Old 08-02-2006, 03:39 AM   #8 (permalink)
ellie_willis
OS: WinXP


I actually deleted Zango yesterday, as it was only a recent download that came with BearShare and I knew it looked a bit dodgy. However, I followed your steps and here is the ComboFix log:

Start Time= 02/08/2006 10:32:17.36
Running from: C:\Documents and Settings\Elena\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-31 15:49:04 ( .D... ) "C:\Program Files\LimeWire"
2006-07-27 11:49:48 ( .D... ) "C:\Program Files\NoAdware4"
2006-07-25 16:32:06 ( .D... ) "C:\Program Files\WebWasher"
2006-07-25 13:47:34 ( .D... ) "C:\Program Files\AVI Codec Pack"
2006-07-24 15:34:48 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-24 13:16:56 ( .D... ) "C:\Program Files\Sunbelt Software"
2006-07-20 16:12:30 ( .D... ) "C:\Documents and Settings\Elena\Application Data\SafeFiles"
2006-07-18 10:25:56 ( .D... ) "C:\Documents and Settings\Elena\Application Data\ntl"
2006-07-18 10:22:20 ( .D... ) "C:\Program Files\Common Files\Command Software"
2006-07-18 10:22:16 ( .D... ) "C:\Program Files\Common Files\PestPatrol"
2006-07-17 13:05:52 ( .D... ) "C:\Program Files\Common Files\kimo"
2006-07-17 13:02:44 ( .D... ) "C:\Program Files\Common Files\{B8BF9F95-0514-1033-0830-02051302002c}"
2006-07-17 13:01:26 ( .DSH. ) "C:\Program Files\outlook"
2006-05-19 13:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 13:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 13:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2004-12-22 13:58:58 921696 ( A.... ) "C:\Program Files\WinQualifier.exe"
2004-12-13 21:23:04 457 ( A.... ) "C:\Program Files\INSTALL.LOG"
2004-10-12 21:48:44 14545 ( A.... ) "C:\Program Files\Msncolor.zip"
2003-10-24 23:26:46 55 ( A.... ) "C:\Program Files\FixWelch.log"
2003-10-24 23:21:26 55 ( A.... ) "C:\Program Files\FixBlast.log"
2003-10-24 23:02:22 176832 ( A.... ) "C:\Program Files\fixwelch.exe"
2003-10-24 23:02:04 135360 ( A.... ) "C:\Program Files\fixblast.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-30 22:06 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-27 12:20 536,399,872 C:\hiberfil.sys
2006-07-24 12:30 73,728 C:\WINDOWS\system32\asuninst.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B8BF9F95-0514-1033-0830-02051302002c}"="\"C:\\Program Files\\Common Files\\{B8BF9F95-0514-1033-0830-02051302002c}\\Update.exe\" mc-110-12-0000140"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows Media Player\\kyzepep.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howymymyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 02/08/2006 10:32:32.01
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt


I am still getting some pop-ups, but normally after I delete cookies I don't have any for a couple of hours. In Internet Options I have privacy set to medium-high, so I'm not sure how certain cookies are being accepted and then affecting my PC. I am now getting pop-ups from WinAntivirus as well as errorsafe.com and drivecleaner.com, if that's any help.

Thanks for all your help.