14 Replies. Latest reply on Aug 5, 2010 5:00 AM by Peter M

    How can I remove 'Yadaying' ?

      I have a problem that McAfee did not identify, and to be fair, any scanner I've tried has not as well.  What I noticed first was my CPU was pegged at 100% all the time.  McAfee firewall and virus scanner were using about 50 - 80% of the CPU and I concluded something was wrong with those apps.  The more I track this problem, the more likely it is that they are working overtime because of 'Yadaying' (real-time scanning is on).  I have tried to look at everything I can think of based on past problems and don't see anything out of the ordinary.  Registry scans are OK.  Malwarebytes scan is clean.  I tried to run a McAfee virus scan.  In 24 hours it completed 18%.  Found no problem up to that point.

       

      Symptoms I am seeing:

       

      I use Firefox, but task manager shows 2 instances of IEXPLORER running

      I get random IE popups

      I get random sounds (like 'You won!')

      CPU pegs out at 100%

      Every app runs slow ... Very slow.

      I noticed yesterday that windows thinks I have no firewall or virus software.  Security center seems fine and is running.

      I cancelled IE from task manager and then looked at my router log.  After each cancel, I see a call to www.yadaying.com.  Excerpt:

         1|Thu Jul 22 19:57:54 2010 |192.168.0.5 | FORWARD        ext.tyroo.com
         2|Thu Jul 22 19:57:52 2010 |192.168.0.5 | FORWARD        www.arcadelevels.com
         3|Thu Jul 22 19:57:44 2010 |192.168.0.5 | BLOCK_KEYWORD  ad.yieldmanager.com
         4|Thu Jul 22 19:57:27 2010 |192.168.0.5 | FORWARD        ad.admediaprovider.com
         5|Thu Jul 22 19:57:25 2010 |192.168.0.5 | FORWARD        ad.globe7.com
         6|Thu Jul 22 19:57:25 2010 |192.168.0.5 | FORWARD        ad.reduxmedia.com
         7|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.globe7.com
         8|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.admediaprovider.com
         9|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.reduxmedia.com
        10|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.globe7.com
        11|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.admediaprovider.com
        12|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.reduxmedia.com
        13|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.globe7.com
        14|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.reduxmedia.com
        15|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.admediaprovider.com
        16|Thu Jul 22 19:57:24 2010 |192.168.0.5 | FORWARD        ad.reduxmedia.com
        17|Thu Jul 22 19:57:23 2010 |192.168.0.5 | FORWARD        ad.admediaprovider.com
        18|Thu Jul 22 19:57:19 2010 |192.168.0.5 | FORWARD        www.yadaying.com

       

      I have been unsuccessful in finding any discussion on how to identify and remove this.  As a minimum I blocked yadaying.com at my router with keyword blocking.  I imagine whatever is running on my computer will still take cycles trying to reach yadaying.

       

      Any ideas as to what has infected my computer and what is the remedy?

       

      WinXP SP3

      IE7 (which I rarely use)

      Security Center 2010

       

       

      Eric
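The router excerpt above is printed newest-first, so the causal order is easiest to see once it is sorted the other way. The following Python is an added example, not code from the original thread: it parses the record format as posted (sequence number, timestamp, source IP and router action on one line, hostname on the next), rebuilds the timeline for the host, counts how often each hostname is hit within a window of the first lookup, and turns that into a list of registrable domains worth a keyword block. SAMPLE_LOG is constructed from nine of the eighteen posted records; the 60-second window and the two-hit threshold are arbitrary choices, and registrable() is a naive last-two-labels split.

```python
"""Rebuild the timeline behind a router URL/DNS log in the format posted above.

Added example, not from the original thread. Assumes the router writes one
record per lookup as "N|timestamp|source-ip| ACTION" with the hostname on the
following line, newest first. SAMPLE_LOG is constructed from a subset of the
posted excerpt (original sequence numbers kept).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
 1|Thu Jul 22 19:57:54 2010      |192.168.0.5     | FORWARD
    ext.tyroo.com
 2|Thu Jul 22 19:57:52 2010      |192.168.0.5     | FORWARD
    www.arcadelevels.com
 3|Thu Jul 22 19:57:44 2010      |192.168.0.5     | BLOCK_KEYWORD
    ad.yieldmanager.com
 4|Thu Jul 22 19:57:27 2010      |192.168.0.5     | FORWARD
    ad.admediaprovider.com
 5|Thu Jul 22 19:57:25 2010      |192.168.0.5     | FORWARD
    ad.globe7.com
 6|Thu Jul 22 19:57:25 2010      |192.168.0.5     | FORWARD
    ad.reduxmedia.com
 7|Thu Jul 22 19:57:24 2010      |192.168.0.5     | FORWARD
    ad.globe7.com
17|Thu Jul 22 19:57:23 2010      |192.168.0.5     | FORWARD
    ad.admediaprovider.com
18|Thu Jul 22 19:57:19 2010      |192.168.0.5     | FORWARD
    www.yadaying.com
"""

# One record: sequence number, timestamp, source IP, action, then hostname.
# The \s+ before the hostname lets it sit on the next line or the same line.
RECORD = re.compile(
    r"^\s*(?P<n>\d+)\|(?P<ts>[^|]+?)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*"
    r"(?P<action>[A-Z_]+)\s+(?P<host>[A-Za-z0-9.-]+)",
    re.MULTILINE,
)


def parse_log(text):
    """Records oldest first, so the chain of lookups reads in causal order."""
    recs = []
    for m in RECORD.finditer(text):
        recs.append({
            "n": int(m["n"]),
            "time": datetime.strptime(m["ts"].strip(), "%a %b %d %H:%M:%S %Y"),
            "src": m["ip"],
            "action": m["action"],
            "host": m["host"].lower(),
        })
    # Equal timestamps: the router lists newest first, so the higher
    # sequence number is the older record.
    recs.sort(key=lambda r: (r["time"], -r["n"]))
    return recs


def first_contact(recs, src):
    """Earliest hostname src looked up (the page that pulls in the rest)."""
    for r in recs:
        if r["src"] == src:
            return r["host"]
    return None


def burst_summary(recs, src, window_s=60):
    """Per-host hit counts and router actions within window_s of src's first lookup."""
    mine = [r for r in recs if r["src"] == src]
    if not mine:
        return {}
    t0 = mine[0]["time"]
    out = defaultdict(lambda: {"hits": 0, "actions": set()})
    for r in mine:
        if (r["time"] - t0).total_seconds() > window_s:
            break
        out[r["host"]]["hits"] += 1
        out[r["host"]]["actions"].add(r["action"])
    return dict(out)


def registrable(host):
    """Naive registrable domain (last two labels); wrong for suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def blocklist_candidates(recs, src, min_hits=2):
    """Domains worth a router keyword block: the first-contact domain plus any
    domain hit at least min_hits times in the burst."""
    first = first_contact(recs, src)
    if first is None:
        return []
    counts = Counter()
    for host, entry in burst_summary(recs, src).items():
        counts[registrable(host)] += entry["hits"]
    cands = {registrable(first)} | {d for d, c in counts.items() if c >= min_hits}
    return sorted(cands)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    t0 = recs[0]["time"]
    for r in recs:
        print(f"+{(r['time'] - t0).total_seconds():4.0f}s {r['action']:<14} {r['host']}")
    print("first contact:", first_contact(recs, "192.168.0.5"))
    print("block candidates:", blocklist_candidates(recs, "192.168.0.5"))
```

Sorted oldest-first, www.yadaying.com is the first lookup and every ad host follows it within about half a minute. blocklist_candidates() also shows why a keyword block on yadaying.com alone is only partial: the ad hosts are separate registrable domains that the block does not touch. The router only records what leaves the LAN, not which process asked for it, so this narrows the picture but does not name the program responsible.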

        • 1. Re: How can I remove 'Yadaying' ?
          Peter M

          Moved to Malware Discussions > Home User Assistance for better attention.

           

          Follow the required reading here:  http://community.mcafee.com/docs/DOC-1294

           

          If that doesn't help then download, install, update (very important) and run the FREE version of THIS software and let it remove everything it finds.  Reboot if asked to after the scan.

           

          Note: all of the previous line's instructions can be achieved in "Safe Mode with Networking" if for some reason the malware prevents normal mode functions.  You can reach that by tapping F8 repeatedly while booting up and selecting that option from the menu that presents itself (usually item #2 on that menu).

          • 2. Re: How can I remove 'Yadaying' ?
            Peter M

            By the way, part of a secure Windows system is an up-to-date Internet Explorer, because whether or not you use it, many applications do, including the McAfee interface.  Please update Internet Explorer to IE8 HERE a.s.a.p. and then go to Microsoft Updates and install both critical and non-critical updates.  Especially with an older system such as XP it's vital that everything is slap-bang up to date.

             

            I suggest you do this as soon as you are satisfied that the above "infection" is cleared.

             

             

            Message was edited by: Ex_Brit on 23/07/10 8:02:18 EDT AM
            • 3. Re: How can I remove 'Yadaying' ?

              Both look like good recommendations.  I'll try this evening when I get home.

               

              I toyed with the upgrade to IE8.  I am gun-shy, since the last time I did it IE8 choked my PC.  I tried to remove it via a previous Restore Point, but that only made it worse and I spent a week backing up and rebuilding my PC.  I opted to only reload IE7.  I was wondering if I was going to have to try it again.

               

              Thanks for the insight and I'll let you know what I find.

               

              Eric

              • 4. Re: How can I remove 'Yadaying' ?
                Peter M

                It shouldn't cause an issue on a clean machine, especially if you already have installed IE7.  Perhaps try uninstalling that first if listed in Add or Remove Programs?

                 

                Tips on installing IE8 can be found on various sites....such as...

                http://support.microsoft.com/kb/949220

                http://www.microsoft.com/windows/internet-explorer/support/faq.aspx

                 

                There are also a lot of general XP tips and tweaks here: http://www.kellys-korner-xp.com/xp.htm

                 

                 

                Message was edited by: Ex_Brit on 23/07/10 9:30:22 EDT AM
                • 5. Re: How can I remove 'Yadaying' ?

                  What I found:

                   

                  I had started a scan from Ad-Aware the previous night and let it run.  It found 12 cookies it didn't like, errornuker and a dvd player install.exe.  After reboot, system was better, but not great.

                  Items fixed:

                       1) My MS no firewall/virus notification cleared

                       2) auto update completed a download (IE7)

                       3) installed updates

                   

                  I rebooted again and after bootup, CPU usage dropped and IE did not launch.

                   

                  I opted to proceed with your recommendations to further check and verify.

                       1) McAfee was up to date and all apps green

                       2) Auto updates was on

                       3) ran Scan in safe mode - no items found

                       4) ran Stinger - found Exploit-CVE-2010-2568 and removed

                       5) reboot

                       6) installed IE8

                       7) reboot

                       8) CPU pegged at 100% for 5-10 minutes, then calmed down somewhat

                            Apps using 80% in fluctuating percent - McSvHost.exe / mcshield.exe / mfefire.exe

                            I also noticed that IE has launched again.  Is this normal and what on earth would it be doing if I never launch the app?

                            Even though the CPU is 100%, it is still a bit more responsive, not as slow to respond as before.

                   

                  After my last rebuild, my CPU usage after boot and w/o launching apps hovered between 2 and 10% with an occasional spike to 60 - 80%.  I'm assuming that is my benchmark.  It looks like if the McAfee apps weren't using so much resources that it would be closer to normal.

                   

                  Any other insights or things to check?

                  • 6. Re: How can I remove 'Yadaying' ?
                    Peter M

                    Not too sure what to suggest.

                     

                    Did you act on part 2 of my suggestion?

                     

                    If that doesn't help then download, install, update (very important) and run the FREE version of THIS software and let it remove everything it finds.  Reboot if asked to after the scan.

                     

                    Note: all of the previous line's instructions can be achieved in "Safe Mode with Networking" if for some reason the malware prevents normal mode functions.  You can reach that by tapping F8 repeatedly while booting up and selecting that option from the menu that presents itself (usually item #2 on that menu).

                    • 7. Re: How can I remove 'Yadaying' ?

                      Still checking....  System seemed to hang, so I rebooted....

                       

                      IE still launches and got a new popup.  This time, instead of launching in the background, this one did full screen and made it active on top.

                      • 8. Re: How can I remove 'Yadaying' ?
                        Peter M

                        Malwarebytes can be loaded, updated and run in Safe Mode with Networking as I stated, that might help.

                         

                        The only other things I can suggest are to either post a HijackThis log on one of the following forums or go for the paid virus removal service, but you shouldn't need to do the latter.

                        DOWNLOAD HIJACKTHIS

                        Do not post HijackThis logs here, we can't help with those!

                        Post the logs at a specialist forum:

                        AUMHA FORUM
                        BLEEPING COMPUTER FORUM
                        MAJOR GEEKS FORUM
                        MALWAREBYTES FORUM
                        MALWARE REMOVAL FORUM
                        SPYWAREHAMMER FORUM
                        SPYWARE INFO FORUM
                        WHAT THE TECH FORUM

                        Be sure to read all the sticky announcements/instructions at the top of each malware forum!

                        • 9. Re: How can I remove 'Yadaying' ?

                          For Malwarebytes, that was my first choice.  I ran that last week and it did find one problem.

                           

                          I ran again for grins and it came back with 0 problems found.

                           

                          I tried HijackThis before posting and found two unnamed items that looked suspicious.  Deleted those.  No difference.  Everything else looked plausible.

                           

                          I read another thread that suggests it might be something that worked its way into the MBR and would need a bootkit remover to get rid of it.  It seems like a logical explanation of why the scans don't find anything.  I ran the check and the program found an unidentified item and I received 'Unknown boot code has been found on some of your physical disks.'  I have yet to run it with the 'fix' option.

                           

                          http://www.computerhope.com/forum/index.php?PHPSESSID=3a615fa1b1e9a0bf61d76d5675bea429&topic=107021.15

                           

                          I have never used a bootkit remover and am really skeptical.  The fail-safe if it messed up my PC is to load the OS install disk, start the MS Recovery Console and run the fixmbr command.  My question is 'should I just try that?'

                           

                          I'll keep looking in the mean time.
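The 'Unknown boot code has been found' message in the post above is what a comparison like the following produces. As an added example, not from the thread or from any vendor's tool, this Python reads sector 0, checks the 0x55AA signature, hashes the 440 bytes of boot code against an allowlist, and sanity-checks the partition table (exactly one active entry, sane status bytes, no overlapping entries). KNOWN_GOOD, CLEAN_BOOT_CODE and the two sample sectors are constructed for the example; on a real machine the allowlist would be seeded from a sector saved right after a clean rebuild, and read_mbr() needs administrator rights on Windows.

```python
r"""Inspect a 512-byte master boot record the way a bootkit scanner does:
check the 0x55AA signature, hash the boot-code region against an allowlist,
and sanity-check the partition table.

Added example, not from the thread or from any vendor's tool. KNOWN_GOOD and
the two sample sectors are constructed here; on a real machine seed the
allowlist from a sector read right after a clean rebuild.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: executable boot code
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"


def build_sample_mbr(boot_code, parts, disk_sig=0x1234ABCD):
    """Assemble a constructed MBR from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(parts):
        # CHS fields left zero; loaders that matter use the LBA fields.
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed stand-in for trusted boot code (the real thing is 440 bytes of
# x86 from the install media); its hash is the only allowlist entry.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20
KNOWN_GOOD = {
    hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest(): "constructed clean sample",
}

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 2_000_000)])
# Tampered: a jump patched into the boot code and a second, hidden-type (0x17)
# partition that is also flagged active.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x1A" + CLEAN_BOOT_CODE,
                                [(0x80, 0x07, 63, 2_000_000), (0x80, 0x17, 2_000_063, 1_000)])


def parse_partitions(sector):
    """The four primary partition entries as dicts (type 0 means unused)."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def inspect_mbr(sector):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    if len(sector) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(sector)}"]
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if digest not in KNOWN_GOOD:
        findings.append(f"unknown boot code (sha256 {digest[:16]}...)")
    parts = [p for p in parse_partitions(sector) if p["type"] != 0]
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"bad status byte 0x{p['status']:02X}")
    # Overlap check: an entry pointing into its neighbour's sectors is a red
    # flag. Unused space between entries is normal and is not flagged.
    parts.sort(key=lambda p: p["lba"])
    for a, b in zip(parts, parts[1:]):
        if a["lba"] + a["count"] > b["lba"]:
            findings.append(f"partitions overlap at LBA {b['lba']}")
    return findings


def read_mbr(device):
    r"""Sector 0 of a raw device, e.g. r'\\.\PhysicalDrive0' on Windows (run as
    administrator) or '/dev/sda' on Linux (root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, inspect_mbr(sector) or "OK")
```

Two caveats on the fail-safe discussed above. A scanner running inside the infected OS can be handed a clean copy of sector 0 by a bootkit that hooks disk reads, which is why such checks are best run from boot media. And before letting any tool rewrite the MBR, or running fixmbr from the Recovery Console, save the original sector to a file with read_mbr(): fixmbr rewrites the boot code, and Microsoft's documentation warns it can damage the partition table when a virus is present, so having those 512 bytes on hand is the only cheap way back.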
