Karl's PC Help Forums

Problem with Yieldmanager.com.
victor - 22-2-2008 at 16:09

Every time I open Yahoo mail Spybot comes up with this. Is there an easy way to remove it?


victor - 22-2-2008 at 23:25

I reckon I put this in the wrong section. Could one of the mods please move it to Virus Help?


Dreamweaver - 22-2-2008 at 23:30

Quote:
Originally posted by victor
I reckon I put this in the wrong section. Could one of the mods please move it to Virus Help?


Sorted :)


victor - 22-2-2008 at 23:45

Thanks DW.


Dreamweaver - 22-2-2008 at 23:49

Quote:
Originally posted by victor
Thanks DW.



You know you are welcome :P


LSemmens - 23-2-2008 at 12:01

Have you performed all the usual scans? AV, Spybot, AdAware, Ccleaner and such?


Pancake - 23-2-2008 at 23:15

The first thing I would get rid of is SpyBot SD and then...


Please download HijackThis to your desktop: http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. By default it will install to the directory C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.


LSemmens - 24-2-2008 at 11:37

Interesting Pancake, why get rid of Spybot, I've always found it to work quite well?


Pancake - 24-2-2008 at 21:24

Quote:
Originally posted by LSemmens
Interesting Pancake, why get rid of Spybot, I've always found it to work quite well?


I like to go for the quick cure....No SpyBot....No message..:D


LSemmens - 25-2-2008 at 11:53

But that really doesn't resolve the underlying issue. Is there a nasty that has hijacked the Yahoo mail page, or is Yieldmanager really an innocent pawn in this?

I know I'm questioning a lot, but I can normally understand your reasoning although I haven't your expertise. Your initial statement had me wondering whether my own security may have been at risk.


Pancake - 25-2-2008 at 21:45

Until I see the HJT log I can't tell what's there.

Maybe with my comment about SpyBot I should have included the words "it's a joke", for that's what it was. It's my fault for being misleading. Sorry.


victor - 25-2-2008 at 22:15

Quote:
Originally posted by Pancake
Until I see the HJT log I can't tell what's there.

Maybe with my comment about SpyBot I should have included the words "it's a joke", for that's what it was. It's my fault for being misleading. Sorry.


I am glad you said that Pancake, you had me worried. Spybot is still installed.

Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:27, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AE5662-C9A4-498D-931A-1B7BA84F4176}: NameServer = 192.168.0.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9956 bytes

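As an added example, not from the thread and not HijackThis' own code: a small Python helper that parses the R/F/O lines of a HijackThis log (the format victor posted above), pulls out each entry's CLSID and flags what a reviewer would read first, namely entries HijackThis marks "(no file)" or "(file missing)" (uninstall leftovers, or a removed component whose hook still loads) and O16 ActiveX items fetched from a URL. The sample lines are constructed after the log above; the section codes (O2 = BHO, O4 = Run key, O16 = DPF download, O23 = service) are HijackThis' own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    section: str          # HJT section code, e.g. O2 (BHO), O4 (Run key), O23 (service)
    body: str             # everything after "Oxx - "
    guid: Optional[str]   # CLSID when the entry carries one
    orphaned: bool        # HJT reports the referenced file as gone

def parse_hjt(text: str) -> List[Entry]:
    """Parse the R/F/O lines of an HJT log; header and process list are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "Running processes:" block, blank lines, trailer
        body = m.group("body")
        g = GUID_RE.search(body)
        orphaned = "(no file)" in body or "(file missing)" in body
        entries.append(Entry(m.group("section"), body, g.group(0) if g else None, orphaned))
    return entries

def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Entries worth a second look: orphaned registry references, and O16
    ActiveX payloads that were pulled from a URL. Returns section -> bodies."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if e.orphaned or (e.section == "O16" and "http" in e.body):
            flagged.setdefault(e.section, []).append(e.body)
    return flagged

if __name__ == "__main__":  # stand-alone run: print what to read first
    print(triage(parse_hjt(SAMPLE_LOG)))
```

Nothing the helper flags is a verdict; like Pancake's "do not fix anything" advice, it only narrows the list a human then checks entry by entry.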

Pancake - 25-2-2008 at 22:56

Nothing is showing up in that so it may well be just one odd file somewhere....

Download ewido anti-spyware from http://www.ewido.net/en/download/ and save that file to your desktop.

This is a 30 day trial of the program

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan just yet.

  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


victor - 25-2-2008 at 23:27

About to do the reboot but got to print out your instructions.


victor - 26-2-2008 at 00:27

You were right Pancake, at the rate this is scanning I might as well go to bed. It's been running 45 mins and it has done about a third of it.
So far 274 infected objects and they are all medium risk tracking cookies.


victor - 26-2-2008 at 02:27

I followed your instructions to the letter, and after "Apply all actions" went to "Reports", which said no reports available, so the save report button was inactive.

I did look at the Cookie list and there was a YieldManager cookie there.
Upon opening my Yahoo mail now Spybot is finding a bad URL, but it's changed in name to servedby, and it has not got Tagasaurus.
Maybe useful to know it only comes up the first time I open Yahoo mail after booting up.

I will try another ewido scan tomorrow unless you say different, and do "report" before "Apply all actions".


Pancake - 26-2-2008 at 02:46

Yes, re-do the scan and also run this as well...

Ok. Let's begin with ComboFix.exe.
Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.


LSemmens - 26-2-2008 at 14:33

Thanks for the clarification, PK, you seem to be on my wavelength with humour, which is why I have managed to cause offence in the past, by an inappropriate comment at the wrong time. In this case, a novice may have just accepted that SB is the problem and deleted it, which may be unfortunate.


victor - 26-2-2008 at 23:45

Spybot flag had reverted back to Yieldmanager Tagasaurus this morning.

Did second ewido run. Report attached although nothing found.

I am about to go through ComboFix.


victor - 27-2-2008 at 22:39

Hi Pancake. I did not get round to using ComboFix, put off by an earthquake (there is an excuse you can't use every day).
I hope I have discovered the problem. I should have mentioned that I had downloaded the latest version of Spybot S&D and had forgotten this myself until today.
So I went to the Spybot forum and found someone with the same problem. I only hope that this is the answer:
Spybot > Configuration > Block all pages silently

If it is, thanks for your help; if not, as Arnie says, "I will be back".


Pancake - 27-2-2008 at 23:06

Ok. No problem.