[glassissue]

I can`t remove yieldmanager completely, I used spybot, and it will return on next day.
Please help remove this malware. I also get doubleclick.com repeatedly. Need help too.
Thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:33:24, on 2010/05/25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Bandoo\Bandoo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\BEARSH~1\MediaBar\DataMngr\DataMngrUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\Bandoo\BndCore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPNRA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\Program Files\Windows Searchqu Toolbar\ToolBar\SearchquDx.dll
O2 - BHO: Windows Live サインイン ヘルパー - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
O3 - Toolbar: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\Program Files\Windows Searchqu Toolbar\ToolBar\SearchquDx.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DataMngr] C:\PROGRA~1\BEARSH~1\MediaBar\DataMngr\DataMngrUI.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O9 - Extra button: このコンテンツを引用 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Windows Live Writer でこのコンテンツに関する記事を書く(&B) - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.nifty.com/security/vcheck...an_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1271922840968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1271922903140
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab...l_4.1.66.0.cab
O20 - AppInit_DLLs: c:\progra~1\bearsh~1\mediabar\datamngr\datamngr.dll c:\progra~1\bandoo\bndhook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bandoo Coordinator - Discordia Limited - C:\PROGRA~1\Bandoo\Bandoo.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 7624 bytes

[glassissue]

i can`t make boot cd to format c: drive completely. i need to format c: drive to clean up virus.
please help

[Rick_in_Fla]

Boot from your Windows XP cd.

[glassissue]

I got windows xp cd, but it doesn`t have format option with it. I need a cd with command prompt to format c: completely. I got viruses in computer, perhaps bootsector virus, backdoor orsomething, which keep comming back after new reinstalling windows xp. please help.

[glassissue]

I can`t remove bootsector viruses. I reinstalled windows xp, but viruses comming back right after the installation. Need help to clean up bootsector and any hidden, or memories on motherboard.

[huggie54]

hiya,before you reinstalled windows did you delete the partition first?

[glassissue]

i can`t delete any except reinstalling the windows xp, which comes with the pc vendor.

[Frank4d]

You have started three threads for the same issue. Since two of them are now in the Virus Removal forum, it would be best to get help there.

[valis]

merging all your threads together. Please do not start more than one thread on the same topic.

thanks,

v

[Frank4d]

Yieldmanager and Doubleclick are web browser tracking cookies, which although they are annoying, they aren't the threats that some anti-malware programs make them to be.

The only things I see in your log that you might want to get rid of is the Bandoo and Bearshare stuff using Add/Remove Programs. Then run a scan using MalwareBytes and let us know what it finds.

[glassissue]

The Bearshare program has macafee proof tested on may 25, I don`t know if it`s still unsafe.
It used to distribute with WhenUSearch.com malaware, which supposed to be cleared.

ref: http://www.bearshare.com

Bandoo shows that thay don`t have spywre, malware, nor virus contains.

I sacanned with Panda antiirus online.

;************************************************************************** *************************************************************************** ******************************
ANALYSIS: 2010-05-26 03:21:57
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 0
;************************************************************************** *************************************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;========================================================================== =========================================================================== ==============================
Microsoft Security Essentials 2.1.6519.0 Yes Yes
;========================================================================== =========================================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;========================================================================== =========================================================================== ==============================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@bs.serving-sys[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\１\cookies\ｑ@statse.webtrendslive[2].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{bc12dc42-b924-85ca-bae2-1f5603528e85}-setup.exe
;========================================================================== =========================================================================== ==============================
SUSPECTS
Sent Location
;========================================================================== =========================================================================== ==============================
;========================================================================== =========================================================================== ==============================
VULNERABILITIES
Id Severity Description
;========================================================================== =========================================================================== ==============================
;========================================================================== =========================================================================== ==============================

The cookies were deleted manually from c:\documents and settings\１\cookies\.
I found out that MSN.com uses atdmt.com which is malware and is under microsoft corp. as ads company which MSN.com uses as ads company, and Doubleclick.com as research, Yahoo uses Yieldmanager.com, malware, for research.
Google also uses Doubleclick.com for research.

ref: http://en.wikipedia.org/wiki/DoubleClick

[glassissue]

I also have
Trojan.DL.Small.CXLP(Trojan), Trojan.DL.Small.CYCX(Trojan), SpyDevastator( Rouge), Exec.Variant.E (trojan), Explorer.Policies.StartMenuLogoff (adware), Explorer.Policies.No StartMenuMo? (adwarwe)
which i can`t remove. please reply.

[glassissue]

Those were detected on stopzilla.

The threads are not on a same topics, boot cds (windows xp),　bootsector virus, and Yieldmanager ( malware program cookie which is not bootsector virus). I solved bootsector cds. though not the others. please reply.

[glassissue]

i scanned with stopzilla the attached results.

[glassissue]

more