootkit scan-Deep scan

Then attempt a full scan and see if that helps with detection. The "other malware" category should detect what is actually spyware you have been infected with.

Also, once done, can you do the following for the experienced people here to look at:

Support-Support tools-Create system state report, then once completed, "view" will show the folder you need to upload to the next post here for the team to look at.

This post has been edited by norwegian: 24.01.2009 06:12


--------------------
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

richbuff
post 24.01.2009 07:02
Post #4
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
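The AVZ script in the post above quarantines each file before deleting it, which is what lets the helpers later ask for the quarantine archive. The following is an added example (not code from this thread, from Kaspersky or from AVZ) of a pre-flight review of such a script before it is run: it parses the QuarantineFile/DeleteFile calls and reports a delete with no preceding quarantine, a relative path whose target depends on the working directory, and autorun.inf entries on non-system drives that indicate infected removable media. The sample input is the first script posted in the thread; the regular expressions and check names are this example's own.

```python
"""Pre-flight audit of an AVZ removal script (added example, not AVZ's code)."""
import re
from dataclasses import dataclass, field

# Matches the two file-handling calls used in the thread's scripts, e.g.
#   QuarantineFile('C:\path\file.exe','');   DeleteFile('D:\autorun.inf');
CALL_RE = re.compile(r"^\s*(QuarantineFile|DeleteFile)\('([^']*)'", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: the script from post #4 of the thread, verbatim.
SAMPLE_SCRIPT = r"""
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
"""


@dataclass
class Audit:
    quarantined: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    def note(self, msg: str) -> None:
        # Keep findings unique and in script order.
        if msg not in self.findings:
            self.findings.append(msg)


def parse_calls(script: str):
    """Yield (verb, path) for every QuarantineFile/DeleteFile call, in order."""
    for line in script.splitlines():
        m = CALL_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def audit_script(script: str) -> Audit:
    """Review the script's file actions and collect things a reviewer should check."""
    audit = Audit()
    quarantined = set()
    for verb, path in parse_calls(script):
        key = path.lower()
        if verb == "quarantinefile":
            audit.quarantined.append(path)
            quarantined.add(key)
        else:
            audit.deleted.append(path)
            # A delete without a quarantine loses the sample for analysis/restore.
            if key not in quarantined:
                audit.note(f"deleted without prior quarantine: {path}")
        # A bare name such as 'G.exe' resolves against the current directory.
        if not ABS_PATH_RE.match(path):
            audit.note(f"relative path, target is ambiguous: {path}")
        # autorun.inf outside the system drive usually means infected removable media.
        if key.endswith("\\autorun.inf") and not key.startswith("c:"):
            audit.note(f"autorun.inf on removable drive, re-scan that media: {path}")
    return audit


if __name__ == "__main__":
    result = audit_script(SAMPLE_SCRIPT)
    print(f"{len(result.quarantined)} quarantined, {len(result.deleted)} deleted")
    for finding in result.findings:
        print(" -", finding)
```

Running the audit on the sample reports nothing about the delete order (every deleted file is quarantined first) and flags only the two autorun.inf files on the D: and F: drives; a second script with a bare `'G.exe'` would additionally be flagged as a relative path.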

CindyR
post 24.01.2009 19:06
Post #5
Member
Group: Members
Posts: 13
Joined: 10.01.2009

I'm sorry RichBuff, I'm not quite sure what you mean by "Run script". While I feel comfortable with using computers, I'm not tech savvy enough to know the inner workings so much. Elementary step by step please....

edit:del quote.




This post has been edited by richbuff: 25.01.2009 03:44

richbuff
post 25.01.2009 03:51
Post #6
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

QUOTE
instructions linked in pinned topics at top of this forum page,
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

CindyR
post 26.01.2009 00:26
Post #7
Member
Group: Members
Posts: 13
Joined: 10.01.2009

Hi Richbuff, I executed the script and followed the instructions. See attached Combolog. BTW the problem still exists with my email page being diverted to the search page. The System security problem seems to be gone.


QUOTE(richbuff @ 25.01.2009 02:51) *
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.


Attached File(s): log.txt ( 14.71K )

richbuff
post 26.01.2009 06:01
Post #8
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

Run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please upload it to a filehost such as http://rapidshare.com/ Then, Private Message me the download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.

Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.

Scan with SuperAntiSpyware: http://www.superantispyware.com/ and post its log, but please don't fix anything until the log is reviewed.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

CindyR
post 27.01.2009 08:03
Post #9
Member
Group: Members
Posts: 13
Joined: 10.01.2009

I've completed your instructions and will post the log from SuperAntispyware.com.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2009 at 10:54 PM

Application Version : 4.25.1012

Core Rules Database Version : 3730
Trace Rules Database Version: 1700

Scan type : Complete Scan
Total Scan Time : 00:39:13

Memory items scanned : 824
Memory threats detected : 0
Registry items scanned : 7723
Registry threats detected : 0
File items scanned : 31484
File threats detected : 62

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@youporn[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@adtrafficstats[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@virusremover2008-offer[1].txt
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.atdmt.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.doubleclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.revsci.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.tribalfusion.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
freecodesource.advertserve.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.statcounter.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.zedo.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@atdmt[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@richmedia.yahoo[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@interclick[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@2o7[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt

edit: del quote.


This post has been edited by richbuff: 27.01.2009 10:51

richbuff
post 27.01.2009 10:50
Post #10
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

You can delete those, and delete the C:\qoobox\quarantine and C:\quarantine.zip if they are still extant.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

CindyR
post 28.01.2009 02:56
Post #11
Member
Group: Members
Posts: 13
Joined: 10.01.2009

Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help??

CindyR
post 28.01.2009 04:22
Post #12
Member
Group: Members
Posts: 13
Joined: 10.01.2009

QUOTE(CindyR @ 28.01.2009 01:56) *
Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help??



I have attached a new AVZ log as you requested.
Attached File(s): sysinfo.zip ( 92.22K )

richbuff
post 28.01.2009 04:49
Post #13
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('G.exe','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('G.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a fresh, new Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

CindyR
post 28.01.2009 05:52
Post #14
Member
Group: Members
Posts: 13
Joined: 10.01.2009

I've done as you've directed, here's the logfile.

edit: del quote.


This post has been edited by richbuff: 28.01.2009 06:26
Attached File(s): log.txt ( 15.5K )

richbuff
post 28.01.2009 06:31
Post #15
Oldtimer
Group: Moderators
Posts: 47367
Joined: 14.06.2007

Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.

Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.

Delete AVZ and combofix quarantine folders if they are still extant, and if you come across them. Post back and confirm Combofix uninstalled, and Windows system restore was turned off, then reboot.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

CindyR
post 28.01.2009 07:59
Post #16
Member
Group: Members
Posts: 13
Joined: 10.01.2009

Combofix uninstalled, System restore has been turned off, rebooted, scan done with KIS, then System restore turned back on.

CindyR
post 31.01.2009 03:09
Post #17
Member
Group: Members
Posts: 13
Joined: 10.01.2009

Hi Richbuff, I continue to have the same problem with ad yield manager diverting me to a search result page when I check my Yahoo email. See attached AVZ. I've been trying to attach a screen print of the search page but I'm having trouble doing it. Is this a virus or spyware??? Why are we having such a hard time getting rid of it? SuperAntispyware finds and removes it temporarily but it comes right back.
Attached File(s): sysinfo.zip ( 91.67K )

Baz^^
post 31.01.2009 03:12
Post #18
Wrestling Champion
Group: Moderators
Posts: 8799
Joined: 10.03.2007

Hi,

What exactly does SAS find? (give the location of the object it detects)

This post has been edited by Baz^^: 31.01.2009 03:12


--------------------
Kind Regards,

Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky)

CindyR
post 31.01.2009 04:11
Post #19
Member
Group: Members
Posts: 13
Joined: 10.01.2009

QUOTE(Baz^^ @ 31.01.2009 02:12) *
Hi,

What exactly does SAS find? (give the location of the object it detects)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2009 at 06:53 PM

Application Version : 4.25.1012

Core Rules Database Version : 3737
Trace Rules Database Version: 1706

Scan type : Complete Scan
Total Scan Time : 00:35:16

Memory items scanned : 788
Memory threats detected : 0
Registry items scanned : 7724
Registry threats detected : 0
File items scanned : 31546
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@chitika[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[1].txt

B3llit0
post 31.01.2009 14:36
Post #20
Member
Group: Members
Posts: 44
Joined: 22.01.2009

All those are cookies that you're getting from the advertisements, as revealed by the path and by the detection name (Adware.Tracking Cookie). Those are safe to delete. Advertisers like to remember which ads you've seen. Users usually don't like that.
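The point made in the post above, that the path and the detection name identify every entry as a tracking cookie, is the kind of triage worth doing before the log is posted. The following is an added example (not code from this thread or from SUPERAntiSpyware) that parses the detection section of a SAS log in the layout shown in the thread, separates cookie entries (Internet Explorer cookie files and Firefox cookies.txt rows) from anything that points at a file or registry location, and counts the cookies per ad domain. Cookies of this kind are set again the next time the browser loads a page carrying those ads, so their return after deletion is not evidence of a persistent infection, whereas a non-cookie entry would be. The sample log is constructed from lines posted in the thread plus one non-cookie entry under a made-up category name, so that the split is visible.

```python
"""Triage of a SUPERAntiSpyware scan log (added example, not SAS's own code)."""
import re
from collections import Counter

# Internet Explorer cookie file: ...\Cookies\[Low\]user@domain[N].txt
IE_COOKIE_RE = re.compile(
    r"\\Cookies\\(?:Low\\)?[^\\]+@([^\[\\]+)\[\d+\]\.txt$", re.IGNORECASE)
# Firefox row as SAS prints it: domain [ <profile path>\cookies.txt ]
FF_COOKIE_RE = re.compile(r"^(\S+)\s+\[\s+(.+\\cookies\.txt)\s+\]$", re.IGNORECASE)
# Any absolute Windows path (file or cookie) counts as a detection line.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: header and cookie lines taken from the thread's log; the
# "Constructed.FakeAV" category and its entry are made up for this example
# (the path is the one richbuff quarantined earlier in the thread).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2009 at 06:53 PM

Application Version : 4.25.1012

File items scanned : 31546
File threats detected : 7

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.doubleclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt

Constructed.FakeAV
C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe
"""


def parse_detections(log: str):
    """Return (category, line) pairs for each detection line in the log."""
    items, category = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line) or FF_COOKIE_RE.match(line):
            items.append((category, line))
        elif ":" in line or line.lower().startswith("superantispyware"):
            continue  # banner, URL and "name : value" summary lines
        else:
            category = line  # a bare line between blocks is the category
    return items


def classify(category, line):
    """('cookie', domain) for cookie entries, ('other', None) otherwise."""
    m = FF_COOKIE_RE.match(line)
    if m:
        return "cookie", m.group(1).lstrip(".")
    m = IE_COOKIE_RE.search(line)
    if m:
        return "cookie", m.group(1)
    return "other", None


def triage(log: str) -> dict:
    """Count cookies per ad domain and collect every non-cookie detection."""
    cookies, other = Counter(), []
    for category, line in parse_detections(log):
        kind, domain = classify(category, line)
        if kind == "cookie":
            cookies[domain] += 1
        else:
            other.append((category, line))
    return {"cookie_domains": cookies, "non_cookie": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for domain, n in sorted(result["cookie_domains"].items()):
        print(f"cookie  {n:2d}  {domain}")
    for category, line in result["non_cookie"]:
        print(f"REVIEW  {category}: {line}")
```

On the thread's real logs every entry lands in the cookie bucket; the constructed FakeAV line shows what a detection that does need follow-up looks like in the output. Note that Internet Explorer cookie file names drop the top-level domain (ad.yieldmanager) while the Firefox rows keep it (ad.yieldmanager.com), so the two are counted separately rather than merged by guesswork.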


--------------------

     
     
     
Go to the top of the page
 
+Quote Post

2 Pages V   1 2 >
Closed TopicStart new topic

 



Lo-Fi Version Time is now: 18.04.2014 10:10