This details how I was able to remove one of my most difficult spyware popup infections to date: ad.yieldmanager.com.
This insidious spyware was extremely persistent, avoiding cleaning by my normal set of favorite cleaners: Kaspersky, AVG Antivirus, AVG Antispyware, Spybot, Ad-Aware, Panda Online, HijackThis, l2mfix, VundoFix, Easy Cleaner, CleanUp!, and ewido.net.
At first it was even difficult to identify the type of spyware because the popups didn’t leave many clues other than an occasional “New Offer” popup window. However, after letting the PC system “ferment” a little to let the spyware infestation spread, the ad.yieldmanager.com signature appeared in one of the windows.
The best removal sequence I found came mostly from this site: http://www.pchell.com/support/smitfraud.shtml where I followed the steps for removing SmitFraud. I took a guess on this because I saw an earlier SpySheriff infection on the system and I was thinking that perhaps it was not entirely removed.
The set of cleaners I ran from Safe Mode in this order were:
SmitRem by NoahdFear – http://noahdfear.geekstogo.com/
Of the set of cleaners I ran, I think RogueRemover and Aproposfix were the critical programs for this particular spyware infection.
After running all these cleaners the ad.yieldmanager.com spyware was removed completely.
Here are a couple products you might want to consider for keeping your PC clean from further ad.yieldmanager infections.
1) First, the best anti-virus program on the market — in my view — is Kaspersky. It’s not as well known as some of the more heavily marketed antivirus programs like Norton and McAfee.
However, I like it because it catches a lot more viruses than Norton and McAfee and it is also a much smaller program. Norton is especially taxing on the system and there is a VERY noticeable slowdown of your PC when you have Norton installed.
The cheapest prices I’ve seen for Kaspersky Antivirus or Kaspersky Internet Security is on eBay. Make sure the seller has a lot of positive feedback when you make your purchase and you’ll save some bucks.
[phpbay]kaspersky, 5, “”, “”[/phpbay]
FREE registration on eBay and you can start saving right away.
2) Second, you should check out this RegCure registry cleaner. It’s a no-frills registry cleaner and has performed quite well in user tests.
I decided to remove the Notifyalert.exe program from a Dell PC which appeared to be slowing it down. The program is part of the Dell Support program that you can normally remove under Add / Remove Programs. Apparently this only works for version 3. If you have version 2 of Dell Support then the Add / Remove programs function can fail.
If you have version 2 of the Dell Support program, you need to reinstall the program and then remove it. Go to http://support.dell.com/ and do a search on “uninstall dell support” which will give you a link to the uninstall program.
Interesting slow booting problem found on a network. This is a good check for whenever you have a slow starting PC.
I noticed on a 10 PC network that one PC was particularly slow to boot. I checked the ethernet wiring from the PC to the switch with a cable tester and it all looked OK.
I then decided to check the ethernet card, thinking it might be damaged. I checked the TCP/IP properties and noticed that it had DNS server values of 22.214.171.124 and 126.96.36.199. Very unusual since this network was supposed to obtain the DNS server addresses automatically.
I did a quick Google search on the servers IPs and it looks like they are related to some Trojan. After removing the hard coded DNS server addresses the system boots up quickly now.
This VundoFix will search out the offending files for you — typically in your system32 folder — and present them to you for deletion. No more searching around with HijackThis for the evil WinFixer dll files.
There are a lot of variants of the Winfixer spyware. Some of them are easy to remove by booting into safe mode and running Spybot or Adaware.
I encountered a very persistent version recently. The symptoms are:
1) wsup.exe and wtoolsa.exe are always running in the task manager. When you end either process it just restores itself.
2) Wintools always loading when checked with msconfig.
3) Unable to delete the BHOs by using Hijackthis. They keep coming back.
4) Unable to rename or delete the c:\program files\common files\wintools folder. It says that access is denied or that another process is running.
The only procedure that worked for me was to install the 14-day demo version of the great Ewido program at http://www.ewido.net. After installation ewido was able to catch and deactivate the Wtools spyware programs long enough for me to delete the wintools folder.
After that it was an easy matter of cleaning up msconfig and deleting all instances of “wintools” in the registry.