[Ziola]

[FONT=Arial]
Hello, I have AZESEARCH tool bar on my computer.

I have Windows XP, Zone Alarm, Spy Sweeper, Ad-Aware, Spybot S&D, Hijack this.

I have run Spy Sweeper, Ad-Aware and Spybot S&D both in normal mode and safe mode and the toolbar is still on my computer.

When I go into Internet Explorer, Spy Sweeper pops up showing 194 alerts that have been added to my favorites folder. After removing, they pop up again.

I have attached a log file.

Hope you can help.

Thanks Ziola

Attached Files

•  ziola_hijack_log_29.04.2005.txt   3.89KB   318 downloads

Edited by Ziola, 29 April 2005 - 10:56 AM.

[Advertisements]

Hello, I have installed the following:

Ad-Aware SE
Spybot Search & Destroy
Spy Sweeper
Spyware Doctor
Spyware Blaster
WinPatrol
CWShredder

I ran them all and did the usual removal of infections. In WinPatrol, I found the AZESEARCH Components and removed them.

I then restarted the computer in SAFE mode and I ran:

Spy Sweeper - found and removed 1 trace
Ad-Aware SE - found and removed 6 Crack Spiders
Spybot Search & Destroy - found and fixed 1 trace
Spyware Doctor - found 0 traces
Spyware Blaster - Protection enabled
CWShredder - found 0 CWS

Then I did a hijack log (log 2) in SAFE mode  ziola_hijack_log_2_29.04.2005.txt   3.53KB   364 downloads

I then restarted my computer in the normal way. My startup programs are:

ZoneAlarm
Spy Sweeper
WinPatrol
Spyware Doctor

Then I did another hijack log (log3)  ziola_hijack_log_3_29.04.2005.txt   4.1KB   359 downloads

My computer runs a little slow.

Also when I went into Internet Explorer

The AZESEARCH toolbar is GONE!!!!!!!!!!

When I first went into Internet Explorer, an Adult pop up appeared so I closed it.

Then I went back in and cleared the FAVOURITES folder.

So far no problems. My Address Toolbar was empty, but as long as there is no AZESEARCH I dont mind.

Not sure if there is anymore Spyware though.

Thanks to your forums Hopefully I've solved this

[/B]WARNING TO ALL - BE CAREFUL ABOUT WHICH SITES YOU VISIT
- UPDATE YOUR COMPUTER REGULARLY
- USE THIS SITE FOR INVALUABLE HELP AND ADVICE[B]

[Ziola]

Hello, I have installed the following:

Ad-Aware SE
Spybot Search & Destroy
Spy Sweeper
Spyware Doctor
Spyware Blaster
WinPatrol
CWShredder

I ran them all and did the usual removal of infections. In WinPatrol, I found the AZESEARCH Components and removed them.

I then restarted the computer in SAFE mode and I ran:

Spy Sweeper - found and removed 1 trace
Ad-Aware SE - found and removed 6 Crack Spiders
Spybot Search & Destroy - found and fixed 1 trace
Spyware Doctor - found 0 traces
Spyware Blaster - Protection enabled
CWShredder - found 0 CWS

Then I did a hijack log (log 2) in SAFE mode  ziola_hijack_log_2_29.04.2005.txt   3.53KB   364 downloads

I then restarted my computer in the normal way. My startup programs are:

ZoneAlarm
Spy Sweeper
WinPatrol
Spyware Doctor

Then I did another hijack log (log3)  ziola_hijack_log_3_29.04.2005.txt   4.1KB   359 downloads

My computer runs a little slow.

Also when I went into Internet Explorer

The AZESEARCH toolbar is GONE!!!!!!!!!!

When I first went into Internet Explorer, an Adult pop up appeared so I closed it.

Then I went back in and cleared the FAVOURITES folder.

So far no problems. My Address Toolbar was empty, but as long as there is no AZESEARCH I dont mind.

Not sure if there is anymore Spyware though.

Thanks to your forums Hopefully I've solved this

[/B]WARNING TO ALL - BE CAREFUL ABOUT WHICH SITES YOU VISIT
- UPDATE YOUR COMPUTER REGULARLY
- USE THIS SITE FOR INVALUABLE HELP AND ADVICE[B]

[Kat]

Logfile of HijackThis v1.99.1
Scan saved at 23:33:50, on 29/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonela...ReqId=958879026
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114115798690
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\qrv.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ziola]

Hello Kat, does this mean I've gotten rid of any Spyware stuff?

Do I need to post a new Hijack This log?

 ziola_hijack_log_4_30.04.2005.txt   4.23KB   277 downloads

Thanks

[Kat]

hello! I have not given you any instructions yet on how to remove your instructions. Please don't post your HJT log as an attachment. Instead, when the log opens in Notepad after the scan, copy and paste it here with your reply, as I have done in the last post I made above. I am working on analyzing your log, and will have instructions for you posted in this thread afterwhile!

[Ziola]

Hello Kat, oops, I thought it would be easier.

Thanks Ziola

[Kat]

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114115798690
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\qrv.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

[/b]Please delete these files using Windows Explorer(if present):
C:\WINDOWS\shginas.dll

After that, Reboot.

After you reboot, please paste a fresh HJT log here for review, and let me know how the pc is running now.

[Ziola]

Hello, preformed the scan and removed the entries.

In safe mode I deleted the C:\WINDOWS\shginas.dll file and restarted my computer. But now my computer is running even slower!

Here is my most recent Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 02:54:00, on 30/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ziola\My Documents\INSTALLATION PROGRAMS\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonela...ReqId=958879026
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks, Ziola

[Kat]

You have a clean log now. there are some optional removals I can tell you about that will help speed up your performance.

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Those items do not need to automatically run in the background. They are doing that, even though you aren't using them at the moment, and they can hog your resources. YOu can use Spybot to easily decide what you do and do not want to start up each time. Open Spybot and click on "Mode", then check "Advanced". on the left, click on "Tools" then "System Startup". YOu can safely remove the checks beside each of the above entries. If there are any others currently set to start when you boot the pc upthat you aren't sure of, reply here and let me know what they are, and I'll be glad to let you know what they are!

[Ziola]

Hello Kat, THANK YOU

Thumbs Up!!

This website is the absolute best and you guys ROCK!!!!

Thanks Ziola

[Kat]

You're very welcome, and thank you!

This topic is being closed as it is resolved. If you need help in the future, please feel free to start a new topic!