Removing amazing autosearch toolbar from my system

[DEBBIED58]

A TOOLBAR HAS APPEARED AT THE BOTTOM OF MY SCREEN WHEN I
LOG INTO INTERNET EXPLORER. IT SAYS AMAZING AUTOSEARCHES.
I HAVE TRIED TO DELETE IT AND CANNOT. ANY IDEAS HOW TO
REMOVE IT? I THINK THAT IT WAS INSTALLED WHEN MY SON
VISITED A PARTICULAR WEBSITE.

 

[Thorsten Matzner]

A TOOLBAR HAS APPEARED AT THE BOTTOM OF MY SCREEN WHEN I
LOG INTO INTERNET EXPLORER. IT SAYS AMAZING AUTOSEARCHES.
I HAVE TRIED TO DELETE IT AND CANNOT. ANY IDEAS HOW TO
REMOVE IT? I THINK THAT IT WAS INSTALLED WHEN MY SON
VISITED A PARTICULAR WEBSITE.

See if Ad-aware (http://www.lavasoft.de) can help you to get rid of
it.

 

[nkjg]

Hi there,

First of all, please do not post with all caps lock. It
just makes your message harder to read.

It sounds like you have an adware toolbar on your computer.
There are several adware removal programs out there.

Ad-aware
www.lavasoftusa.com

Spybot Search & Destroy
http://www.safer-networking.org/

These are the two that I use most often. Run Ad-aware first
and then Spybot. It is usually good practice to run these
programs as often as you would an anti-virus scan.

Hope this helps,

Nick
(e-mail address removed)

 

[Someone]

I think it's a spyware, download Spybot Search & Destroy
to remove it or goto http://www.doxdesk.com/parasite/
it'll show you how to remove bunch of spyware I used
Spybot and it work very well on my computer and it's
free !!!
I hope this'll help

 

[Seancito]

AutoSearch is an IE Browser Helper Object that hijacks address-bar searches.
It knows about some of the other prevalent search-hijackers - IGetNet,
CommonName and NewDotNet - and will steal back any address bar searches they
take over

Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.

Distribution
As yet unknown.

What it does
Advertising
No, though Wink/ASWnk does. (See below.)

Any address bar search you do is sent to a single page at www.tunders.com
(which includes only static adverts, no search results).

Privacy violation
No.

Security issues
No.

Stability problems
None known.

Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and
enter the following commands:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll
You should now be able to delete the 'msinfosys.dll' file in your System
folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).

It is believed that AutoSearch is installed with or by Wink/ASWnk - check
your system for this parasite.

Wink removal
Wink is a family of parasites based on an original dialler. It cannot be
detected by the script at this site. Some variants of Wink are actual
diallers; others have had this function disabled and act as adware. Wink can
download and execute arbitrary unsigned code from its controlling server at
204.177.92.204. It also puts an entry in Add/Remove Programs to run a file
'[variant name]_uninstall.exe' in the Windows System folder, which doesn't
uninstall the software, but in dialler variants makes the software hide
instead of showing itself at startup.

Wink can be spotted by opening the registry (click 'Start', choose 'Run',
enter 'regedit') and finding the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; Wink
variants have a characteristic run string ending in '/noconnect'. This entry
should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons,
and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK
File. If you use Netscape 4, dialler variants will also add themselves to
the 'User Trusted External Applications' in
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator; its entries here
should be deleted.

Then restart and delete the program file, which usually lives in a folder
called 'dialers' in 'C:\Program Files', but see the following variants:

Wink/Party: dialler, program file in
'files\dialers\online_party\online_party.exe'.

Wink/hot: various diallers: at least hot_swiss, hot_canada and
hotsurprise_in have been seen. Program file is in the form
'dialers\hot_swiss\hot_swiss.exe' (and so on for the other variants).

Wink/HornyCam: various diallers: at least hornycam_jp has been seen. Program
file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.

Wink/EasyDates: various diallers: at least hornycam_jp has been seen.
Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.

Wink/UKVideo2: another dialler, program file
'dialers\ukvideo2\ukvideo2.exe'.

Wink/VideoAction: more diallers: at least videoaction_se has been seen.
Program file in the form
'comsoft\dialers\videoaction_se\videoaction_se.exe'.

Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl
have been seen. Program file in the form
'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key
'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos
anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is
ASWnk.exe in a Program Files folder called 'primesoft\ASWnk' (instead of the
usual 'dialers').

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath)
0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com. Program
file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake
pop-up-killer application (which claims it has failed to run), by
stopannoyingpopups.com; exploitation of an IE security hole is suspected
here.

Wink/dluca: not a dialler. Program file is
'msinstall\dlu32\dluca\dluca.exe', hidden in the Windows System[32] folder
instead of Program Files.

Wink/infwin: not a dialler. Program file is 'infwin.exe', hidden in the
Windows System[32] folder instead of Program Files.

Wink/win and Wink/win32: not a dialler. Program file depends on country; at
least 'winde.exe', 'win32us.exe', 'win32gb.exe' have been seen, in the
Windows System[32] folder.

Parasite detection & information

(e-mail address removed)

 

[nkjg]

Holy crap that's a lot of info... =P

Nick
(e-mail address removed)

-----Original Message-----
AutoSearch is an IE Browser Helper Object that hijacks address-bar searches.
It knows about some of the other prevalent search-hijackers - IGetNet,
CommonName and NewDotNet - and will steal back any address bar searches they
take over

Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.

Distribution
As yet unknown.

What it does
Advertising
No, though Wink/ASWnk does. (See below.)

Any address bar search you do is sent to a single page at www.tunders.com
(which includes only static adverts, no search results).

Privacy violation
No.

Security issues
No.

Stability problems
None known.

Removal
Open a DOS command prompt window (from

Start->Programs->Accessories) and

enter the following commands:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll
You should now be able to delete the 'msinfosys.dll' file in your System
folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).

It is believed that AutoSearch is installed with or by Wink/ASWnk - check
your system for this parasite.

Wink removal
Wink is a family of parasites based on an original dialler. It cannot be
detected by the script at this site. Some variants of Wink are actual
diallers; others have had this function disabled and act as adware. Wink can
download and execute arbitrary unsigned code from its controlling server at
204.177.92.204. It also puts an entry in Add/Remove Programs to run a file
'[variant name]_uninstall.exe' in the Windows System folder, which doesn't
uninstall the software, but in dialler variants makes the software hide
instead of showing itself at startup.

Wink can be spotted by opening the registry (click 'Start', choose 'Run',
enter 'regedit') and finding the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; Wink
variants have a characteristic run string ending in '/noconnect'. This entry
should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons,
and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK
File. If you use Netscape 4, dialler variants will also add themselves to
the 'User Trusted External Applications' in
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator; its entries here
should be deleted.

Then restart and delete the program file, which usually lives in a folder
called 'dialers' in 'C:\Program Files', but see the following variants:

Wink/Party: dialler, program file in
'files\dialers\online_party\online_party.exe'.

Wink/hot: various diallers: at least hot_swiss, hot_canada and
hotsurprise_in have been seen. Program file is in the form
'dialers\hot_swiss\hot_swiss.exe' (and so on for the other variants).

Wink/HornyCam: various diallers: at least hornycam_jp has been seen. Program
file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.

Wink/EasyDates: various diallers: at least hornycam_jp has been seen.
Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.

Wink/UKVideo2: another dialler, program file
'dialers\ukvideo2\ukvideo2.exe'.

Wink/VideoAction: more diallers: at least videoaction_se has been seen.
Program file in the form
'comsoft\dialers\videoaction_se\videoaction_se.exe'.

Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl
have been seen. Program file in the form
'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key
'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos
anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is
ASWnk.exe in a Program Files folder called

'primesoft\ASWnk' (instead of the

usual 'dialers').

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath)

0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com.

Program
file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake
pop-up-killer application (which claims it has failed to run), by
stopannoyingpopups.com; exploitation of an IE security hole is suspected
here.

Wink/dluca: not a dialler. Program file is
'msinstall\dlu32\dluca\dluca.exe', hidden in the Windows System[32] folder
instead of Program Files.

Wink/infwin: not a dialler. Program file is 'infwin.exe', hidden in the
Windows System[32] folder instead of Program Files.

Wink/win and Wink/win32: not a dialler. Program file depends on country; at
least 'winde.exe', 'win32us.exe', 'win32gb.exe' have been seen, in the
Windows System[32] folder.

Parasite detection & information

(e-mail address removed)


.

 

[someone]

It's the only one that is really useful though.

-----Original Message-----
Holy crap that's a lot of info... =P

Nick
(e-mail address removed)

-----Original Message-----
AutoSearch is an IE Browser Helper Object that hijacks address-bar searches.
It knows about some of the other prevalent search-hijackers - IGetNet,
CommonName and NewDotNet - and will steal back any

address
bar searches they

take over

Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.

Distribution
As yet unknown.

What it does
Advertising
No, though Wink/ASWnk does. (See below.)

Any address bar search you do is sent to a single page

at

www.tunders.com
(which includes only static adverts, no search results).

Privacy violation
No.

Security issues
No.

Stability problems
None known.

Removal
Open a DOS command prompt window (from

Start->Programs->Accessories) and

enter the following commands:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll
You should now be able to delete the 'msinfosys.dll'

file
in your System

folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).

It is believed that AutoSearch is installed with or by Wink/ASWnk - check
your system for this parasite.

Wink removal
Wink is a family of parasites based on an original dialler. It cannot be
detected by the script at this site. Some variants of

Wink
are actual

diallers; others have had this function disabled and act as adware. Wink can
download and execute arbitrary unsigned code from its controlling server at
204.177.92.204. It also puts an entry in Add/Remove Programs to run a file
'[variant name]_uninstall.exe' in the Windows System folder, which doesn't
uninstall the software, but in dialler variants makes

the
software hide

instead of showing itself at startup.

Wink can be spotted by opening the registry (click 'Start', choose 'Run',
enter 'regedit') and finding the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer

sion\Run;

Wink
variants have a characteristic run string ending in '/noconnect'. This entry
should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons,
and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK
File. If you use Netscape 4, dialler variants will also add themselves to
the 'User Trusted External Applications' in
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator; its entries here
should be deleted.

Then restart and delete the program file, which usually lives in a folder
called 'dialers' in 'C:\Program Files', but see the following variants:

Wink/Party: dialler, program file in
'files\dialers\online_party\online_party.exe'.

Wink/hot: various diallers: at least hot_swiss, hot_canada and
hotsurprise_in have been seen. Program file is in the form
'dialers\hot_swiss\hot_swiss.exe' (and so on for the

other

variants).

Wink/HornyCam: various diallers: at least hornycam_jp

has
been seen. Program

file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.

Wink/EasyDates: various diallers: at least hornycam_jp

has
been seen.

Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.

Wink/UKVideo2: another dialler, program file
'dialers\ukvideo2\ukvideo2.exe'.

Wink/VideoAction: more diallers: at least videoaction_se has been seen.
Program file in the form
'comsoft\dialers\videoaction_se\videoaction_se.exe'.

Wink/DateMaker: more diallers: at least datemakerspain

and

datemakerintl
have been seen. Program file in the form
'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key
'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos
anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is
ASWnk.exe in a Program Files folder called

'primesoft\ASWnk' (instead of the

usual 'dialers').

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath)

0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-

oll11iz0oil-ol.com.
Program
file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake
pop-up-killer application (which claims it has failed to run), by
stopannoyingpopups.com; exploitation of an IE security hole is suspected
here.

Wink/dluca: not a dialler. Program file is
'msinstall\dlu32\dluca\dluca.exe', hidden in the Windows System[32] folder
instead of Program Files.

Wink/infwin: not a dialler. Program file

is 'infwin.exe',
hidden in the

Windows System[32] folder instead of Program Files.

Wink/win and Wink/win32: not a dialler. Program file depends on country; at
least 'winde.exe', 'win32us.exe', 'win32gb.exe' have

been
seen, in the

Windows System[32] folder.

Parasite detection & information

(e-mail address removed)


.

.

 

[sputtereddog]

After I followed your instructions and typed:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll

I got an error message saying:

LoadLibrary("msinfosys.dll")failed - The specified module could not b
found.

Any idea what that means? Went to System32 folder and couldn't find th
'msinfosys.dll' file either.

The people at www.lop.com are idiots. I now have a bar on top and a
the bottom, and my homepage is irretrievably set a
http://tinyurl.com/388dy
even though adaware and spybot have removed all other traces of it.
also had to manually remove new folders in the favorites menu. Thre
hours fiddling with this! just because downloaded an mp3 file from mp
search!!! Not my day


-
sputtereddo

 

[David Candy]

adware probably got it and typed it for you.

 

[remeizo]

this amazing autosearch thing is a pain to get rid of, i have run virus
scan, hijack this, ashampoo, adware 6.0, spybot search and destroy then
deleted all the registry keys, talk about hard to kill, good thing it
is just a huge annoyance, i hope someone can solve this case and help
all who might fall victim to this thing. as of yet i have no solution

 

[John Stables]

After I followed your instructions and typed:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll

I got an error message saying:

LoadLibrary("msinfosys.dll")failed - The specified module could not be
found.

Any idea what that means? Went to System32 folder and couldn't find the
'msinfosys.dll' file either.

The people at www.lop.com are idiots. I now have a bar on top and at
the bottom, and my homepage is irretrievably set at
http://tinyurl.com/388dy
even though adaware and spybot have removed all other traces of it. I
also had to manually remove new folders in the favorites menu. Three
hours fiddling with this! just because downloaded an mp3 file from mp3
search!!! Not my day.

Hey I have the same problem too, the specified module could not be
found. Did you ever find a way to get rid of this annoying toolbar?