ad.yieldmanager.com

verdad

New member
Hi,

Whenever I connect to the net, I get a message from Zone Alarm about ad.yieldmanager.com: it stopped yieldmanager.com from connecting to the net.

I scanned the computer with Spy-Bot, Ad-Aware and AVG antivirus but they detected nothing. Does anyone have an idea what it is and how to remove it? Nothing on the net that is useful... Just a lot of people asking for help, but no help given.

Saludos,

Diego
 
hi verdad,

need a hjt log as a starting point. from the sticky:

* Downloads:
* Please make sure you have the latest version. HJT 1.99.1
* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running hjt from the wrong folder may delay assistance as your helper will have to ask for a new log.

If in doubt use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste in this topic
a) The HJT log

shelf life
 
Hi shelf life, here is my log

Logfile of HijackThis v1.99.1
Scan saved at 12:11:57 AM, on 31/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
I have noticed that Zone Alarm blocks connection when I open my Operamail account.

I have a screendump of ZA blocking it. Tried to attach it here:
 
hi verdad,


that screenshot didn't show up. let's try this first:

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------------------------------------------
start>settings>Control Panel> click the Internet options icon

Next:

Click on Delete Cookies.

Click on Delete Files, Make sure Delete all offline content is checked and then click on OK
---------------------------------------------------
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

shelf life
 
Done Attached is the screendump

Hi shelf life. I did as per your instructions. I do have Firefox, however, not the IE, if that may be of help.

Attached is (hopefully) the screendump which is now within the limits for posting. Hope you can see it enough to see the message from Zone Alarm. I zipped the gif.

Thanks for your help, by the way.
 
ZA Warning screendump

Attached is the ZA Warning when I connect to Operamail site. You can see in the left bottom corner, the browser's tab, saying Opera...

This only happens when I go there. It also invokes Java. For a second a little coffee cup turns up in the Startup bar, the bottom right corner. Then, when ZA blocks it, Java disappears.

So I am guessing here that it may be some kind of Java applet that I could have downloaded when I recklessly opened one spam email in Operamail. I wanted to delete it but made a mistake and clicked on the wrong thing. As the message opened, a Java turned up in the Startup bar. Since then, yieldmanager is turning up trying to go on the net.

ZA is doing great blocking it but I can't find the file to delete it.
 
hi verdad,

got it, thanks. try this: with firefox open go to tools>options>privacy tab> under private data click on "clear now", place a checkmark next to all except saved passwords, then click on "clear private data now". this is for the latest version of ffox, 2.0.0.1

shelf life
 
hi Diego,

maybe the operamail website uses java. that cup icon is the java control/options - it pops up when using java. in any case how's it going on that end?
 
Hi shelf life,

Happy New Year. Here same old story. I don't know about Operamail, but I haven't seen the little cup before.

I dare not suggest I send you the suspicious message. It looks like the code in the title, and in the message itself. Maybe it gets active by clicking on the title. If I were a hacker not wanting to have my malicious code recognised easily, java would be the way to go. Almost every fool on the internet, me leading the way, has it on.

It is frustrating to be unable to find what it is that is connecting to a site out of my box...

Any suggestions are most welcome.
 
Yes,

It's just a typewriter with some extra features for me. Hence short hjt report. Below are both reports:

AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:36:04 PM 3/01/2007

+ Scan result:



Nothing found.



::Report end

Hijack report:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:27 PM, on 3/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
And I've just confirmed my suspicions. It only gets active if I turn the cookies on and open operamail page. Now, I am sure that's not the operamail's problem because I have never had this problem until I opened accidentally that email message.
 
My pc is also infected by ad.yieldmanager.com

My pc is also infected by ad.yieldmanager.com. I run spybot and HijackThis and still get infected.

In my case: I use firefox & IE. When I open firefox the ad pops up using IE. I need to keep my IE to access some secure sites.

I also hope we can get to the bottom of this w/o reformatting my HD (that's the only cure that my friend told me).

Please let me know if I can help you all

Regards,
bondul
 
hi Diego,

try this: put an exception to ad.yieldmanager.com
for example: with firefox open (I am in linux now, may be different in windows) go to edit (or tools)>preferences>privacy tab>cookies tab>
put a check next to allow site to set cookies
put a check next to from the originating website only
click the exceptions button, in the field copy/paste:

ad.yieldmanager.com
then click on block.
the same can be done in IE, haven't really configured it in a long time, I use it to attract malware and go with default settings.
------------------------------
see if that works, if not try this:
open up the cookie control again, click on clear cookies
next go straight to the website (operamail) where you get the warnings in ZA, allow it
click on view cookies and add the new cookies to the exception list like you did with ad.yieldmanager (don't add any from operamail)

shelf life
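
Added example, not part of any post in this thread: the "view cookies and block everything that is not from the site itself" step above, done as a Python script over a Netscape-format cookies.txt. It assumes the browser stores cookies in that format; the sample rows are constructed, and webmail.example.com is a placeholder for the visited site.

```python
# Added example: find third-party cookie domains in a Netscape-format
# cookies.txt so they can be put on the browser's cookie block list.
# All sample rows are constructed; webmail.example.com is a placeholder.

def row(domain, name):
    # 7 tab-separated fields: domain, subdomain flag, path, secure,
    # expiry (epoch seconds), name, value
    flag = "TRUE" if domain.startswith(".") else "FALSE"
    return "\t".join([domain, flag, "/", "FALSE", "1199145600", name, "constructed"])

SAMPLE = "\n".join([
    "# HTTP Cookie File",
    row(".webmail.example.com", "session"),
    row("webmail.example.com", "lang"),
    row("ad.yieldmanager.com", "uid"),
    row(".yieldmanager.com", "optout"),
    "broken line without tabs",
])

def site_key(host):
    """Crude site identity: the last two DNS labels.
    Good enough for .com/.net hosts, wrong for suffixes such as co.uk."""
    labels = host.lstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def third_party_domains(cookies_txt, visited_host):
    """Map each cookie domain that does not belong to visited_host
    to the sorted list of cookie names it set."""
    first_party = site_key(visited_host)
    found = {}
    for line in cookies_txt.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue                      # malformed row, skip it
        domain, name = fields[0].lstrip(".").lower(), fields[5]
        if site_key(domain) != first_party:
            found.setdefault(domain, []).append(name)
    return {d: sorted(n) for d, n in found.items()}

def block_list(cookies_txt, visited_host):
    """Hosts to paste into the cookie exceptions dialog with 'Block'."""
    return sorted(third_party_domains(cookies_txt, visited_host))

if __name__ == "__main__":
    for host in block_list(SAMPLE, "webmail.example.com"):
        print(host)
```
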
 
Hi shelf life,

It is slightly different in FF for windows. So I turned ZA spyware protection off and opened operamail. Attached is the list of cookies caught after that. I did not connect to any other sites after that. I'll also run hjt, AVG spyware, ad-aware and spy-bot. Will now post hjt and any other log if other software detects something.

Diego
 
Shelf life,

Here's the log, but as you can see, very little is going on.

Logfile of HijackThis v1.99.1
Scan saved at 9:13:46 PM, on 5/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htmlkit.com/assistant/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
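
Added example, not part of any post in this thread: a Python script that diffs two HijackThis logs so that changes in autostart entries and running processes between scans stand out. The two sample logs are shortened copies of the first and last logs posted above; the function names are this example's own.

```python
import re

# Shortened copies of the first and last HijackThis logs in this thread.
SCAN_FIRST = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:11:57 AM, on 31/12/2006

Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Office\WINWORD.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
SCAN_LAST = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:13:46 PM, on 5/01/2007

Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - HKLM\..\Run: ..."

def parse(log):
    """Return (running processes, (section, text) entries) as two sets."""
    procs, entries, in_procs = set(), set(), False
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False              # entry list has started
            entries.add((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())       # Windows paths ignore case
    return procs, entries

def diff_scans(old, new):
    (p0, e0), (p1, e1) = parse(old), parse(new)
    return {"new_entries": sorted(e1 - e0), "gone_entries": sorted(e0 - e1),
            "new_processes": sorted(p1 - p0), "gone_processes": sorted(p0 - p1)}
```
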
 