Ongoing Adware and My Search Assistant issue

Status
Not open for further replies.
Thanks for the help on My Search Assistant. I had it and, following the instructions, it now appears to be gone. I must have had many other adware issues and have cleared them using the instructions in the My Search Assistant thread. However, even after again running the latest
Spybot S&D, Ad-Aware Personal SE, Ad-Aware VX2 plugin, working with HJT, and using CWShredder, I still have problems with continuous popups and recurring adware showing up. I've also run LSPFix but can't get rid of the nasty stuff that won't go away.

I also have a couple of new programs listed when I do Add/delete from Control Panel, like My Search Bar and Quickset.

Attached is my latest HJT log.

Thanks for the help in advance
 

Attachments

  • hijackthis 2-9-05.txt
    4.3 KB
Unfortunately you still have some buggers in there. These:

O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {681B6B9C-63FA-284D-8339-68198DA1BF14} - (no file)
O2 - BHO: (no name) - {FAC62D88-4B3D-4F4F-1EC0-0946918A1E78} - (no file)
O2 - BHO: (no name) - {FF9C88EF-281A-F804-DEB6-B91196968E7A} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

This one isn't bad but it won't hurt to get rid of it, might help the system:
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Then, if you don't use the Cisco VPN, rid yourself of those two entries also.

If you've done everything in that thread and it keeps coming back, it's not these HJT entries; they will come back too. You still have to track down the startup or shared DLL that is causing the issue.

Run your scans again and pay particular attention to the file names of what they are, especially the DLL files, write them down.
Then you'll have to clean it in Safe Mode.
Clean with HJT in Safe Mode as well.
Then search your whole registry for any instances of any DLLs found and remove those keys.
Particularly in these two locations (I assume you already checked the standard startup locations):
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
&
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify

If there are any DLLs in the SharedDLLs key that are stored in any "Temp" folder, or have the same name as your infected files, delete them.
In the Notify key, click on each subkey one at a time and notice in the right pane the "DLLName" value. If it's a bad one, kill the whole key in the left pane.
For example you might have a key called "cscdll" and the right-pane DLLName is "cscdll.dll". That is a good one. But if it wasn't, delete the whole cscdll key in the left pane. It will be pretty easy to spot a bad key.

Okay then. After all that jazz, do these extra things:
While in Safe Mode still, scan with everything you got again until it's clean.
Then go into C:\Windows\System32\Drivers\etc and just delete all the files in there.

Then go into Internet Explorer properties and under the Security tab click on the "Trusted Sites" icon, then click the "Sites" button. Remove any entries in the list that are bad ones. Or just remove EVERY entry.
Then click back on the "General" tab and put the home page in that you want. Click OK and exit settings.

Now I would suggest running BHO Captor and removing any entries except ones pointing to your antivirus. And perhaps Adobe. (I'm not sure if BHO Captor is in the other thread or not.) Also don't remove Spybot's IE Helper if it's in there. Otherwise remove everything.

Now go into your Spybot and make sure your system is immunized. Also change to "Advanced" mode. On the bottom left click "Tools", then "Resident". Put a check in both the tools.
Then click "IE Tweaks" and put a check on all three boxes.
And also just for fun click on "System Startup" and make sure that's clean.

Keep in mind that this stuff, I think, is only good for the currently logged in user. Some of it isn't though, such as the registry keys mentioned earlier. But you WILL have to log out and back in to EVERY user listed (in Safe Mode), to scan and clean each account. Otherwise an infected user could mess things up again. It's best to go through each account in Safe Mode and clean them all.

Lastly, after removing the LSP entries in HJT, you will want to run LSP fix again. When it asks to restart, go ahead and do it. Let it go back into Normal Mode. And hopefully your nightmares will be gone.

This post could go on forever but I might mention some more stuff. You should turn OFF system restore. Also go into C:\Windows\ and remove any files beginning with "wininit" EXCEPT for "wininit.exe" and "wininit.ini" I believe. For example delete ones like wininit.bak and wininit.txt. Note you may not even have these files at all.
Go into C:\Windows\ and delete all files in the "Prefetch" folder.

If your problem child still appears, it is certainly still in startup, somewhere in the registry for sure. And hopefully Spybot's TeaTimer will tell you when junk is trying to get in. Once you think you've got it pretty clean and virus-free, do ALL your updates and patches etc. Then download and use Firefox from www.mozilla.org. That will solve a lot of issues :)

Well that's enough for now I suppose, have fun!
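The registry check described above (the Notify subkeys with a bad DLLName, and SharedDLLs entries parked in a Temp folder or named like the infected files) can be done by script instead of clicking through regedit. The following is an added example, not a tool from this thread: it reads both keys through Python's standard winreg module when run on Windows (the Notify key is an XP-era key and is absent on later Windows, in which case the read returns nothing), falls back to constructed sample data elsewhere, and only reports what it would delete; the actual key deletion is still done in regedit as the post describes. SUSPECT_DLLS is an assumption seeded from the DLL names quoted in this thread, and the "mshlp" subkey and Temp paths in the sample are constructed.

```python
"""Report-only audit of the Winlogon Notify and SharedDLLs keys (added example)."""

# Assumption: seeded from the DLLs named in this thread's HJT log; replace with
# whatever your own scans report.
SUSPECT_DLLS = {"dolsp.dll", "aklsp.dll"}

NOTIFY_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SHARED_DLLS_KEY = r"Software\Microsoft\Windows\CurrentVersion\SharedDLLs"


def is_temp_path(path):
    """True if any directory component (not the file name) is a Temp/Tmp folder."""
    parts = path.replace("/", "\\").split("\\")
    return any(p.lower() in ("temp", "tmp") for p in parts[:-1])


def reasons_for(dll_path, suspect_dlls):
    """The two tests the post gives: name matches a scanner hit, or lives in Temp."""
    name = dll_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in suspect_dlls:
        reasons.append("name matches a DLL reported by the scanners")
    if is_temp_path(dll_path):
        reasons.append("stored under a Temp folder")
    return reasons


def audit_notify(notify_entries, suspect_dlls=SUSPECT_DLLS):
    """notify_entries: {subkey: DLLName}. Returns [(subkey, dll, why)] to delete whole."""
    flagged = []
    for subkey, dll in sorted(notify_entries.items()):
        why = reasons_for(dll, suspect_dlls)
        if why:
            flagged.append((subkey, dll, "; ".join(why)))
    return flagged


def audit_shared_dlls(shared_paths, suspect_dlls=SUSPECT_DLLS):
    """shared_paths: value names under SharedDLLs (each is a full DLL path)."""
    flagged = []
    for path in shared_paths:
        why = reasons_for(path, suspect_dlls)
        if why:
            flagged.append((path, "; ".join(why)))
    return flagged


def read_notify_from_registry():
    """{subkey: DLLName} from the live Notify key; {} off Windows or if the key is gone."""
    try:
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY)
    except (ImportError, OSError):
        return {}
    entries, index = {}, 0
    with key:
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(key, sub) as subkey:
                try:
                    entries[sub] = str(winreg.QueryValueEx(subkey, "DLLName")[0])
                except OSError:  # subkey without a DLLName value
                    entries[sub] = ""
    return entries


def read_shared_dlls_from_registry():
    """Value names under the live SharedDLLs key; [] off Windows or if absent."""
    try:
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHARED_DLLS_KEY)
    except (ImportError, OSError):
        return []
    names, index = [], 0
    with key:
        while True:
            try:
                names.append(winreg.EnumValue(key, index)[0])
            except OSError:
                break
            index += 1
    return names


# Constructed sample: three stock XP Notify subkeys plus one planted by adware,
# and a SharedDLLs value parked in a Temp folder.
SAMPLE_NOTIFY = {
    "cscdll": "cscdll.dll",
    "Schedule": "wlnotify.dll",
    "ScCertProp": "wlnotify.dll",
    "mshlp": r"C:\DOCUME~1\user\LOCALS~1\Temp\aklsp.dll",
}
SAMPLE_SHARED = [
    r"C:\WINDOWS\system32\msvcrt.dll",
    r"C:\WINDOWS\Temp\dolsp.dll",
    r"C:\Program Files\Example\helper.dll",
]

if __name__ == "__main__":
    notify = read_notify_from_registry() or SAMPLE_NOTIFY
    shared = read_shared_dlls_from_registry() or SAMPLE_SHARED
    for subkey, dll, why in audit_notify(notify):
        print(f"Notify\\{subkey}  DLLName={dll}  ->  delete whole subkey ({why})")
    for path, why in audit_shared_dlls(shared):
        print(f"SharedDLLs  {path}  ->  remove value ({why})")
```

Run it from Safe Mode before and after the cleanup; an empty report after the reboot is the check that the Notify hook did not come back.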
 
Boot in Safe Mode
Stop System restore
Press ctrl/alt/del and in Taskmanager try to STOP: ynytnp.exe

Next, run HJT on its own and let it 'fix':
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynytnp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {681B6B9C-63FA-284D-8339-68198DA1BF14} - (no file)
O2 - BHO: (no name) - {FAC62D88-4B3D-4F4F-1EC0-0946918A1E78} - (no file)
O2 - BHO: (no name) - {FF9C88EF-281A-F804-DEB6-B91196968E7A} - (no file)
O10 - see below
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

When done delete C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynytnp.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
Fix these with LSPFix as described in my thread: Broken Internet access with xxx.dll, and substitute xfire_lsp_8742.dll with "your" missing file names.
Do NOT delete ANY other files!

Boot back up in normal mode.
Clean your temp directory and your internet temp files and all cookies.
If all OK, turn System Restore back on.
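Both replies above pick the same sections out of the HJT log by hand: the O1 hosts-file redirects, the O2 BHOs with "(no file)", the O10 unknown Winsock LSPs (which HJT lists once per catalog entry, hence the repeats) and the O15 trusted zones. The script below is an added example, not a tool from the posts, that does that triage over a log pasted in as text. SAMPLE_LOG is constructed from the entries quoted in this thread plus one benign BHO line with a made-up CLSID, so the "leave the good ones alone" case is exercised too.

```python
"""Triage the HJT sections this thread keeps coming back to (added example)."""
import re
from collections import defaultdict

# Resolving a name to any of these is a normal hosts-file block, not a hijack.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.*)$")
TRUST_RE = re.compile(r"^O15 - Trusted (Zone|IP range):\s*(.*)$")


def triage(log_text):
    """Return [(section, item, reason)] for the entries a cleaner should act on."""
    findings = []
    redirects = defaultdict(list)   # ip -> hostnames pointed at it
    lsp_seen = set()                # HJT repeats one LSP DLL per catalog entry
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                redirects[ip].append(host)
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if path.strip().lower() == "(no file)":
                findings.append(("O2", clsid, f"BHO {name} registered with no file on disk; fix in HJT"))
            continue
        m = LSP_RE.match(line)
        if m:
            dll = m.group(1).strip().lower()
            if dll not in lsp_seen:
                lsp_seen.add(dll)
                findings.append(("O10", dll, "unknown Winsock LSP; repair the chain with LSPFix, do not just delete the DLL"))
            continue
        m = TRUST_RE.match(line)
        if m:
            kind, target = m.groups()
            findings.append(("O15", target or "(empty)", f"Trusted {kind}: IE Trusted Sites zone granted to an unknown origin; remove"))
    # Report every redirected name, with how many names share the same target.
    for ip, hosts in redirects.items():
        for host in hosts:
            findings.append(("O1", f"{ip} {host}", f"hosts-file redirect: {len(hosts)} search name(s) resolve to {ip}"))
    return findings


def count_by_section(findings):
    counts = defaultdict(int)
    for section, _, _ in findings:
        counts[section] += 1
    return dict(counts)


# Constructed sample: entries quoted in this thread plus one benign BHO line
# with a made-up CLSID and path (not a real product).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {681B6B9C-63FA-284D-8339-68198DA1BF14} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section}  {item}\n      {reason}")
```

The O1 findings list the exact hosts-file lines involved, and the O10 list, deduplicated, is what gets handed to LSPFix as the missing file names.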
 
Oh, I missed that startup "ynytnp.exe". Have to remove that from Safe Mode as well.

I still recommend running BHO Captor. And it might be a good idea to get rid of the temps and caches while still in Safe Mode as well. Just in case they try to activate again.

Hope you fix it soon
 