
Thread: Please help with ad.yieldmanager and ad.xtendmedia removal

  1. #21
    Member
    Join Date
    Sep 2012
    Posts
    57


    Thanks for letting me know that you will be out of town until November 4.

    I understand your frustration, but please keep in mind that my responses are reviewed for accuracy by one of our experts - this is a team effort.

    This is the first time we've seen a user experiencing that many issues with ESET. We wanted to make sure that everything has been tried before requesting a reset of Internet Explorer.

    Please reset Internet Explorer settings by following the steps here. Then, try to run ESET online scanner again.

    In your next reply, please provide the following:
    • ESET log.
    • Update on how your PC is running.




    Regards,

    Richard

  2. #22
    Junior Member kristijotexan
    Join Date
    Oct 2012
    Location
    Texas
    Posts
    14


    ESET log:

    C:\Users\Kristi\Downloads\Adaware_Installer.exe Win32/OpenCandy application
    C:\_OTL\MovedFiles\10272012_102405\C_Windows\System32\drivers\etc\hosts Win32/Qhost trojan

  3. #23
    Member
    Join Date
    Sep 2012
    Posts
    57


    Nice work

    The ESET log looks fine.

    I noticed errors that indicate problems with your hard drive.
    Error - 10/24/2012 2:49:58 PM | Computer Name = Kristi-PC | Source = Disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 10/24/2012 2:50:01 PM | Computer Name = Kristi-PC | Source = Disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 10/25/2012 7:51:54 PM | Computer Name = Kristi-PC | Source = Disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 10/25/2012 7:51:58 PM | Computer Name = Kristi-PC | Source = Disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    I recommend that you back up any vital files from it as a precaution.

    Run CHKDSK to check for disk errors
    • Click Start and type cmd in the search box, then right click on cmd (at the top), and click on Run as administrator.
    • At the command prompt, type the following command and then press Enter:

      chkdsk c: /f /r
    • If you are prompted to schedule CHKDSK to run the next time the computer restarts, type y, and then press Enter to schedule the disk check.
    • Restart your computer to start the disk check.
    • Allow the utility to run.
    • When CHKDSK is done and you are back into normal mode, please follow the steps here to open the CHKDSK results.
    • Click on the Copy button and post the result in your next reply.

    Next

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    In your next reply, please provide the following:
    • CHKDSK results.
    • Security Check log.
    • Update on how your PC is running.




    Regards,

    Richard
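
The two checks in the post above, the bad-block errors and the CHKDSK result, can also be read from the event logs in PowerShell. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes an elevated Windows PowerShell 2.0 or later session.

```powershell
# Added example (not from the thread). Read-only: it queries logs and changes nothing.

function Convert-RawEventId {
    param([Parameter(Mandatory = $true)][uint32]$RawId)
    # The quoted log prints the identifier as 262151 (0x00040007).
    # The low 16 bits are the event ID that Event Viewer shows.
    [int]($RawId -band 0xFFFF)
}

function Get-BadBlockEvent {
    param([int]$Days = 30)
    # Source "Disk", event ID 7: "The device ... has a bad block."
    $filter = @{
        LogName      = 'System'
        ProviderName = 'disk'
        Id           = 7
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}

function Get-LastChkdskSummary {
    # A boot-time CHKDSK run writes its report to the Application log
    # as Wininit event 1001 (the event pasted later in this thread).
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return $null }   # no boot-time CHKDSK report in the log

    $badKB = $null                    # stays $null if the summary has no such line
    if ($evt.Message -match '(\d+) KB in bad sectors') { $badKB = [int64]$Matches[1] }

    New-Object PSObject -Property @{
        Time            = $evt.TimeCreated
        BadSectorKB     = $badKB
        NoProblemsFound = [bool]($evt.Message -match 'found no problems')
    }
}

Convert-RawEventId 262151                       # 7
Get-BadBlockEvent -Days 30 | Format-Table -AutoSize
Get-LastChkdskSummary | Format-List
```

A rising per-day count from `Get-BadBlockEvent`, or a `BadSectorKB` value that grows between CHKDSK runs, is the signal to prioritise the backup.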

  4. #24
    Junior Member kristijotexan
    Join Date
    Oct 2012
    Location
    Texas
    Posts
    14


    OK, let's see what we've got now.

    Here's chkdsk:

    Log Name: Application
    Source: Microsoft-Windows-Wininit
    Date: 11/5/2012 8:39:16 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Kristi-PC
    Description:


    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is HP.

    A disk check has been scheduled.
    Windows will now check the disk.

    CHKDSK is verifying files (stage 1 of 5)...
    330496 file records processed.

    File verification completed.
    687 large file records processed.

    0 bad file records processed.

    0 EA records processed.

    44 reparse records processed.

    CHKDSK is verifying indexes (stage 2 of 5)...
    413830 index entries processed.

    Index verification completed.
    0 unindexed files scanned.

    0 unindexed files recovered.

    CHKDSK is verifying security descriptors (stage 3 of 5)...
    330496 file SDs/SIDs processed.

    Cleaning up 826 unused index entries from index $SII of file 0x9.
    Cleaning up 826 unused index entries from index $SDH of file 0x9.
    Cleaning up 826 unused security descriptors.
    Security descriptor verification completed.
    41668 data files processed.

    CHKDSK is verifying Usn Journal...
    35559064 USN bytes processed.

    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
    330480 files processed.

    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    136472074 free clusters processed.

    Free space verification is complete.
    Windows has checked the file system and found no problems.

    720051199 KB total disk space.
    173539712 KB in 260696 files.
    165180 KB in 41669 indexes.
    4 KB in bad sectors.
    458007 KB in use by the system.
    65536 KB occupied by the log file.
    545888296 KB available on disk.

    4096 bytes in each allocation unit.
    180012799 total allocation units on disk.
    136472074 allocation units available on disk.

    Internal Info:
    00 0b 05 00 29 9d 04 00 4b 6f 08 00 00 00 00 00 ....)...Ko......
    17 ef 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 ....,...........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

    Windows has finished checking your disk.
    Please wait while your computer restarts.

    Here's Security Check:
    Results of screen317's Security Check version 0.99.54
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 23
    Java version out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


    I haven't noticed the pop up windows anymore. I do get the Google double click still where I can't use my browser back button.

    Please let me know what I should do next.

  5. #25
    Member
    Join Date
    Sep 2012
    Posts
    57


    CHKDSK has found bad sectors on your drive, but it's not much of a concern right now (typically a hard drive has 0 KB in bad sectors). CHKDSK marked them out so that they are unusable in the future.

    Regardless of the drive's health status, you should be backing up your drive and keeping the backup current anyways.

    If you are not having any other malware problems, it is time to do our final steps:

    I'm pleased to let you know that the infections seem to have been taken care of!

    Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

    Now, we need to do some house cleaning. You have out of date programs that leave you susceptible to future malware infections, so we will be updating those as well.

    Step 1

    Create a new, clean System Restore point
    -------------
    Create a new, clean System Restore point which you can use in case of future system problems:
    • Click Start > Right click on Computer, and select Properties.
    • Click on the System Protection link, located on the left hand side panel.
    • Press Create, type a name then press the Create button and once it's done press Close.

    Now remove old, infected System Restore points:
    • Click Start > in the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
    • Select the C: drive and click OK.
    • Ensure the following boxes are checked:
      • Recycle Bin
      • Temporary Files
      • Temporary Internet Files

    • Select the Clean Up System Files button.
    • Select the C: drive and click OK.
    • Select the More Options tab and under System Restore and Shadow Copies, click the Clean up button.
    • Select Delete, press Delete Files and OK to confirm.

    Step 2

    OTL CleanUp and Leftover Tool/Log Removal

    Run OTL.exe
    • Click the green CleanUp! button on the OTL start screen.
    • Accept any prompts to let the program proceed.
    • This will remove any tools we used, including itself, and will require a reboot.

    Leftover Tool/Log Removal

    Please remove the following logs/tools left on your Desktop (Right click and delete them.):


    SecurityCheck.exe
    checkup.txt
    AdwCleaner[R1].txt
    AdwCleaner[S1].txt
    ESETScan log.
    MBAM log.
    MBR.dat
    MBR.zip


    After deleting these, please empty your Recycle Bin. To do this navigate to your Desktop, right click on the Recycle Bin icon and select Empty Recycle Bin.

    Step 3

    Uninstall AdwCleaner
    • Double-click AdwCleaner.exe to run the tool.
    • Click Uninstall.
    • Confirm with yes.

    Step 4

    Update Your Java (JRE)

    Old versions of Java have vulnerabilities that malware can use to infect your system.

    Please Verify your Java Version

    If your version is out of date, install the newest version of the Sun Java Runtime Environment.

    Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Be sure to close ALL open web browsers before starting the installation.

    It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

    Remove any older versions:
    • Click on Start > Control Panel.
    • Click on Programs and Features.
    • Select the following from the list:


      Java(tm) 6 Update 23
    • Click the Uninstall button.

    Step 5

    Update Adobe Reader
    Your version of Adobe Reader is out-of-date. There are serious security issues with older versions of Adobe Reader.
    I'm not asking you to update the Adobe Acrobat installation, which can be quite costly. I am going to insist that you update your Adobe Reader software.
    Then use the Reader for viewing PDF files... you can use the Acrobat software for your other needs.

    Please download the current version of Adobe Reader.
    Please UNCHECK the box for the: Free McAfee Security Scan.
    • Click the Download now button. If you don't already have Adobe DLM, you may receive a prompt.
    • If prompted to install Adobe DLM, note that this software is not a requirement to obtain the latest Adobe Reader software.
      The Adobe (DLM) Download Manager allows you to pick up where you left off, if your download process is interrupted. A good idea if you are using dial-up.
      If you choose to install Adobe DLM, it will start the download automatically. Adobe DLM software removal instructions available here if wanted.
    • If not using Adobe DLM, click on the highlighted click here to download text to begin the Reader download.
      Save the file to your desktop.
      • Uninstall OLD Adobe Reader
      • Please uninstall Adobe Reader before installing the latest version... Go to Start > Control Panel
      • Double click on Add/Remove Programs... Locate:
        Adobe Reader...version to remove
      • Click on Change/Remove to uninstall it. Once uninstalled, Close and exit Control Panel.

    • Click on the Adobe Acrobat Reader (AdbeRdrxx_en_US.exe) icon, on your desktop to install the new (free) version.
      The Adobe Reader download file name will be different, depending on the language or OS chosen. xx in the name = version numbers.
    • The Adobe installer will check your system and begin the installation process. Use the default installation parameters.
    • When the installation is complete... Close and re-open your Internet browser.

    Step 6

    Update your AntiVirus Software

    It is imperative that you update your antivirus software at least once a week. The best solution is to enable automatic updates. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

    Please see below for tips on how to better protect your computer from future malware infections.

    --------------------------------------------------------------------------------------------------------------

    MICROSOFT UPDATES
    It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


    Passwords
    It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article, Strong passwords: How to create and use them, and consider a password keeper to keep all your passwords safe.


    SPYWARE PREVENTION
    This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

    Malwarebytes Anti-Malware

    Malwarebytes Anti-Malware is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

    Emergency Recovery Utility NT

    You should keep a copy of ERUNT installed as a means to create a complete backup of your registry and restore it when needed.

    Make your Internet Explorer more secure

    Please follow these instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next, press the Apply button and then the OK to exit the Internet Properties page.


    To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
    • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
      • Green to go
      • Yellow for caution
      • Red to stop


    WOT has an add-on available for both Firefox and IE.
    • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here

    Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

    Hopefully this should take care of your problems! Good luck.

    Do you have any questions to ask? Please do not hesitate to do so.



    Regards,

    Richard
    Last edited by tashi; 2012-11-27 at 00:28. Reason: Thank you TechieRanger :-)
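
The Internet zone settings recommended in the post above are stored as DWORD values under the current user's zone 3 registry key, so they can be audited without clicking through the dialog. This is an added example, not part of the original thread: the function name is hypothetical, the action IDs are the URL action codes Microsoft documents for those six settings, and a Group Policy value, if one is set, overrides what is reported here.

```powershell
# Added example (not from the thread). Read-only: it reports and changes nothing.
# Zone 3 is the Internet zone. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting name as shown in the Custom Level dialog, its action ID, and the
# value recommended in the post.
$Wanted = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' },
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1201'; Want = 3; Name = 'Initialize and script ActiveX controls not marked as safe' },
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' },
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' },
    @{ Id = '1607'; Want = 1; Name = 'Navigate sub-frames across different domains' }
)

function Test-InternetZoneSetting {
    param([string]$Path = $ZoneKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($w in $Wanted) {
        $p = $props.PSObject.Properties[$w.Id]
        if ($p) {
            $actual = [int]$p.Value
            $shown  = $Meaning[$actual]
            if (-not $shown) { $shown = "value $actual" }   # e.g. administrator-approved
        } else {
            $actual = $null
            $shown  = '(not set for this user)'
        }
        New-Object PSObject -Property @{
            Setting     = $w.Name
            ActionId    = $w.Id
            Current     = $shown
            Recommended = $Meaning[$w.Want]
            Ok          = ($actual -eq $w.Want)
        }
    }
}

Test-InternetZoneSetting |
    Select-Object Ok, Current, Recommended, ActionId, Setting |
    Format-Table -AutoSize
```

Any row with `Ok` set to `False` is a setting that still differs from the list in the post.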

  6. #26
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Since this issue appears to be resolved ... this Topic has been closed.
    Member of UNITE and ASAP
