Full Version: security system and ad yield manager
Kaspersky Lab Forum > English User Forum > Virus-related issues
CindyR
I'm having a great deal of trouble with these two problems. Please help!!

Ad yield manager continually diverts me to a search engine results page when I try to open my Yahoo email, making it impossible to read my email.

Just today I started having trouble with Security System appearing in my task bar, with continual pop-ups saying my computer is infected with spyware, and then attempts to run an antispyware/antivirus program that is not mine. Please help.

I've run KIS 2009 without these problems being detected.
norwegian
Try the settings for a scan as follows

Settings-Threats and Exclusions-Threats-Settings-Check the box "other malware"

then

Settings-Full Scan-Settings-Additional-Heuristic analysis-deep scan
and the option
Rootkit scan-Deep scan

Then attempt a full scan and see if that helps with detection. The "other malware" category should detect what is actually spyware you have been infected with.

Also, once done, can you do the following for the experienced people here to look at:

Support-Support tools-Create system state report, then once completed, "view" will show the folder you need to upload to the next post here for the team to look at.
richbuff
Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
CindyR
I'm sorry RichBuff, I'm not quite sure what you mean by "run script". While I feel comfortable with using computers, I'm not tech savvy enough to know the inner workings so much. Elementary step by step please....

edit:del quote.


richbuff
QUOTE
instructions linked in pinned topics at top of this forum page,
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.
CindyR

Hi Richbuff, I executed the script and followed the instructions. See attached Combolog. BTW the problem still exists with my email page being diverted to the search page. The System security problem seems to be gone.


QUOTE(richbuff @ 25.01.2009 02:51) *
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.

richbuff
Run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please upload it to a filehost such as http://rapidshare.com/. Then, Private Message me the download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.

Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.

Scan with SuperAntiSpyware: http://www.superantispyware.com/ and post its log, but please don't fix anything until the log is reviewed.
CindyR
I've completed your instructions and will post the log from SuperAntispyware.com.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2009 at 10:54 PM

Application Version : 4.25.1012

Core Rules Database Version : 3730
Trace Rules Database Version: 1700

Scan type : Complete Scan
Total Scan Time : 00:39:13

Memory items scanned : 824
Memory threats detected : 0
Registry items scanned : 7723
Registry threats detected : 0
File items scanned : 31484
File threats detected : 62

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@youporn[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@adtrafficstats[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@virusremover2008-offer[1].txt
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.atdmt.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.doubleclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
ads.revsci.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.tribalfusion.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
freecodesource.advertserve.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.statcounter.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.zedo.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@atdmt[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@richmedia.yahoo[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@interclick[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@2o7[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt

edit: del quote.
richbuff
You can delete those, and delete the C:\qoobox\quarantine and C:\quarantine.zip if they are still extant.
CindyR
Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help??
CindyR
QUOTE(CindyR @ 28.01.2009 01:56) *
Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help??



I have attached a new AVZ log as you requested.
richbuff
Run this script, instructions linked in pinned topics at top of this forum page, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('G.exe','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('G.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a fresh, new Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
CindyR
I've done as you've directed, here's the logfile.

edit: del quote.
richbuff
Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.

Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files.

Delete AVZ and combofix quarantine folders if they are still extant, and if you come across them. Post back and confirm Combofix uninstalled, and Windows system restore was turned off, then reboot.
CindyR
Combofix uninstalled, System Restore turned off, rebooted, scan done with KIS, then System Restore turned back on.
CindyR
Hi Richbuff, I continue to have the same problem with ad yield manager diverting me to a search result page when I check my Yahoo email. See attached AVZ. I've been trying to attach a screen print of the search page but I'm having trouble doing it. Is this a virus or spyware??? Why are we having such a hard time getting rid of it? SuperAntispyware finds and removes it temporarily but it comes right back.
Baz^^
Hi,

What exactly does SAS find? (give the location of the object it detects)
CindyR
QUOTE(Baz^^ @ 31.01.2009 02:12) *
Hi,

What exactly does SAS find? (give the location of the object it detects)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2009 at 06:53 PM

Application Version : 4.25.1012

Core Rules Database Version : 3737
Trace Rules Database Version: 1706

Scan type : Complete Scan
Total Scan Time : 00:35:16

Memory items scanned : 788
Memory threats detected : 0
Registry items scanned : 7724
Registry threats detected : 0
File items scanned : 31546
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@chitika[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[1].txt
B3llit0
All those are cookies that you're getting from the advertisements, as revealed by the path and by the detection name (Adware.Tracking Cookie). Those are safe to delete. Advertisers like to remember which ads you've seen. Users usually don't like that.
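The point B3llit0 makes, that the path and the detection name together tell you an entry is only a tracking cookie, can be turned into a triage check over the SUPERAntiSpyware logs posted in this thread. The script below is an added example, not code from the thread or from SUPERAntiSpyware: it parses the log layout shown above (summary counters, then a category line followed by the paths detected under it), pulls the advertising host out of each cookie entry (Internet Explorer's one-file-per-site `user@host[n].txt` names and the `host [ ...cookies.txt ]` form SAS prints for Firefox), confirms the summary count matches the number of entries listed, and separates cookie hits from anything that would actually need a second look. The sample log is constructed from the thread's own format; its last category and path are made up to exercise the non-cookie branch and are not real detection names.

```python
import re
from collections import Counter

# Constructed sample in the layout SUPERAntiSpyware 4.x prints (abridged from the logs
# in this thread). The final category/path pair is invented to exercise the
# "needs review" branch; it is not a real SAS detection name.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2009 at 06:53 PM

Application Version : 4.25.1012

Scan type : Complete Scan
Total Scan Time : 00:35:16

Memory items scanned : 788
Memory threats detected : 0
Registry items scanned : 7724
Registry threats detected : 0
File items scanned : 31546
File threats detected : 5

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]
.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

Constructed.Example.Detection
C:\Users\Rivera\AppData\Local\Temp\constructed-example.exe
"""

WIN_PATH = re.compile(r"^[A-Za-z]:\\")                      # a plain Windows file path
FF_COOKIE = re.compile(r"^(\S+) \[ (.+cookies\.txt) \]$")   # "host [ ...\cookies.txt ]"
IE_COOKIE = re.compile(r"[\\/][^\\/@]+@([^\\/\[\]]+)\[\d+\]\.txt$", re.IGNORECASE)
SUMMARY = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")        # "Memory items scanned : 788"


def parse_sas_log(text):
    """Return (summary_counts, detections): the numeric summary lines as a dict, and a
    dict mapping each category line (e.g. 'Adware.Tracking Cookie') to its entries."""
    counts, detections = {}, {}
    category, in_body = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m and not in_body:
            key = m.group(1).strip()
            counts[key] = int(m.group(2))
            in_body = key == "File threats detected"   # last summary line before the listing
            continue
        if not in_body:
            continue                                   # title, URL, timestamp, version lines
        if WIN_PATH.match(line) or FF_COOKIE.match(line):
            if category is None:
                raise ValueError("detection entry before any category line: " + line)
            detections[category].append(line)
        else:
            category = line
            detections.setdefault(category, [])
    return counts, detections


def cookie_domain(entry):
    """Advertising host named by a cookie entry, or None if the entry is not a cookie.
    IE keeps one file per site (user@host[n].txt); Firefox keeps everything in
    cookies.txt, so SAS prints the host in front of that path."""
    m = FF_COOKIE.match(entry)
    if m:
        return m.group(1).lstrip(".").lower()
    m = IE_COOKIE.search(entry)
    if m:
        return m.group(1).lower()
    return None


def triage(text):
    """Split a log into tracking-cookie hosts (safe to delete) and entries needing review.
    An entry counts as a tracking cookie only if BOTH the category name says so AND the
    path is a recognisable browser cookie store, the two signals B3llit0 points to."""
    counts, detections = parse_sas_log(text)
    listed = sum(len(v) for v in detections.values())
    claimed = sum(v for k, v in counts.items() if k.endswith("threats detected"))
    hosts, needs_review = Counter(), {}
    for category, entries in detections.items():
        for entry in entries:
            host = cookie_domain(entry)
            if "cookie" in category.lower() and host is not None:
                hosts[host] += 1
            else:
                needs_review.setdefault(category, []).append(entry)
    return {
        "summary_matches_listing": claimed == listed,
        "cookie_hosts": hosts,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("summary count matches listed entries:", result["summary_matches_listing"])
    for host, n in result["cookie_hosts"].most_common():
        print(f"  tracking cookie: {host} x{n}")
    for category, entries in result["needs_review"].items():
        for entry in entries:
            print(f"  REVIEW [{category}] {entry}")
```

Run against the logs in this thread, every entry lands in the cookie bucket and `needs_review` stays empty, which is the programmatic form of "those are safe to delete"; a cookie host appearing in the log is evidence the ads were served, not evidence of what is redirecting the browser, so the redirect question has to be answered elsewhere.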
CindyR
QUOTE(B3llit0 @ 31.01.2009 13:36) *
All those are cookies that you're getting from the advertisements, as revealed by the path and by the detection name (Adware.Tracking Cookie). Those are safe to delete. Advertisers like to remember which ads you've seen. Users usually don't like that.



But I'm getting ad yield manager diverting me away from my Yahoo email. I can't read my email without being hijacked to another page!!