# remove ad.yieldmanager from vista



## phantastic (Feb 16, 2008)

Is anyone willing to help me?? I am not sure how many of you pros know much about Vista yet, so before I take up too much space here I wanted to ask this question first. Should have done a search for vista first. I know I have it because I am redirected to a google search for them now I need to get rid of it. Here is my hjt log, I have tried to run a panda scan but it does not support vista yet. I ran Kasperski and it found 2 items got rid of them before the hjt scan so they are gone. This computer is only 2 weeks old so I would like to get it cleaned and keep it that way. Thank you for your help in advance.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:46:14 AM, on 2/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Users\Chris\Desktop\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5664
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5664
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5664
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8819 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

Welcome to TSG.

Lets take a deeper look:

Download *WinPFind35U.exe (BETA) *to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind35u* on your desktop. *WinPFind35u* can be detected as malware by your firewall and Ativirus. Chose *Ignore* on any warning alert.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of WinpFind35U.
-----------------------------------------------------------​
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with *WinpFind35U* or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------​

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## phantastic (Feb 16, 2008)

Ok here is the file. Let me know if I didn't do it correctly? I have never attached a file to a post in a forum???
The scan didn't take long at all??? I hope I did the scan right???


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

RIGHT-CLICK *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, *RIGHT-CLICK DelDomains.inf* and select: Install (no need to restart)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.*


----------



## phantastic (Feb 16, 2008)

JS, I can't install DelDomains I get an installation failed window.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

Lets try to remove the entries in the "Trusted Zone" and "Ranges" throughout a registry script instead.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous. As a precaution, we will make a backup of the registry first.

_ Modification of the registry can be *EXTREMELY* dangerous if you do not know exactly what you are doing. Please follow the steps that are listed below *EXACTLY*. If you cannot preform some of these steps, or if you have *ANY* questions please ask *BEFORE* proceeding._

*Backing Up Your Registry*
Go *Here* and download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts 
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT* 
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup 
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked 
Press *OK*
Press *YES* to create the folder.
*Registry Modifications*

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Deldomains.reg* . Once extracted, double click on the *Deldomains.reg* file and select *Yes* when prompted to merge it into the registry.

Let me know the outcome. Please also run the *Malwarebytes' Anti-Malware* scan and post its report.


----------



## phantastic (Feb 16, 2008)

JS,
All went well it did install in the registry.
Here is the MWB log.

Malwarebytes' Anti-Malware 1.04
Database version: 381

Scan type: Quick Scan
Objects scanned: 25578
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

Run *Winpfind35u* once again and post its report.

*How is the computer doing?*


----------



## phantastic (Feb 16, 2008)

JS, it looked like it was gone, didn't get it when I checked my email, just when I logged into my ebay account and tried to look at anything I had saved it was still there. Here is the log you asked for.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

Some entries in the Trusted zone are still present.

Please remove the *Deldomains* folders from your desktop

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Deldomains.reg* . Once extracted, double click on the *Deldomains.reg* file and select *Yes* when prompted to merge it into the registry.

After a restart, run *Winpfind35u* once again apost its report.


----------



## phantastic (Feb 16, 2008)

JS Dels was not anywhere on my desktop before I downloaded it again?? I ran that restarted and ran winpfind here are the results.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

All Domains are gone. :up:


Click on the Vista logo (used to be the "Start" button).
In the "*Start Search*" box type *Combofix /u*. Note the space between the X and the /U, it needs to be there.
Do NOT hit ENTER. Instead hit* CTRL+SHIFT+ENTER*.
If the disclaimer notice is displayed, select "*2*" and press Enter
The above procedure will:
 Delete the following:
 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\Deckard folder, if present
 The C:_OtMoveIt folder, if present

 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Set a new, clean Restore Point.

Remove all applications, files and folder created during this session.

*Test for your original issue and let me know how is the computer doing.*


----------



## phantastic (Feb 16, 2008)

JS,
the only thing the combofix did was open another window?? Didn't ask me to do anything??

Problem is still there???


----------



## phantastic (Feb 16, 2008)

JS,
had to re download combofix and got it to work, problem is still there?????


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

It could be due to VISTA's Security.

Remove it manually, including the C:\Combofix and the C:\qoobox folder if exist. Also remove all files and folders created during the fix.

*How is the computer doing?*


----------



## phantastic (Feb 16, 2008)

JS,
Nothing has changed with the computer. The problem still exists?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* :

Click on the Vista logo (used to be the "Start" button.
In the "Start Search" box copy and paste the following command:


```
[B]CMD /C Dir /s "%Systemdrive%\*yieldmanager.*" >"%Userprofile%\Desktop\Report.txt"[/B]
```

Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER. 
If you are prompted by the UAC warning window. Click on CTRL+C or click on the "Continue" button.
The MSDOS Window will be displayed. It will take a few minutes to scan your computer, please be patient.
Once the scan is finished, a *Report.txt* will be created on your desktop.
Please open this file in Notepad and post it contents.


----------



## phantastic (Feb 16, 2008)

JS,
I think I might have gotten it searching while waiting for your reply but I am not sure here is the report you asked for.

Volume in drive C has no label.
Volume Serial Number is A070-0A8D

Directory of C:\Users\Chris\Favorites

02/24/2008 10:21 AM 5,553 Sorry, we couldn't find http--ad.yieldmanager.com-st%3Fad_type. [ - Geeks to Go!.url
1 File(s) 5,553 bytes

Total Files Listed:
1 File(s) 5,553 bytes
0 Dir(s) 444,297,728,000 bytes free

I do have a question about 2 things in the hjt log I am not sure what they are??
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


----------



## phantastic (Feb 16, 2008)

Not sure I fixed it, now I just get the message that the add part of the web page can not be loaded?? when I click on the back button it will show me ad.yieldmanger for the past 3 pages??? I am starting to think that this damn thing got in through a java update?????


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

We are closer.

Run the following command:


```
[B]CMD /C Dir /s "C:\Users\Chris\Favorites\*.*" >"%Userprofile%\Desktop\Report.txt"[/B]
```
Post the contents of the *Report.txt*.

Download *RegSeeker* from here:

http://www.softpedia.com/progDownload/RegSeeker-Download-4229.html

Save and extract its contents to the desktop


A new folder will appear on your desktop. Within the folder, click on *RegSeeker.exe*. Click on *Find in registry*. Copy and paste the following string and click on *Search*.

*yieldmanager*

Once the scanning has finished, click on *Select*, then on *Select All*.
Click on *Action*, then on *Export selected items*.
Name the export *Report*. It will be saved within the *RegSeeker* ->* Backup* folder.
Please Open this file in Notepad.
*Copy and Paste its contents in a reply.*

*Warning*: Please be careful with this program. In as much it can help you, improper use will damage the computer's registry.


----------



## phantastic (Feb 16, 2008)

Here is the one report, but the other one from regseaker will not save to the back up file so I can not open it with notepad??? I will keep trying but it did find 5 entries for it.

Volume in drive C has no label.
Volume Serial Number is A070-0A8D

Directory of C:\Users\Chris\Favorites

02/24/2008 11:22 AM .
02/24/2008 11:22 AM ..
02/24/2008 11:22 AM 262 AntiVir PersonalEdition Support Forum Viruses and other security risks Yeildmanager.com.url
02/14/2008 10:21 PM 266 guides The Simpsons Game Guide (Nintendo DS), The Simpsons Game Walkthrough.url
02/19/2008 07:12 AM 287 How To Remove Virusheat (removal Instructions).url
02/09/2008 08:50 AM 196 PlayStation.com Forums - PlayStation.com Forums.url
02/19/2008 07:14 PM  200 Simple Case Search.url
02/24/2008 10:21 AM 5,553 Sorry, we couldn't find http--ad.yieldmanager.com-st%3Fad_type. [ - Geeks to Go!.url
02/24/2008 11:32 AM Tech Help
02/19/2008 01:17 PM 196 Wisconsin Job Search.url
02/04/2008 07:36 PM 690 Work Email.url
8 File(s) 7,650 bytes

Directory of C:\Users\Chris\Favorites\Tech Help

02/24/2008 11:32 AM .
02/24/2008 11:32 AM ..
02/24/2008 04:28 PM 3,768 Tech Support Guy Forums.url
1 File(s) 3,768 bytes

Total Files Listed:
9 File(s) 11,418 bytes
5 Dir(s) 444,657,303,552 bytes free


----------



## phantastic (Feb 16, 2008)

sorry was not installing it just running the exe file from the zip so it wouldn't save the log. installed and here it is.

REGEDIT4

[HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com]

[HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com\ad]
"*"=dword:00000004

[HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com\www.ad]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites]
"Order"=hex:08,00,00,00,02,00,00,00,50,06,00,00,01,00,00,00,09,00,00,00,62,00,00,00,05,00,\
00,00,54,00,31,00,00,00,00,00,55,38,6D,5A,10,00,54,45,43,48,48,45,7E,31,00,\
00,3C,00,07,00,04,00,EF,BE,50,38,0B,77,55,38,6D,5A,26,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,90,D5,C6,06,00,00,54,00,65,00,63,00,68,00,20,00,48,\
00,65,00,6C,00,70,00,00,00,18,00,00,00,00,00,00,00,0E,01,00,00,08,00,00,00,\
00,01,32,00,06,01,00,00,58,38,C6,8A,20,00,41,4E,54,49,56,49,7E,31,2E,55,52,\
4C,00,00,E4,00,07,00,04,00,EF,BE,58,38,C6,8A,58,38,C6,8A,26,00,00,00,A3,F7,\
01,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,41,00,6E,00,74,00,69,00,56,\
00,69,00,72,00,20,00,50,00,65,00,72,00,73,00,6F,00,6E,00,61,00,6C,00,45,00,\
64,00,69,00,74,00,69,00,6F,00,6E,00,20,00,53,00,75,00,70,00,70,00,6F,00,72,\
00,74,00,20,00,46,00,6F,00,72,00,75,00,6D,00,20,00,20,00,56,00,69,00,72,00,\
75,00,73,00,65,00,73,00,20,00,61,00,6E,00,64,00,20,00,6F,00,74,00,68,00,65,\
00,72,00,20,00,73,00,65,00,63,00,75,00,72,00,69,00,74,00,79,00,20,00,72,00,\
69,00,73,00,6B,00,73,00,20,00,20,00,59,00,65,00,69,00,6C,00,64,00,6D,00,61,\
00,6E,00,61,00,67,00,65,00,72,00,2E,00,63,00,6F,00,6D,00,2E,00,75,00,72,00,\
6C,00,00,00,1C,00,00,00,00,00,00,00,F2,00,00,00,00,00,00,00,E4,00,32,00,0A,\
01,00,00,4F,38,A6,22,20,00,47,55,49,44,45,53,7E,31,2E,55,52,4C,00,00,C8,00,\
07,00,04,00,EF,BE,4B,38,39,1C,4B,38,39,1C,26,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,C4,F4,F6,00,00,00,67,00,75,00,69,00,64,00,65,00,73,00,20,00,\
54,00,68,00,65,00,20,00,53,00,69,00,6D,00,70,00,73,00,6F,00,6E,00,73,00,20,\
00,47,00,61,00,6D,00,65,00,20,00,47,00,75,00,69,00,64,00,65,00,20,00,28,00,\
4E,00,69,00,6E,00,74,00,65,00,6E,00,64,00,6F,00,20,00,44,00,53,00,29,00,2C,\
00,20,00,54,00,68,00,65,00,20,00,53,00,69,00,6D,00,70,00,73,00,6F,00,6E,00,\
73,00,20,00,47,00,61,00,6D,00,65,00,20,00,57,00,61,00,6C,00,6B,00,74,00,68,\
00,72,00,6F,00,75,00,67,00,68,00,2E,00,75,00,72,00,6C,00,00,00,1C,00,00,00,\
00,00,00,00,B8,00,00,00,06,00,00,00,AA,00,32,00,1F,01,00,00,53,38,99,69,20,\
00,48,4F,57,54,4F,52,7E,31,2E,55,52,4C,00,00,8E,00,07,00,04,00,EF,BE,53,38,\
99,69,53,38,99,69,26,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,C4,F4,F6,\
00,00,00,48,00,6F,00,77,00,20,00,54,00,6F,00,20,00,52,00,65,00,6D,00,6F,00,\
76,00,65,00,20,00,56,00,69,00,72,00,75,00,73,00,68,00,65,00,61,00,74,00,20,\
00,28,00,72,00,65,00,6D,00,6F,00,76,00,61,00,6C,00,20,00,49,00,6E,00,73,00,\
74,00,72,00,75,00,63,00,74,00,69,00,6F,00,6E,00,73,00,29,00,2E,00,75,00,72,\
00,6C,00,00,00,1C,00,00,00,00,00,00,00,BA,00,00,00,01,00,00,00,AC,00,32,00,\
C4,00,00,00,49,38,5C,76,20,00,50,4C,41,59,53,54,7E,31,2E,55,52,4C,00,00,90,\
00,07,00,04,00,EF,BE,49,38,01,71,49,38,01,71,26,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,C4,F4,F6,00,00,00,50,00,6C,00,61,00,79,00,53,00,74,00,61,\
00,74,00,69,00,6F,00,6E,00,2E,00,63,00,6F,00,6D,00,20,00,46,00,6F,00,72,00,\
75,00,6D,00,73,00,20,00,2D,00,20,00,50,00,6C,00,61,00,79,00,53,00,74,00,61,\
00,74,00,69,00,6F,00,6E,00,2E,00,63,00,6F,00,6D,00,20,00,46,00,6F,00,72,00,\
75,00,6D,00,73,00,2E,00,75,00,72,00,6C,00,00,00,1C,00,00,00,00,00,00,00,80,\
00,00,00,02,00,00,00,72,00,32,00,C8,00,00,00,54,38,E0,09,20,00,53,49,4D,50,\
4C,45,7E,31,2E,55,52,4C,00,00,56,00,07,00,04,00,EF,BE,4F,38,65,5A,4F,38,65,\
5A,26,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,C4,F4,F6,00,00,00,53,00,\
69,00,6D,00,70,00,6C,00,65,00,20,00,43,00,61,00,73,00,65,00,20,00,53,00,65,\
00,61,00,72,00,63,00,68,00,2E,00,75,00,72,00,6C,00,00,00,1C,00,00,00,00,00,\
00,00,FC,00,00,00,07,00,00,00,EE,00,32,00,B1,15,00,00,58,38,AB,82,20,00,53,\
4F,52,52,59,5F,7E,31,2E,55,52,4C,00,00,D2,00,07,00,04,00,EF,BE,58,38,E8,6B,\
58,38,E8,6B,26,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,C4,F4,F6,00,00,\
00,53,00,6F,00,72,00,72,00,79,00,2C,00,20,00,77,00,65,00,20,00,63,00,6F,00,\
75,00,6C,00,64,00,6E,00,27,00,74,00,20,00,66,00,69,00,6E,00,64,00,20,00,68,\
00,74,00,74,00,70,00,2D,00,2D,00,61,00,64,00,2E,00,79,00,69,00,65,00,6C,00,\
64,00,6D,00,61,00,6E,00,61,00,67,00,65,00,72,00,2E,00,63,00,6F,00,6D,00,2D,\
00,73,00,74,00,25,00,33,00,46,00,61,00,64,00,5F,00,74,00,79,00,70,00,65,00,\
2E,00,20,00,5B,00,20,00,2D,00,20,00,47,00,65,00,65,00,6B,00,73,00,20,00,74,\
00,6F,00,20,00,47,00,6F,00,21,00,2E,00,75,00,72,00,6C,00,00,00,1C,00,00,00,\
00,00,00,00,84,00,00,00,03,00,00,00,76,00,32,00,C4,00,00,00,53,38,30,9A,20,\
00,57,49,53,43,4F,4E,7E,31,2E,55,52,4C,00,00,5A,00,07,00,04,00,EF,BE,4E,38,\
4F,B6,4E,38,4F,B6,26,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,90,D5,C6,\
06,00,00,57,00,69,00,73,00,63,00,6F,00,6E,00,73,00,69,00,6E,00,20,00,4A,00,\
6F,00,62,00,20,00,53,00,65,00,61,00,72,00,63,00,68,00,2E,00,75,00,72,00,6C,\
00,00,00,1C,00,00,00,00,00,00,00,70,00,00,00,04,00,00,00,62,00,32,00,B2,02,\
00,00,45,38,86,0C,20,00,57,4F,52,4B,45,4D,7E,31,2E,55,52,4C,00,00,46,00,07,\
00,04,00,EF,BE,44,38,AB,25,44,38,AB,25,26,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,90,D5,C6,06,00,00,57,00,6F,00,72,00,6B,00,20,00,45,00,6D,00,61,\
00,69,00,6C,00,2E,00,75,00,72,00,6C,00,00,00,1C,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Tech Help]
"Order"=hex:08,00,00,00,02,00,00,00,96,00,00,00,01,00,00,00,01,00,00,00,8A,00,00,00,00,00,\
00,00,7C,00,32,00,B8,0E,00,00,58,38,D6,8A,20,00,54,45,43,48,53,55,7E,31,2E,\
55,52,4C,00,00,60,00,07,00,04,00,EF,BE,50,38,C3,76,50,38,C3,76,26,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,08,F7,86,0E,00,00,54,00,65,00,63,00,68,\
00,20,00,53,00,75,00,70,00,70,00,6F,00,72,00,74,00,20,00,47,00,75,00,79,00,\
20,00,46,00,6F,00,72,00,75,00,6D,00,73,00,2E,00,75,00,72,00,6C,00,00,00,1C,\
00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\yieldmanager.com]
@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com\ad]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com\www.ad]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yieldmanager.com]


----------



## JSntgRvr (Jul 1, 2003)

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please Clear (delete everything) the following *folder*:

*C:\Users\Chris\Favorites*

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *YMfix.reg* . Once extracted, double click on the *YMfix.reg* file and select *Yes* when prompted to merge it into the registry.

Restart and test the computer. Let me know the outcome.


----------



## phantastic (Feb 16, 2008)

JS,
I was never asked anything after it was extracted, when I double clicked on the file it opened a text file only?? I took a look and it seems to be gone now, nothing via yahoo and nothing via ebay??? I still would like to figure out if the file took to the registry or not???


----------



## JSntgRvr (Jul 1, 2003)

Just to make sure, run *Regedit*. Select* File* from the menu, then *Import*. Locate the *YMfix.reg* file and import the file into the registry. Restart the computer afterwards.

I'll be checking on you in the AM.


----------



## JSntgRvr (Jul 1, 2003)

phantastic said:


> JS,
> I was never asked anything after it was extracted, when I double clicked on the file it opened a text file only?? I took a look and it seems to be gone now, nothing via yahoo and nothing via ebay??? I still would like to figure out if the file took to the registry or not???


If the file opened as a text file, you may have a problem with your file associations.








Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on *dss.exe *to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt *<- this one will be maximized and *extra.txt *<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the *main.txt* and the *extra.txt* in your next reply.
If the files are too long, attach them to a reply:

Scroll down and click the [*Manage Attachments*] button
Browse to the following folder:
*C:\Deckard\System Scanner*

Click *Upload* to upload these files one by one
*Submit *your reply


----------



## phantastic (Feb 16, 2008)

JS,
If I right clicked on the zip file it would ask if I wanted to extract it?? I ran dss any way and here is the file. Oh and since I have imported that file to the registry it is now back??? Mostly ebay, if I look at the back button it shows up again???


----------



## phantastic (Feb 16, 2008)

Sorry forgot to hit the upload button???


----------



## JSntgRvr (Jul 1, 2003)

phantastic said:


> JS,
> If I right clicked on the zip file it would ask if I wanted to extract it?? I ran dss any way and here is the file. Oh and since I have imported that file to the registry it is now back??? Mostly ebay, if I look at the back button it shows up again???


Are you able to extract .zipped files? When you rightclick on a .zip folder, on the Context Menu, Is there an option to* "Extract All"*?

*DDS* also produced an *Extra.txt* file. Please post or upload that file.

If you are unable to extract .zipped files, follow these steps:


*Copy the entire contents of the Code Box * below to *Notepad*. 
Name the file as *fix.reg * 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 
Once saved, double click on the *fix.reg*.
Select *Yes* when prompted to merge it into the Registry.


```
REGEDIT4

[-HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\yieldmanager.com]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
```
Make you leave two lines emptied at the bottom of the script, but do not leave an emptied line at the beginning of it.

If you are not prompted to merge it into the registry, chances are the file association has changed. I will know that when you include the *Extra.txt* file.

Restart the computer if successful.

You should be thinking in replacing the HOSTS file with the MVPs HOSTS. There is more information here:

http://www.mvps.org/winhelp2002/hosts.htm#Related

Please note Windows Vista requires special instructions.


----------



## phantastic (Feb 16, 2008)

Yes I was able to select to extract all the files from the zip file and that is what I did. As for dss i have searched my computer and re run dss and I do not get an extra.txt file, reduced or other wise???


----------



## JSntgRvr (Jul 1, 2003)

The *Extra.txt* file should be in the *C:\Deckard\System Scanner* folder. Open it in Notepad and post its contents.

Were you able to merge the *fix.reg* file? How about the *HOSTS* file?

If can't find the *Extra.txt* and DDS still on your desktop, go to the Vista (Start) button, copy and paste the following command on the search line and press Ctrl+Shift+Enter:

*"%userprofile%\desktop\dss.exe" /config*

The Deckard System Scanner Config display will appear. Deselect everything, except all boxes under the Extra.log and click on Scan. Post the report.


----------



## phantastic (Feb 16, 2008)

Ok here is the extra file. I wasn't getting one because none of the boxes were check marked under extra. Yes I did get fix.reg file merged. I have not done the host part yet wanted to get you this extra file first.


----------



## JSntgRvr (Jul 1, 2003)

Still unable to see if there is a problem with file associations.

Run again:

*"%userprofile%\desktop\dss.exe" /config*

Deselect all except for *File Associations* under *Main.log* and click on Scan


----------



## phantastic (Feb 16, 2008)

JS
Here it is.

Deckard's System Scanner v20071014.68
Run by Chris on 2008-02-26 20:08:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - %SystemRoot%\System32\imageres.dll,-68
.bat - batfile - shell\open\command - "%1" %*
.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.cmd - cmdfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-153
.cmd - cmdfile - shell\open\command - "%1" %*
.cmd - cmdfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.chm - chm.file - DefaultIcon - %SystemRoot%\hh.exe,0
.chm - chm.file - shell\open\command - "%SystemRoot%\hh.exe" %1
.com - comfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,2
.com - comfile - shell\open\command - "%1" %*
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - %SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.exe - exefile - DefaultIcon - %1
.exe - exefile - shell\open\command - "%1" %*
.hlp - hlpfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,23
.hlp - hlpfile - shell\open\command - %SystemRoot%\winhlp32.exe %1
.inf - inffile - DefaultIcon - %SystemRoot%\System32\imageres.dll,-69
.inf - inffile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.ini - inifile - DefaultIcon - imageres.dll,-69
.ini - inifile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.js - JSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,3
.js - JSFile - shell\open\command - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - CLSID - {00021401-0000-0000-C000-000000000046}
.pif - piffile - shell\open\command - "%1" %*
.reg - regfile - DefaultIcon - %SystemRoot%\regedit.exe,1
.reg - regfile - shell\open\command - regedit.exe "%1"
.reg - regfile - shell\edit\command - %SystemRoot%\system32\notepad.exe "%1"
.scr - scrfile - shell\open\command - "%1" /S
.txt - txtfile - DefaultIcon - %SystemRoot%\system32\imageres.dll,-102
.txt - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - "%SystemRoot%\System32\WScript.exe" "%1" %*
.vbs - VBSFile - shell\edit\command - "%SystemRoot%\System32\Notepad.exe" %1

-- End of Deckard's System Scanner: finished at 2008-02-26 20:08:04 ------------


----------



## JSntgRvr (Jul 1, 2003)

Hi, *phantastic* 

All associations are OK. Perhaps you attempted to to open the file within the .zip folder, thus opened in Notepad. It should open with Regedit, as indicated above.

*How is the computer doing?*


----------



## phantastic (Feb 16, 2008)

Well it is still there, at least I believe it is?? I have side adds that say " Internet Explorer cannot display the webpage 
Most likely causes:
You are not connected to the Internet. 
The website is encountering problems. 
There might be a typing error in the address. " and when I hit the back button while on ebay it tells me the last 2 things loaded are adyieldmanager??? I am also working on my fathers new laptop that I now believe has the same issues????


----------



## JSntgRvr (Jul 1, 2003)

phantastic said:


> Well it is still there, at least I believe it is?? I have side adds that say " Internet Explorer cannot display the webpage
> Most likely causes:
> You are not connected to the Internet.
> The website is encountering problems.
> There might be a typing error in the address. " and when I hit the back button while on ebay it tells me the last 2 things loaded are adyieldmanager??? I am also working on my fathers new laptop that I now believe has the same issues????


This has nothing to do with *YieldManager*, or there is an indication to this effect?

Make sure your Network Cables are in place. Open a Command Prompt.


Click on the Vista logo (used to be the "Start" button).
In the "Start Search" box type CMD or CMD.EXE.
Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER.
You will be prompted by the UAC warning window. Click on CTRL+C or click on the "Continue" button.
Note that the CMD window has an "Administrator:" appended to the window title.
At the prompt type the following and press Enter afer each command:
*ipconfig /flushdns
Exit​*
Restart the computer and test.


----------



## phantastic (Feb 16, 2008)

JS,
Did what you said and it worked fine for the first visit, the second visit it happened all over again??? The forwarding to the google search page for adyieldmanager is now gone!!!


----------



## JSntgRvr (Jul 1, 2003)

Seems that you have a problem with your ISP, as far as the DNS server is concern. We can test that by using other DNS server.

Here are the instructions:

https://www.opendns.com/start?device=windows-vista

Once you change these settings, you will be using the OPEN DNS server to browse the net, rather than your ISP.

Give it a try and let me know the outcome.


----------



## phantastic (Feb 16, 2008)

Nope didn't fix it I am still getting the errors and on ebay I am still getting the ad.yieldmanger in the back button.


----------



## JSntgRvr (Jul 1, 2003)

Lets take another look:

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------​
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------​

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------​
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## phantastic (Feb 16, 2008)

JS,
Here is the info you asked for.

ComboFix 08-03-03.6 - Chris 2008-03-03 5:55:31.3 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.2123 [GMT -6:00]
Running from: C:\Users\Chris\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 12:56 . 2008-03-02 12:56	0	--a------	C:\Windows\ativpsrm.bin
2008-03-02 12:54 . 2008-03-02 12:54 d--------	C:\ATI
2008-03-01 21:12 . 2008-03-01 21:12 d--------	C:\Users\All Users\Fugazo
2008-03-01 21:12 . 2008-03-01 21:12 d--------	C:\PROGRA~2\Fugazo
2008-02-27 21:57 . 2008-02-27 21:57	0	--a------	C:\Windows\Irremote.ini
2008-02-27 15:09 . 2008-02-27 15:09 d--------	C:\Users\Desiree\AppData\Roaming\Apple Computer
2008-02-26 16:41 . 2008-02-26 16:41 d--------	C:\Program Files\iTunes
2008-02-26 16:41 . 2008-02-26 16:41 d--------	C:\Program Files\iPod
2008-02-26 16:41 . 2008-02-26 16:41	54,156	--ah-----	C:\Windows\QTFont.qfn
2008-02-26 16:41 . 2008-02-26 16:41	1,409	--a------	C:\Windows\QTFont.for
2008-02-24 20:31 . 2008-02-24 20:31 d--------	C:\Users\All Users\SUPERAntiSpyware.com
2008-02-24 20:31 . 2008-02-24 20:32 d--------	C:\Program Files\SUPERAntiSpyware
2008-02-24 20:31 . 2008-02-24 20:31 d--------	C:\PROGRA~2\SUPERAntiSpyware.com
2008-02-24 09:56 . 2008-02-24 10:20 d--------	C:\Program Files\SpywareGuard
2008-02-24 09:50 . 2008-02-27 21:42 d--------	C:\Program Files\SpywareBlaster
2008-02-24 09:50 . 2005-08-25 18:19	115,920	--a------	C:\Windows\System32\MSINET.OCX
2008-02-24 07:36 . 2008-02-24 07:36 d--------	C:\Windows\System32\Kaspersky Lab
2008-02-24 07:12 . 2008-02-24 07:12 d--------	C:\Deckard
2008-02-22 18:43 . 2006-11-02 03:44	320,000	--a------	C:\kmd.exe
2008-02-22 07:23 . 2008-02-22 07:23 d--------	C:\Users\Alex\AppData\Roaming\Grisoft
2008-02-22 06:48 . 2008-02-22 06:48 d--------	C:\Program Files\SlySoft
2008-02-21 05:29 . 2008-02-21 05:29 d--------	C:\Program Files\Haali
2008-02-21 05:29 . 2008-02-21 05:29 d--------	C:\Program Files\ffdshow
2008-02-21 05:29 . 2007-11-29 12:52	60,273	--a------	C:\Windows\System32\pthreadGC2.dll
2008-02-21 05:29 . 2007-12-03 16:34	7,680	--a------	C:\Windows\System32\ff_vfw.dll
2008-02-21 05:29 . 2007-11-29 12:52	547	--a------	C:\Windows\System32\ff_vfw.dll.manifest
2008-02-21 05:28 . 2008-02-21 05:29 d--------	C:\Program Files\doubleTwist
2008-02-19 07:10 . 2008-02-19 07:10 d--------	C:\Users\All Users\Malwarebytes
2008-02-19 07:10 . 2008-02-22 05:27 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-02-19 07:10 . 2008-02-19 07:10 d--------	C:\PROGRA~2\Malwarebytes
2008-02-18 22:24 . 2007-05-30 06:10	10,872	--a------	C:\Windows\System32\drivers\AvgAsCln.sys
2008-02-17 10:12 . 2008-02-17 10:12 d--------	C:\Users\All Users\SlySoft
2008-02-17 10:12 . 2008-02-17 10:12 d--------	C:\PROGRA~2\SlySoft
2008-02-17 10:09 . 2008-02-17 10:12	24	---hs----	C:\Windows\S2A81514B.tmp
2008-02-16 18:30 . 2008-02-16 21:51 d--------	C:\Program Files\FBrowsingAdvisor
2008-02-16 18:30 . 2008-02-16 18:30 d--------	C:\Program Files\FBrowserAdvisor
2008-02-16 18:30 . 2008-02-16 18:30 d--------	C:\Program Files\BrowsingTool
2008-02-16 18:30 . 2006-04-14 23:05	9,952	--a------	C:\regxpcom.exe
2008-02-16 12:42 . 2008-02-16 12:42 d--------	C:\Program Files\Disney
2008-02-16 09:13 . 2008-02-16 09:13 d--------	C:\Windows\Sun
2008-02-16 09:03 . 2008-02-16 09:12 d--------	C:\Users\Chris\.SunDownloadManager
2008-02-16 09:01 . 2008-02-16 09:02 d--------	C:\Program Files\QuickTime
2008-02-15 20:26 . 2008-01-09 23:50	1,244,672	--a------	C:\Windows\System32\mcmde.dll
2008-02-15 16:47 . 2008-02-15 16:47 d--------	C:\Users\Desiree\AppData\Roaming\iWin
2008-02-13 15:29 . 2008-02-27 17:35 d--------	C:\Users\Alex\AppData\Roaming\PlayFirst
2008-02-12 22:35 . 2008-02-12 22:35	4,247,552	--a------	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-12 15:27 . 2008-02-12 15:27 d--------	C:\Users\Desiree\AppData\Roaming\WildTangent
2008-02-11 17:37 . 2008-02-11 17:37 d--------	C:\Users\Alex\AppData\Roaming\WildTangent
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Videos
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Searches
2008-02-11 17:35 . 2008-02-27 17:30 dr-------	C:\Users\Alex\Saved Games
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Pictures
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Music
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Links
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Downloads
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Documents
2008-02-11 17:35 . 2008-02-11 17:35 dr-------	C:\Users\Alex\Contacts
2008-02-11 17:35 . 2008-03-01 09:59 d--------	C:\Users\Alex\AppData\Roaming\Spare Backup
2008-02-11 17:35 . 2008-02-11 17:35 d--------	C:\Users\Alex\AppData\Roaming\Nero
2008-02-11 17:35 . 2006-11-02 06:37 d--------	C:\Users\Alex\AppData\Roaming\Media Center Programs
2008-02-11 17:35 . 2008-03-01 09:58 d--------	C:\Users\Alex\AppData\Roaming\AVG7
2008-02-11 17:35 . 2008-02-11 17:35 d--------	C:\Users\Alex\AppData\Roaming\ATI
2008-02-11 17:35 . 2008-02-11 17:35 d--h-----	C:\Users\Alex\AppData
2008-02-11 17:07 . 2008-02-21 16:30 d--------	C:\Users\All Users\PlayFirst
2008-02-11 17:07 . 2008-02-21 16:30 d--------	C:\PROGRA~2\PlayFirst
2008-02-11 16:12 . 2008-02-11 16:12 d--------	C:\Users\Desiree\AppData\Roaming\CyberLink
2008-02-11 16:11 . 2008-03-02 18:29 d--------	C:\Users\Desiree\AppData\Roaming\Spare Backup
2008-02-11 16:10 . 2008-02-11 16:10 dr-------	C:\Users\Desiree\Videos
2008-02-11 16:10 . 2008-02-11 16:10 dr-------	C:\Users\Desiree\Searches
2008-02-11 16:10 . 2008-02-15 16:48 dr-------	C:\Users\Desiree\Saved Games
2008-02-11 16:10 . 2008-02-11 16:10 dr-------	C:\Users\Desiree\Pictures
2008-02-11 16:10 . 2008-02-27 15:11 dr-------	C:\Users\Desiree\Music
2008-02-11 16:10 . 2008-02-11 16:10 dr-------	C:\Users\Desiree\Links
2008-02-11 16:10 . 2008-02-11 16:10 dr-------	C:\Users\Desiree\Downloads
2008-02-11 16:10 . 2008-02-12 18:21 dr-------	C:\Users\Desiree\Documents
2008-02-11 16:10 . 2008-02-12 18:21 dr-------	C:\Users\Desiree\Contacts
2008-02-11 16:10 . 2008-02-11 16:10 d--------	C:\Users\Desiree\AppData\Roaming\Nero
2008-02-11 16:10 . 2006-11-02 06:37 d--------	C:\Users\Desiree\AppData\Roaming\Media Center Programs
2008-02-11 16:10 . 2008-03-02 18:23 d--------	C:\Users\Desiree\AppData\Roaming\AVG7
2008-02-11 16:10 . 2008-02-11 16:10 d--------	C:\Users\Desiree\AppData\Roaming\ATI
2008-02-11 16:10 . 2008-02-11 16:10 d--h-----	C:\Users\Desiree\AppData
2008-02-09 10:43 . 2007-01-03 11:20	1,732	--a------	C:\Windows\System32\drivers\nvphy.bin
2008-02-08 06:13 . 2008-02-08 06:13 d--------	C:\Program Files\Lavasoft
2008-02-08 06:12 . 2008-02-24 20:30 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 17:20 . 2008-02-06 17:20 d--------	C:\Windows\AiOTemp
2008-02-06 17:20 . 2008-02-06 17:20 d--------	C:\Program Files\Hewlett-Packard
2008-02-06 17:20 . 2005-07-29 11:55	38,912	--a------	C:\Windows\System32\hh.exe
2008-02-06 17:20 . 2008-02-06 17:20	20	--a------	C:\Windows\Hposcv07.INI
2008-02-05 13:06 . 2008-02-05 13:06	97,216	--a------	C:\Windows\System32\drivers\AnyDVD.sys
2008-02-05 07:08 . 2008-02-05 07:08 d--------	C:\Program Files\PENTAX Corporation
2008-02-05 07:07 . 2008-02-05 07:07 d--------	C:\Program Files\PENTAX
2008-02-05 07:06 . 2008-02-05 07:06 d--------	C:\Windows\Downloaded Installations
2008-02-05 06:36 . 2008-02-27 21:57 d--------	C:\Users\All Users\Nero
2008-02-05 06:36 . 2008-02-27 21:57 d--------	C:\Program Files\Common Files\Nero
2008-02-05 06:36 . 2008-02-27 21:57 d--------	C:\PROGRA~2\Nero
2008-02-04 21:19 . 2008-02-04 21:19 d--------	C:\Users\All Users\Ahead
2008-02-04 21:19 . 2008-02-04 21:19 d--------	C:\PROGRA~2\Ahead
2008-02-04 19:32 . 2008-02-26 22:11 d--------	C:\Users\Chris\Incomplete
2008-02-04 19:29 . 2008-02-04 19:29 d--------	C:\Program Files\LimeWire
2008-02-04 19:00 . 2008-02-26 16:41 d--------	C:\Users\All Users\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 19:01	---------	d-----w	C:\Program Files\ATI Technologies
2008-03-02 03:12	---------	d-----w	C:\Program Files\Gateway Games
2008-03-01 03:00	---------	d-----w	C:\PROGRA~2\WildTangent
2008-02-16 15:12	---------	d-----w	C:\Program Files\Java
2008-02-13 04:35	803,328	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-02-13 04:33	824,832	----a-w	C:\Windows\System32\wininet.dll
2008-02-13 04:33	56,320	----a-w	C:\Windows\System32\iesetup.dll
2008-02-13 04:33	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll
2008-02-13 04:33	26,624	----a-w	C:\Windows\System32\ieUnatt.exe
2008-02-09 16:42	---------	d-----w	C:\Program Files\CONEXANT
2008-02-09 15:00	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-05 13:08	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-05 00:16	---------	d-----w	C:\Program Files\MSBuild
2008-02-04 04:51	---------	d-----w	C:\PROGRA~2\Napster
2008-02-04 00:46	---------	d-----w	C:\Program Files\Windows Sidebar
2008-02-04 00:46	---------	d-----w	C:\Program Files\Windows Mail
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Templates
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Start Menu
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Favorites
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Documents
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Desktop
2008-02-04 00:26	---------	d-sh--w	C:\PROGRA~2\Application Data
2008-01-22 21:39	3,482,112	----a-w	C:\Windows\system32\drivers\atikmdag.sys
2008-01-22 20:40	368,640	----a-w	C:\Windows\System32\ATIDEMGX.dll
2008-01-22 20:40	274,432	----a-w	C:\Windows\System32\atipdlxx.dll
2008-01-22 20:40	237,568	----a-w	C:\Windows\System32\Oemdspif.dll
2008-01-22 20:40	159,744	----a-w	C:\Windows\System32\atitmmxx.dll
2008-01-22 20:39	43,520	----a-w	C:\Windows\System32\ati2edxx.dll
2008-01-22 20:39	245,760	----a-w	C:\Windows\System32\Ati2evxx.dll
2008-01-22 20:38	643,072	----a-w	C:\Windows\System32\Ati2evxx.exe
2008-01-22 20:31	1,519,616	----a-w	C:\Windows\System32\atidxx32.dll
2008-01-22 20:26	3,031,552	----a-w	C:\Windows\System32\atiumdag.dll
2008-01-22 20:25	9,781,248	----a-w	C:\Windows\System32\atioglxx.dll
2008-01-22 20:13	3,936,256	----a-w	C:\Windows\System32\atiumdva.dll
2008-01-22 20:02	47,104	----a-w	C:\Windows\System32\amdpcom32.dll
2008-01-22 19:51	49,152	----a-w	C:\Windows\system32\drivers\ati2erec.dll
2008-01-15 08:39	30,464	----a-w	C:\Windows\system32\drivers\usbaapl.sys
2007-11-26 13:12	174	--sha-w	C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-26 06:25 1006264]
"auditadmin"="C:\windows\options\auditadmin.cmd" [2007-11-27 22:52 608]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-30 22:35 4702208 C:\Windows\RtHDVCpl.exe]
"ButtonMonitor"="C:\Program Files\IOI\ButtonMonitor.exe" [2007-05-10 23:55 53248]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-09-13 18:22 5252936]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 05:45 579072]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-04 05:45 219136]

C:\Users\Desiree\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\Users\Chris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-02-04 05:45 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0998DE3E-871A-462E-BFAB-85AA02834860}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00E24E32-92E5-48DC-95D5-95B07E33F103}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0D5F5D9D-A51E-433D-891E-5A14527BCA5F}"= C:\Program Files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD|Desc=CyberLink PowerDVD
"{138CBBF7-FC76-4B23-98F8-5BA24D5DBA3D}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{63515D95-57F0-4619-8521-E0C044FD763D}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{61BAA282-5C73-4B61-AB37-B9C8C4031949}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{5FB65303-314B-42B7-BBC9-25DD7EC8AC98}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{98580354-BE87-4EB1-8FE3-AE5D44AC990B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|
"{18C38F6D-B358-40D8-8E7C-6C9C0D51591D}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{D8D4C24C-614A-4280-A05A-056FF65E468D}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4D3C2948-BCD1-4241-AA90-8901EEFF01AE}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6F0F630F-E1A8-43B3-B720-096D526320B7}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{764BF0CF-0E5B-4AD7-887D-2865FED90352}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{43E251B2-8D88-49B8-8242-074A74B7213F}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B4A2B61B-8631-4050-A8A2-2DB8C45BBA2F}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CB02A660-1290-475A-AB68-AEFFE2F1ED96}C:\program files\limewire\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire|Desc=LimeWire
"UDP Query User{B41843EC-87F8-46B3-930A-4913E7FF310D}C:\program files\limewire\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire|Desc=LimeWire
"TCP Query User{4BC9BF6C-7363-4DBB-AF2F-4C75DBF7EE7E}C:\program files\nero\nero8\nero home\nerohome.exe"= UDP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home|Desc=Nero Home
"UDP Query User{1AA5BC36-E5BF-438F-A255-E2AAF09915E8}C:\program files\nero\nero8\nero home\nerohome.exe"= TCP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home|Desc=Nero Home
"TCP Query User{765A12D0-4B08-4E03-8A31-56747C601D5C}C:\program files\common files\nero\nero web\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer|Desc=Nero Installer
"UDP Query User{D50A3157-C3C4-4D69-B893-50BED6B58107}C:\program files\common files\nero\nero web\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer|Desc=Nero Installer
"TCP Query User{9A5C91FB-1335-4109-B371-1A344B4A235D}C:\program files\nero\nero8\nero showtime\showtime.exe"= UDP:C:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime|Desc=Nero ShowTime
"UDP Query User{0FDEB264-64D4-49C6-8D40-886889DB0EAC}C:\program files\nero\nero8\nero showtime\showtime.exe"= TCP:C:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime|Desc=Nero ShowTime
"TCP Query User{11AB8ABA-E55A-4DE7-B057-1DE9753FD9EA}C:\program files\nero\nero8\nero mediahome\nmmediaserver.exe"= UDP:C:\program files\nero\nero8\nero mediahome\nmmediaserver.exe:Nero MediaHome|Desc=Nero MediaHome
"UDP Query User{EECF479A-DC77-412D-92F8-BE78241B5887}C:\program files\nero\nero8\nero mediahome\nmmediaserver.exe"= TCP:C:\program files\nero\nero8\nero mediahome\nmmediaserver.exe:Nero MediaHome|Desc=Nero MediaHome
"{1D00C108-98F3-4BA5-80FD-A46798688153}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C8AA3425-2AED-46B2-92D8-33FC9C3AD3B4}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-04 22:40]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-29 09:11]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 15:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-02-04 05:45]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2007-05-11 22:09]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\Windows\system32\DRIVERS\xcbda.sys [2007-05-29 00:51]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe" [2008-01-29 11:09]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 01:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ae9fe45-d37a-11dc-bf4c-001e9067b62d}]
\shell\AutoRun\command - L:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 05:57:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-03 5:57:59
.
2008-02-29 11:20:27	--- E O F --- 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:03:33 AM, on 3/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Explorer.exe
C:\Users\Chris\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7480 bytes


----------



## JSntgRvr (Jul 1, 2003)

What happened to the HOSTS file?

Open Internet Explorer. Select *Tools* -> *Internet Options* -> *Privacy tab* -> *Advanced*

Place a checkmark on *Override automatic cookie handling* and on *Always allow session cookies*. *Accept* First party Cookies and *block* Third party cookies. Click OK, ->OK.

*Perform Disk Cleanup*:

Click Start, and then click Computer.
Right-click the drive you want to clean, and then click Properties. On the Properties dialog, click Disk Cleanup.
Click either My Files Only or Files From All Users On This Computer.
On the Disk Cleanup tab, select the files to delete, and then click OK.
*Jotti File Submission:*

Please go to  Jotti's malware scan

Copy and paste the following file paths into the *"File to upload & scan"*box on the top of the page one by one:

*C:\Windows\S2A81514B.tmp
C:\regxpcom.exe*

 Click on the submit button

 Please post the results in your next reply.


----------



## phantastic (Feb 16, 2008)

JS,
Did what you said with ie and did the disk clean up, then went to run the scan and the first file will not load because it is in use??? The second file loaded and after it scaned this is what it said.

File: regxpcom.exe 
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 0ca935807d52b6174c6d8f5eb4f5d9e4 
Packers detected: - 
Bit9 reports: No threat detected (more info)


----------



## JSntgRvr (Jul 1, 2003)

There is no malware in your computer. If Yieldmanager loads, is loading externally. You need to block it with a HOSTS file.

If you have not downloaded the MVP's HOSTS, follow these steps to modify the HOSTS file and add a block yieldmanager command:

Click on the Vista logo (used to be the "Start" button.
In the "Start Search" box type CMD or CMD.EXE.
Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER. 
You will be prompted by the UAC warning window. Click on CTRL+C or click on the "Continue" button.
Note that the CMD window has an "Administrator:" appended to the window title.
At the prompt type (rather copy and paste) the following command and press Enter afer each command:


```
ATTRIB +A -H -R -S %windir%\SYSTEM32\DRIVERS\ETC\HOSTS*.*
```
Leave the command window opened.

Open Notepad. Click on File -> Open copy and paste the following path as file to be opened:

*C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS*

Add the following lines to this file:


```
127.0.0.1  ad.yieldmanager.com
127.0.0.1  delb.myspace.com #[ad.yieldmanager.com]
127.0.0.1  content.yieldmanager.edgesuite.net
127.0.0.1  content.rmxads.com #[content.yieldmanager.com]
127.0.0.1  ad.yieldmanager.com #[Kephyr.PUP][MVPS.Criteria]
127.0.0.1  api.yieldmanager.com #[api.se.yieldmanager.com]
127.0.0.1  content.yieldmanager.com #[Panda.Spyware:Cookie/YieldManager]
127.0.0.1  my.yieldmanager.com #[Ewido.TrackingCookie.Yieldmanager]
127.0.0.1  adserver.00web.com #[ad.yieldmanager.com]
127.0.0.1  content.91s.com #[content.yieldmanager.com]
127.0.0.1  ad.adconsole.com #[ad.yieldmanager.com]
127.0.0.1  ad.ad-flow.com #[ad.yieldmanager.com]
127.0.0.1  content.ad-flow.com #[content.yieldmanager.com]
127.0.0.1  my.admedian.com #[my.yieldmanager.com]
127.0.0.1  ad.adtegrity.net #[ad.yieldmanager.com]
127.0.0.1  content.adtegrity.net #[content.yieldmanager.com]
127.0.0.1  my.adtegrity.net #[my.yieldmanager.com]
127.0.0.1  my.aim4media.com #[my.yieldmanager.com]
127.0.0.1  content.attune.com #[content.yieldmanager.com]
127.0.0.1  ad.axill.com #[ad.yieldmanager.com]
127.0.0.1  content.axill.com #[content.yieldmanager.com]
127.0.0.1  ad.bannerconnect.net #[ad.yieldmanager.com]
127.0.0.1  content.bannerconnect.net #[content.yieldmanager.com]
127.0.0.1  ym.bannerconnect.net #[my.yieldmanager.com]
127.0.0.1  ads.bigad.com #[ad.yieldmanager.com]
127.0.0.1  content.bigad.com #[content.yieldmanager.com]
127.0.0.1  adserving.budsinc.com #[ad.yieldmanager.com]
127.0.0.1  adserving.cpxinteractive.com #[ad.yieldmanager.com]
127.0.0.1  content.cpxinteractive.com #[content.yieldmanager.com]
127.0.0.1  ad.directanetworks.com #[ad.yieldmanager.com]
127.0.0.1  content.directanetworks.com #[content.yieldmanager.com]
127.0.0.1  media.fimnetwork.com #[ad.yieldmanager.com]
127.0.0.1  ad.firstadsolution.com #[ad.yieldmanager.com]
127.0.0.1  content.firstadsolution.com #[content.yieldmanager.com]
127.0.0.1  ad.globalinteractive.com #[ad.yieldmanager.com]
127.0.0.1  content.globalinteractive.com #[content.yieldmanager.com]
127.0.0.1  ad.greenmarquee.com #[ad.yieldmanager.com]
127.0.0.1  ad.iconadserver.com #[ad.yieldmanager.com]
127.0.0.1  my.iconadserver.com #[my.yieldmanager.com]
127.0.0.1  ad.ireit.com #[ad.yieldmanager.com]
127.0.0.1  content.ireit.com #[content.yieldmanager.com]
127.0.0.1  content.joetec.net #[content.yieldmanager.com]
127.0.0.1  ad.joinaxxess.com #[ad.yieldmanager.com]
127.0.0.1  content.joinaxxess.com #[content.yieldmanager.com]
127.0.0.1  ads-rm.looksmart.com #[ad.yieldmanager.com]
127.0.0.1  ad.marketingsector.com #[ad.yieldmanager.com]
127.0.0.1  content.marketingsector.com #[content.yieldmanager.com]
127.0.0.1  my.marketingsector.com #[my.yieldmanager.com]
127.0.0.1  ad.media-servers.net #[ad.yieldmanager.com]
127.0.0.1  content.media-servers.net #[content.yieldmanager.com]
127.0.0.1  my.media-servers.net #[my.yieldmanager.com]
127.0.0.1  ad.mediaprecision.net #[ad.yieldmanager.com]
127.0.0.1  my.mediaprecision.net #[my.yieldmanager.com]
127.0.0.1  ad.motiveinteractive.com #[ad.yieldmanager.com]
127.0.0.1  content.motiveinteractive.com
127.0.0.1  ad.oinadserver.com #[ad.yieldmanager.com][McAfee.Adware-ClickSpring]
127.0.0.1  ad.realcastmedia.com #[ad.yieldmanager.com]
127.0.0.1  content.realcastmedia.com #[content.yieldmanager.com]
127.0.0.1  my.realcastmedia.com #[my.yieldmanager.com]
127.0.0.1  ad.reduxmedia.com #[ad.yieldmanager.com]
127.0.0.1  content.reduxmedia.com #[content.yieldmanager.com]
127.0.0.1  ads.searchingbooth.com #[ad.yieldmanager.com]
127.0.0.1  adserver.sitesense.com #[ad.yieldmanager.com][Parking Service]
127.0.0.1  ad.valencemedia.com #[ad.yieldmanager.com]
127.0.0.1  content.valencemedia.com #[content.yieldmanager.com]
127.0.0.1  ad.yieldx.com #[ad.yieldmanager.com]
127.0.0.1  content.yieldx.com #[content.yieldmanager.com]
127.0.0.1  www.danworld.net #[content.yieldmanager.com]
```
Save the file.

Open the Command prompt window. Copy and paste the following command and press Enter:


```
ATTRIB +H +R +S %windir%\SYSTEM32\DRIVERS\ETC\HOSTS*.*
```
Type *Exit* and press Enter to return to Windows. Restart the computer

This is the only alternate way to block yieldmanager.


----------



## phantastic (Feb 16, 2008)

JS,
When I open the file C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS
there is something there I add the code like you said but when I try to save all I get is a window "Cannot create the C:\Windows\System32\drivers\ets\hosts file. Make sure that the path and file name are correct. ??? Am I doing something wrong????


----------



## JSntgRvr (Jul 1, 2003)

Windows VISTA will protect this file. Did you run the *Attrib* command as requested earlier? You will need to remove the Read Only, System and Hidden atributes before you can overwrite this file. So you must run the command (as an Administrator):

ATTRIB +A -H -R -S C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

Instructions were given earlier on this post.

*Updating the HOSTS file via the SendTo method *

The first step is to create a new shortcut in your SendTo folder. Open Windows Explorer to:

\Users\<username>\AppData\Roaming\Microsoft\Windows\SendTo

Note: where "<username>" is your login name

[or]

Start | Run (type) shell:sendto (click Ok)

Next: Right-click in the right pane and select: New > shortcut
In the next dialog box click Browse and navigate to:

*C:\Windows\System32\drivers\etc*

Click Ok and in the next dialog box name the shortcut (example) Update Hosts

In the future when you wish to update the HOSTS file, download the hosts file, extract the included files and right-click on the included updated HOSTS file and select: SendTo > Update Hosts

Everytime you will receive a prompt as you will need to grant permision to the Administrator to copy this file, and will be asked if you want to overwrite the file. Select That option.

I am enclosing a HOSTS file with the entries above. Use this file to overwrite the existing one. Once done, open the:

C:\Windows\System32\drivers\HOSTS

And confirm was overwritten.

See here for more options:

http://www.mvps.org/winhelp2002/hostsvista.htm


----------



## phantastic (Feb 16, 2008)

JS
Yes i did the attribute item, and fyi your code is different in both of your posts about it. second i can not create a new shortcut where you are asking me to but I can create a new folder??? What is going on???? I have tried several times to edit the host file now using HostsXpert from the link you had and I can not get it to change there????? Ok I think I have it with the help of hostman from the link

ok Why do I have so many back up files???? 
File contents:

C:\Windows\System32\drivers\etc
hosts date modified 3/5/2008 4:44 pm type file size 184 kb
hosts.20080203-222104.backup date modified 9/18/2006 3:41 pm type backup file 1kb
hosts.20080207-072823.backup date modified 2/3/2008 10:21 pm type backup file 220 kb
hosts.20080211-055802.backup date modified 2/7/2008 7:28 am type backup file 220 kb
hosts.20080216-183731.backup date modified 2/11/2008 5:58 am type backup file 220 kb
hosts.20080216-183822.backup date modified 2/16/2008 6:37 pm type backup file 220 kb
hosts.20080218-060840.backup date modified 2/16/2008 6:38 pm type backup file 220 kb
hosts.20080222-052603.backup date modified 2/18/2008 6:08 am type backup file 220 kb
hosts.20080222-052645.backup date modified 2/22/2008 5:26 am type backup file 220 kb
hosts.20080222-195703.backup date modified 2/22/2008 5:26 am type backup file 222 kb
HOSTS.bak date modified 3/5/2008 4:31 pm type bak file 176 kb
lmhosts.sam date modified 9/18/2006 3:41 pm type sam file 4 kb
networks date modified 9/18/2006 3:41 pm type file 1 kb
protocol date modified 9/18/2006 3:41 pm type file 2 kb
services date modified 9/18/2006 3:41 pm type file 17 kb

When I try to open the file C:\Windows\System32\drivers\HOSTS

I get this message
Windows cannot find 'C:\windows\system32\drivers\hosts'
make sure you typed the name correctly and then try again.


----------



## JSntgRvr (Jul 1, 2003)

Click on the Vista logo (used to be the "Start" button.
In the "Start Search" box type (Copy and paste) the following command.

```
CMD /C Attrib C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS >"%Userprofile%\Desktop\Getit.txt"
```

Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER. 
You will be prompted by the UAC warning window. Click on CTRL+C or click on the "Continue" button.
A new file will be created on your desktop, Getit.txt.
open this file in Notepad and post its contents.


----------



## phantastic (Feb 16, 2008)

A C:\Windows\SYSTEM32\DRIVERS\ETC\hosts


----------



## JSntgRvr (Jul 1, 2003)

phantastic said:


> A C:\Windows\SYSTEM32\DRIVERS\ETC\hosts


It should be easy to modify as it is set only as an Archive. VISTA however will play tricks on you.

Disable *UAC-User Account Control *(Please remember to re-enable it afterwards :

Click Start and then open Control Panel.
In the Control Panel, click User Accounts and Family Safety.
Click User Accounts.
Click Turn User Account Control on or off.

Open the HOSTS as before in Notepad. Copy and paste the lines I asked you recently to paste-in and save the file.


----------



## phantastic (Feb 16, 2008)

Ok did what you said an disabled uac and when I opened everything up the files were there, I copied over them and saved anyway, just to make sure. I turned uac back on and now when I check to make sure it is all there it is telling me again that the file doesn't exist???? But I know it is there!!! Is this where vista is trying to fool me?

Here is what the new getit files has in it
A SHR C:\Windows\SYSTEM32\DRIVERS\ETC\hosts


----------



## JSntgRvr (Jul 1, 2003)

Click on the Vista logo (used to be the "Start" button.
In the "Start Search" box Copy and paste the following.

CMD /C Start Notepad C:\Windows\SYSTEM32\DRIVERS\ETC\hosts

Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER. 
You will be prompted by the UAC warning window. Click on CTRL+C or click on the "Continue" button.

Notepad should open with the contents of the HOSTS file


----------



## phantastic (Feb 16, 2008)

The items you wanted me to put in there are there now, but I am still getting it in my history.


----------



## JSntgRvr (Jul 1, 2003)

Lets perform another scan.

Please do an online scan with Kaspersky WebScanner (Use internet Explorer)

Click on *Accept*

You will be promted to install an ActiveX component from Kaspersky, Click *Yes*.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on *NEXT
*
Now click on *Scan Settings*
In the scan settings make that the following are selected:
*Scan using the following Anti-Virus database:*

*Extended (if available otherwise Standard)*

*Scan Options:*

*Scan Archives
Scan Mail Bases*

Click *OK*
Now under select a target to scan:
Select *My Computer*

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the *Save as Text* button:

Save the file to your desktop.
Copy and paste that information in your next post.


----------



## phantastic (Feb 16, 2008)

Ok here it is


----------



## JSntgRvr (Jul 1, 2003)

*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 



> Folder::
> C:\Users\Chris\AppData\Local\Temp\NERO14399
> C:\Users\Chris\Desktop\Programs\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE












Once saved, referring to the picture above, drag *CFScript.txt * into *ComboFix.exe*, and post back the resulting reportalong with a Hijackthis log..


----------



## phantastic (Feb 16, 2008)

Here are the reports you asked for


----------



## phantastic (Feb 16, 2008)

Internet is very very slow now??? Some pages will not even load??? What happened????


----------



## JSntgRvr (Jul 1, 2003)

Seems that you are using your own fixes to resolve your problems, and if that is the case, then I wont be able to help you. I do not recognize the HOSTS file.


----------



## phantastic (Feb 16, 2008)

the only hosts file I have dealt with is yours! I have daily scans that run just about every day and you have been trying to help me with this porblem for 3-4 weeks now with one to 2 answeres a day that seem to get me nowhere. I still have the issue minus one part and you can't seem to find it. I have never changed a hosts file until you asked me to and I have only used this site to help me get that done!! If you don't want to help me then just tell me and I will go to some other site and get it. It looks to me that you have just run me in circles for a couple of weeks!


----------



## phantastic (Feb 16, 2008)

phantastic said:


> JS
> I have tried several times to edit the host file now using HostsXpert from the link you had and I can not get it to change there????? Ok I think I have it with the help of hostman from the link





> I am enclosing a HOSTS file with the entries above. Use this file to overwrite the existing one. Once done, open the:
> 
> C:\Windows\System32\drivers\HOSTS
> 
> ...


So tell me again how you don't recognize the hosts file when *you* told me to go here for more help. Do you not remember what you tell people?? Do you not read what the people you are helping post, do you just use your standard replies??? Maybe I need to find a site that is willing to help me?


----------



## phantastic (Feb 16, 2008)

Just thought you might want to know my hosts file looks like what you want now with the help of the link you gave me! I had to install hostman again and overwrite my hosts file which is not what I did last time!


----------



## phantastic (Feb 16, 2008)

Please close this post, and mark as not solved. I was refused help to finish solving this issue!


----------

