Ericks
Level 7

How can I remove 'Yadaying' ?

I have a problem that McAfee did not identify, and to be fair, neither has any scanner I've tried.  What I noticed first was my CPU was pegged at 100% all the time.  McAfee firewall and virus scanner were using about 50 - 80% of the CPU and I concluded something was wrong with those apps.  The more I track this problem, the more likely it is that they are working overtime because of 'Yadaying' (real time scanning is on). I have tried to look at everything I can think of based on past problems and don't see anything out of the ordinary.  Registry scans are OK.  Malwarebytes scan is clean. I tried to run a McAfee virus scan.  In 24 hours it completed 18%.  Found no problem up to that point.

Symptoms I am seeing:

I use Firefox, but task manager shows 2 instances of IEXPLORER running

I get random IE popups

I get random sounds (like 'You won!')

CPU pegs out at 100%

Every app runs slow ... Very slow.

I noticed yesterday that Windows thinks I have no firewall or virus software.  Security Center seems fine and is running.

I cancelled IE from task manager and then looked at my router log.  After each cancel, I see a call to www.yadaying.com.  Excerpt:

  1|Thu Jul 22 19:57:54 2010      |192.168.0.5     | FORWARD
     ext.tyroo.com
  2|Thu Jul 22 19:57:52 2010      |192.168.0.5     | FORWARD
     www.arcadelevels.com
  3|Thu Jul 22 19:57:44 2010      |192.168.0.5     | BLOCK_KEYWORD
     ad.yieldmanager.com
  4|Thu Jul 22 19:57:27 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
  5|Thu Jul 22 19:57:25 2010      |192.168.0.5     | FORWARD
     ad.globe7.com
  6|Thu Jul 22 19:57:25 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
  7|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.globe7.com
  8|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
  9|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
 10|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.globe7.com
 11|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
 12|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
 13|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.globe7.com
 14|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
 15|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
 16|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
 17|Thu Jul 22 19:57:23 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
 18|Thu Jul 22 19:57:19 2010      |192.168.0.5     | FORWARD
     www.yadaying.com

I have been unsuccessful in finding any discussion on how to identify and remove this.  As a minimum I blocked yadaying.com at my router with keyword blocking.  I imagine whatever is running on my computer will still take cycles trying to reach yadaying.

Any ideas as to what has infected my computer and what is the remedy?

WinXP SP3

IE7 (which I rarely use)

Security Center 2010

Eric

0 Kudos
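The pattern Eric reads out of his router log (a request to www.yadaying.com, then a burst of ad-network hosts a few seconds later, repeated each time IE is killed) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from McAfee or the router vendor. It parses the router's two-line layout (entry number, timestamp, LAN source and action on one line, destination host on the next), orders the entries oldest-first, counts destinations, and for each hit on an assumed watchlist (here just yadaying.com, the domain Eric blocked) lists every other destination the same LAN address tried to reach in the following 60 seconds. The sample log is constructed from a subset of the entries quoted above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the router's own layout: entry number, timestamp,
# LAN source and action on one line, destination host on the next. The
# hosts and timestamps are a subset of the log quoted in the post.
SAMPLE_LOG = """\
 1|Thu Jul 22 19:57:54 2010      |192.168.0.5     | FORWARD
     ext.tyroo.com
 2|Thu Jul 22 19:57:52 2010      |192.168.0.5     | FORWARD
     www.arcadelevels.com
 3|Thu Jul 22 19:57:44 2010      |192.168.0.5     | BLOCK_KEYWORD
     ad.yieldmanager.com
 4|Thu Jul 22 19:57:27 2010      |192.168.0.5     | FORWARD
     ad.admediaprovider.com
 5|Thu Jul 22 19:57:25 2010      |192.168.0.5     | FORWARD
     ad.globe7.com
 6|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
     ad.reduxmedia.com
 7|Thu Jul 22 19:57:19 2010      |192.168.0.5     | FORWARD
     www.yadaying.com
"""

# Watchlist assumed for the example: the domain the poster blocked at the router.
WATCHLIST = {"yadaying.com"}

ENTRY_RE = re.compile(r"^\s*(\d+)\|(.+?)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_log(text):
    """Pair each header line with the host line that follows it and return
    the entries oldest-first (the router prints newest first)."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            num, stamp, src, action = m.groups()
            pending = {"num": int(num), "time": datetime.strptime(stamp, TIME_FMT),
                       "src": src, "action": action}
        elif pending is not None and line.strip():
            pending["host"] = line.strip()
            entries.append(pending)
            pending = None
    return sorted(entries, key=lambda e: e["time"])


def on_watchlist(host):
    """True for a watchlisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def destinations_by_host(entries):
    """How many times each destination was requested, whether forwarded or blocked."""
    return Counter(e["host"] for e in entries)


def burst_after_watchlist_hits(entries, window_s=60):
    """For every watchlist hit, collect the other destinations the same LAN
    address tried to reach within window_s seconds afterwards. A long list
    right after the hit is the 'call home, then fetch ads' pattern."""
    hits = []
    for i, e in enumerate(entries):
        if not on_watchlist(e["host"]):
            continue
        deadline = e["time"] + timedelta(seconds=window_s)
        followers = {f["host"] for f in entries[i + 1:]
                     if f["src"] == e["src"] and f["time"] <= deadline}
        hits.append({"time": e["time"], "src": e["src"],
                     "host": e["host"], "followers": sorted(followers)})
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for host, n in destinations_by_host(log).most_common():
        print(f"{n:3d}  {host}")
    for hit in burst_after_watchlist_hits(log):
        print(f"\n{hit['time']}  {hit['src']} -> {hit['host']}")
        print("  followed within 60 s by:", ", ".join(hit["followers"]))
```

Run against the full log from the post, the watchlist hit at 19:57:19 is followed by six distinct destinations inside the window; on a quiet machine the same check returns an empty list, which makes it a usable before/after comparison once the cleanup steps later in the thread have been applied.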
1 Solution

Accepted Solutions
exbrit
Level 21

Re: How can I remove 'Yadaying' ?

Moved to Malware Discussions > Home User Assistance for better attention.

Follow the required reading here:  http://community.mcafee.com/docs/DOC-1294

If that doesn't help then download, install, update (very important) and run the FREE version of THIS software and let it remove everything it finds.  Reboot if asked to after the scan.

Note: all of the previous line's instructions can be achieved in "Safe Mode with Networking" if for some reason the malware prevents normal mode functions.  You can reach that by tapping F8 repeatedly while booting up and selecting that option from the menu that presents itself.

(Usually item #2 on that menu).

0 Kudos
14 Replies
exbrit
Level 21

Re: How can I remove 'Yadaying' ?

By the way part of a secure Windows system is an up to date Internet Explorer because whether or not you use it, many applications do, including the McAfee interface.  Please update Internet Explorer to IE8 HERE a.s.a.p. and then go to Microsoft Updates and install both critical and non-critical updates.  Especially with an older system such as XP it's vital that everything is slap-bang up to date.

I suggest you do this as soon as you are satisfied that the above "infection" is cleared.

Message was edited by: Ex_Brit on 23/07/10 8:02:18 EDT AM
0 Kudos
Ericks
Level 7

Re: How can I remove 'Yadaying' ?

Both look like good recommendations.  I'll try this evening when I get home.

I toyed with the upgrade to IE8.  I am gun-shy since the last time I did it, IE8 choked my PC.  I tried to remove it via a previous Restore Point, but that only made it worse and I spent a week backing up and rebuilding my PC.  I opted to only reload IE7.  I was wondering if I was going to have to try it again.

Thanks for the insight and I'll let you know what I find.

Eric

0 Kudos
exbrit
Level 21

Re: How can I remove 'Yadaying' ?

It shouldn't cause an issue on a clean machine, especially if you already have installed IE7.  Perhaps try uninstalling that first if listed in Add or Remove Programs?

Tips on installing IE8 can be found on various sites....such as...

http://support.microsoft.com/kb/949220

http://www.microsoft.com/windows/internet-explorer/support/faq.aspx

There are also a lot of general XP tips and tweaks here: http://www.kellys-korner-xp.com/xp.htm

Message was edited by: Ex_Brit on 23/07/10 9:30:22 EDT AM
0 Kudos
Ericks
Level 7

Re: How can I remove 'Yadaying' ?

What I found:

I had started a scan from Ad-Aware the previous night and let it run.  It found 12 cookies it didn't like, errornuker and a dvd player install.exe.  After reboot, system was better, but not great.

Items fixed:

     1) My MS no firewall/virus notification cleared

     2) auto update completed a download (IE7)

     3) installed updates

I rebooted again and after bootup, CPU usage dropped and IE did not launch.

I opted to proceed with your recommendations to further check and verify.

     1) McAfee was up to date and all apps green

     2) Auto updates was on

     3) ran Scan in safe mode - no items found

     4) ran Stinger - found Exploit-CVE-2010-2568 and removed

     5) reboot

     6) installed IE8

     7) reboot

     8) CPU pegged at 100% for 5-10 minutes, then calmed down somewhat

          Apps using 80% in fluctuating percent - McSvHost.exe / mcshield.exe / mfefire.exe

          I also noticed that IE has launched again.  Is this normal and what on earth would it be doing if I never launch the app?

          Even though the CPU is 100%, it is still a bit more responsive, not as slow to respond as before.

After my last rebuild, my CPU usage after boot and w/o launching apps hovered between 2 and 10% with an occasional spike to 60 - 80%.  I'm assuming that is my benchmark.  It looks like if the McAfee apps weren't using so many resources it would be closer to normal.

Any other insights or things to check?

0 Kudos
exbrit
Level 21

Re: How can I remove 'Yadaying' ?

Not too sure what to suggest.

Did you act on part 2 of my suggestion?

If that doesn't help then download, install, update (very important) and run the FREE version of THIS software and let it remove everything it finds.  Reboot if asked to after the scan.

Note: all of the previous line's instructions can be achieved in "Safe Mode with Networking" if for some reason the malware prevents normal mode functions.  You can reach that by tapping F8 repeatedly while booting up and selecting that option from the menu that presents itself.

(Usually item #2 on that menu).

0 Kudos
Ericks
Level 7

Re: How can I remove 'Yadaying' ?

Still checking....  System seemed to hang, so I rebooted....

IE still launches and got a new popup. This time, instead of launching in the background, this one did full screen and made it active on top.

0 Kudos
exbrit
Level 21

Re: How can I remove 'Yadaying' ?

Malwarebytes can be loaded, updated and run in Safe Mode with Networking as I stated, that might help.

The only other things that I can suggest are either to post a Hijackthis log on one of the following forums or go for the paid virus removal service, but you shouldn't need to do the latter.

DOWNLOAD HIJACKTHIS

Do not post Hijackthis logs here, we can't help with  those!

Post the logs at a specialist Forum:

AUMHA FORUM

BLEEPING COMPUTER FORUM

MAJOR GEEKS FORUM

MALWAREBYTES FORUM

MALWARE REMOVAL FORUM

SPYWAREHAMMER FORUM

SPYWARE INFO FORUM

WHAT THE TECH FORUM

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

0 Kudos
Ericks
Level 7

Re: How can I remove 'Yadaying' ?

For Malwarebytes, that was my first choice.  I ran that last week and it did find one problem.

I ran again for grins and it came back with 0 problems found.

I tried HijackThis before posting and found two unnamed items that looked suspicious.  Deleted those.  No difference.  Everything else looked plausible.

I read another thread that suggests it might be something that worked its way into the MBR and would need a bootkit remover to get rid of it.  It seems like a logical explanation of why the scans don't find anything.  I ran the check and the program found an unidentified and received 'Unknown boot code has been found on some of your physical disks.'  I have yet to run it with the 'fix' option.

http://www.computerhope.com/forum/index.php?PHPSESSID=3a615fa1b1e9a0bf61d76d5675bea429&topic=107021....

I have never used a bootkit remover and am real skeptical.  The fail-safe if it messed up my PC is to load the OS install disk, start the MS Recovery Console and run the fixmbr command.  My question is 'should I just try that?'

I'll keep looking in the meantime.

0 Kudos
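The 'Unknown boot code has been found' warning Eric quotes is, at bottom, a comparison of the first sector's boot-code region against what the scanner expects to see there. The script below is an added example (not the scanner's logic, not Microsoft's, and not code from the thread) that shows the structure of that check on a classic 512-byte MBR: verify the 0x55AA signature, hash the 440-byte boot-code region, list the partition entries, and report whether the hash matches a baseline recorded when the machine was known clean. The 'clean' and 'tampered' sectors, the partition table and the baseline are all constructed inline so the example runs without touching a disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code is bytes 0..439; disk signature and padding follow
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510            # 0x55 0xAA boot signature
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, partitions):
    """Assemble a 512-byte sector from constructed pieces (test data, not a
    real disk). CHS fields are left zero because only LBA is inspected."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        sector[off:off + PART_ENTRY_LEN] = struct.pack(
            PART_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def has_boot_signature(sector):
    """A sector without 0x55AA at offset 510 is not a valid MBR at all."""
    return len(sector) == SECTOR_SIZE and sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA"


def parse_mbr(sector):
    """Validate the signature, hash the boot code and list the used partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_is_known(sector, known_good):
    """The check an 'unknown boot code' warning boils down to: does the hash
    of the boot-code region match a baseline taken from a known-clean disk?"""
    return parse_mbr(sector)["boot_code_sha256"] in known_good


# Constructed "clean" boot code (an arbitrary byte pattern, not real loader
# code) and a one-partition table: bootable NTFS (type 0x07) starting at LBA 63.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 435
PARTITIONS = [(0x80, 0x07, 63, 20_000_000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# Baseline as it would have been recorded from the clean image.
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}
# The same disk with its boot code replaced: the partition table is untouched,
# so Windows still boots and the volume still mounts, but the hash no longer
# matches, which is exactly why a file-level scan of C: finds nothing.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x58" + bytes(438), PARTITIONS)


if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        verdict = "matches baseline" if boot_code_is_known(mbr, KNOWN_GOOD) else "UNKNOWN boot code"
        print(f"{label:9s} boot code sha256={info['boot_code_sha256'][:16]}...  {verdict}")
        for p in info["partitions"]:
            print(f"          entry {p['index']}: type 0x{p['type']:02X} "
                  f"bootable={p['bootable']} lba={p['lba_start']} sectors={p['sectors']}")
```

On a real machine the sector would come from the physical drive device (on Windows, `\\.\PhysicalDrive0`, opened with administrator rights) and the baseline from a sector image saved while the system was known clean; without such a baseline the best a tool can do is compare against the standard loader code it knows, which is why the scanner's wording is 'unknown' rather than 'infected'. Rewriting the sector with `fixmbr` replaces only the boot-code region and leaves the partition table in place, so a partition listing taken before and after should be identical.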