Infected possibly by YIELDMANAGER

Discussion in 'Malware Help (A Specialist Will Reply)' started by jcollett, Jan 13, 2009.

  1. jcollett

    jcollett Private E-2

    Hello. New to this forum. Hope you all can help me. I followed the read me guide and have my logs so I will attach them in the next two posts.

    What I can first recall about this infection was the following. I was browsing an article on Overclockers.com. While reading it, another browser window opened automatically full screen for a video site (I believe it was Yahoo), and started playing a video. I closed that window and a few seconds later I got a popup window in a standard windows format about some offer. At that moment, I knew I had to be infected with something. I went to my Spybot - S&D and ran it after updating it and immunizing. It came back with one entry concerning YIELDMANAGER. I selected fix problem. I did some reading on this and one forum post somewhere suggested to use Spy Hunter. I installed that but did not run it as I did some further reading that stated this could be a fake scanner. I removed it via add/remove programs.

    I did not feel that this issue had been cleared up. Opening browsers like Firefox 3.1 beta 2 could take over 30 seconds, and IE7 can be slow as well.

    I found this forum so I went ahead and followed the read me procedure. A couple of things of note happened. After running SuperAntiSpyware and closing it, my system's corporate Norton Antivirus (program version 10.1.4.4000) reported finding "Infostealer.Gampass", Reboot required - Cleaned by Deletion, and the count was 33. The path was to an uninst.exe for UberIcon which is part of the Vista Inspirat 2 application suite. I use that to change the look of my WinXP to more of a Vista look. I've used it for a long time without issue, so I do not believe this was the source of the infection. NAV asked for a reboot to clear it and since that follows the direction of the SuperAntiSpyware read me, I did that. Later on in running the anti-malware apps, NAV again stated it needed a reboot to clear the infection (not exact words); this was done when allowed by the read me guide. NAV finally reported in a tooltip by the clock that it was unsuccessful in removing the offending infection (again not exact words). Finally, when I ran Spybot today in following the read me guide, it found two entries for Spy Hunter. I clicked Fix selected problems there.

    Now for a possible infection point, the worst thing I did yesterday was reading about softmodding a wii. I had gotten some files from a friend in this area, but I did not run any of those on the PC here. Maybe a visit to a bad site infected me as some of those sites did generate some opening of new browser windows for various things. I closed those as I saw them by clicking on the x in the upper right corner of the window. I did not use Alt-F4 for them.

    Well, that is all I can think of to report right now. Hope someone can help and that I've provided enough to get started. Thank you in advance for all your assistance in this matter.

    Attached Files:

  2. jcollett

    jcollett Private E-2

    The other two log files are here. Thank you.

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are clean. It looks like you were just having false detection issues with Symantec.

    Do not use Spy Hunter. If you still have it, delete it. It is not a rogue anymore but it is not something you need or want. The same is true for XoftSpySE. Uninstall it. SUPERAntiSpyware and Malwarebytes are many times more useful than the above two programs.

    Also delete the below two folders if still found:
    c:\program files\XoftSpySE
    c:\program files\Enigma Software Group

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
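A post-cleanup verification script for the steps above, added here as an example and not part of the original thread or the MajorGeeks procedure. It only reports; it deletes nothing. The folder paths, the UAC registry value (EnableLUA) and the Add/Remove Programs uninstall keys are standard Windows locations; the HijackThis display name match is an assumption.

```powershell
# Verify the leftover items named in the final steps are gone and UAC is back on.
# Nothing is removed; this is a read-only checklist (added example, not the forum's own tool).

# Folders and files the cleanup steps say to delete
$leftovers = @(
    'C:\Program Files\XoftSpySE',
    'C:\Program Files\Enigma Software Group',
    'C:\combofix',
    'C:\MGtools',
    'C:\MGtools.exe',
    'C:\MGlogs.zip',
    (Join-Path $env:USERPROFILE 'Desktop\combofix.exe')
)

Write-Host "== Leftover files/folders =="
foreach ($path in $leftovers) {
    $state = if (Test-Path -LiteralPath $path) { 'STILL PRESENT' } else { 'ok (absent)' }
    Write-Host ("{0,-16} {1}" -f $state, $path)
}

# HijackThis should be uninstalled via Add/Remove Programs; look it up in the uninstall keys.
# (Display-name pattern is an assumption; adjust if the entry is named differently.)
Write-Host "`n== Add/Remove Programs entries =="
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$hits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'HijackThis|SpyHunter|XoftSpy' } |
    Select-Object DisplayName, UninstallString
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host 'ok (no matching entries)' }

# Vista and later: ComboFix/MGtools can leave UAC disabled; EnableLUA=1 means UAC is on.
Write-Host "`n== UAC =="
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($null -eq $enableLua) {
    Write-Host 'EnableLUA not present (expected on Windows XP, which has no UAC)'
} elseif ($enableLua -eq 1) {
    Write-Host 'ok (UAC enabled)'
} else {
    Write-Host 'UAC DISABLED - re-enable it (C:\MGtools\enableUAC.reg or the System control panel)'
}
```

Run it from an elevated PowerShell prompt after finishing the steps; anything marked STILL PRESENT or DISABLED is a step that did not complete.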
  4. jcollett

    jcollett Private E-2

    Thank you for your time chaslang. Performing the uninstall steps now.

    Jeff :-D
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
