Removing Doasearch.com

Guest

How do I go about removing this insidious program that has infected all of my
browsers? I cannot download from sites or be directed anywhere except where this
program's supporters' advertisements are. Thanks...
 
jm47 said:
How do I go about removing this insidious program that has infected all of my
browsers? I cannot download from sites or be directed anywhere except where this
program's supporters' advertisements are. Thanks...
 
Hi jm47 :-)

In addition to updating and running your AV, download, install and run the
programs below in Safe Mode with Hidden Files enabled. This will remove the
nasty you have and any others that it may have let in the back door. Some
forms of malware can replicate themselves repeatedly if not removed properly, so
even if you have already run some programs, run them again according to the
information below. Follow all instructions carefully:

First, clear the TIFs and empty the recycle bin:
http://www.mvps.org/winhelp2002/delcache.htm
(The TIF size should be set to 50-60 MB. Larger caches tend to be more prone
to trouble)

If so, then do the following:

WARNING>>>> Backup all documents and files before removing any spyware!!

How to properly scan for scumware (read first, if possible)
http://aumha.org/forum/viewtopic.php?t=5878

Download and install BHODemon from
http://www.definitivesolutions.com/bhodemon.htm
Your problem may be caused by a bad BHO.

Most importantly, download, install and run CWShredder here
http://www.majorgeeks.com/download3019.html
and About Buster, which searches for hidden .dlls that recreate the malware.
http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check
http://aumha.org/a/noads.htm
and
Quick-Fix Protocol.
http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".

Then download, install and immediately update these two programs before
running:

AdAware SE - Update immediately after installing
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
SpyBot S &D - Update immediately after installing
http://www.majorgeeks.com/download2471.html

Download pocket killbox from
http://www.thespykiller.co.uk/files/killbox.exe
and put it on the desktop where you can find it easily

Also download, install, and run HiJackThis - it is one of the very important
tools to clean your system of all scumware. Follow the instructions
carefully:

How to download and install HiJackThis: (it does not need to be updated)
http://www.bleepingcomputer.com/forums/topict309.html

Please DO NOT post your log to this newsgroup. It is important that you go
to one of the HiJackThis Support Forums below and allow the experts there
to analyze it for you:
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please
follow all posting instructions carefully to avoid having your log deleted
or ignored.)

Also, please post a link to the forum where you post your HJT log back to
this thread so that we can follow your progress there.

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

You should also get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

How to Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

How to Show Hidden Files
http://snipurl.com/6rl8

Hope this helps :-)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

All information provided "As Is"
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Thanks Jan: would you believe that the word download in your reply has been
hijacked by this dam program? The word is a different color and is a link to
Doasearch.com
 
Hi jm47 :-)

jm47 said:
Thanks Jan: would you believe that the word download in your reply has been
hijacked by this dam program? The word is a different color and is a link to
Doasearch.com

Humph! Why...the bugger's nastier than I thought! :-) Not
surprising...hopefully, this did not deter or prevent you from completing
the procedures. However, it may indicate that it is a 'thinker' and may
require a more stringent removal process. Please let me know what you find,
and post a link here to the forum where you post your HiJackThis log. I
would be interested in seeing what they find as well.

Hope this helps :-)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

All information provided "As Is"
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Hi jm47 :-)

jm47 said:
Thanks Jan: would you believe that the word download in your reply has been
hijacked by this dam program? The word is a different color and is a link to
Doasearch.com

I have consulted with the experts on this, and they asked that you post your
HJT log to the AumHa HiJackThis Forum here:
http://forum.aumha.org/viewforum.php?f=30

Follow all the instructions, make sure you have run it in Safe Mode, and
tell them that I sent you.
They will be expecting you.

Hope this helps :-)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

All information provided "As Is"
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
jm47 said:
Thanks Jan: I'll keep you updated... Joe

Good! I'll be here... :-)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.
 
Jan: this may be a stupid question, but how do I post the log? I have a copy in
Word Perfect. Thanks... Joe
 
Hi jm47 :-)

Not at all! :-) Here ya go.....

1. Copy the entire log from your Word Perfect file. Make sure it was run in
Safe Mode with Hidden files enabled to be sure you have picked up all the
files that may have been hidden or hide in 'in use' Windows files.
2. Go to one of the forums at the links I gave you, the AumHa forum is fine
3. You will need to register in order to post the log. Then scroll down the
list of groups until you see the HiJackThis section. Click on that link and
it will open the section and then click on the new topic button. List the
details of the problem and what you have done thus far, mention that I sent
you from this newsgroup, then just paste your log in the message space.
4. At the bottom above the submit button, be sure that the "Notify me by
e-mail..." is checked. That way, when there has been a response to your
post you will get a notification of that and the link to click to the post.
So, be sure to give a viable e-mail address that you check often when you
register.

Make sure that you read the requirements at the top of the HiJackThis
section and follow all the steps before posting the log. This will prevent
your post from being ignored or deleted. Any of the steps you have already
completed are fine.

If you need any further help just post back here. :-)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

All information provided "As Is"
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Hi jm47 :-)

I was not able to find the log, would you please post the name under which
you posted, or a link to your post there?


Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.
 
Hi jm47 :-)

jm47 said:
Hi Jan: it's in the Hijack Log section under heading "Need Help/Jan Sent
Me".... Author: JM47

Ah....how could I have missed it? <g>

Thank you! I'll check again.


Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
 
Jan: one of the lines Jim has suggested I remove is: 04 HKLM\\systray.exe. Don't
I need that one?... Joe
 
Hi Joe :-)

jm47 said:
Jan: one of the lines Jim has suggested I remove is: 04 HKLM\\systray.exe. Don't
I need that one?... Joe

I'll check it out for you..........be back soon. :-)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
 
Hi Joe :-)

jm47 said:
Jan: one of the lines Jim has suggested I remove is: 04 HKLM\\systray.exe. Don't
I need that one?... Joe

k...here is the information to answer your question:

Per Jim Eshelman:

Go to http://castlecops.com/StartupList.html and drop SysTray.Exe into the
box for a search. You'll get a number of variants on this, some legit and
some illegit. For the specific version of a file named SysTray.Exe which
gives the identifier [SystemTray] we get this entry:

/Quote/
Added as a result of the ALADINZ.P VIRUS! Note - this is not the valid
System Tray (systray.exe) which resides in C:\Windows\System (Win9x/Me),
C:\Winnt\System32 (WinNT/2K) or C:\Windows\System32 (WinXP). If you
right-click on the real systray.exe the "Properties" reveal it to be a
Microsoft file.
/end quote/

Not all files that look legitimate may be. Some can take on the appearance,
and name, of legitimate files to deceive. If you want to be absolutely
sure, check against the information above. Go to the file location of the
file in the list Jim said for you to delete, then Right click>Properties and
see what it says. If it does not say Microsoft then it is not a legitimate
file.

Also....another bit of good
<<....Per Jim,

..... - systray isn't usually required even when we speak of the legitimate
one! It's only used for a very few specific purposes. It loads by default,
but isn't a required file and, in 9x days, we used to have people disable it
occasionally when there was a problem. See this KB article for a discussion:
http://support.microsoft.com/?kbid=128129&sd=RMVP ....>>

If you have any other questions, please feel free to ask here, or post back
to the forum :-)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
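
The location check described in the post above can be run against a HijackThis log before looking at the disk. This is an added example, not code from the thread or from HijackThis; it assumes the usual `O4 - HKLM\..\Run: [name] command` line layout, uses the three directories given in the quoted StartupList entry, and the sample log lines are constructed.

```python
import ntpath
import re

# Directories the quoted StartupList entry gives for the genuine systray.exe.
LEGIT_DIRS = {
    r"c:\windows\system",    # Win9x/Me
    r"c:\winnt\system32",    # WinNT/2K
    r"c:\windows\system32",  # WinXP
}

# Assumed HijackThis autorun layout: O4 - HKLM\..\Run: [ValueName] command
O4_RUN = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

# Constructed sample lines, not taken from the poster's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SysTray] C:\WINDOWS\system32\systray.exe
O4 - HKCU\..\Run: [Tray] "C:\Documents and Settings\user\Local Settings\Temp\systray.exe" /s
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\avtray.exe
"""

def image_path(command):
    """Return the executable part of a Run command, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(?i)^(.*?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command)
    return match.group(1) if match else command

def classify(line, name="systray.exe"):
    """Classify one log line with respect to the file name being checked."""
    m = O4_RUN.match(line.strip())
    if not m:
        return "not-o4-run"
    directory, base = ntpath.split(image_path(m.group(4)))
    if base.lower() != name:
        return "other"
    if not directory:
        return "unresolved"  # bare file name: the log alone cannot place it on disk
    return "expected-dir" if directory.lower() in LEGIT_DIRS else "suspicious-dir"

def scan(log):
    """Return (line, verdict) for every autorun entry that launches the checked name."""
    results = [(l, classify(l)) for l in log.splitlines() if l.strip()]
    return [r for r in results if r[1] in ("unresolved", "expected-dir", "suspicious-dir")]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15} {line}")
```

An `expected-dir` result only means the path matches; the Properties check described in the post still applies, and an `unresolved` entry has to be located on disk first.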
 
Jan: I'm sorry for not replying sooner. I just want to thank you for all your
help. Finally my computer is back to normal thanks to you. Steve from
Aumha.net (which you suggested) steered me to Kaspersky's website where their
anti-virus program found and eliminated my problem. I appreciate everything
you did for me... Joe
 
Hi Joe :-)

jm47 said:
Jan: I'm sorry for not replying sooner. I just want to thank you for all your
help. Finally my computer is back to normal thanks to you. Steve from
Aumha.net (which you suggested) steered me to Kaspersky's website where their
anti-virus program found and eliminated my problem. I appreciate everything
you did for me... Joe

You're very welcome! And, I'm very glad to hear you were able to get your
problem resolved.
Good job!

Thank you for posting back and letting us know what worked for you, and for
the benefit of other readers who might have a similar problem. :-)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
 