Hijack´ed by AZESEARCH - hijack this Log -[RESOLVED]


#1
Yehaten
Hi,

I have been a very big fool, I installed an ActiveX. I know it was wrong but I did it anyway, and what did I get? Exactly....a whole lot of problems....

I got the AZESearch Toolbar, and I have first run Lavasoft Ad-Aware and Spybot Sweeper.
Then I deleted everything with Azesearch in the registry.
And I deleted three files from my computer that had the name azesearch (and I don't mean cookies).
I think the problem is solved, but I ran HijackThis anyway.

So now my HijackThis log looks like this, and I am not very good at reading this kind of logs.
Now I want some tips and expert help here....is there something more that I have in my computer that I can remove?
Please answer this, I would be very grateful.
// Yehaten "The Swede"

Logfile of HijackThis v1.99.1
Scan saved at 11:49:49, on 2005-05-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\DirectUpdate\DUControl.exe
C:\Program\DU Meter\DUMeter.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\DIRECT~2\DUService.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\Program\Gene6 FTP Server\G6FTPTray.exe
C:\Program\Gene6 FTP Server\G6FTPSERVER.EXE
D:\Hemtankat\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avanza.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.11 www.google.co.uk
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.ca
O1 - Hosts: 69.50.166.11 google.ca
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 www.google.de
O1 - Hosts: 69.50.166.11 google.de
O1 - Hosts: 69.50.166.11 www.google.fr
O1 - Hosts: 69.50.166.11 google.fr
O1 - Hosts: 69.50.166.11 www.google.com.au
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.msn.com
O1 - Hosts: 69.50.166.12 msn.com
O1 - Hosts: 69.50.166.12 search.msn.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] C:\Program\DirectUpdate\DUControl.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
------------------------

#2
Metallica
Hi Yehaten,

I have the feeling the bottom part of your log is missing.

Please find the file C:\WINDOWS\System32\drivers\etc\hosts and rename it to hosts.bak

Then post back with a new and complete HijackThis log.

Regards,

#3
Yehaten
Renamed hosts to hosts.bak.
And the complete new HijackThis log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 13:55:22, on 2005-05-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\DirectUpdate\DUControl.exe
C:\Program\DU Meter\DUMeter.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\DIRECT~2\DUService.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\Program\Gene6 FTP Server\G6FTPTray.exe
C:\Program\Gene6 FTP Server\G6FTPSERVER.EXE
C:\WINDOWS\explorer.exe
D:\Hemtankat\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avanza.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] C:\Program\DirectUpdate\DUControl.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\Program\DIRECT~2\DUService.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: NetOp Helper ver. 7.65 (2004278) (NetOp Host for NT Service) - Danware Data A/S - C:\Program\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)

#4
Metallica
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll

O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -

Then reboot and post a new log.

Regards,
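
The mechanical part of the selection in the post above can be reproduced from the log text. This is an added example, not from the thread and not part of HijackThis: it parses the O1, O2, O3 and O16 lines, groups hosts-file redirects by IP, and flags BHO, toolbar and DPF entries whose file or download source is missing. The function and variable names are assumptions, and the sample lines are copied from the logs posted here.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r'''O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.12 search.msn.com
O1 - Hosts: 69.50.166.12 go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)
'''

ENTRY_RE = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<body>.*)$')
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
LOOPBACK = {'127.0.0.1', '::1'}


def triage(log_text):
    """Return (hosts redirects grouped by IP, [(section, clsid)] to review)."""
    hosts = defaultdict(list)
    review = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group('sec'), m.group('body')
        if sec == 'O1':
            h = HOSTS_RE.match(body)
            if h and h.group('ip') not in LOOPBACK:
                hosts[h.group('ip')].append(h.group('host'))
        elif sec in ('O2', 'O3', 'O16'):
            clsid = CLSID_RE.search(body)
            if clsid is None:
                continue
            tail = body[clsid.end():].strip()
            # Registration left behind after the DLL was deleted by hand.
            orphan = body.endswith(('(file missing)', '(no file)'))
            # DPF entry with nothing after the CLSID: no name, no source URL.
            no_source = sec == 'O16' and tail == '-'
            if orphan or no_source:
                review.append((sec, clsid.group(0).lower()))
    return dict(hosts), review


if __name__ == '__main__':
    redirects, to_review = triage(SAMPLE_LOG)
    for ip, names in redirects.items():
        print(ip, '<-', ', '.join(names))
    for sec, clsid in to_review:
        print('review', sec, clsid)
```

The check yields four of the five listed entries; BHOMoneyGainer is not among them because its DLL exists on disk, so it has to be recognised by name or CLSID. O23 lines are skipped on purpose: the WinVNC service is marked "(file missing)" although the same executable appears under running processes.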

#5
Yehaten
I have done exactly what you have told me....so here comes the new log.
I have to say thank you for your help also.

Does it look fine now?

Logfile of HijackThis v1.99.1
Scan saved at 07:53:11, on 2005-05-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\DirectUpdate\DUControl.exe
C:\Program\DU Meter\DUMeter.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\DIRECT~2\DUService.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\TightVNC-unstable\WinVNC.exe
D:\Hemtankat\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avanza.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] C:\Program\DirectUpdate\DUControl.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\Program\DIRECT~2\DUService.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: NetOp Helper ver. 7.65 (2004278) (NetOp Host for NT Service) - Danware Data A/S - C:\Program\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)

#6
Metallica
Good job. :tazz:

That is one clean log to go.

Is your computer behaving as it should?

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,

#7
Yehaten
Well....it works fine, although it seems like that.

But I had the problem earlier that I got pop-ups to the site www.adultfinder.com when I started a new Internet Explorer window.
So I searched the registry and found on this location:
Hkey_Local_Machine\Software\IsaAdc\IsaAdp\replace_url_with
and
Hkey_Local_Machine\Software\IsaAdc\IsaAdp\replace_url_to

In there I found the word adultfinder.
So I deleted both these strings.
And the pop-ups stopped (I restarted the computer).

Now on the same place:
Hkey_Local_Machine\Software\IsaAdc\IsaAdp\
I got a new key that says "stats"
And in there I got three values that say:
xxx/bwbo{b/tf Value: 2
xxx/wjmeb Value: 1
xxx/wjmebxfccfo/dpn Value: 1

Don't know what that is....got any suggestions?
I didn't have it before (when I deleted the values with adultfinder).

I don't want any backdoor-action in my computer.

#8
Metallica
The adultfinder popups were caused by this BHO we removed:
http://castlecops.com/clsid-1845.html

Click Start > Run > type or copy&paste
regedit /e c:\isaadc.txt "HKEY_LOCAL_MACHINE\SOFTWARE\IsaAdc"

This will create the file c:\isaadc.txt
Open that file in notepad and post the content.

Regards,

#9
Yehaten
I tried that command but nothing happened.

Not even any message that the string was not valid or anything like that.
And no file was created.
- EDIT -
My bad...I typed the wrong path earlier, and tried with the wrong path.
When I realised that mistake and changed the path, the file was created.
And it was this type of information that you wanted. So there is always more than one way to the goal ;-)
- EDIT END -

So I did something else, don't know if that is the value that you want but.
I opened Regedit and put the marker on the IasAdc-folder and right-clicked and made an Export.
Then I opened the exported file in Notepad and I got this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc]

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc\IasAdp]
"GUID"="92b7ae17-aadd-41aa-8e59-2c1da59a069f"
"DateTimeHigh"=dword:01c55066
"DateTimeLow"=dword:981f986b
"xml_file"="shginasn.xml"
"UPDATE_EVERY"="480"

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc\IasAdp\searchEngines]
"1041_google"="&q="
"1467_google"="?q="
"1334_aolsearch"="&query="
"1500_aolsearch"="?query="
"1169_ask.com"="&q="
"1724_ask.com"="?q="
"1478_teoma.com"="&q="
"1358_teoma.com"="?q="
"1962_hotbot.com"="&query="
"1464_hotbot.com"="?query="
"1705_netscape.com"="&query="
"1145_netscape.com"="?query="
"1281_lycos.com"="&query="
"1827_lycos.com"="?query="
"1961_dmozg.com"="&search="
"1491_dmozg.com"="?search="
"1995_iwon.com"="&searchfor="
"1942_iwon.com"="?searchfor="
"1827_looksmart.com"="&key="
"1436_looksmart.com"="?key="
"1391_yahoo"="&p="
"1604_yahoo"="?p="
"1902_search.msn.com"="&q="
"1153_search.msn.com"="?q="
"1292_msnsearch.com"="&q="
"1382_msnsearch.com"="?q="
"1421_alltheweb.com"="&q="
"1716_alltheweb.com"="?q="
"1718_overture.com"="&Keywords="
"1895_overture.com"="?Keywords="
"1447_altavista.com"="&q="
"1726_altavista.com"="?q="

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc\IasAdp\stats]
"xxx/bwbo{b/tf"="2"
"xxx/wjmeb"="1"
"xxx/wjmebxfccfo/dpn"="1"

Edited by Yehaten, 04 May 2005 - 02:52 AM.
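
The value names under the `stats` key in the export above are readable once every character is moved down one code point: the first one becomes `www.avanza.se`, the start page shown in the HijackThis logs. This is an added example, not from the thread: it parses the string values of a `.reg` export and searches for the shift that turns all names under `stats` into hostname-shaped strings, which is more general than the single shift seen here. The function names are assumptions, and the embedded text is an excerpt of the posted export.

```python
import re

# Excerpt of the registry export posted above (names and values unchanged).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc\IasAdp]
"xml_file"="shginasn.xml"
"UPDATE_EVERY"="480"

[HKEY_LOCAL_MACHINE\SOFTWARE\IasAdc\IasAdp\stats]
"xxx/bwbo{b/tf"="2"
"xxx/wjmeb"="1"
"xxx/wjmebxfccfo/dpn"="1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
HOST_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)+$')


def parse_reg(text):
    """Parse string values of a .reg export into {key_path: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys


def shift_down(s, k):
    """Move every character k code points down, wrapping inside ASCII."""
    return ''.join(chr((ord(c) - k) % 128) for c in s)


def find_shift(names, max_shift=25):
    """Smallest k for which every shifted name looks like a hostname."""
    for k in range(1, max_shift + 1):
        decoded = [shift_down(n, k) for n in names]
        if all(HOST_RE.match(d) for d in decoded):
            return k, decoded
    return None


def decode_stats(text, key_suffix=r'\stats'):
    """Return (shift, {decoded_name: value}) for the stats key, or None."""
    for key, values in parse_reg(text).items():
        if key.endswith(key_suffix) and values:
            found = find_shift(list(values))
            if found:
                k, decoded = found
                return k, dict(zip(decoded, values.values()))
    return None


if __name__ == '__main__':
    print(decode_stats(REG_EXPORT))
```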

#10
Metallica
That's exactly what I wanted. :tazz:

Right-click that registry subkey (IasAdc) and choose delete.

Save the export you made, in case you need a backup.
You can import .reg files by double-clicking them and confirming you want to merge with the registry.

Find this file shginasn.xml
Very likely in C:\WINDOWS\ and delete that as well.

Regards,

#11
Yehaten
Case Complete....Now I am clean as a MF :-D, or in other words just,
Now I am clean from Spyware and Trojans and all other kinds of trash.

The last file shginasn.xml is deleted, and I had to look into it, and it was, among other addresses, just this adultfinder in it. But now the thief is gone.

Thank You very much for your help.

Sweden "Over and Out"

// Yehaten

#12
Metallica
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.