multiple trojans and malware - yieldmanager

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jali, Jun 7, 2010.

  1. Jali

    Jali Private E-2

    Hi, I wonder if you could help please?

    I have followed your READ ME FIRST thread as far as I can, with a view to getting rid of mainly Yieldmanager. Unfortunately, although I have got as far as uninstalling Java, (version 6.17), I cannot now install the update of Java6 version 20. I get an error message, Error 25099 - unzipping core files failed. I looked this up on the java help, and it said to delete C\ProgramFiles\Java\jre6 - which I did, and to download the update again, which I also did.. same error..

    What should I do now?

    To give you a bit of background, I am running Windows XP service pack 3, with full AVG (not free version), with AVG firewall, and Spybot Search and Destroy. Windows firewall is turned off, as is system restore.

    I have, as usual with YieldManager, been getting pop ups on my system - when I first downloaded AVG to clean these, (after running Housecall and not finding it), AVG found two trojans - cannot remember the names of them now as I have emptied the vault at least 3 times in the last 2 weeks. Since finding and quarantining these 2 trojans, my system has been over-run with trojans and malware - it's as if quarantining these two spawned a whole host of others! I've taken off over 70 trojans and hundreds of malware instances.

    Last run of AVG, in the early hours of this morning, found and healed/quarantined the following:

    Malware:
    Yieldmanager (numerous entries)
    Atdmt (lots again)
    Serving-Sys
    WebTrends
    Adtech
    Adviva
    Tribalfusion
    Dealtime

    and these trojans:
    Exploit_c.DSO (3 instances)
    Crypt.WCI (4 instances)
    SHeur3.YNJ (2 instances)
    SHeur3.ZRB
    Backdoor.ircbot.MKU
    Crypt.WSG

    Also, when I uninstalled Java, as directed, AVG popped up straight away with a critical notice, and forced a restart on C:\Documents and Settings\Ali\ApplicationData\YCEKT, saying it had found 3 trojans (Crypt.WSG, Exploit_c.DSO (x2)). When the system had rebooted, I opened AVG and it said while quarantining those, it had terminated 74 processes (I never have more than 56 in my task manager), removed 38 files, and deleted 2 registry keys - no info as to what.

    So.. where do I go from here? Can I follow the rest of the steps in your READ ME FIRST thread without installing Java?

    Any help would be greatly appreciated - I've been battling this for nearly 3 weeks now and it's getting kind of wearing :(

    Regards

    Jali
     
  2. Jali

    Jali Private E-2

    Going ahead with the following steps in the Run & Read me first thread.. I'll get back to you when I've done all that!

    Jali :)
     
  3. Jali

    Jali Private E-2

    Hello - I've run into some problems with combofix. It says to turn off or disable antivirus, antispyware and firewall before running... I'm running full AVG with firewall. Although I can and have disabled the firewall, I can't find any setting which allows me to disable the antivirus or the antispam or the online shield components. I've tried taking them out of task manager and they just come back in immediately. The only option I can see is to uninstall AVG completely, but I don't really want to do that as I'd have to pay for it again. Can anyone give me some quick advice? Should I skip ComboFix (although I am definitely running 32bit windows)? Should I run ComboFix with AVG still running? or is there an easy way to take AVG out of the start menu and still put it back again later?

    I know.. I'm such a non-geek... *sighs*

    Thanks in advance for your help

    Jali
     
  4. Jali

    Jali Private E-2

    Re: multiple trojans and malware - yieldmanager - LOGS attached

    Hi
    I've finished the READ ME Cleaning process, the logs are attached. RootRepeal wouldn't extract so I couldn't run it. The others ran fine with no problems.

    After finishing the cleaning process I ran AVG and it's still finding YieldManager, among others. I've pasted the scan results below so you can see what's still on here. I'm thinking the Trojan AVG found is just that it doesn't recognise MGTools and thinks it's a virus, but I could easily be wrong!

    Also, since running ComboFix, I have no start menu. Neither AVG nor SpyBot will now load as resident scanners unless I start them manually, and all my tray icons have gone. I've also lost the 'file' toolbar from IE. I haven't tried to re-install java yet - if you remember from my previous post, after deleting the java6 version17, the install of 6.20 failed with error 25099 - unzipping core files failed.

    I forgot to mention earlier what SpyBot found last night:

    MyFreezeToolbar
    Win32.ZBot
    PlayMP3z
    Virtumonde.prx
    WhenUSearch
    WhenUSearch.Desktoptoolbar

    It said it had healed these, but somehow I doubt it!

    Also, if anything, since running the cleaning process, my system is running slower than ever. IE hangs for a while before it will load pages, and if I try to open something in a new tab the new tab comes up as 'connecting' but stays blank, and the page requested comes up in a new window. If I try and close either the blank tab or the new window, it takes out all the pages and closes IE totally.

    Here's the scan results from AVG run just now:

    "C:\Documents and Settings\Jali\Cookies\jali@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager"
    "C:\Documents and Settings\Jali\Cookies\jali@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager"
    "C:\Documents and Settings\Jali\Cookies\jali@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[2].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[2].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[2].txt";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[3].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[3].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[3].txt";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[1].txt";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[3].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@bs.serving-sys[3].txt";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.632c9b0e";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.f0067737";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@revsci[2].txt";"Found Tracking cookie.Revsci"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt:\serving-sys.com.ac41fe5a";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[1].txt";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt:\serving-sys.com.ac41fe5a";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@serving-sys[2].txt";"Found Tracking cookie.Serving-sys"
    "C:\Documents and Settings\Jali\Cookies\jali@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion"
    "C:\Documents and Settings\Jali\Cookies\jali@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion"
    "C:\Documents and Settings\Jali\Cookies\jali@tribalfusion[2].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion"
    "C:\Documents and Settings\Jali\Cookies\jali@tribalfusion[2].txt";"Found Tracking cookie.Tribalfusion"
    "C:\Documents and Settings\Jali\Local Settings\Temporary Internet Files\Content.IE5\JEX5KL5H\MGtools[1].exe";"Trojan horse Dropper.VB.DCI"
    "C:\MGtools.exe";"Trojan horse Dropper.VB.DCI"


    I'm almost at the point of just reformatting the drive and losing years worth of work and all my kids' pics on here - please help, as I really don't want to do that :(

    Regards

    Jali
     

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Cookies are not problems and yes avg flagging MGTools.exe as a baddy was a false positive.

    I cannot see that any of the scans have caused this.

    Try this for avg and spybot S&D:

    Adding Programs to your start up folder

    You might as well delete these old files for old versions of avg.

    • c:\program files\avg75free_485a1117.exe
    • c:\program files\avg70free_344a618.exe

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\documents and settings\Jali\Application Data
    c:\documents and settings\Jali\Application Data\Olutd
    
    Folder::
    c:\documents and settings\Jali\Application Data\Avyn
    c:\program files\Free Offers from Freeze.com
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how the machine is running now.
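    An added triage helper for scan output in the format the post above pastes; it is not code from the thread, from AVG or from MajorGeeks. It separates tracking-cookie entries from detections that still need work and flags the cleaning tool that Kestrel13! confirms was a false positive. The sample lines, the tool allowlist and the function names are my own assumptions.

    ```python
    import re
    from collections import Counter

    # Constructed sample in the AVG 9 result format the post above pastes:
    # "<path>";"<detection>". For cookies AVG appends ":\<domain.hash>" to the
    # cookie file path for each sub-entry. The last line is a constructed
    # detection so the "needs attention" branch is exercised.
    SAMPLE_RESULTS = r'''
    "C:\Documents and Settings\Jali\Cookies\jali@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager"
    "C:\Documents and Settings\Jali\Cookies\jali@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager"
    "C:\Documents and Settings\Jali\Cookies\jali@atdmt[2].txt";"Found Tracking cookie.Atdmt"
    "C:\Documents and Settings\Jali\Local Settings\Temporary Internet Files\Content.IE5\JEX5KL5H\MGtools[1].exe";"Trojan horse Dropper.VB.DCI"
    "C:\MGtools.exe";"Trojan horse Dropper.VB.DCI"
    "C:\Documents and Settings\Jali\Application Data\YCEKT\sample_dropper.exe";"Trojan horse Crypt.WSG"
    '''

    LINE_RE = re.compile(r'^"(?P<path>[^"]*)";"(?P<detection>[^"]*)"$')

    # Assumption: our own allowlist of cleaning-procedure tool names that AVG
    # flagged in this thread (MGtools.exe, confirmed a false positive above).
    KNOWN_TOOL_BASENAMES = {"mgtools.exe"}


    def parse_line(line):
        """Return {'file', 'stream', 'detection'} for one AVG result line, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        path, detection = m.group("path"), m.group("detection")
        # AVG writes cookie sub-entries as "<file>:\<domain.hash>"; split those
        # off, skipping the drive-letter colon at the start of the path.
        head, sep, tail = path[2:].rpartition(":\\")
        if sep:
            return {"file": path[:2] + head, "stream": tail, "detection": detection}
        return {"file": path, "stream": None, "detection": detection}


    def normalize_basename(file_path):
        """'MGtools[1].exe' (an IE cache copy) -> 'mgtools.exe', lower-cased."""
        name = file_path.rsplit("\\", 1)[-1].lower()
        return re.sub(r"\[\d+\](?=\.[^.]+$)", "", name)


    def classify(entry):
        if entry["detection"].startswith("Found Tracking cookie."):
            return "tracking_cookie"        # browser data, not executable malware
        if normalize_basename(entry["file"]) in KNOWN_TOOL_BASENAMES:
            return "known_false_positive"   # our own cleaning tool
        return "needs_attention"


    def triage(results_text):
        """Group the parsed AVG result lines by classification."""
        buckets = {"tracking_cookie": [], "known_false_positive": [], "needs_attention": []}
        for line in results_text.splitlines():
            entry = parse_line(line)
            if entry:
                buckets[classify(entry)].append(entry)
        return buckets


    def summarize(buckets):
        """Counts per bucket plus the distinct detection names still outstanding."""
        counts = Counter({k: len(v) for k, v in buckets.items()})
        pending = sorted({e["detection"] for e in buckets["needs_attention"]})
        return counts, pending


    if __name__ == "__main__":
        buckets = triage(SAMPLE_RESULTS)
        counts, pending = summarize(buckets)
        for name, n in counts.items():
            print(f"{name:22s} {n}")
        for e in buckets["needs_attention"]:
            print("ATTENTION:", e["detection"], "->", e["file"])
    ```
    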
     
  6. Jali

    Jali Private E-2

    Hi,

    Thank you so much for your reply Kestrel - You have advised that I run ComboFix but specified that I disable the AV. I said in an earlier post that I couldn't find a way to disable my AV fully when running ComboFix... I can disable the firewall, identity protection, email scanner, resident shield and the online shield components of AVG 9.0 - but that still leaves the Antivirus, antispam, anti spyware and the rootkit still running. Other than uninstalling AVG I can't see a way around this - is there anything else I can do to disable AVG?

    I do take your point that cookies are not problems, but these cookies are ones I have had for weeks now, and even though AVG and SpyBot say they have got rid of them, they keep coming back. I'm not visiting these sites, and other than your forum I have not been on ANY sites tonight since running the cleaning programs. I emptied the temp files and the cache earlier before starting the cleaning process, so why are they still in there? They are all Ad sites too.

    Any advice re: disabling AVG would be very welcome! :)

    Regards

    Jali
     
    Last edited: Jun 7, 2010
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please see the below and then complete the fix I provided for you with combofix.

    How to disable AVG Free temporarily


    (should be of a similar vein for the paid for version)
     
    Last edited: Jun 7, 2010
  8. Jali

    Jali Private E-2

    Hi Kestrel

    Many thanks for your help :)

    Both logs attached.

    I followed the instructions in the link you posted about adding programs to the start menu, and put shortcuts to both AVG 9.0 and Spybot in there, but neither icon has come up. The machine does seem to be running a little smoother and faster, but still I have the problems that the file tool bar has gone from task manager and from IE. Also the tabs have gone from task manager so I can only view processes and nothing else.

    Regards

    Jali
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think you may have a lot of issues that will be more suitably worked out in the software forum. I am not seeing a lot else to do here, let's just try this:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\DCEBoot.exe
    Folder::
    c:\documents and settings\Jali\Application Data\Olutd
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this:

    GMER - running with a random name


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from GMER.
     
  10. Jali

    Jali Private E-2

    Hi Kestrel

    Thank you for your reply. I will run the ComboFix again as you asked, but thought you should know that things aren't so smooth running as I thought last night.

    This evening, when opening a new tab in IE or clicking on a link to open another page other than the first opened IE page, I get either a new tab that won't open, says 'connecting' but doesn't, and just whites out both pages, or I get a new separate webpage that again whites out and won't connect. The system just hangs, and I have to force it to close in task manager by knocking out iexplore.exe (multiple versions of iexplore in the task manager). I ran both AVG and SAS again, and neither found anything, other than the same yieldmanager and other ad page cookies that were there last night. But, just now I checked in system tools and found that system restore had turned itself back on, even though I had it disabled yesterday.

    Heading off now to run the fixes you asked for.. back in a bit! :)

    Thanks once again :)

    Jali
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. I will be here waiting. Like I said, I think you have a lot of non malware related issues which can always be resolved in the software forum after we are finished here. :)
     
  12. Jali

    Jali Private E-2

    Hi Kestrel

    Yay! I'm done! Logs attached.. :-D

    I haven't tried IE yet, other than to load the forum, but will go and have a go now and let you know how it runs.

    Jali
     

  13. Jali

    Jali Private E-2

    Hi Kestrel

    Just a quick update before I head for bed - it's 5am and my eyes are square from staring at monitors all day and most of the night too!

    After posting the logs I did a windows update, including IE security fixes, and when I opened IE after the reboot I finally got a button on my toolbar giving me the option to put my file bar back! So I tried bringing up task manager, and that's gone back to normal too. I took out the google toolbar extension from IE, and the problem with the non loading/whiting out tabs seems to have gone! Although I'm not holding my breath...

    I managed to install java again.. this time it didn't fall over during the install. The only thing I haven't managed is to get my AVG and Spybot resident tray icons back. Although I have managed to pin them both to the start menu now.. When I check task manager though, although AVG's numerous processes are there, I can't find any Spybot ones. Not a TeaTimer in sight! So I really don't think it's running. At least I have AVG back and active.. I'll perhaps try a re-install of Spybot tomorrow. That's me done for the night.. work in 4 hours!

    Thanks to your very patient and expert help I think the end is finally in sight... Fingers crossed for clean logs!

    All in all, not a bad night's work.. see you on the flip side..

    Jali
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes those logs look good to me. Any issues you now have with avg can always be discussed in the software forum.

    One last question:

    What is this seen on your desktop?

    xn2wymib.exe
     
  15. Jali

    Jali Private E-2

    Hi Kestrel

    Thank you so much for all your efforts and help. The pc is a lot more stable now and it isn't crashing like before, and IE seems to be working ok, but it is SLOW - Much, MUCH slower than before I was virused. I'll head over to the software forums and see if there's anything they can do to help perhaps! :)

    xn2wymib.exe - that's the random name GMer called itself when I downloaded it. You had me confused for a while as there's nothing called that on my desktop, but when I did a search, GMer came up!


    Can I ask one more thing? Perhaps it might be more suited to the software forums, but.. Is it usual to have more than one instance of IE in task manager? I've not used IE much, as I prefer alternate browsers, but as they stopped working when I was virused, I switched back to IE. I've never noticed multiple iexplore.exe's in my task manager before. Last night I had 2 tabs open in IE, and 3 iexplore.exe's in task manager.. and I have noticed this a lot recently, with sometimes up to 6 or 7 iexplore.exe's. It doesn't seem related to the number of pages open.

    Once more, thank you so much for your help. You people do a wonderful job here!!

    Jali
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. Yes do head on over to the software forum to pursue this.

    Oh silly me, yes.

    Yes, post in the software forum regarding this.

    You're most welcome. :) Safe surfing.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  17. Jali

    Jali Private E-2

    Hey Kestrel

    Thanks for this.. You've been great!


    Heading off to run the steps you posted.. Please don't take this the wrong way, but I really hope I don't have to post to you again! :-D


    You guys do a really fabulous job.. Thank you, Thank you, Thank you!!

    Jali
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome :-D

    Safe surfing!
     