Category Archives: Spyware

Winsys.exe Virus Unable To Run Regedit

The Winsys.exe virus recently infected one of my customer’s computers. Two side effects:

1) Regedit is disabled.
2) No Control Panel under the start menu.

Boot to Safe Mode and run SDFix.exe. You can download it from this site:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You may also need to run Hijackthis to remove a regedit disable key. Run Hijackthis and search for regedit. Check off the item to remove it.

This should allow you to run Regedit.

To restore the Control Panel, see the next posting.
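Both symptoms above (Regedit disabled, Control Panel gone) are normally produced by two Windows policy values, which is what HijackThis is finding when you search for “regedit”. The script below is an added example of my own, not part of the original post or of any of the tools named in it: it reads those two standard policy values (DisableRegistryTools under Policies\System and NoControlPanel under Policies\Explorer; the assumption is that the infection set these, which is consistent with the HijackThis fix above) and reports which lockdowns are active. Off Windows it falls back to a constructed sample so the audit logic can still be exercised.

```python
"""Audit the Windows policy values that disable Regedit and hide the Control Panel."""

# Standard Windows policy values behind the two symptoms in the post
# (assumption: the Winsys.exe infection set these; the post does not name them).
# Key: (hive, subkey, value name) -> the symptom a non-zero value produces.
POLICIES = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): "Regedit is disabled (current user)",
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): "Regedit is disabled (all users)",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoControlPanel"): "Control Panel is hidden (current user)",
}


def audit(values):
    """values: {(hive, subkey, name): data} as read from the registry.

    Returns one finding string per lockdown policy that is set to a non-zero value;
    an empty list means none of the known lockdowns is active."""
    findings = []
    for ident, symptom in POLICIES.items():
        data = values.get(ident)
        if data not in (None, 0):
            hive, subkey, name = ident
            findings.append(f"{symptom}: {hive}\\{subkey}\\{name} = {data!r}")
    return findings


def read_policies():
    """Read the policy values from the live registry. Returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive, subkey, name in POLICIES:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: that policy is simply not set
    return values


# Constructed sample standing in for an infected machine when not run on Windows.
SAMPLE_INFECTED = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoControlPanel"): 1,
}

if __name__ == "__main__":
    live = read_policies()
    for line in audit(live if live is not None else SAMPLE_INFECTED) or ["no lockdown policies set"]:
        print(line)
```

Run it before and after the SDFix/HijackThis pass: the two findings should disappear once the keys are gone. If Regedit stays disabled and the HKCU value is clear, check the HKLM entry, which applies to every account on the machine.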

How To Remove ad.yieldmanager.com Popup Spyware

This details how I was able to remove one of my most difficult spyware popup infections to date: ad.yieldmanager.com.

This insidious spyware was extremely persistent, avoiding cleaning by my normal set of favorite cleaners: Kaspersky, AVG Antivirus, AVG Antispyware, Spybot, Ad-Aware, Panda Online, HijackThis, l2mfix, VundoFix, Easy Cleaner, CleanUp!, and ewido.net.

At first it was even difficult to identify the type of spyware because the popups didn’t leave many clues other than an occasional “New Offer” popup window. However, after letting the PC system “ferment” a little to let the spyware infestation spread, the ad.yieldmanager.com signature appeared in one of the windows.

The best removal sequence I found came mostly from this site: http://www.pchell.com/support/smitfraud.shtml where I followed the steps for removing SmitFraud. I took a guess on this because I saw an earlier SpySheriff infection on the system and I was thinking that perhaps it was not entirely removed.

The set of cleaners I ran from Safe Mode in this order were:

SmitRem by NoahdFear – http://noahdfear.geekstogo.com/

SmitFraudFix – http://siri.geekstogo.com/SmitfraudFix.php

RogueRemover – http://www.majorgeeks.com/RogueRemover_d5360.html

Aproposfix – http://swandog46.geekstogo.com/aproposfix.exe

HijackThis – http://www.merijn.org/files/hijackthis.zip

CCleaner – http://www.ccleaner.com/

CleanUp! – http://www.stevengould.org/software/cleanup/download.html

Easy Cleaner – http://personal.inet.fi/business/toniarts/ecleane.htm

Of the set of cleaners I ran, I think RogueRemover and Aproposfix were the critical programs for this particular spyware infection.

After running all these cleaners the ad.yieldmanager.com spyware was removed completely.

Here are a couple products you might want to consider for keeping your PC clean from further ad.yieldmanager infections.

1) First, the best anti-virus program on the market — in my view — is Kaspersky. It’s not as well known as some of the more heavily marketed antivirus programs like Norton and McAfee.

However, I like it because it catches a lot more viruses than Norton and McAfee and it is also a much smaller program. Norton is especially taxing on the system and there is a VERY noticeable slowdown of your PC when you have Norton installed.

The cheapest prices I’ve seen for Kaspersky Antivirus or Kaspersky Internet Security are on eBay. Make sure the seller has a lot of positive feedback when you make your purchase and you’ll save some bucks.


FREE registration on eBay and you can start saving right away.

2) Second, you should check out this RegCure registry cleaner. It’s a no-frills registry cleaner and has performed quite well in user tests.

Try a FREE RegCure Scan Today!

How To Remove Notifyalert.exe Dell Support

I decided to remove the Notifyalert.exe program from a Dell PC which appeared to be slowing it down. The program is part of the Dell Support program that you can normally remove under Add / Remove Programs. Apparently this only works for version 3. If you have version 2 of Dell Support then the Add / Remove programs function can fail.

If you have version 2 of the Dell Support program, you need to reinstall the program and then remove it. Go to http://support.dell.com/ and do a search on “uninstall dell support” which will give you a link to the uninstall program.

Slow Booting Problem Due To 85.255.116.67 and 85.255.112.71

An interesting slow-booting problem found on a network. This is a good check whenever you have a slow-starting PC.

I noticed on a 10 PC network that one PC was particularly slow to boot. I checked the ethernet wiring from the PC to the switch with a cable tester and it all looked OK.

I then decided to check the ethernet card, thinking it might be damaged. I checked the TCP/IP properties and noticed that it had DNS server values of 85.255.116.67 and 85.255.112.71. Very unusual since this network was supposed to obtain the DNS server addresses automatically.

I did a quick Google search on the servers’ IPs and it looks like they are related to some Trojan. After removing the hard-coded DNS server addresses the system boots up quickly now.
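Here is a way to turn that check into something you can run on every PC on a network, as an added example of mine rather than anything from the original post: it parses the text of `ipconfig /all` and flags any DNS server that is neither inside the adapter’s own subnet nor on a list of resolvers you trust (your ISP’s, for instance). The sample output is constructed to match the symptom above: DHCP is on, yet the DNS servers are the two addresses from the post.

```python
"""Flag DNS servers in `ipconfig /all` output that do not belong on the local network."""
import ipaddress
import re
import subprocess

# Constructed sample of Windows XP-style `ipconfig /all` output, modelled on the
# post: DHCP enabled, but the DNS servers are the two hard-coded addresses.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.116.67
                                            85.255.112.71
"""

# "Key . . . . : value" lines; the key is letters/spaces/hyphens, dots are filler.
FIELD = re.compile(r"\s*([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return one dict per adapter: name, dhcp (bool), ip, mask, dns (list of str)."""
    adapters, cur, in_dns = [], None, False
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line: adapter header
            cur = {"name": line.rstrip(":"), "dhcp": None, "ip": None, "mask": None, "dns": []}
            adapters.append(cur)
            in_dns = False
            continue
        if cur is None:
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            in_dns = key == "dns servers"
            if in_dns:
                if val:
                    cur["dns"].append(val)
            elif key == "dhcp enabled":
                cur["dhcp"] = val.lower() == "yes"
            elif key == "ip address":
                cur["ip"] = val
            elif key == "subnet mask":
                cur["mask"] = val
        elif in_dns and line.strip():
            cur["dns"].append(line.strip())         # continuation line: extra DNS server
    return adapters


def suspicious_dns(adapter, trusted=()):
    """Return the adapter's DNS servers that are outside its own subnet and not
    in `trusted`. On a small DHCP network the resolver is normally the gateway
    or router, so anything else deserves a look."""
    net = None
    if adapter["ip"] and adapter["mask"]:
        net = ipaddress.ip_network(f"{adapter['ip']}/{adapter['mask']}", strict=False)
    trusted_addrs = {ipaddress.ip_address(t) for t in trusted}
    flagged = []
    for server in adapter["dns"]:
        addr = ipaddress.ip_address(server)
        if addr in trusted_addrs or (net is not None and addr in net):
            continue
        flagged.append(server)
    return flagged


if __name__ == "__main__":
    try:   # on Windows, read the live configuration; elsewhere use the sample
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE
    for adapter in parse_ipconfig(text):
        for server in suspicious_dns(adapter):
            print(f"{adapter['name']}: DNS server {server} is off-network (DHCP={adapter['dhcp']})")
```

Pass your ISP’s or company resolvers in `trusted` so they are not reported; anything left over on a PC that should be getting DNS from DHCP is exactly the kind of hard-coded entry described above and is worth comparing against the other PCs on the same switch.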

Removing yyy65.html

For yyy65.html and other yyy-type popups, you can use the l2mfix program found at these locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Download the zip file and unzip it to your desktop. This will create an l2mfix folder.

From within the folder run the l2mfix.bat file.

Select option #1 for Run Find Log.

Select option #2 for Run Fix. It will reboot your computer and then run the fix on reboot. On some systems the scanning passes may take a while so be patient.

After it is done it will open up notepad with a trace log.

I usually run ewido and a virus checker like AVG after that, just for good measure.

Removing Winfixer, Wintools, WtoolsA, WtoolsB, Wsup

There are a lot of variants of the Winfixer spyware. Some of them are easy to remove by booting into safe mode and running Spybot or Adaware.

I encountered a very persistent version recently. The symptoms are:

1) wsup.exe and wtoolsa.exe are always running in the task manager. When you end either process it just restores itself.
2) Wintools always loading when checked with msconfig.
3) Unable to delete the BHOs by using Hijackthis. They keep coming back.
4) Unable to rename or delete the c:\program files\common files\wintools folder. It says that access is denied or that another process is running.

The only procedure that worked for me was to install the 14-day demo version of the great Ewido program at http://www.ewido.net. After installation ewido was able to catch and deactivate the Wtools spyware programs long enough for me to delete the wintools folder.

After that it was an easy matter of cleaning up msconfig and deleting all instances of “wintools” in the registry.

Vundo Spyware Removal

1) Download the fix from here http://www.atribune.org/downloads/VundoFix.exe

2) Double click the file which will create a folder on your desktop.

3) Reboot into Safe Mode.

4) Run the KillVundo.bat file from the folder.

5) It will prompt you for two items. The first time, enter the full path to the offending file, such as c:\windows\system32\srvdisk.dll. This file may be different on your system.

6) The second time, enter the same path with the filename reversed and a wildcard extension. In the above example, you would enter: c:\windows\system32\ksidvrs.*

7) Reboot the computer and then run Cleanup from this location. http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

The CleanUp options to select are:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

8) Run HijackThis and remove the Vundo related files you entered in 5) and 6) above.

Celebrate the Vundo removal!

It’s *ahem* Vundo-bar!
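Steps 5) and 6) depend on Vundo’s habit of dropping a companion file whose name is the first file’s name spelled backwards. The script below is an added example of mine, not part of the original post or of VundoFix: given a directory listing it finds every pair of files whose base names are reverses of each other, and given the offending path it produces the two strings KillVundo.bat asks for. The listing is constructed around the srvdisk.dll example used above.

```python
"""Spot reversed-name file pairs and build the two KillVundo.bat inputs."""
import ntpath  # Windows path handling, so the example works from any OS
import os

# Constructed directory listing modelled on the post's example: srvdisk.dll with
# its reversed-name companions, mixed in with ordinary system files.
SAMPLE_LISTING = ["ntdll.dll", "srvdisk.dll", "ksidvrs.ini", "kernel32.dll", "ksidvrs.bak", "aaa.dll"]


def reversed_name_pairs(filenames):
    """Return (file, twin) tuples for every file whose base name, reversed, is the
    base name of another file in the listing (extensions ignored, case-insensitive).
    Palindromic names are skipped because they would only pair with themselves."""
    by_stem = {}
    for name in filenames:
        stem = ntpath.splitext(name)[0].lower()
        by_stem.setdefault(stem, []).append(name)
    pairs = []
    for stem, files in sorted(by_stem.items()):
        twin = stem[::-1]
        if twin == stem or twin not in by_stem or twin < stem:
            continue   # skip palindromes; report each pair once (from the larger stem)
        for a in files:
            for b in by_stem[twin]:
                pairs.append((a, b))
    return pairs


def killvundo_inputs(path):
    """Return the two strings the procedure asks for: the full path of the
    offending file (step 5) and the path with the filename reversed and the
    extension replaced by a wildcard (step 6)."""
    directory, filename = ntpath.split(path)
    stem, _ = ntpath.splitext(filename)
    return path, ntpath.join(directory, stem[::-1] + ".*")


def scan_directory(directory):
    """Run the pair check over a real directory (e.g. C:\\Windows\\System32)."""
    return reversed_name_pairs(os.listdir(directory))


if __name__ == "__main__":
    for a, b in reversed_name_pairs(SAMPLE_LISTING):
        print(f"reversed-name pair: {a} <-> {b}")
    first, second = killvundo_inputs(r"c:\windows\system32\srvdisk.dll")
    print("KillVundo prompt 1:", first)
    print("KillVundo prompt 2:", second)
```

Running `scan_directory` against System32 before step 4) gives you the candidate for step 5) and confirms the reversed twin exists, so you are not guessing at the filename while in Safe Mode.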