PDA

View Full Version : connect to ad.yieldmanager.com virus



orion1
2008-05-04, 19:18
When I logon to my mail yahoo account without fail I get a pop-up window with title " Connect to ad.yieldmanager.com ".

If I do not cancel out of this window my Internet Exporer browser remains locked up.

This is tremendously annoying.

This pop-up window surfaces on other websites as well, however, it is not consistent.

It does show up in my yahoo mail without fail.

More specifically, it shows up whenever I send any kind of message, either new message or forward message. It is as if this virus is keeping track of all my actions on the computer or at least on my activities in my yahoo mail account and other websties.

To date I have not seen it show up on my gmail account.


For your information, I went to another malware removal website late last year and spent about three months working with a person that could not resolve the issue. This person gave up and suggested I go to another website for help.

I do need help from someone competent.

In advance, thanks for the assistance.

steamwiz
2008-05-06, 01:14
Hi

Do you have a link to the other website you received help on ? it will save going over the same ground twice ...

I would also like to see some logs ...

Download ...

HiJackThis log - Trend Micro HijackThis 2.0.2
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" and Paste (http://www.webmasternow.com/copyandpaste.html) the entire contents of the log (no attachments) into your next post.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

orion1
2008-05-06, 14:43
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:19, on 2008-05-05
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\abaez\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/kb/315194/en-us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://www.academicplanet.com
O15 - ESC Trusted Zone: http://www.advanta.com
O15 - ESC Trusted Zone: http://localization.att.com
O15 - ESC Trusted Zone: http://www.bitdefender.com
O15 - ESC Trusted Zone: http://documents.bmc.com
O15 - ESC Trusted Zone: http://www.bmc.com
O15 - ESC Trusted Zone: http://www.coxenterprises.com
O15 - ESC Trusted Zone: http://seeker.dice.com
O15 - ESC Trusted Zone: http://www.dolda2000.com
O15 - ESC Trusted Zone: http://www.drivercleaner.net
O15 - ESC Trusted Zone: http://www.ebizq.net
O15 - ESC Trusted Zone: http://www.emausa.com
O15 - ESC Trusted Zone: http://www.expedia.com
O15 - ESC Trusted Zone: www.fidelity.com (http://www.fidelity.com)
O15 - ESC Trusted Zone: http://www.goamplify.com
O15 - ESC Trusted Zone: http://www.hartlandpublications.com
O15 - ESC Trusted Zone: http://www.insight.org
O15 - ESC Trusted Zone: http://turbotax.intuit.com
O15 - ESC Trusted Zone: http://www.irs.gov
O15 - ESC Trusted Zone: http://www.landsend.com
O15 - ESC Trusted Zone: http://www.lockheedmartinjobs.com
O15 - ESC Trusted Zone: http://www.marriott.com
O15 - ESC Trusted Zone: http://multimedia.mmm.com
O15 - ESC Trusted Zone: http://macromedia.mplug.org
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://download.nvidia.com
O15 - ESC Trusted Zone: http://www.nzone.com
O15 - ESC Trusted Zone: http://event.on24.com
O15 - ESC Trusted Zone: http://www.pandasecurity.com
O15 - ESC Trusted Zone: http://www.pandora.com
O15 - ESC Trusted Zone: http://www.psk12.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://www.itil.techweb.com
O15 - ESC Trusted Zone: http://expoq.unisfair.com
O15 - ESC Trusted Zone: http://www.webservertalk.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135326653031
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://aldine-platoweb.aldine.k12.tx.us/Pathways/pway_iis.dll/PWLN/02040611/fullcab/pwlninst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ITISSYSMANAGEMENT.COM
O17 - HKLM\Software\..\Telephony: DomainName = ITISSYSMANAGEMENT.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ITISSYSMANAGEMENT.COM
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ITISSYSMANAGEMENT.COM
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BGS_SDService - BMC Software, Inc. - D:\Program Files\BMC Software\Patrol3\BEST1\7.2.10\bgs\bin\BGS_SDservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: PATROL Console Server (cserver) - BMC Software, Inc. - D:\Program Files\BMC Software\Patrol7\bin\Windows-x86\cserver.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: PatrolAgent - BMC Software, Inc. - D:\Program Files\BMC Software\Patrol3\bin\PatrolAgent.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SmartSockets RTserver (rtserver) - Unknown owner - D:\Program Files\BMC Software\common\smartsockets\bin\Windows-x86\rtserver.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware ACE\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 11861 bytes


MBAM log:

Malwarebytes' Anti-Malware 1.11
Database version: 721
Scan type: Quick Scan
Objects scanned: 41240
Time elapsed: 8 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Combofix does not run on my system, it used to run on my system. My systems uses Windows Server 2003 Enterprise Edition.

I tried running combofix in Safe Mode as well as multi-user mode and I get a pop-up window stating it does not run on my operating system.

Right now I cannot remember or find the website where I spent from December thru March working on this problem, however, sooner or later I'll remember it or find it through google and let you know.

Thanks for the help.

steamwiz
2008-05-06, 17:45
HI

Your hijackthis log is essentially clean, I would question though, all the entries in the trusted zone ...

Putting a website in the trusted zone is like giving your house keys to a stranger & then going on holiday, any website in the trusted zone can download & run anything on your computer without asking you first ...

Windows Server operating systems are geared to-wards the commercial sector, we are here to help individuals with their home computers, many of the programs we use are not compatible with server systems, as this is no doubt part of a business setup, you should get your IT dept to sort it out for you ...

just one entry in the Malwarebytes log is the smallest Malwarebytes log I've seen ... if you were using XP or Vista I would suggest installing IE-Spyad & the MVPS hosts file ... but I'm not sure of their compatibility with Windows Server 2003 ... you could check them out ... other than that I'm sorry but I have no other suggestions ...

steam

orion1
2008-05-07, 04:06
I am sorry to perceive non-cooperation.

With the aim of getting a solution to my problem, and perhaps make a comment or two for you to ponder on, read on...

Getting offensive gives a bad image to your forum and to you.

Jumping to conclusions is very, very, very bad, in particular, when you are a volunteer.

Perhaps, some day you may appreciate the value of the benefit of the doubt and ask questions.

The fact is that I am a Systems Management specialist ( in other words, I am just another computer guy ) , as a result, at home, I use servers as my computers because I need them to learn and practice.

And I am not a specialist on viruses.

If you do not mind, pass on my issue to another specialist who is willing to work with another peer and help as professional courtesy or advertise this thread to your teammates and see if someone knows of a website where virus specialists are willing to help other computer guys that do not happen to be or care to be a virus specialist.

Bottom line, all I am looking for is a person to help me solve an annoying virus type problem.

Best wishes to you in your career.

Respectfully,
Orion1

tashi
2008-05-07, 05:04
Getting offensive gives a bad image to your forum and to you.


Nope, you are the one who is offensive orion1, this topic is closed.

Thank you for volunteering your valuable time steamwiz.