ad.yieldmanager

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mangst, Aug 10, 2008.

  1. mangst

    mangst Private E-2

    Hi, I'm having a problem with my computer redirecting to a default google search page when it tries to load the homepage. It gives me the message "Sorry, we couldn't find http://ad.yieldmanager.com/st%3Fad_type." It also happens after searching for items on ebay.com. I think I've done everything requested in the "Read and Run Me First. Malware Removal Guide" through the end of Windows XP Cleaning Procedure including running superantispyware, spybot, malwarebytes anti-malware, combofix and mgtools. Problem is still present and I have attached 2 of the requested logs. Thanks.
     


  2. mangst

    mangst Private E-2

    Second set of attachments...
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_03
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.



    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!



    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the Internet Explorer Cache
    • click Tools
    • Internet Options
    • Now on the General tab click Delete Files and select Delete all Offline content too
    • Click OK.
    • Now click the Delete Cookies button. And click OK to the prompt?
    • When it finishes Click OK.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
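Added example, not part of the original thread or of MGtools: a small parser for the two HijackThis entry types quoted in the post above (R1, an Internet Explorer search-page registry value, and O4, a registry autostart entry), so the hive, key, value name and data can be reviewed before anything is selected for fixing. The names `Entry`, `parse_line`, `parse_log` and `executable` are hypothetical, and the sample input is the two lines from the post.

```python
import re
from typing import List, NamedTuple, Optional

# The two entries quoted in the post above, copied verbatim from the thread.
SAMPLE_LOG = r'''
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
'''

class Entry(NamedTuple):
    code: str   # HijackThis section code, e.g. R1 or O4
    hive: str   # registry hive, empty if the body was not split
    key: str    # registry key path below the hive
    name: str   # value name (R lines) or autostart entry name (O4)
    data: str   # value data, command line, or the unparsed body

ENTRY = re.compile(r'^([A-Z]\d{1,2}) - (.+)$')
REG_VALUE = re.compile(r'^(HK\w+)\\(.*?),([^=]*?) = (.*)$')     # R0/R1 lines
RUN_ENTRY = re.compile(r'^(HK\w+)\\(.*?): \[([^\]]*)\] (.*)$')  # O4 registry lines
# HijackThis abbreviates this path as ".." in O4 lines.
CURRENT_VERSION = r'Software\Microsoft\Windows\CurrentVersion'

def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into fields; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    pattern = REG_VALUE if code in ('R0', 'R1') else RUN_ENTRY if code == 'O4' else None
    fields = pattern.match(body) if pattern else None
    if not fields:
        # Unknown section or a layout not handled here: keep the raw body.
        return Entry(code, '', '', '', body)
    hive, key, name, data = fields.groups()
    if key.startswith('..\\'):
        key = CURRENT_VERSION + key[2:]
    return Entry(code, hive, key, name, data)

def parse_log(text: str) -> List[Entry]:
    """Parse every entry line in a log, skipping headers and blank lines."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def executable(command: str) -> str:
    """Return the program path from an O4 command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]

if __name__ == '__main__':
    for entry in parse_log(SAMPLE_LOG):
        print(entry)
```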
     
  4. mangst

    mangst Private E-2

    I followed your directions and everything worked fine until the combofix.exe part. I created the CFscript.txt file, closed everything else and dragged it to the combofix.exe. Both files were on my desktop. Once I dragged it there, it started running and nothing else ever happened. I stopped it after a half hour and started the procedure over again. I ran it again and let it run overnight. When I looked this morning, it was still running after about 10 hours. The c:combofix.txt file was never created. Should I move on to the next step?
    By the way, I'm getting the "internet explorer cannot find/load" whatever message on my old homepage where the advertisement should be, but it's not redirecting like it was before. Ebay also seems to be working. I don't mind the ads not loading, but just want to make sure everything is clean now.
    Please advise on moving forward and thanks so much for your help.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do things a little differently using a tool to replace ComboFix. I'm also going to have you repeat a couple steps here just to be on the safe side. Make sure that you set your home page to www.majorgeeks.com as requested just for now. You can change it to what you want after we are all done with your cleanup.



    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!




    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.



    Now let's flush the Internet Explorer Cache
    • click Tools
    • Internet Options
    • Now on the General tab click Delete Files and select Delete all Offline content too
    • Click OK.
    • Now click the Delete Cookies button. And click OK to the prompt?
    • When it finishes Click OK.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. mangst

    mangst Private E-2

    The program looks like it ran fine and created the .txt file. The two files were deleted, but not sure where to find the registry key to see if it's been deleted.
     
  7. mangst

    mangst Private E-2

    Looks like everything ran okay, including deleting the registry key (found it). Ran CCleaner and MGTools and logs are attached.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell me how things are working. Please do!


    Also Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  9. mangst

    mangst Private E-2

    I received a success message about adding the file to the registry. Things look to be working fine; I'm not being redirected when ads don't load. I am getting a message at my old homepage (www.comcast.net) where an advertisement typically is placed saying "internet explorer cannot...". Again, it's an ad and I could care less if it loads correctly as long as there's not a problem. I've had it with IE and will replace it with Mozilla shortly. Thanks so much for the help.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall this URL Assistant

    Then reboot and tell me how things are now.
     
  11. mangst

    mangst Private E-2

    Uninstalled the URL Assistant through control panel/add or remove programs and rebooted. Comcast.net still has the ad that didn't load. In Mozilla, the ad location says "failed to connect. Firefox can't establish a connection to the server at ad.yieldmanager.com." Neither site redirects though.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean by this? Are you saying you are going to www.comcast.net with FireFox or IE and getting a popup?

    What browser addons did you add to FireFox and IE? Perhaps you are just blocking cookies from ad.doubleclick.net or you have added ad.doubleclick.net to your Restricted Zone. Spybot will do the latter when you Immunize.
     
  13. mangst

    mangst Private E-2

    There's an advertisement on the right side of the website (www.comcast.net) (not a popup). It's a different ad at different times. Some of the ads load okay, some don't. In the ad's placeholder IE gives the message about "cannot load...". Mozilla gives the message about "failed to connect..." referring to ad.yieldmanager. The main reason it's still a concern is that this ad was what prompted my initial post. It showed the message mentioned above for a split second at comcast.net and then redirected to the google search page I discussed in the first post. Thanks again in advance for help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean this area ad.jpg


    You need to answer my question about browser addons?
     
  15. mangst

    mangst Private E-2

    The ad is just above the image you attached. I hope the following is what you're asking about.

    Mozilla has Java Quick Starter 1.0 extension. Plugins include adobe acrobat, Java(TM) Platform SE 6 U10, Mozilla Default Plug-in, Quicktime (disabled), RealNetworks Rhapsody Player Engine and ~Mirage Plugin.


    For add-ons currently loaded in IE, the only enabled one is Shockwave Flash Object. There are several others that are disabled.

    The following add-ons run without requiring permission (publisher in parentheses):

    Adobe PDF Reader, Deployment Toolkit (Sun Microsystems, Inc.), Free Threaded XML DOM Document (Microsoft Corporation), Free Threaded XML DOM Document 3.0 (Microsoft Corporation), Free Threaded XML DOM Document 4.0 (Microsoft Corporation), Free Threaded XML DOM Document 6.0 (Microsoft Corporation), HtmlDlgSafeHelper Class (Microsoft Corporation), InformationCardSigninHelper Class (Microsoft Corporation), isInstalled Class ([Not verified] Sun Microsystems, Inc.), Java Plug-in 1.6.0_10 ([Not verified] Sun Microsystems, Inc.), Microsoft Shell UI Helper (Microsoft Corporation), QuickTime Object (Apple Computer, Inc.), RealPlayer G2 Control ([Not verified] RealNetworks), Scripting.Dictionary (Microsoft Corporation), SdcMail Class (SupportSoft, Inc.), SdcNetCheckCtl Class (SupportSoft, Inc.), Shockwave Flash Object (Adobe Systems Incorporated), Support.com Configuration Class (SupportSoft, Inc.), SupportSoft Password Reset Class (SupportSoft, Inc.), SupportSoft Script Runner Class (SupportSoft, Inc.), SupportSoft SmartIssue (SupportSoft, Inc.), Tabular Data Control (Microsoft Corporation), Windows Media Player (Microsoft Corporation), XML Data Source Object (Microsoft Corporation), XML Data Source Object 3.0 (Microsoft Corporation), XML Data Source Object 4.0 (Microsoft Corporation), XML DOM Document (Microsoft Corporation), XML DOM Document 3.0 (Microsoft Corporation), XML DOM Document 4.0 ([Not verified] Microsoft Corporation), XML DOM Document 6.0 (Microsoft Corporation), XML HTTP 3.0 (Microsoft Corporation), XML HTTP 4.0 ([Not verified] Microsoft Corporation), XML HTTP 6.0 (Microsoft Corporation), XML Schema Cache (Microsoft Corporation), XML Schema Cache 3.0 (Microsoft Corporation), XML Schema Cache 4.0 ([Not verified] Microsoft Corporation), XML Schema Cache 6.0 (Microsoft Corporation), XSL Template (Microsoft Corporation), XSL Template 3.0 (Microsoft Corporation), XSL Template 4.0 (Microsoft Corporation).

    Downloaded ActiveX Controls (32-bit) are Java Plug-in 1.6.0_10 ([Not verified] Sun Microsystems, Inc.), Java Plug-in 1.6.0_10 ([2 Not verified, 1 verified] Sun Microsystems, Inc.) and MSN Photo Upload Tool (Microsoft Corporation MSN).
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I only wanted to know about Tools, Addons. I wanted to see if you added anything like Adblock which will block advertisements too.

    At any rate, ad.yieldmanager.com is not a malware problem. It is just an advertisement and has associated cookies. Since you were blocking it, URL Assistant from Dell was redirecting you elsewhere.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  17. mangst

    mangst Private E-2

    Thanks again for your help.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
