Tech Support Guy Forums (Virus & Other Malware Removal)
Blitzed by pop-ups
orangebicycle, Junior Member (8 posts), Join Date: Apr 2008, Experience: Intermediate
23-Apr-2008, 10:14 AM #1
Blitzed by pop-ups
As of a few days ago, I'm getting blitzed by unwanted, full-page pop-up ads. I've run several anti-spyware/malware programs, but it's not worked. I'm enclosing a hijackthis.log below. Any advice on getting rid of this problem would be appreciated, as it's driving me nuts! One of the guilty parties appears to be something called ad.yieldmanager.com, if that's any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:16, on 23/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Jaman Player\jamtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\documents and settings\rob prince\local settings\application data\ufdjcdydt.exe
C:\Program Files\Jaman Player\jamdownloader.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: gPhotoShow Toolbar Helper - {D6D45128-E25E-4036-90D1-F43872902148} - C:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: gPhotoShow Toolbar - {D3FBBA39-B2CD-4A1A-81B5-E940850BDF59} - C:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio365Agent] C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [AdwareScanner] C:\PROGRA~1\WINFIX~2\Download\jgrcthup\UPSALE~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [jamtray] C:/Program Files/Jaman Player/jamtray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ufdjcdydt] c:\documents and settings\rob prince\local settings\application data\ufdjcdydt.exe ufdjcdydt
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q D:\Recycler\S-1-5-~2\Dc2\Prefetch\WUAUCL~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WSCRIP~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMPLAY~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMIPRV~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMIADA~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WINWOR~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\USERIN~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\TESTEX~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SYSOCM~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SVCHOS~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\STARTE~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~4.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~3.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~2.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SET20T~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SDNOTI~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SCHEDU~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SBDRVD~1.SH! D:\Recycler\S-1-5-~
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B72A85BD-C463-4ED3-8691-DD7C84FBC292} (Project1.AXRegister) - http://www.spamjab.com/vb/AXRegister.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - http://imgsrc.hubblesite.org/hu/db/2...aper_thumb.jpg

--
End of file - 11656 bytes
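The HijackThis log above is the raw material the helper works from: the `Running processes` block and the `O4` autorun entries. As an added example (not part of the thread and not code from HijackThis or OTScanIt), the Python script below parses those two sections and applies a few defensive triage signals that mirror what the helper later acted on: an autorun that launches from a user-profile directory, one that launches from a Download folder, a consonant-heavy executable name, and whether the entry is currently running. The sample log is constructed from a handful of lines in the shape of the posted one; the heuristics, thresholds and function names (`triage`, `looks_random`) are the author's own assumptions, not HijackThis features.

```python
"""Triage HijackThis O4 (autorun) entries with simple defender heuristics.

Added example; not part of the forum thread or of HijackThis/OTScanIt.
The heuristics, thresholds and the sample log are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Constructed sample in the shape of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\documents and settings\rob prince\local settings\application data\ufdjcdydt.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [AdwareScanner] C:\PROGRA~1\WINFIX~2\Download\jgrcthup\UPSALE~1.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ufdjcdydt] c:\documents and settings\rob prince\local settings\application data\ufdjcdydt.exe ufdjcdydt
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
"""

# "O4 - HKCU\..\Run: [name] command" and "O4 - Global Startup: name.lnk = command"
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
# First executable-looking token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|bat|cmd|com))"?', re.IGNORECASE)
VOWELS = set("aeiou")


def running_processes(log: str) -> Set[str]:
    """Lower-cased paths listed under 'Running processes:' (ends at the first blank line)."""
    procs, active = set(), False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def parse_autoruns(log: str) -> List[Dict[str, str]]:
    """Return each O4 entry as a dict with hive, key, name, cmd and the extracted exe path."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d.setdefault("hive", "Global Startup")
        d.setdefault("key", "Startup")
        em = EXE_RE.match(d["cmd"].strip())
        d["exe"] = em.group("exe") if em else d["cmd"]
        entries.append(d)
    return entries


def looks_random(basename: str) -> bool:
    """Assumed heuristic: 8+ letters with fewer than 25% vowels reads as machine-generated."""
    stem = basename.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.25


def triage(log: str) -> List[Dict]:
    """Score each autorun by the number of suspicious signals; entries with none are dropped."""
    procs = running_processes(log)
    findings = []
    for e in parse_autoruns(log):
        low = e["exe"].lower()
        base = re.split(r"[\\/]", low)[-1]
        reasons = []
        if "\\documents and settings\\" in low or "%userprofile%" in low:
            reasons.append("runs from a user-profile directory")
        if "\\download\\" in low:
            reasons.append("runs from a Download folder")
        if looks_random(base):
            reasons.append("random-looking executable name")
        if reasons and low in procs:  # being active only raises an entry already flagged
            reasons.append("currently running")
        if reasons:
            findings.append({"name": e["name"], "exe": e["exe"],
                             "reasons": reasons, "score": len(reasons)})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['name']}: {f['exe']} -> {', '.join(f['reasons'])}")
```

Run against the sample, the `ufdjcdydt` entry scores three signals (profile directory, random name, currently running), which is the same entry the helper kills and moves in the first OTScanIt fix. The `AdwareScanner` entry is caught only by its Download-folder path, and the legitimate `CTSysVol.exe` trips the name heuristic alone: a single signal is a prompt to look closer, not a verdict, which is why the score rather than any one reason drives the ordering.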
OldTimer, Member (237 posts), Join Date: Mar 2008, Experience: Einstein
27-Apr-2008, 09:25 PM #2
Hello orangebicycle and welcome to TSG. Let's see what we can find. Please follow the steps below in order.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
orangebicycle, Junior Member (8 posts), Join Date: Apr 2008, Experience: Intermediate
29-Apr-2008, 08:51 AM #3
Blitzed by pop ups, contd
Thanks for your help, OT. Followed your instructions as best I could, and have attached the OTScan results, as requested.
Cheers
Rob
OldTimer, Member (237 posts), Join Date: Mar 2008, Experience: Einstein
29-Apr-2008, 10:29 AM #4
Hi orangebicycle. Let's see what we can cleanup. Follow the steps below in order.

Step #1

Download SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Minimize SUPERAntiSpyware, we will come back to it later on.

Step #2

Now start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> ysoljqdp.exe -> %UserProfile%\Local Settings\Application Data\ysoljqdp.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> AdwareScanner -> %ProgramFiles%\Win Fixer 2006\Download\jgrcthup\UpSalesPatch6.exe [C:\PROGRA~1\WINFIX~2\Download\jgrcthup\UPSALE~1.EXE]
YN -> jamtray -> [C:/Program Files/Jaman Player/jamtray.exe]
YY -> ysoljqdp -> %UserProfile%\Local Settings\Application Data\ysoljqdp.exe [c:\documents and settings\rob prince\local settings\application data\ysoljqdp.exe ysoljqdp]
< RunOnce [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> DelayShred -> %ProgramFiles%\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE ["C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q D:\Recycler\S-1-5-~2\Dc2\Prefetch\WUAUCL~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WSCRIP~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMPLAY~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMIPRV~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WMIADA~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\WINWOR~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\USERIN~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\TESTEX~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SYSOCM~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SVCHOS~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\STARTE~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~4.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~3.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SETUPE~2.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SET20T~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SDNOTI~1.SH! D:\Recycler\S-1-5-~2\Dc2\Prefetch\SCHEDU~1.SH! D:\Recycler\S-1-
[Files/Folders - Modified Within 30 days]
NY -> 6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Extra Files]
%ProgramFiles%\Win Fixer 2006\
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. Your desktop will disappear and then reappear when the fix is complete; this is normal. You might be asked to reboot if any of the files could not be moved during the fix. If so, choose Yes and reboot normally.

Step #3

Now bring up SUPERAntiSpyware again and run a scan by doing the following:
  • On the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Step #4

I do not see any antivirus application installed on this machine. I highly recommend that one be installed as soon as possible. Accessing the Internet without an installed anti-virus is very dangerous and, well, you see the results. Here are 3 free anti-virus programs that are available for personal use (I use these on various machines and they are all good):

Step #5

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans (make sure to check this box. It was missed in the first scan and this is where some of the malware was located).
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #6

Post the following back here:
  • the new OTScanIt scan report
  • the SUPERAntiSpyware report
  • the latest .log file from the OTScanIt/MovedFiles folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
orangebicycle, Junior Member (8 posts), Join Date: Apr 2008, Experience: Intermediate
30-Apr-2008, 10:23 AM #5
Blitzed .. cont'd
Hi OT
Various scans completed as requested. OTScanit report attached. SuperAntiSpyware Scan log and OTScanit moved files log are copied and pasted below.
Cheers and thanks
Rob

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2008 at 01:34 PM

Application Version : 4.0.1154

Core Rules Database Version : 3450
Trace Rules Database Version: 1442

Scan type : Complete Scan
Total Scan Time : 01:39:40

Memory items scanned : 442
Memory threats detected : 0
Registry items scanned : 5748
Registry threats detected : 14
File items scanned : 118566
File threats detected : 24

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable

Adware.WhenU
C:\Program Files\Common Files\WhenU\UControlScanAndRemove.ocx
C:\Program Files\Common Files\WhenU

Trojan.WinFixer 2006
C:\Program Files\WinFixerFree
C:\Program Files\WIN FIXER 2006\1.reg
C:\Program Files\WIN FIXER 2006\2.reg
C:\Program Files\WIN FIXER 2006\3.reg
C:\Program Files\WIN FIXER 2006\4.reg
C:\Program Files\WIN FIXER 2006\Download\apfmkgcc\WFX6Upd.exe
C:\Program Files\WIN FIXER 2006\Download\apfmkgcc
C:\Program Files\WIN FIXER 2006\Download\jgrcthup
C:\Program Files\WIN FIXER 2006\Download\ngqeqfho\setup.exe
C:\Program Files\WIN FIXER 2006\Download\ngqeqfho
C:\Program Files\WIN FIXER 2006\Download\xrspfpgh
C:\Program Files\WIN FIXER 2006\Download
C:\Program Files\WIN FIXER 2006\software_debug_winfixer2006.zip
C:\Program Files\WIN FIXER 2006\sv.txt
C:\Program Files\WIN FIXER 2006\system.nfo
C:\Program Files\WIN FIXER 2006\UpdateData\upd1129102006.dat
C:\Program Files\WIN FIXER 2006\UpdateData
C:\Program Files\WIN FIXER 2006\WinFX6.dmp
C:\Program Files\WIN FIXER 2006

Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UDC6_0001_D19M2808NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UDC6_0001_D19M2808NetInstaller.exe#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UDC6_0001_D19M2808NetInstaller.exe#{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}

Adware.Jraun/WinEssential
C:\SYSTEM VOLUME INFORMATION\_RESTORE{79E8130C-11CD-428E-BDAE-933EE5F75491}\RP593\A0092447.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{79E8130C-11CD-428E-BDAE-933EE5F75491}\RP593\A0092829.EXE

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\WINFIXER2006SETUP.EXE

OTScanit MOVED FILES LOG

[Processes - Non-Microsoft Only]
Process ysoljqdp.exe killed successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.exe moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AdwareScan ner deleted successfully.
C:\Program Files\Win Fixer 2006\Download\jgrcthup\UpSalesPatch6.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jamtray deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ysoljqdp deleted successfully.
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\DelayS hred deleted successfully.
[Files/Folders - Modified Within 30 days]
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Extra Files]
< %ProgramFiles%\Win Fixer 2006\ >
Folder C:\Program Files\Win Fixer 2006\ not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF275D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF812D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rob Prince\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 04302008_114001

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF275D.tmp moved successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF812D.tmp moved successfully.
File move failed. C:\Documents and Settings\Rob Prince\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
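The moved-files log above is worth reading carefully rather than just posting: several items were only "scheduled to be moved on reboot", and the post-reboot pass shows two of the temp files succeeding while `qmgr0.dat`, `qmgr1.dat` and the two `index.dat` files fail a second time. As an added example (not from the thread and not part of OTScanIt), the Python script below reconciles an OTScanIt fix log into completed, still-pending and not-found items so that a reviewer can see at a glance what actually happened. The `reconcile` function, its status rules and the shortened sample log are the author's own constructions.

```python
"""Reconcile an OTScanIt fix log: what completed, what is still deferred, what was absent.

Added example; not part of the forum thread or of OTScanIt. The line patterns below
are taken from the shape of the log posted in the thread; the sample is constructed.
"""
import re
from typing import Dict, List

# Constructed, shortened version of the posted moved-files log (same line shapes).
SAMPLE_FIX_LOG = r"""[Processes - Non-Microsoft Only]
Process ysoljqdp.exe killed successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.exe moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ysoljqdp deleted successfully.
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.exe not found.
[Files/Folders - Modified Within 30 days]
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Extra Files]
Folder C:\Program Files\Win Fixer 2006\ not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF275D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rob Prince\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
< End of fix log >

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
C:\Documents and Settings\Rob Prince\Local Settings\Temp\~DF275D.tmp moved successfully.
File move failed. C:\Documents and Settings\Rob Prince\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
"""

# (pattern, status) pairs; the path group is the item the line reports on.
PATTERNS = [
    (re.compile(r"^(?:File move failed\.|File delete failed\.) (?P<path>.+?) "
                r"scheduled to be (?:moved|deleted) on reboot\.$"), "deferred"),
    (re.compile(r"^(?P<path>.+?) moved successfully\.$"), "done"),
    (re.compile(r"^Process (?P<path>.+?) killed successfully\.$"), "done"),
    (re.compile(r"^Registry value (?P<path>.+?) deleted successfully\.$"), "done"),
    (re.compile(r"^(?:File|Folder) (?P<path>.+?) not found[.!]$"), "not_found"),
]


def reconcile(log: str) -> Dict[str, object]:
    """Fold every status line into one final status per item.

    Rules (assumed): a later line overrides an earlier one, except that an item
    already reported as done is never downgraded (a later 'not found' for a file
    that was moved just means the second action found nothing left to do).
    """
    status: Dict[str, str] = {}
    reboot_pass_seen = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Files moved on Reboot"):
            reboot_pass_seen = True
            continue
        for rx, st in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            path = m.group("path")
            if status.get(path) != "done":
                status[path] = st
            break
    return {
        "completed": sorted(p for p, s in status.items() if s == "done"),
        "still_pending": sorted(p for p, s in status.items() if s == "deferred"),
        "not_found": sorted(p for p, s in status.items() if s == "not_found"),
        "reboot_pass_seen": reboot_pass_seen,
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_FIX_LOG)
    for bucket in ("completed", "still_pending", "not_found"):
        print(f"{bucket} ({len(result[bucket])}):")
        for p in result[bucket]:
            print("   ", p)
    print("post-reboot pass present:", result["reboot_pass_seen"])
```

On the sample, the three items that fail again after the reboot pass stay in `still_pending`. That matches the thread: the `qmgr*.dat` files under `Network\Downloader` are the BITS transfer queue and are normally held open by that service, so a plain move will keep failing until the service is stopped, and the two `index.dat` files are held by the IE cache. A deferred item that is still deferred after a reboot is the cue for the helper to choose a different removal method rather than to run the same fix again.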
OldTimer, Member (237 posts), Join Date: Mar 2008, Experience: Einstein
30-Apr-2008, 04:04 PM #6
Hi orangebicycle. That looks much better. There are a couple of other files that showed up so let's remove those.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> ysoljqdp.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp.dat
NY -> ysoljqdp_nav.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp_nav.dat
NY -> ysoljqdp_navps.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp_navps.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> ysoljqdp.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp.dat
NY -> ysoljqdp_nav.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp_nav.dat
NY -> ysoljqdp_navps.dat -> %UserProfile%\Local Settings\Application Data\ysoljqdp_navps.dat
[Extra Files]
%programfiles%\win fixer 2006
[Start Explorer]
The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

I'm also kind of curious about an additional folder I see. Let's have a look inside.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Copy/paste the text in the code box below into the Manual File or Registry Key Scans editbox:
    Code:
    %AppData%\.#\*.* /s
    
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
orangebicycle, Junior Member (8 posts), Join Date: Apr 2008, Experience: Intermediate
02-May-2008, 07:10 AM #7
Hi OT
Here's the Notepad log, as requested. I'll crack on with the rest, meanwhile.
Cheers
Rob

Explorer killed successfully
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.dat moved successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp_nav.dat moved successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp_navps.dat moved successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.dat not found!
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp_nav.dat not found!
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp_navps.dat not found!
[Extra Files]
< %programfiles%\win fixer 2006 >
Folder C:\Program Files\win fixer 2006 not found.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 05022008_110528
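As an added example (not code from the thread or from OTScanIt itself), here is a small Python parser for the fix-log format posted above. It groups each file/folder action under its [section] header and flags "not found" entries that were not already moved earlier in the same run, since a "not found" straight after a successful move of the same path (as in this log) is expected, while any other one deserves a second look. The sample log is an abridged copy of the one posted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: abridged copy of the OTScanIt fix log posted in this thread.
SAMPLE_LOG = r"""Explorer killed successfully
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.dat moved successfully.
C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp_nav.dat moved successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Rob Prince\Local Settings\Application Data\ysoljqdp.dat not found!
[Extra Files]
< %programfiles%\win fixer 2006 >
Folder C:\Program Files\win fixer 2006 not found.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 05022008_110528
"""

SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
# Action lines: optional "File "/"Folder " prefix, a path, then the result text.
ITEM_RE = re.compile(
    r"^(?:File |Folder )?(?P<path>.+?) (?P<result>moved successfully\.|not found[.!])$"
)


def parse_fix_log(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [section] to its (path, status) actions; status is 'moved' or 'not_found'."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "< End of fix log >":
            break  # trailer after this is version info, not actions
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            status = "moved" if m.group("result").startswith("moved") else "not_found"
            sections[current].append((m.group("path"), status))
    return sections


def unexplained_not_found(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Paths reported 'not found' that were NOT moved earlier in the same log."""
    moved = set()
    leftovers = []
    for items in sections.values():  # sections are in log order (dict keeps insertion order)
        for path, status in items:
            if status == "moved":
                moved.add(path.lower())
            elif path.lower() not in moved:
                leftovers.append(path)
    return leftovers
```

Running `unexplained_not_found(parse_fix_log(SAMPLE_LOG))` on the sample leaves only the "win fixer 2006" folder, which was never moved because it was not there to begin with.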
orangebicycle's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 07:19 AM #8
Hi OT
Re 'Copy/paste the text in the code box below into the Manual File or Registry Key Scans editbox'

I have OTScanIT open and have clicked the 'None' button, but cannot see a Manual File or Registry Key Scans editbox. The only boxes I can see are 'Paste Fix Here', 'Custom Scans' and 'Additional Scans'.

Please advise. Thanks.
Rob
orangebicycle's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 07:24 AM #9
Hi OT
Despite everything, I'm still getting hit with pop-ups. Just started up Firefox, and this is what came up:

http://www.skilled2win.com/splash/sp...7da73983ac590b

Darned persistent, aren't they!

Rob
OldTimer's Avatar
Member with 237 posts.
 
Join Date: Mar 2008
Experience: Einstein
02-May-2008, 11:06 AM #10
Hi orangebicycle. The screen settings sometimes resize the app so that everything is not visible. Either try maximizing the app, or, if that doesn't work then run the app in Safe Mode.

Cheers.

OT
orangebicycle's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 12:59 PM #11
Hi OT
Thanks for your advice. I'll give that a try. Meanwhile, I think I have a line on one of the main culprits in all this. It's something called ad.yieldmanager.com. One of its pop-ups just generated an alert message:

ad.yieldmanager.com has sent an incorrect or unexpected message. Error Code: -12263

Pop-up URL as follows:

http://images.beatthatquote.com/pop/...d=EYE_V2&pop=0

Cheers
Rob
orangebicycle's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 01:23 PM #12
Hi OT.
OK, I've tried maximizing and it doesn't show me anything new. All I can see are four boxes, Basic Scans, Paste Fix Here, Custom Scans and Additional Scans. Where should the Manual File or Registry Key scan box be in relation to these? Also, how would I open the app in Safe Mode?
Cheers
Rob