TechSpot

Stuck With Yield Manager

By Fire Eagle
Jul 13, 2005
Topic Status:
Not open for further replies.
  1. This Yield Manager and other stuff are starting to tick me off. Attached is my HijackThis log. I am very bad at understanding the other directions I have seen. If I could just find out what to do from here in a step by step process, that would be great. Thank you.
    Please Oh Please. It's driving me crazy. WinFixer 2005 is messing with me too.
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
    On the main screen, click on Update in the left menu, then click the Start Update button.
    After the Update finishes, the status bar at the bottom will display "Update successful".
    Now close the program, don't scan yet!

    If you have problems updating see here: http://www.ewido.net/en/download/updates/
    ==================================================================================

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


    Now run the Ewido scan. Let the program delete what it finds.
    You may have to reboot after Ewido is finished.
    If so, re-boot in Safe Mode and continue from here.

    Several of the following nasties may have gone already!
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
    othb.exe
    ??erinit.exe
    AutoUpdate.exe
    filwdu.exe
    bebivqj.exe
    SAcc.exe
    UWFX5LP_0001_0614NetInstaller.exe
    qwidecod.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\ipee\othb.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\SurfAccuracy\SAcc.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe
    C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\Program Files\ipee\othb.exe
    C:\WINDOWS\system32\??erinit.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by24fd.bay24.hotmail.msn.com...d89e2b9d93eb80133bdaf681a&_lang=EN&country=US
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
    O2 - BHO: (no name) - {958A92C2-795C-26F0-54F4-55D0585977E5} - C:\WINDOWS\system32\lblocc.dll
    O2 - BHO: (no name) - {9C8A92B4-7929-22F3-54F7-59D0575477E5} - C:\WINDOWS\system32\lblocc.dll
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [8ejZRn2AJ] C:\WINDOWS\filwdu.exe
    O4 - HKLM\..\Run: [bebivqj] C:\WINDOWS\bebivqj.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe"
    O4 - HKCU\..\Run: [J0sERXJ8V] qwidecod.exe
    O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

    You had (or still have) the DownloadWare - autoupdate.exe infection.
    The worst may have been removed by Ewido and my instructions above.

    What Does it Do?
    DownloadWare is scum of nearly every variety! It's adware, downloader, toolbar, search hijacker AND a trojan all rolled into one. This is installed using ActiveX by a number of questionable sites. It will download and install a number of various applications from its advertisers which will further mess up your system. There is truly no reason why you'll ever want to leave this trash on your system. Remove it NOW!

    To remove it, FOLLOW THESE INSTRUCTIONS FROM: http://www.iamnotageek.com/a/393-p1.php

    When you are done, boot normal. When all OK, switch System Restore back on.

    GOOD LUCK
  3. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    Big Problem

    Just at that http://www.iamnotageek.com/a/393-p1.php link
    I went to restart as posted and now my system goes to login and then it logs off...I'm on another computer at the moment. This is important! I cannot lose any of the stuff that is on this computer. I believe the popups are probably gone by now but I have no way to get onto my system through safe mode or normal mode.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    The problem is NOT on that IANAG-website.
    Are you sure you followed my instructions exactly?
    I'm talking about this one:
    C:\WINDOWS\system32\??erinit.exe

    If you deleted userinit.exe instead of ??erinit.exe you'd have this problem.

    There are a number of ways to fix this:
    If you have dual-boot in that PC,
    or you have a boot-floppy that has drivers to WRITE to NTFS,
    or you temporarily put that harddisk in another PC,
    you can copy that userinit.exe file back to C:\Windows\System32\ from:
    your CD (extract \i386\userinit.ex_)
    or from someone else's PC,
    or from the directory \Windows\ServicePackFiles\i386 on your own harddisk.

    Alternatively, you'll need to do a repair, as described in the sticky Read: How to repair... at the top of the Windows forum. A repair requires you to re-do all your updates again. Unless you have an XP-CD with slipstreamed SP2, you may even have to reapply SP2.
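The mix-up described in the post above (removing userinit.exe when the instruction named the look-alike ??erinit.exe) can be caught by checking a removal list before anything is deleted. The sketch below is an added example, not part of the original thread: the function names and the short PROTECTED set are assumptions made for illustration, and the sample paths are taken from the HijackThis list earlier in the thread.

```python
import ntpath

# Illustrative sample of files Windows needs to boot or log on.
# Assumption for this example; not a complete list.
PROTECTED = {"userinit.exe", "winlogon.exe", "explorer.exe",
             "svchost.exe", "lsass.exe"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_target(path):
    """Return (kind, matched_system_name) for one path on a removal list."""
    name = ntpath.basename(path).lower()
    if name in PROTECTED:
        return ("protected", name)       # the genuine file: never delete
    for real in sorted(PROTECTED):
        if edit_distance(name, real) <= 2:
            return ("look-alike", real)  # imitates a system file name
    return ("other", None)


def plan_removal(paths):
    """Split a removal list into entries to queue and entries to refuse."""
    queue, refuse = [], []
    for p in paths:
        kind, real = classify_target(p)
        (refuse if kind == "protected" else queue).append((p, kind, real))
    return queue, refuse


if __name__ == "__main__":
    sample = [r"C:\WINDOWS\system32\??erinit.exe",
              r"C:\WINDOWS\system32\userinit.exe",
              r"C:\WINDOWS\filwdu.exe"]
    queue, refuse = plan_removal(sample)
    print("queue: ", queue)
    print("refuse:", refuse)
```

A look-alike entry stays on the removal queue but is labelled with the system file it imitates, so the two names can be compared character by character before acting.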
  5. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    That's what happened. I'm sure of that. I did not know the name was
    ??erinit.exe and not userinit.exe
    Please explain what you mean in further detail.
    I would like to do the
    "copy the userinit.exe file back to C:\Windows\System32\ from CD (extract \i386\userinit.ex_)"

    I tried copying it via DOS mode. I received the message "Access Denied".
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    I thought you could not boot?
    Anyway the proper command for that would be:
    expand X:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
    or
    expand X:\i386\userinit.ex_ A:\userinit.exe if you want it on a floppy.

    where X = CD/DVD
  7. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    I went and booted from the "Operating System CD" that came with the computer. (my CD\DVD drive is set to D:\)
    This is what I did and the computer responses:

    expand D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
    Unable to create file userinit.exe
    0 file(s) expanded.

    I had tried previously to copy from inside the i386 file and then tried copying from the outside with the same names you set for expand:
    COPY D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
    1 file(s) copied.

    Now I'm having a password problem heh. It's getting better...I think...
    I went into the CD using F8 when the _ is blinking.
    After the CD loaded, I hit Enter to set up Windows.
    I agreed, then hit R for Repair.
    Still running repair.
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    The copy on your C-drive is the unexpanded .ex_ with the .exe file-type.
    Delete it, then try expand again.
    But you probably will have to finish the repair.
  9. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    After deleting, I got the same response:

    expand D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
    Unable to create file userinit.exe
    0 file(s) expanded.
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  11. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    I cannot go that deep into the computer. The farthest I can get into the computer is DOS mode. I cannot log on to the computer, hence I cannot place anything on my system other than the stuff on the disk through the DOS prompts.
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    As I said before, put that HD in another PC that has XP, then delete/transfer from there.
    Unless you get NTFS drivers to read(free) and write(paid-for) under DOS or from floppy, you have NO other possibility!
  13. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    I'm really sorry for not understanding this so easily. I already deleted the file userinit.exe from the computer. OK, I'm gonna start somewhat as if I haven't done anything...My userinit.exe file is gone... When I start up the system...the system gets to the welcome screen after already trying to log on automatically. Manually I click logon and there is a prompt and then it logs off again. I don't have a floppy drive on my computer (laptop), and I have no idea how to take anything on or off of it. I have a phone jack, an Ethernet jack, and a CD burner. I just don't know what is available to me at the moment.
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Using the info from this webpage http://www.cgsecurity.org/index.html?ntfs.html
    have someone burn a selfbooting CD or CDRW with those mentioned drivers AND a full version of userinit.exe. Userinit was updated in SP1 or SP2, so burn both versions (each in its own directory if you like) just in case.
    original: size=21,505 date=23-08-2001
    update: size=24,576 date=04-08-2004

    Then boot your laptop from it and copy the file.
    Otherwise open laptop, remove HD, get 2.5" to 3.5" adapter and stick HD in a PC with XP, to copy the file.
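A plain COPY of userinit.ex_ to userinit.exe, as discussed earlier in the thread, leaves a compressed file under an executable name, and the sizes quoted in the post above give a second check on the restored copy. The sketch below is an added example, not part of the original thread: it inspects the leading bytes (SZDD, KWAJ and MSCF are the standard signatures of Microsoft's compressed and cabinet formats, MZ/PE that of an expanded executable) and compares the length with the two sizes from the thread. The function names are assumptions and the sample bytes are constructed.

```python
import struct

# First four bytes of the compressed containers found on setup media.
COMPRESSED = {
    b"SZDD": "SZDD-compressed (not expanded)",
    b"KWAJ": "KWAJ-compressed (not expanded)",
    b"MSCF": "cabinet-compressed (not expanded)",
}

# Sizes quoted in the thread for the two userinit.exe versions.
KNOWN_SIZES = {21505: "original (23-08-2001)", 24576: "update (04-08-2004)"}


def classify(data):
    """Identify the file type from its leading bytes."""
    label = COMPRESSED.get(data[:4])
    if label:
        return label
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an executable"
    # The DOS header stores the offset of the PE signature at 0x3C.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        return "MZ header without PE signature"
    return "expanded PE executable"


def check_userinit(data):
    """Return (usable, reason) for a candidate userinit.exe."""
    kind = classify(data)
    if kind != "expanded PE executable":
        return False, kind
    note = KNOWN_SIZES.get(len(data), "size not one of the two in the thread")
    return True, f"{kind}, {note}"


def make_sample_pe(size):
    """Constructed sample: a minimal MZ/PE header padded to `size` bytes."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Constructed inputs: an expanded file and a renamed compressed one.
    print(check_userinit(make_sample_pe(24576)))
    print(check_userinit(b"SZDD\x88\xf0\x27\x33" + bytes(100)))
```

On a real disk, pass the function the bytes read from the restored file, for example `open(path, "rb").read()`.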
  15. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    :confused: I do not see what the mentioned drivers are. I believe the burner works on this other computer. I know it's hard to get it through to my thick skull but if you put it really REALLY simple.
  16. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    The NTFS drivers as mentioned in that cgsecurity link.
    But forget about the above, just realised it's only for floppy, and a bit convoluted.

    Instead go to http://www.bootdisk.com/popfiles.htm
    It'll cost you $4.00 via paypal, but gives you exactly what you need.
    Get every file as mentioned there (probably all included in one big zip-file), and before you burn the NTFS boot-CD, add the USERINIT files to the source from where you burn.
    Get someone in the know to help you if necessary, I can't hold your hand while you do it.

    If you know someone with the same laptop that has a floppy-drive, borrow that and make a floppy with this free download:
    http://www.datapol-technologies.com/dpe/freeware/index.html
    Copy userinit on it, boot from floppy and copy userinit to the laptop HD.
  17. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    I apologize for this but I could not do what you said in the previous message and the Compaq tech support said after I went through all the other ways of trying to repair the system, "the only other option is to full restore"
    Yes, I erased everything. Sigh...I regret to inform you of all of this. I do however have some good news. I guess I must have hit a popup that snuck in when I was clicking the window, so the previous information should help me. The laptop is running again though I have no idea how long it will last :eek:. Anyway...thanks.
  18. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Sorry to hear about that.
    To prevent more of the same in future, go to this website and get the latest HOSTS file from http://www.mvps.org/winhelp2002/hosts.htm
    You copy that into c:\windows\system32\drivers\etc
    The file HOSTS has no extension. It will stop you getting anywhere near dubious sites and has the added benefit of suppressing a lot of ads as well.
    And most of all, do NOT use IE anymore, its ActiveX is the main cause of all these problems!
    Go to www.getfirefox.com and install AND USE FireFox from now on.
    Use IE strictly for Windows updates, nothing else!

    PS: look around for someone with a floppydrive that you could borrow, just in case!
  19. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    I know about the use of FireFox but I was wondering how good is it to switch to Netscape instead of FireFox/Mozilla? Also I notice there is another hosts file here..."This folder already contains a file named 'HOSTS'. Would you like to replace the existing file 734 bytes with this one? 298 KB"
  20. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    I don't know Netscape.
    I DO know there's nothing wrong with Firefox.
    And yes, replace that HOSTS file with the new larger file.
  21. Fire Eagle

    Fire Eagle Newcomer, in training Topic Starter

    Thank you

    I think it's back to normal...Netscape is using FireFox in some way...anyway thank you. Definitely warn people NEVER DELETE "userinit.exe". Thanks again.