ad.yieldmanager.com



verdad
2006-12-30, 12:40
HI,

Whenever I connect to the net, I get a message from Zone Alarm that it stopped ad.yieldmanager.com from connecting to the net.

I scanned the computer with Spy-Bot, Ad-Aware and AVG antivirus but they detected nothing. Anyone have an idea what it is and how to remove it? Nothing on the net that is useful... Just a lot of people asking for help, but no help given.

Saludos,

Diego

shelf life
2006-12-30, 13:50
hi verdad,

need an HJT log as a starting point. from the sticky:

* Downloads:
* Please make sure you have the latest version. HJT 1.99.1
* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running hjt from the wrong folder may delay assistance as your helper will have to ask for a new log.

If in doubt use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste in this topic
a) The HJT log

shelf life

verdad
2006-12-30, 14:07
Logfile of HijackThis v1.99.1
Scan saved at 12:11:57 AM, on 31/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
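
A small parser for the HijackThis log format posted above, as an added example that is not part of this thread and not HijackThis code. The sample lines are copied from the log above (a subset; a real log has more sections). The section regexes and the `needs_attention` heuristic (flagging autostart or service binaries given as a bare file name, or located outside the Windows and Program Files directories) are my own assumptions about what a log reviewer checks first, not HijackThis behaviour.

```python
"""Parse HijackThis-style log lines and pick out the autostart entries a
reviewer would look at first. Added example; the heuristic is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the log posted in the thread (real logs have more sections).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    kind: str              # HJT section code: R0, R1, O4, O23, ...
    name: str              # Run value name, shortcut name, service name, or the raw body
    path: Optional[str]    # executable or shortcut target, when the line carries one
    owner: Optional[str]   # service vendor string (O23 only)
    raw: str


ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A command is either a quoted path or an unquoted path that ends at the first
# executable extension; paths may contain spaces, so we cannot split on whitespace.
CMD_PATH_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|lnk|com|bat|scr))(?:\s|$)', re.IGNORECASE)
# Directories where the entries in this thread's logs legitimately live (assumption).
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(WINDOWS|Program Files|PROGRA~1)\\", re.IGNORECASE)


def command_path(cmd: str) -> Optional[str]:
    """Extract the program path from an O4 command line, dropping its arguments."""
    m = CMD_PATH_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else None


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # blank line, header, or process list
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        r = RUN_RE.match(body)
        if r:
            return Entry(kind, r.group("name"), command_path(r.group("cmd")), None, line)
        s = STARTUP_RE.match(body)
        if s:
            return Entry(kind, s.group("name"), s.group("target").strip(), None, line)
    if kind == "O23":
        s = SERVICE_RE.match(body)
        if s:
            return Entry(kind, s.group("name"), s.group("path").strip(), s.group("owner"), line)
    return Entry(kind, body, None, None, line)   # R0/R1 etc.: keep the body as-is


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def needs_attention(entries: List[Entry]) -> Dict[str, str]:
    """Assumed reviewer heuristic: autostart/service binaries that are a bare file
    name (resolved through the search path, so the log alone cannot say which file
    runs) or that live outside the Windows and Program Files directories."""
    findings: Dict[str, str] = {}
    for e in entries:
        if e.kind not in ("O4", "O23") or e.path is None:
            continue
        if "\\" not in e.path:
            findings[e.name] = "unqualified file name: " + e.path
        elif not TRUSTED_DIR_RE.match(e.path):
            findings[e.name] = "outside Windows/Program Files: " + e.path
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.kind:4} {e.name:40} {e.path or ''}")
    print("needs attention:", needs_attention(entries))
```

Run against the sample, the only entry it singles out is `ATIModeChange`, whose command is the bare name `Ati2mdxx.exe`; that is exactly the kind of line a helper asks about, since the log by itself does not say which directory the file came from.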

verdad
2006-12-30, 14:59
I have noticed that Zone Alarm blocks connection when I open my Operamail account.

I have a screendump of ZA blocking it. Tried to attach it here:

shelf life
2006-12-30, 23:33
hi verdad,


that screenshot didn't show up. let's try this first:

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------------------------------------------
start>settings>Control Panel> click the Internet options icon

Next:

Click on Delete Cookies.

Click on Delete Files, make sure Delete all offline content is checked and then click on OK.
---------------------------------------------------
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

shelf life

verdad
2006-12-31, 00:02
Hi shelf life. I did as per your instructions. I do have Firefox, however, not IE, if that may be of help.

Attached is (hopefully) the screendump, which is now within the limits for posting. Hope you can see it well enough to read the message from Zone Alarm. I zipped the gif.

Thanks for your help, by the way.

verdad
2006-12-31, 00:24
Attached is the ZA Warning when I connect to Operamail site. You can see in the left bottom corner, the browser's tab, saying Opera...

This only happens when I go there. It also invokes Java. For a second a little coffee cup turns up in the Startup bar, the bottom right corner. Then, when ZA blocks it, Java disappears.

So I am guessing here that it may be some kind of Java applet that I could have downloaded when I recklessly opened one spam email in Operamail. I wanted to delete it but made a mistake and clicked on the wrong thing. As the message opened, Java turned up in the Startup bar. Since then, yieldmanager keeps turning up trying to go on the net.

ZA is doing great blocking it but I can't find the file to delete it.

shelf life
2006-12-31, 01:50
hi verdad,

got it, thanks. try this: with Firefox open, go to tools > options > privacy tab > under private data click on "clear now", place a checkmark next to all except saved passwords, then click on "clear private data now". this is for the latest version of ffox 2.0.0.1

shelf life

verdad
2006-12-31, 05:44
Done that shelf life.

verdad
2006-12-31, 05:47
You can call me Diego. It feels bizarre being called verdad.

:cool:

shelf life
2007-01-01, 21:33
hi Diego,

maybe the operamail website uses java. that cup icon is the java control/options - it pops up when using java. in any case, how's it going on that end?

verdad
2007-01-02, 00:36
HI shelf life,

Happy New Year. Here, same old story. I don't know about Operamail, but I haven't seen the little cup before.

I dare not suggest I send you the suspicious message. It looks like the code is in the title, and in the message itself. Maybe it gets active by clicking on the title. If I were a hacker not wanting to have my malicious code recognised easily, Java would be the way to go. Almost every fool on the internet, me leading the way, has it on.

It is frustrating to be unable to find what it is that is connecting to a site out of my box...

Any suggestions are most welcome.

shelf life
2007-01-02, 03:27
hi Diego,

download, install, update and scan with AVG Anti-Spyware.
when it's done scanning you can save the log file somewhere. please post the saved AVG log in your next reply. also rescan and post another HJT log, the first one looks mighty short.

avg-antispyware 30 day trial version:
http://free.grisoft.com/doc/avg-anti-spyware-free/lng/us/tpl/v5

java coffee cup:
http://www.java.com/en/download/help/5000021000.xml

verdad
2007-01-03, 10:39
Yes,

It's just a typewriter with some extra features for me. Hence the short HJT report. Below are both reports:

AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:36:04 PM 3/01/2007

+ Scan result:



Nothing found.



::Report end

Hijack report:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:27 PM, on 3/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

verdad
2007-01-03, 10:55
And I've just confirmed my suspicions. It only gets active if I turn the cookies on and open the operamail page. Now, I am sure that's not operamail's problem because I never had this problem until I accidentally opened that email message.

verdad
2007-01-03, 12:24
I ran the AVG spyware again and it came clean again, just as the first one.

bondul
2007-01-03, 22:24
My pc is also infected by ad.yieldmanager.com. I ran Spybot and HijackThis and still get infected.

In my case: I use Firefox & IE. When I open Firefox the ad pops up using IE. I need to keep my IE to access some secure sites.

I also hope we can get to the bottom of this w/o reformatting my HD (that's the only cure that my friend told me of).

Please let me know if I can help you all

Regards,
bondul

shelf life
2007-01-04, 00:29
hi Diego,

try this: put an exception for ad.yieldmanager.com
for example: with firefox open (I am in linux now, may be different in windows) go to edit (or tools) > preferences > privacy tab > cookies tab >
put a check next to allow sites to set cookies
put a check next to from the originating website only
click the exceptions button; in the field copy/paste:

ad.yieldmanager.com
then click on block.
the same can be done in IE; haven't really configured it in a long time, i use it to attract malware and go with default settings.
------------------------------
see if that works, if not try this:
open up the cookie control again, click on clear cookies
next go straight to the website (operamail) where you get the warnings in ZA, allow it
click on view cookies and add the new cookies to the exception list like you did with ad.yieldmanager.com (don't add any from operamail)

shelf life

verdad
2007-01-05, 11:07
Hi shelf life,

It is slightly different in FF for Windows. So I turned ZA spyware protection off and opened operamail. Attached is the list of cookies caught after that. I did not connect to any other sites after that. I'll also run HJT, AVG Anti-Spyware, Ad-Aware and Spy-bot. Will now post the HJT log and any other log if other software detects something.

Diego

verdad
2007-01-05, 11:09
Shelf life,

Here's the log, but as you can see, very little is going on.

Logfile of HijackThis v1.99.1
Scan saved at 9:13:46 PM, on 5/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

verdad
2007-01-05, 11:38
Attaching another printscreen as another suspicious cookie turned up: members.commissionmonster.com

verdad
2007-01-05, 12:17
Ad-aware has not even detected those cookies, including yieldmanager.

What puzzles me is the fact that the yieldmanager.com site seems to be down, yet the cookie appears, confirming that something on my pc established the contact.

Spy-bot just came clean as well. Log attached.

Awaiting further instructions.

shelf life
2007-01-06, 03:31
hi Diego,

thanks for the info. cookies are pretty harmless. your computer isn't really establishing the contact. when you view a website it's very likely that the content, including ads, links, graphics etc., is pulled from other servers, not just the site you're viewing. just have Firefox set to clear cookies when you exit it.
here's a screenshot of cookies i got after viewing and clicking a few links to read some items on my startpage yahoo:

verdad
2007-01-07, 07:38
Hi shelf life,

So, if I understand you correctly, there's nothing on my computer? If that is what you are saying, the ZA message leaves me with doubts, as it is clearly saying that my computer is trying to connect back to yieldmanager. From it I assumed that there's something on my pc actively trying to connect to a site I have no intention of visiting.

If I have nothing, then is the cookie maybe trying to communicate back with the originating site in a way that sets ZA off? Puzzling, as yieldmanager.com is not an active site either.

What do you think is going on then? How do we explain the ZA message?

shelf life
2007-01-07, 23:56
hi Diego,

ok, let's try an online scan with panda even though all else looks ok. also download and run ATF Cleaner, which is a good app to have and use regularly.

panda:
http://www.pandasoftware.com/products/activescan.htm

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send (use a fake e-mail)
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
-----------------------------------------
atfCleaner:
ATF Cleaner by Atribune.


http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

------------------------------------------
just to make sure: the ad.yieldmanager warning in ZA only pops up when you are going to operamail? and not randomly at other times?

shelf life

verdad
2007-01-08, 22:43
shelf life,

Panda wants IE, I use FF. So I cleaned the pc with ATF Cleaner and scanned it again with Ad-Aware, Spy-bot, HijackThis and AVG (antivirus and anti-spyware). Everything clean, as always.

Yes, ZA only alerts me that my computer was prevented from connecting to yieldmanager.com when I open operamail.

Maybe those bad people monitor public email systems and then send cookies to everyone connected. That would explain how they manage to mimic names and addresses of some people I actually have contact with.

It is a bit FF's fault as well. They did away with "Accept cookies for the originating site only" in FF 2, but it was available in 1.5. FF guys are getting slack lately...

If there are more things we can do to find out if there's something on my pc, let me know. And thanks for your help so far.

verdad
2007-01-08, 22:49
I did put yieldmanager.com in "Exceptions", in FF, but that did not prevent my pc from trying to connect to it, as soon as I opened operamail.

If I didn't know better, I'd think that maybe free operamail has those trackers and things...
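
Shelf life's earlier point that ad and tracker content is pulled in from servers other than the site being viewed, and the observation just above that a Firefox cookie exception did not stop the connection attempt, can both be shown in a few lines. This is an added example, not code from the thread, Firefox or Opera: the page URL, resource paths and cookie values are constructed (only the host names operamail, ad.yieldmanager.com and members.commissionmonster.com come from the thread), and `PUBLIC_SUFFIXES` is a stub standing in for the full public suffix list. It classifies the hosts a page contacts as first- or third-party by comparing registrable domains, then simulates three cookie policies: accept all, the Firefox 1.5 "originating web site only" option, and an Exceptions-list block for yieldmanager.com.

```python
"""Classify the cookies a page pulls in as first- or third-party and simulate
the Firefox cookie policies discussed in the thread. Added example; URLs are
constructed and the public-suffix list is a stub."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Stub of the public suffix list (publicsuffix.org); real code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: ad.yieldmanager.com -> yieldmanager.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


@dataclass
class Resource:
    url: str          # something the page's HTML embeds (stylesheet, ad image, tracker)
    set_cookie: str   # constructed Set-Cookie header the server answered with


# Constructed stand-in for the webmail page and what it embeds. The hosts are
# the ones named in the thread; the paths and cookie values are made up.
PAGE_URL = "http://www.operamail.com/inbox"
EMBEDDED = [
    Resource("http://www.operamail.com/css/mail.css", "OMSESSION=abc123; Path=/"),
    Resource("http://ad.yieldmanager.com/imp?z=1", "uid=9f8e7d; Domain=.yieldmanager.com; Path=/"),
    Resource("http://members.commissionmonster.com/t.gif", "cm=42; Path=/"),
]


def third_party_hosts(page_url: str, resources: List[Resource]) -> List[str]:
    """Hosts the page contacts whose site differs from the page's own site."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    return sorted({urlsplit(r.url).hostname for r in resources
                   if registrable_domain(urlsplit(r.url).hostname) != page_site})


@dataclass
class CookieJar:
    first_party_only: bool = False                          # "from the originating web site only"
    blocked_sites: Set[str] = field(default_factory=set)    # Exceptions -> Block
    cookies: Dict[str, List[str]] = field(default_factory=dict)
    requests_made: List[str] = field(default_factory=list)

    def load_page(self, page_url: str, resources: List[Resource]) -> None:
        page_site = registrable_domain(urlsplit(page_url).hostname)
        for r in resources:
            host = urlsplit(r.url).hostname
            # The request is made regardless of cookie policy: the page's HTML
            # asked for the resource, and a personal firewall sees that connection.
            self.requests_made.append(host)
            site = registrable_domain(host)
            if site in self.blocked_sites:
                continue                         # cookie discarded, request already sent
            if self.first_party_only and site != page_site:
                continue
            self.cookies.setdefault(host, []).append(r.set_cookie.split(";")[0])


def run_scenarios() -> Dict[str, Tuple[List[str], List[str]]]:
    """For each policy: (hosts that stored a cookie, hosts that were contacted)."""
    results = {}
    for label, jar in [
        ("accept all", CookieJar()),
        ("originating site only", CookieJar(first_party_only=True)),
        ("block yieldmanager.com", CookieJar(blocked_sites={"yieldmanager.com"})),
    ]:
        jar.load_page(PAGE_URL, EMBEDDED)
        results[label] = (sorted(jar.cookies), sorted(set(jar.requests_made)))
    return results


if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(PAGE_URL, EMBEDDED))
    for label, (stored, contacted) in run_scenarios().items():
        print(f"{label:24} cookies from {stored}; contacted {contacted}")
```

The point the simulation makes is in `requests_made`: every policy produces the same list of contacted hosts, because cookie settings decide what the browser stores, not what it fetches. A firewall that flags a connection to an ad server therefore fires whether or not the cookie was blocked, and the appearance of the cookie says only that the page embedded something from that host. Blocking the fetch itself would need a hosts-file entry, a content blocker or a firewall rule, none of which a cookie exception provides.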

shelf life
2007-01-10, 01:05
hi Diego,

sorry for the delay. no luck with that. your computer according to the scan is clean. maybe a third party website is invoking the cookie when at the operamail site. i did read their privacy policy:

"Opera Web Mail contains links to other sites. Opera Software is not responsible for the privacy practices or the content of such Web sites."

is that the free version of ZA you use or one of the other packages?

shelf life

verdad
2007-01-10, 08:48
I am using the trial version of the ZA Pro. You are probably right. One of their third party links must be leading to yieldmanager. As long as I do not connect to operamail, I do not have the ZA alert. Even with cookies on.

shelf life
2007-01-11, 02:11
hi Diego,

Your computer is clean. the notice from ZA must be part of the protection or blocking of known web sites or ad servers. the best i figure is the cookie is invoked by a server on the operamail website which raises a flag with ZA for whatever reason.

shelf life

verdad
2007-01-11, 10:29
shelf life,

I think that is probably a fair assessment. We couldn't find anything anyway. Thanks for your assistance and guidance. I guess we can let the moderators close this thread now. Best wishes,

Diego