Spyware Issues - All steps followed

Discussion in 'Malware Help (A Specialist Will Reply)' started by puredesighee, Oct 15, 2005.

  1. puredesighee

    puredesighee Private E-2

    I have four pieces of adware that instantly reinstall themselves after deletion - IST.SideFind (Adware), AvenueMedia.DyFuCa (Browser Plug-In), QuickLinks (Monitoring Software), YourSiteBar (Spyware).

    I ran the following two scans:

    -Turned off system restore
    -Enabled viewing of system files, etc.
    -Bitdefender and Rav Anti-Virus. Neither found anything (I had already run Norton 2005 before finding this forum)
    -Booted into safe mode with networking, unplugged internet connection
    -Ran Ad-Aware - it found the four listed above as well. Removed them.
    -Ran Spybot - it found the four listed above. Removed them. Agreed to let it run after reboot.
    -Ran AntiSpyware - it found the four listed above. Removed them.
    -Rebooted and let Spybot run again. It found the four above - removed them.


    I have attached my Hijack This log, following the instructions in the manual.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log shows no signs of those infections; doesn't mean you're not infected, just that HijackThis doesn't show the infection.

    However your log does show you are infected with Vundo.

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\pmnnk.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\knnmp.*
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\pmnnk.dll
    O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
    • Once your machine reboots please attach a fresh HJT log from normal mode.
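The two entries flagged in the post above share one DLL path, and the second path typed into the fix (`knnmp.*`) is the first file's name (`pmnnk`) reversed. The following is an added example, not part of the original post and not code from HijackThis or VundoFix: it scans HijackThis log text for a system32 DLL registered as both an O2 BHO and an O20 Winlogon Notify entry and lists the reversed-name pattern to check alongside it. Treating that pairing and the reversed name as a triage heuristic is an assumption drawn only from the values in this thread; the two benign log lines are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The pmnnk.dll lines are quoted from the post above; the other two lines
# are constructed filler so the filter has something to reject.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_entries(log_text):
    """Map lower-cased DLL path -> set of HijackThis sections that load it."""
    loaded_by = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                # Windows paths are case-insensitive, so normalise the key.
                loaded_by[m.group("path").strip().lower()].add(section)
    return loaded_by


def dual_registered(log_text):
    """Return system32 DLLs loaded as both a BHO and a Winlogon Notify package."""
    hits = []
    for path, sections in sorted(parse_entries(log_text).items()):
        p = PureWindowsPath(path)
        if sections == {"O2", "O20"} and p.parent.name == "system32":
            # Assumption from this thread: a companion file carries the
            # DLL's base name reversed (pmnnk -> knnmp), any extension.
            companion = f"{p.parent}\\{p.stem[::-1]}.*"
            hits.append({"dll": path, "companion_glob": companion})
    return hits


if __name__ == "__main__":
    for hit in dual_registered(SAMPLE_LOG):
        print(hit["dll"], "-> also check", hit["companion_glob"])
```
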
     
  3. puredesighee

    puredesighee Private E-2

    Thank you very much for your reply and assistance. I have attached a new log file after following the steps that you outlined.
     

    Attached Files:

  4. puredesighee

    puredesighee Private E-2

    Also, after running Spybot I found the following entries which unfortunately still don't stay removed.

    DyFuCA
    IsearchTech.Sidefind
    IsearchTech.YSB

    and a new one

    WindowsSecurityCenter.AntiVirusDisableNotify
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have HijackThis installed incorrectly. Please follow the instructions in this thread
    Downloading, Installing, and Running HijackThis


    Once you have finished the above, scan and have HJT fix the following:
    Reboot and post a fresh HijackThis log as an ATTACHMENT.
     
  6. puredesighee

    puredesighee Private E-2

    Sorry for the improper install. I have followed your instructions and have the log file attached.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  8. puredesighee

    puredesighee Private E-2

    Sorry for the delay and I hope that you are still out there. I have attached the Ewido log to this post.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You need to do this in a timely manner, as many of these viruses can mutate. As it has been a few days please post a fresh HijackThis log as an attachment.
     
  10. puredesighee

    puredesighee Private E-2

    I will be on top of it this time. Thanks for continuing to help.

    I ran HijackThis in normal boot with all browsers, etc. closed and it is installed in the program files directory.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Are you still having any problems?
     
  12. puredesighee

    puredesighee Private E-2

    I am. When I run Spybot, after updating, I still am told that the following threats are in my system:

    ISearchTech.YSB
    DyFuCA
    ISearchTech.SideFind

    These cannot be permanently erased by Spybot, Spyware Doctor, MSFT AntiSpyware or Ewido. They always come back. Any assistance would be greatly appreciated.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post your Spybot log that displays what it is finding.
     
  14. puredesighee

    puredesighee Private E-2

    I am sorry for the delay. For some reason, I did not get email notification that you had responded.

    I could not find Spybot's log function, or any log file in its directory structure. However, I have attached a screen shot showing the infections on my computer. Please let me know if this gives you some insight into the problem.

    Thanks!
     
    Last edited by a moderator: Nov 1, 2005
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just right click anywhere in the scan area and select "Save full report to file" and attach that log.
     
  16. puredesighee

    puredesighee Private E-2

    Here is the full report - thanks for the continued help!

    FYI - I had to split it into two files because the site said it was too big to upload.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, reboot and do another scan with Spybot and see if they come back.
     
  18. puredesighee

    puredesighee Private E-2

    Well it sounded like a really good plan, but unfortunately after rebooting they all showed up again. :(

    I again had to split the Spybot log into two files because of the size.
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Uninstall Ewido & Microsoft AntiSpyware and then try to fix them with Spybot. If Spybot can't fix the entries, run the registry patch again.

    There is no reason why the manual reg edit doesn't work.
     
