This details how I was able to remove one of my most difficult spyware popup infections to date: ad.yieldmanager.com.
This insidious spyware was extremely persistent, avoiding cleaning by my normal set of favorite cleaners: Kaspersky, AVG Antivirus, AVG Antispyware, Spybot, Ad-Aware, Panda Online, HijackThis, l2mfix, VundoFix, Easy Cleaner, CleanUp!, and ewido.net.
At first it was even difficult to identify the type of spyware because the popups didn’t leave many clues other than an occasional “New Offer” popup window. However, after letting the PC system “ferment” a little to let the spyware infestation spread, the ad.yieldmanager.com signature appeared in one of the windows.
The best removal sequence I found came mostly from this site: http://www.pchell.com/support/smitfraud.shtml where I followed the steps for removing SmitFraud. I took a guess on this because I saw an earlier SpySheriff infection on the system and I was thinking that perhaps it was not entirely removed.
The set of cleaners I ran from Safe Mode in this order were:
SmitRem by NoahdFear – http://noahdfear.geekstogo.com/
Of the set of cleaners I ran, I think RogueRemover and Aproposfix were the critical programs for this particular spyware infection.
After running all these cleaners the ad.yieldmanager.com spyware was removed completely.
Here are a couple of products you might want to consider for keeping your PC clean from further ad.yieldmanager infections.
1) First, the best anti-virus program on the market — in my view — is Kaspersky. It’s not as well known as some of the more heavily marketed antivirus programs like Norton and McAfee.
However, I like it because it catches a lot more viruses than Norton and McAfee and it is also a much smaller program. Norton is especially taxing on the system and there is a VERY noticeable slowdown of your PC when you have Norton installed.
The cheapest prices I’ve seen for Kaspersky Antivirus or Kaspersky Internet Security are on eBay. Make sure the seller has a lot of positive feedback when you make your purchase and you’ll save some bucks.
FREE registration on eBay and you can start saving right away.
2) Second, you should check out this RegCure registry cleaner. It’s a no-frills registry cleaner and has performed quite well in user tests.
I decided to remove the Notifyalert.exe program from a Dell PC which appeared to be slowing it down. The program is part of the Dell Support program that you can normally remove under Add / Remove Programs. Apparently this only works for version 3. If you have version 2 of Dell Support then the Add / Remove programs function can fail.
If you have version 2 of the Dell Support program, you need to reinstall the program and then remove it. Go to http://support.dell.com/ and do a search on “uninstall dell support” which will give you a link to the uninstall program.
Interesting slow booting problem found on a network. This is a good check for whenever you have a slow starting PC.
I noticed on a 10 PC network that one PC was particularly slow to boot. I checked the ethernet wiring from the PC to the switch with a cable tester and it all looked OK.
I then decided to check the ethernet card, thinking it might be damaged. I checked the TCP/IP properties and noticed that it had DNS server values of 85.255.116.67 and 85.255.112.71. Very unusual since this network was supposed to obtain the DNS server addresses automatically.
I did a quick Google search on the servers’ IPs and it looks like they are related to some Trojan. After removing the hard-coded DNS server addresses the system boots up quickly now.
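The check above (a PC that is supposed to get DNS from the LAN router but has outside DNS servers configured) is easy to automate across a small network. The script below is an added example, not part of the original post: it parses the text of `ipconfig /all`, and for each adapter reports DNS servers that are either on a watchlist (seeded with the two addresses found on the slow PC) or are public addresses on an adapter that took its DHCP lease from a private-range router. The `ipconfig` output, the adapter names and the host name are constructed sample data; the "public DNS while DHCP comes from the LAN" rule is a heuristic that assumes a small office network where the router normally hands out the DNS setting.

```python
"""Audit ipconfig /all output for hard-coded rogue DNS servers.

Added example; the sample output and adapter names are constructed.
"""
import ipaddress
import re

# DNS server addresses the post found hard-coded on the slow-booting PC.
ROGUE_DNS = {"85.255.116.67", "85.255.112.71"}

# Constructed ipconfig /all text: one adapter with the rogue servers
# hard-coded, one that takes DNS from the LAN router as intended.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : OFFICE-PC7
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic PCI Fast Ethernet NIC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.116.67
                                            85.255.112.71

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.58
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

HEADER_RE = re.compile(r"^(\S.*?):?\s*$")  # unindented "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
CONT_RE = re.compile(r"^\s+(\S.*?)\s*$")  # indented extra value (2nd DNS server)


def parse_ipconfig(text):
    """Return {section: {field (lowercase): [values]}} from ipconfig /all text.

    Field names are lowercased because XP prints "Dhcp Enabled" while later
    Windows versions print "DHCP Enabled".
    """
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2).strip()
            current[key] = [value] if value else []
            last_key = key
            continue
        m = HEADER_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            last_key = None
            continue
        m = CONT_RE.match(line)
        if m and current is not None and last_key:
            current[last_key].append(m.group(1))
    return sections


def _is_private(addr):
    """True for RFC 1918 / loopback / link-local style addresses, False otherwise."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def audit_dns(text, watchlist=ROGUE_DNS):
    """Return (section, dns_server, reason) tuples for every suspicious DNS entry."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        dhcp_on = (fields.get("dhcp enabled") or [""])[0].lower() == "yes"
        dhcp_srv = (fields.get("dhcp server") or [""])[0]
        for server in fields.get("dns servers", []):
            if server in watchlist:
                findings.append((name, server, "known rogue DNS server"))
            elif dhcp_on and _is_private(dhcp_srv) and not _is_private(server):
                # Lease came from a LAN router, yet DNS points outside the LAN.
                findings.append((name, server, "public DNS server on an adapter leased from a LAN router"))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in audit_dns(SAMPLE_IPCONFIG):
        print(f"{adapter}: {server} ({reason})")
```

On a live Windows machine, feed the script the real output instead of the sample, for example `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`, and extend `ROGUE_DNS` with any other addresses you have seen on infected PCs. The heuristic rule fires for any public DNS server, so on a network whose router legitimately assigns an ISP resolver you would add that resolver to an allow list rather than treat every hit as an infection.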
This VundoFix will search out the offending files for you — typically in your system32 folder — and present them to you for deletion. No more searching around with HijackThis for the evil WinFixer dll files.
Download the zip file and unzip it to your desktop. This will create an l2mfix folder.
From within the folder run the l2mfix.bat file.
Select option #1 for Run Find Log.
Select option #2 for Run Fix. It will reboot your computer and then run the fix on reboot. On some systems the scanning passes may take a while so be patient.
After it is done it will open up notepad with a trace log.
I usually run ewido and a virus checker like AVG after that, just for good measure.
There are a lot of variants of the WinFixer spyware. Some of them are easy to remove by booting into Safe Mode and running Spybot or Ad-Aware.
I encountered a very persistent version recently. The symptoms are:
1) wsup.exe and wtoolsa.exe are always running in the task manager. When you end either process it just restores itself.
2) Wintools always loading when checked with msconfig.
3) Unable to delete the BHOs by using Hijackthis. They keep coming back.
4) Unable to rename or delete the c:\program files\common files\wintools folder. It says that access is denied or that another process is running.
The only procedure that worked for me was to install the 14-day demo version of the great Ewido program at http://www.ewido.net. After installation ewido was able to catch and deactivate the Wtools spyware programs long enough for me to delete the wintools folder.
After that it was an easy matter of cleaning up msconfig and deleting all instances of “wintools” in the registry.
2) Double click the file which will create a folder on your desktop.
3) Reboot into Safe Mode.
4) Run the KillVundo.bat file from the folder.
5) It will prompt you for two items. The first time, you enter the full path to the offending file, such as c:\windows\system32\srvdisk.dll. The file name on your system may be different.
6) The second time, you enter the same path with the file name reversed. In the above example, you would enter this: c:\windows\system32\ksidvrs.* .