Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Yahoo spreading virus???


  • This topic is locked This topic is locked
20 replies to this topic

#1 Sargantana

Sargantana

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 14 April 2009 - 12:37 PM

A couple of days ago I reported that my laptop had become the victim of a bug from yieldmanager.com and bluelithium.com - st. a pop-up which appears whenever I tried to access my Yahoo account. Having placed an ad-blocker in its path prevented the annoyance of the pop-up but in the end (and due to a distinct lack of response following my request for assistance) I decided to cut my lossess and re-format my drive.

It happens that I also have this laptop - an old (XP sp3) Packard Bell, and I decided that from now on I would not risk using the new machine (purchased primeraly for university work) and instead use the old feller. I spent the day yesterday surfing the net, trouble free. Today I happened to visit my Yahoo account and hey presto! the $***!!!? bug has now attached itself to this machine!

Clearly the answer is to close the account, purge machine two and never visit Yahoo again, but before commiting to such drastic action again for the second time in a week I shall again ask - Dose anyone on this forum have any idea how to rid me of this bug?

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 14 April 2009 - 01:39 PM

yieldmanager.com bug attacks

Could you clarify and be more specific as to what you mean by a bug attack?

Ad.yieldmanager.com is a known adware site that adds cookies to track your personal information and browsing habits as you surf the web. Although it is used by some websites as part of their advertising, it is often blocked by various security tools/programs.

When going to Yahoo are you getting redirects to a google search results page with the message...Sorry, we couldn't find hxxp://ad.yieldmanager.com/st%3Fad_type. Here are some related websites: at the top of the page?

Are you using a Dell or Gateway computer?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 14 April 2009 - 03:47 PM

Hi There,

What I mean is that I am being hounded by a pop-up which appears every time I open a page in my Yahoo mail. The pop-upcome courtesy of either ads.bluelithium.com or more often ad.adyieldmanager.com. The pop-up contains a request to open an executable .st file, and it appears that regardless how I refuse the request to open the file, the pop-up drops its cargo somewhere into my laptop - most alarmingly now my second one.

My own serarches around the various forums have shown that this trojan (or whatever) is recognised as not at all easy to clear, standard malware programs failing to locate its existance. Something I have also noticed is that as it takes a hold so certain online advertisments cease to appear, and it looks like it knocked out (it greyed) the Java console controls when I was using FireFox.

I am currently using an old Packard-Bell EasyNote Widows XP (SP3). The last incident was against a brand-new Vaio, so the bug doesnt descriminate over age!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 14 April 2009 - 04:28 PM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download hosts.zip and save it to your Desktop.
  • Extract (unzip) the file to its own folder C:\hosts. (Click here for information on how to do this if not sure.)
  • Open up the hosts folder and double-click on the mvps.bat file.
  • The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system.
  • You can read more about what we are doing in Blocking Unwanted Parasites with a Hosts File.
    Note: You may have to overwrite the hosts file in "Safe Mode" if you get "an access denied message" when trying to do it in normal mode.
MVPS HOSTS File Install Instructions with screenshots if you need them.
Hosts File FAQ

Ad.yieldmanager.com should not be included in your "Trusted Sites List". Check this list and look for unwanted websites related to the pop ups you are getting. If you find any, then remove them.
  • Launch Internet Explorer and go to Tools > Internet Options and select the Security tab.
  • Click the Trusted sites icon and select the Sites... button.
  • A window will open with the Trusted sites...allowing you to add or remove entries.
  • Remove the Ad.yieldmanager entry from this area.
  • Click Ok, Apply, and Ok again to exit.
Then download and install SpywareBlaster. Click on Updates, then the Check for updates button. If any are found, click Enable Protection for All Unprotected items after they are downloaded.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 15 April 2009 - 05:45 AM

Hi,

So far I have managed only to get as far as cleaning with ATF. I downloaded and unzipped the Hosts program as directed but fi it unpacks into a file with no extension and so am unable to use it. I am using IZArc for my unzipping.

Edited by Sargantana, 15 April 2009 - 05:47 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 15 April 2009 - 09:43 AM

If you encounter a problem with the zipped version, try using an alternative zipping tool like 7zip or ExtractNow. If you still encounter problems, then use the MVPS HOSTS File text version.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 16 April 2009 - 02:36 PM

Hi Quietman,

OK, I did all the things requested in sequence and have had no joy. Returning to Yahoo I checked my ad-blocker and within seconds the pop-up was back. Tougher than the average bear I fear...

Cheers

C.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 16 April 2009 - 03:58 PM

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 17 April 2009 - 03:13 PM

Hi Quietman,

Strange - I answered you earlier today but the message has...disappeared... anyway, yes, Malwarebytes - I used that one first, as soon as I got the plague. Ran it on a full scan - it didn't find a thing!

This bug is evil.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 17 April 2009 - 10:18 PM

Please post the results of your MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 18 April 2009 - 04:32 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1604
Windows 5.1.2600 Service Pack 3

18/04/2009 10:24:56
mbam-log-2009-04-18 (10-24-56).txt

Scan type: Quick Scan
Objects scanned: 55233
Time elapsed: 11 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 PM

Posted 18 April 2009 - 06:43 AM

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.31) with an outdated database. Please download and install the most current version (1.36) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 1608. Last I checked it was 1998.

Edited by quietman7, 18 April 2009 - 06:44 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 18 April 2009 - 09:09 AM

Got it! ;0)

I have to admit that I have yet to return to my Yahoo mail site to see if it re-infects my computer, and I am somewhat reluctant now to do so, nevertheless thank you very much for your assistance.

Cheers

C.



Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3

18/04/2009 12:28:28
mbam-log-2009-04-18 (12-28-28).txt

Scan type: Quick Scan
Objects scanned: 78160
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Archivos de programa\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.

#14 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 18 April 2009 - 09:50 AM

So I went back to Yahoo and got infected again!

Back to the drawing board...

#15 Sargantana

Sargantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cambridge, UK
  • Local time:01:47 AM

Posted 18 April 2009 - 10:31 AM

Latest log file;

Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3

18/04/2009 16:22:22
mbam-log-2009-04-18 (16-22-22).txt

Scan type: Quick Scan
Objects scanned: 78033
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users