CindyR

security system and ad yield manager


I'm having a great deal of trouble with these two problems. Please help!!

 

Ad yield manager continually diverts me to a search engine results page when I try to open my Yahoo email, making it impossible to read my email.

 

Just today I started having trouble with Security System appearing in my task bar and with continual pop-ups saying my computer is infected with spyware, which then attempt to run an antispyware/antivirus program that is not mine. Please help.

 

I've run KIS 2009 without these problems being detected.

sysinfo.zip

Try the settings for a scan as follows

 

Settings-Threats and Exclusions-Threats-Settings-Check the box "other malware"

 

then

 

Settings-Full Scan-Settings-Additional-Heuristic analysis-deep scan

and the option

Rootkit scan-Deep scan

 

Then attempt a full scan and see if that helps with detection. The "other malware" category should detect what is actually spyware you have been infected with.

 

Also, once done, can you do the following for the experienced people here to look at:

 

Support-Support tools-Create system state report, then once completed, "view" will show the folder you need to upload to the next post here for the team to look at.

Edited by norwegian


Run this script (instructions are linked in the pinned topics at the top of this forum page); the PC will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\Users\Rivera\AppData\Local\Temp\~tmpa.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a ComboFix log. Please review and follow these instructions carefully.

 

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

 

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

 

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.

Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning, and this is normal.

 

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

 

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at C:\ComboFix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.


I'm sorry RichBuff, I'm not quite sure what you mean by "run script". While I feel comfortable using computers, I'm not tech savvy enough to know the inner workings so much. Elementary step by step, please....

 

Edited by richbuff

instructions linked in pinned topics at top of this forum page,
Top of this forum page, three Important topics pinned at top, instructions are linked in the first topic; and the middle topic, if you click it, scroll down a little bit, "How to create and execute..." > "By using the built in..." > "Executing an AVZ script" > those are where the detailed instructions are located.


 

Hi Richbuff, I executed the script and followed the instructions. See attached Combolog. BTW the problem still exists with my email page being diverted to the search page. The System security problem seems to be gone.

 

 

log.txt


Run this one:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please upload it to a filehost such as http://rapidshare.com/ and Private Message me the download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall ComboFix by: pause Kaspersky > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK. Restart Kaspersky.

 

Also, if you use Windows System Restore, turn it off, reboot, and do a full scan with Kaspersky. Then turn System Restore back on, if you wish; this is to remove malware from the System Volume Information files.

 

Scan with SUPERAntiSpyware: http://www.superantispyware.com/ and post its log, but please don't fix anything until the log is reviewed.


I've completed your instructions and am posting the log from SUPERAntiSpyware below.

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/26/2009 at 10:54 PM

 

Application Version : 4.25.1012

 

Core Rules Database Version : 3730

Trace Rules Database Version: 1700

 

Scan type : Complete Scan

Total Scan Time : 00:39:13

 

Memory items scanned : 824

Memory threats detected : 0

Registry items scanned : 7723

Registry threats detected : 0

File items scanned : 31484

File threats detected : 62

 

Adware.Tracking Cookie

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@youporn[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@adtrafficstats[2].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\rivera@virusremover2008-offer[1].txt

.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ads.adbrite.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.atdmt.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.doubleclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

ads.revsci.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.specificclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.tribalfusion.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

freecodesource.advertserve.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.fastclick.net [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.statcounter.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.insightexpressai.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.zedo.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

media.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adrevolver.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.trafficmp.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

.adopt.euroclick.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@atdmt[2].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@richmedia.yahoo[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@interclick[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@2o7[2].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bravenet[1].txt

Edited by richbuff


You can delete those, and delete the C:\qoobox\quarantine and C:\quarantine.zip if they are still extant.


Richbuff, I really thought that things had cleared up, but the ad.yield manager problem is still there. I was able to use my email for a little while and then it came back. Help??


I have attached a new AVZ log as you requested.

sysinfo.zip


Run this script (instructions are linked in the pinned topics at the top of this forum page); the PC will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('G.exe','');
QuarantineFile('F:\autorun.inf','');
DeleteFile('F:\autorun.inf');
DeleteFile('G.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a fresh, new ComboFix log. Please review and follow these instructions carefully.

 

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

 

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

 

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.

Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning, and this is normal.

 

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

 

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at C:\ComboFix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.

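Both of richbuff's AVZ scripts above follow the same order: QuarantineFile on each suspicious object (D:\autorun.inf, F:\autorun.inf, the dropped executable) and only then DeleteFile, so a copy survives for the analysts. The script below is an added example written for this page, not code from the thread, from AVZ or from ComboFix. It applies that quarantine-then-delete discipline to autorun.inf files found at drive roots, after first parsing the file to see what it would launch. Everything in it is constructed: the sample autorun.inf content is modelled on a typical USB worm's file (the thread never shows the real one; the name G.exe is borrowed from the second script), and the drive root in the stand-alone run is a temporary directory standing in for F:\.

```python
# Added example for this page; not part of the thread, AVZ or ComboFix.
# Parses autorun.inf, flags ones that launch an executable, quarantines them
# into a zip with a manifest, and deletes the original only after that.
import hashlib
import json
import re
import time
import zipfile
from pathlib import Path

# Constructed sample modelled on a USB worm's autorun.inf. The thread never
# shows the real file; 'G.exe' is the name taken from the second AVZ script.
SAMPLE_AUTORUN = """[AutoRun]
open=G.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=G.exe
shellexecute=G.exe
"""

LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_RE = re.compile(r"shell\\[^\\]+\\command")   # shell\<verb>\command=
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}


def parse_autorun(text):
    """[autorun] section as a dict: keys lower-cased, first value wins, junk ignored."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries):
    """Command lines the file would run: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_VERB_RE.fullmatch(k)]


def executable_of(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split()[0] if cmdline else ""


def assess(entries):
    """Flag a file that launches an executable from the drive or spoofs Explorer's
    own 'Open folder' prompt. Normal on an installer CD, the worm pattern on a USB
    stick, so this is a triage signal rather than a verdict."""
    reasons = []
    for exe in map(executable_of, launch_targets(entries)):
        if Path(exe).suffix.lower() in EXEC_EXTS and f"launches {exe}" not in reasons:
            reasons.append(f"launches {exe}")
    if "open folder" in entries.get("action", "").lower():
        reasons.append("action= mimics Explorer's 'Open folder to view files'")
    return ("suspicious" if reasons else "benign"), reasons


def quarantine_and_remove(path, quarantine_dir):
    """QuarantineFile, then DeleteFile: copy the file into a zip with a manifest
    (hash, origin, time), and only after that delete the original."""
    path = Path(path)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    archive = quarantine_dir / f"{path.name}.{digest[:12]}.zip"
    manifest = {"original_path": str(path.resolve()), "sha256": digest,
                "size": len(data), "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%S")}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(path.name + ".quarantined", data)   # not executable in place
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    path.unlink()   # only once the quarantine copy is on disk
    return archive


def sweep(drive_roots, quarantine_dir):
    """Check each drive root for autorun.inf; quarantine the suspicious ones.
    Returns {root: (verdict, reasons, archive_path_or_None)}."""
    results = {}
    for root in drive_roots:
        inf = Path(root) / "autorun.inf"
        if not inf.is_file():
            continue
        verdict, reasons = assess(parse_autorun(inf.read_text(errors="replace")))
        archive = (quarantine_and_remove(inf, quarantine_dir)
                   if verdict == "suspicious" else None)
        results[str(root)] = (verdict, reasons, archive)
    return results
```

On the machine in the thread you would call sweep with the real roots, for example sweep([r"D:\", r"F:\"], r"C:\quarantine"), and keep the resulting zip (like C:\quarantine.zip from the CreateQurantineArchive step) for whoever reviews the case; the sha256 in the manifest lets you match the sample against a later detection without re-executing anything.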

I've done as you've directed, here's the logfile.

log.txt

Edited by richbuff


Uninstall ComboFix by: pause Kaspersky > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK. Restart Kaspersky.

 

Also, if you use Windows System Restore, turn it off, reboot, and do a full scan with Kaspersky. Then turn System Restore back on, if you wish; this is to remove malware from the System Volume Information files.

 

Delete the AVZ and ComboFix quarantine folders if they are still extant and you come across them. Post back and confirm that ComboFix is uninstalled and that Windows System Restore was turned off, then reboot.


ComboFix uninstalled, System Restore has been turned off, rebooted, scan done with KIS, then System Restore turned back on.


Hi Richbuff, I continue to have the same problem with ad yield manager diverting me to a search result page when I check my Yahoo email. See attached AVZ log. I've been trying to attach a screen print of the search page but I'm having trouble doing it. Is this a virus or spyware??? Why are we having such a hard time getting rid of it? SUPERAntiSpyware finds and removes it temporarily but it comes right back.

sysinfo.zip


Hi,

 

What exactly does SAS find? (give the location of the object it detects)

Edited by Baz^^

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/30/2009 at 06:53 PM

 

Application Version : 4.25.1012

 

Core Rules Database Version : 3737

Trace Rules Database Version: 1706

 

Scan type : Complete Scan

Total Scan Time : 00:35:16

 

Memory items scanned : 788

Memory threats detected : 0

Registry items scanned : 7724

Registry threats detected : 0

File items scanned : 31546

File threats detected : 6

 

Adware.Tracking Cookie

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@trafficmp[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@chitika[1].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@questionmarket[2].txt

C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@insightexpressai[1].txt

 


All those are cookies that you're getting from the advertisements, as revealed by the path and by the detection name (Adware.Tracking Cookie). Those are safe to delete. Advertisers like to remember which ads you've seen. Users usually don't like that. :)

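The reply above does the triage by eye: every detection sits under Adware.Tracking Cookie and every path is a browser cookie store, so the scan found nothing that could be redirecting the email page. The script below is an added example written for this page, not from the thread or from SUPERAntiSpyware, that does the same triage mechanically over a SAS log: it parses the summary counts and the per-category detections, attributes each cookie to the host that set it (IE names cookie files user@host[n].txt with the TLD dropped; Firefox entries put the host before the cookies.txt path, and the code strips the TLD from that form as a heuristic so the two merge), checks that the counts in the header agree with the items listed, and separates out anything that is not a cookie. The log text is constructed: its header and three cookie lines follow the 30 January log posted above, while the Trojan.Agent/Gen-Example line and the path under it are invented here to show how a real file detection would surface.

```python
# Added example for this page; not code from the thread or from SUPERAntiSpyware.
# Splits a SAS scan log into tracking-cookie noise and real detections.
import re
from collections import Counter

# Constructed sample. Header and cookie lines follow the thread's 30 Jan log;
# the Trojan.Agent/Gen-Example entry and its path are invented for illustration.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2009 at 06:53 PM

Application Version : 4.25.1012

Scan type : Complete Scan
Total Scan Time : 00:35:16

Memory items scanned : 788
Memory threats detected : 0
Registry items scanned : 7724
Registry threats detected : 0
File items scanned : 31546
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@cache.trafficmp[1].txt
C:\Users\Rivera\AppData\Roaming\Microsoft\Windows\Cookies\Low\rivera@ad.yieldmanager[1].txt
ad.yieldmanager.com [ C:\Users\Rivera\AppData\Roaming\Mozilla\Firefox\Profiles\k04r0ghk.default\cookies.txt ]

Trojan.Agent/Gen-Example
C:\Users\Example\AppData\Local\Temp\example.exe
"""

STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
FF_COOKIE_RE = re.compile(r"^(?P<host>\S+)\s+\[\s*(?P<path>.+?)\s*\]$")   # host [ cookies.txt ]
IE_COOKIE_RE = re.compile(r"[^\\]+@(?P<host>[^\[\\]+)\[\d+\]\.txt$", re.IGNORECASE)


def parse_sas_log(text):
    """Return {'stats': {field: int}, 'detections': [(category, item), ...]}.
    A bare line (no path, no ' : ') names a category; the item lines under it
    belong to that category until the next bare line."""
    stats, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("superantispyware", "http", "generated ")):
            continue
        if " : " in line:                                   # header field
            m = STAT_RE.match(line)
            if m:
                stats[m["key"].strip().lower()] = int(m["value"])
        elif WIN_PATH_RE.match(line) or FF_COOKIE_RE.match(line):
            if category:
                detections.append((category, line))
        else:
            category = line
    return {"stats": stats, "detections": detections}


def cookie_domain(item):
    """Host that set the cookie, or None if the item is not a cookie entry.
    Firefox form keeps the TLD, IE's file name drops it; strip a short alphabetic
    last label from the Firefox form (heuristic) so both forms merge."""
    m = FF_COOKIE_RE.match(item)
    if m:
        labels = m["host"].lstrip(".").split(".")
        if len(labels) > 1 and labels[-1].isalpha() and len(labels[-1]) <= 3:
            labels = labels[:-1]
        return ".".join(labels)
    m = IE_COOKIE_RE.search(item)
    return m["host"] if m else None


def triage(parsed):
    """Cookies counted per advertising host; everything else listed verbatim;
    plus a check that the header's threat counts match the items listed."""
    cookies, other = Counter(), []
    for category, item in parsed["detections"]:
        host = cookie_domain(item) if "cookie" in category.lower() else None
        if host:
            cookies[host] += 1
        else:
            other.append((category, item))
    s = parsed["stats"]
    reported = sum(s.get(k, 0) for k in ("memory threats detected",
                                          "registry threats detected",
                                          "file threats detected"))
    return {"cookies_by_domain": cookies, "other": other,
            "counts_match": reported == len(parsed["detections"])}
```

Run against the two logs posted in this thread, triage returns an empty other list with counts_match true, which is the point richbuff makes: the scanner is reporting browser state set by ad networks, not a resident component, so the redirect has to be looked for elsewhere. Any entry in other is the one to hand to the helpers before deleting anything.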
But I'm getting ad yield manager diverting me away from my Yahoo email. I can't read my email without being hijacked to another page!!
