Stuck With Yield Manager

Status
Not open for further replies.

Fire Eagle

This Yield Manager and other stuff are starting to tick me off. Attached is my HijackThis log. I am very bad at understanding the other directions I have seen. If I could just find out what to do from here in a step by step process, that would be great. Thank you.
Please Oh Please. It's driving me crazy. WinFixer 2005 is messing with me too.
 
Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
On the main screen, click on Update in the left menu, then click the Start Update button.
After the Update finishes, the status bar at the bottom will display "Update successful".
Now close the program, don't scan yet!

If you have problems updating see here: http://www.ewido.net/en/download/updates/
==================================================================================

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


Now run the Ewido scan. Let the program delete what it finds.
You may have to reboot after Ewido is finished.
If so, re-boot in Safe Mode and continue from here.

Several of the following nasties may have gone already!
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
othb.exe
??erinit.exe
AutoUpdate.exe
filwdu.exe
bebivqj.exe
SAcc.exe
UWFX5LP_0001_0614NetInstaller.exe
qwidecod.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\ipee\othb.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe
C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\ipee\othb.exe
C:\WINDOWS\system32\??erinit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by24fd.bay24.hotmail.msn.com...d89e2b9d93eb80133bdaf681a&_lang=EN&country=US
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: (no name) - {958A92C2-795C-26F0-54F4-55D0585977E5} - C:\WINDOWS\system32\lblocc.dll
O2 - BHO: (no name) - {9C8A92B4-7929-22F3-54F7-59D0575477E5} - C:\WINDOWS\system32\lblocc.dll
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [8ejZRn2AJ] C:\WINDOWS\filwdu.exe
O4 - HKLM\..\Run: [bebivqj] C:\WINDOWS\bebivqj.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKCU\..\Run: [J0sERXJ8V] qwidecod.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

You had (or still have) the DownloadWare - autoupdate.exe infection.
The worst may have been removed by Ewido and my instructions above.

What Does it Do?
DownloadWare is scum of nearly every variety! It's adware, downloader, toolbar, search hijacker AND a trojan all rolled into one. This is installed using ActiveX by a number of questionable sites. It will download and install a number of various applications from its advertisers which will further mess up your system. There is truly no reason why you'll ever want to leave this trash on your system. Remove it NOW!

To remove it, FOLLOW THESE INSTRUCTIONS FROM: http://www.iamnotageek.com/a/393-p1.php

When you are done, boot normal. When all OK, switch System Restore back on.

GOOD LUCK
 
Big Problem

Just at that http://www.iamnotageek.com/a/393-p1.php link
I went to restart as posted and now my system goes to login and then it logs off...I'm on another computer at the moment. This is important! I cannot lose any of the stuff that is on this computer. I believe the popups are probably gone by now but I have no way to get onto my system through safe mode or normal mode.
 
The problem is NOT on that IANAG-website.
Are you sure you followed my instructions exactly?
I'm talking about this one:
C:\WINDOWS\system32\??erinit.exe

If you deleted userinit.exe instead of ??erinit.exe you'd have this problem.

There are a number of ways to fix this:
If you have dual-boot in that PC,
or you have a boot-floppy that has drivers to WRITE to NTFS,
or you temporarily put that harddisk in another PC,
you can copy that userinit.exe file back to C:\Windows\System32\ from:
your CD (extract \i386\userinit.ex_)
or from someone else's PC,
or from the directory \Windows\ServicePackFiles\i386 on your own harddisk.

Alternatively, you'll need to do a repair, as described in the sticky Read: How to repair... at the top of the Windows forum. A repair requires you to re-do all your updates again. Unless you have an XP-CD with slipstreamed SP2, you may even have to reapply SP2.
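The mix-up described in the reply above, as an added example that is not part of the original thread: a pre-deletion check that keeps genuine system files off a removal list and resolves a masked name such as `??erinit.exe` against a directory listing. The protect-list, the reading of `?` as an unprintable character, and the sample listing are assumptions made for this example.

```python
import fnmatch
import ntpath

# Assumption for this example: a short protect-list of logon-critical files.
PROTECTED = {"userinit.exe", "winlogon.exe", "explorer.exe"}

def classify(target):
    """Label one removal target: 'protected', 'lookalike-mask' or 'other'."""
    name = ntpath.basename(target).lower()
    if name in PROTECTED:
        return "protected"          # never belongs on a delete list
    # Assumption: '?' marks a character the log could not print, so the
    # entry is a pattern. Note the genuine file matches that pattern too.
    if "?" in name and any(fnmatch.fnmatchcase(p, name) for p in PROTECTED):
        return "lookalike-mask"
    return "other"

def resolve_mask(mask, listing):
    """Files in a directory listing that match the mask and are not protected."""
    pattern = ntpath.basename(mask).lower()
    return [f for f in listing
            if fnmatch.fnmatchcase(f.lower(), pattern)
            and f.lower() not in PROTECTED]

# Paths 1 and 2 are from the thread; path 3 is the file removed by mistake.
TARGETS = [
    r"C:\Program Files\ipee\othb.exe",
    r"C:\WINDOWS\system32\??erinit.exe",
    r"C:\WINDOWS\system32\userinit.exe",
]
# Constructed system32 listing; the second name uses two non-Latin letters.
LISTING = ["userinit.exe", "\u0443\u0455erinit.exe", "notepad.exe"]

if __name__ == "__main__":
    for t in TARGETS:
        print(f"{classify(t):15} {t}")
    print("safe to remove:", ascii(resolve_mask(TARGETS[1], LISTING)))
```

A target labelled `lookalike-mask` should only be deleted by the exact name that `resolve_mask` returns, never by typing the nearest familiar file name.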
 
That's what happened. I'm sure of that. I did not know the name was ??erinit.exe and not userinit.exe
Please explain what you mean in further detail.
I would like to do the
"copy the userinit.exe file back to C:\Windows\System32\ from CD (extract \i386\userinit.ex_)"

I tried copying it via dos mode. I received the message "Access Denied".
 
I thought you could not boot?
Anyway the proper command for that would be:
expand X:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
or
expand X:\i386\userinit.ex_ A:\userinit.exe if you want it on a floppy.

where X = CD/DVD
 
I went and booted from the "Operating System CD" that came with the computer. (my CD\DVD drive is set to D:\)
This is what I did and the computer responses:

expand D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
Unable to create file userinit.exe
0 file(s) expanded.

I had tried previously to copy from inside the i386 file and then tried copying from the outside with the same names you set for expand:
COPY D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
1 file(s) copied.

Now I'm having a password problem heh. It's getting better...I think...
I went into the CD using F8 when the _ is blinking.
After the CD loaded, I hit enter to set up Windows.
I agreed, then hit R for Repair.
Still running repair
 
The copy on your C-drive is the unexpanded .ex_ with the .exe file-type.
Delete it, then try expand again.
But you probably will have to finish the repair.
 
After deleting, I got the same response:

expand D:\i386\userinit.ex_ C:\Windows\System32\userinit.exe
Unable to create file userinit.exe
0 file(s) expanded.
 
I cannot go that deep into the computer. The farthest I can get into the computer is dos mode. I cannot logon to the computer, hence I cannot place anything on my system other than the stuff on the disk through the dos prompts.
 
As I said before, put that HD in another PC that has XP, then delete/transfer from there.
Unless you get NTFS drivers to read(free) and write(paid-for) under DOS or from floppy, you have NO other possibility!
 
I'm really sorry for not understanding this so easily. I already deleted the file userinit.exe from the computer. Ok I'm gonna start somewhat as if I haven't done anything...My userinit.exe file is gone... When I start up the system...the system gets to the welcome screen after already trying to logon automatically. Manually I click logon and there is a prompt that then it logs off again. I don't have a floppy drive on my computer (laptop), and I have no idea how to take anything on or off of it. I have a phone jack, an ethernet jack, and a CD Burner. I just don't know what is available to me at the moment.
 
Using the info from this webpage http://www.cgsecurity.org/index.html?ntfs.html
have someone burn a selfbooting CD or CDRW with those mentioned drivers AND a full version of userinit.exe. Userinit was updated in SP1 or SP2, so burn both versions (each in its own directory if you like) just in case.
original: size=21,505 date=23-08-2001
update: size=24,576 date=04-08-2004

Then boot your laptop from it and copy the file.
Otherwise open laptop, remove HD, get 2.5" to 3.5" adapter and stick HD in a PC with XP, to copy the file.
 
:confused: I do not see what the mentioned drivers are. I believe the burner works on this other computer. I know it's hard to get it through to my thick skull but if you put it really REALLY simple.
 
The NTFS drivers as mentioned in that cgsecurity link.
But forget about the above, just realised it's only for floppy, and a bit convoluted.

Instead go to http://www.bootdisk.com/popfiles.htm
It'll cost you $4.00 via paypal, but gives you exactly what you need.
Get every file as mentioned there (probably all included in one big zip-file), and before you burn the NTFS boot-CD, add the USERINIT files to the source from where you burn.
Get someone in the know to help you if necessary, I can't hold your hand while you do it.

If you know someone with the same laptop that has a floppy-drive, borrow that and make a floppy with this free download:
http://www.datapol-technologies.com/dpe/freeware/index.html
Copy userinit on it, boot from floppy and copy userinit to the laptop HD.
 
I apologize for this but I could not do what you said in the previous message and the compaq tech support said after I went through all the other ways of trying to repair the system, "the only other option is to full restore".
Yes, I erased everything. Sigh...I regret to inform you of all of this. I do however have some good news. I guess I must have hit a popup that snuck in when I was clicking the window. So the previous information should help me. The Laptop is running again though I have no idea how long it will last :eek: . Anyway...thanks.
 
Sorry to hear about that.
To prevent more of the same in future, go to this website and get the latest HOSTS file from http://www.mvps.org/winhelp2002/hosts.htm
You copy that into c:\windows\system32\drivers\etc
The file HOSTS has no extension. It will stop you getting anywhere near dubious sites and has the added benefit of suppressing a lot of ads as well.
And most of all, do NOT use IE anymore, its ActiveX is the main cause of all these problems!
Go to www.getfirefox.com and install AND USE FireFox from now on.
Use IE strictly for Windows updates, nothing else!

PS: look around for someone with a floppydrive that you could borrow, just in case!
 
I know about the use of FireFox but I was wondering how good is it to switch to Netscape instead of FireFox/Mozilla? Also I notice there is another hosts file here..."This folder already contains a file named 'HOSTS'. Would you like to replace the existing file 734 bytes with this one? 298 KB"
 
I don't know Netscape.
I DO know there's nothing wrong with Firefox.
And yes, replace that HOSTS file with the new larger file.
 
Thank you

I think it's back to normal...Netscape is using FireFox in some way...anyway thank you. Definitely warn people NEVER DELETE "userinit.exe". Thanks again.
 