Azesearch won't go away plus pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by KevB, Apr 11, 2005.

  1. KevB

    KevB Private E-2

    Hi
    A couple of days ago my toolbar was replaced by Azesearch and all search engines defaulted to this. I tried all the preventative measures and thought I had removed this but then it came back and started making my home page all porn sites as well as placing several icons on my desktop for adult sites and spyware removal. I have just repeated the removal steps and although the browser appears normal, running the hijackthis seems to show that azesearch is still there and so I guess it will come back.

    As well as this I am getting constantly bombarded with grey pop up windows claiming to come from the System saying my registry is corrupt and I should go to www.registry-doctor.com to fix. This can happen several times a minute and is extremely annoying.

    I am attaching the HJT log to this message and any help offered would be greatly appreciated.

    Many thanks

    KB
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow forum guidelines before posting HijackThis logs.

    - Run ALL the steps in this Sticky thread: "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal". Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and select the below lines but do not click fix until you exit all browsers including this one:

    O1 - Hosts: 69.50.166.11 google.co.uk
    O1 - Hosts: 69.50.166.11 www.google.es
    O1 - Hosts: 69.50.166.11 google.es
    O1 - Hosts: 69.50.166.11 google.com.au
    O1 - Hosts: 69.50.166.14 yahoo.com
    O1 - Hosts: 66.218.75.184 mail.yahoo.com
    O1 - Hosts: 69.50.166.12 www.go.com
    O1 - Hosts: 69.50.166.12 go.com
    O1 - Hosts: 69.50.166.13 astalavista.com
    O1 - Hosts: 69.50.166.13 www.astalavista.com
    O1 - Hosts: 69.50.166.13 astalavista.box.sk
    O1 - Hosts: 69.50.166.13 cracks.am
    O1 - Hosts: 69.50.166.13 www.cracks.am
    O2 - BHO: AddressBar Class - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - C:\WINDOWS\system32\iasad.dll
    O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\azesearch2.ocx
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://www.azebar.com/install/azesearch.cab

    After clicking fix, exit HijackThis.

    - Now reboot into safe mode and run Windows Explorer and delete the below:
    C:\WINDOWS\system32\iasad.dll
    C:\WINDOWS\System32\azesearch2.ocx

    - Now reboot in normal mode and create a new HJT log

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
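
Added example, not part of the original thread and not MajorGeeks or HijackThis code: a small triage script that parses the O1, O2 and O16 line formats quoted in the fix list above and groups hosts-file overrides by the IP address they point at. The function names and the sample text are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entries copied from the fix list above, plus one benign
# localhost line added here for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\azesearch2.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://www.azebar.com/install/azesearch.cab
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) \((.*?)\) - (\S+)$")

def parse_hjt(text):
    """Return one dict per O1 (hosts), O2 (BHO) or O16 (ActiveX) log line."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if m := HOSTS_RE.match(line):
            records.append({"type": "hosts", "ip": m[1], "host": m[2]})
        elif m := BHO_RE.match(line):
            records.append({"type": "bho", "name": m[1], "clsid": m[2], "path": m[3]})
        elif m := DPF_RE.match(line):
            records.append({"type": "dpf", "clsid": m[1], "name": m[2], "url": m[3]})
    return records

def hosts_redirects(records):
    """Map each non-loopback target IP to the hostnames the hosts file sends to it."""
    by_ip = defaultdict(list)
    for r in (r for r in records if r["type"] == "hosts"):
        try:
            ip = ipaddress.ip_address(r["ip"])
            benign = ip.is_loopback or ip.is_unspecified
        except ValueError:
            benign = False  # malformed address: keep it for review
        if not benign:
            by_ip[r["ip"]].append(r["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}

if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_LOG)
    for ip, hosts in hosts_redirects(recs).items():
        print(f"{ip} overrides DNS for: {', '.join(hosts)}")
    print([r.get("path") or r.get("url") for r in recs if r["type"] != "hosts"])
```

Several unrelated search and mail domains pinned to one address block in the hosts file is the pattern that stands out in the grouped output.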
     
  3. KevB

    KevB Private E-2

    Hi
    Thanks for the advice. Am at work now but will run these this evening and post the results then.

    I had done all the preliminary work including the online scans, but was unable to run the scans in safe mode as I could not get my Wanadoo broadband to connect in safe mode. All virus scans were clear.

    I have now run the removal programmes several times. The first time I ran adaware-se there were 91 errors and the next times I run it, there are somewhere between 2 and 10 errors - the only ones I can remember were "WWW" and "Cool search" or something like that. Will run this again this evening and post the output.

    Spybot also initially came up with a large number of errors but now alternates between being clean on one run and then 2 or 3 errors on the next. Again, I think this is Cool search.

    Will do as advised and post a new log this evening. Again, thanks for the assistance which is greatly appreciated.

    KB
     
  4. KevB

    KevB Private E-2

    Hi

    As stated below had already run all the scans but have run them again. Adaware and spybot were both clean, but CWShredder came up with the following:

    SVChart32
    Aboutblank
    Jksearch

    Each time I delete these and then run again it finds them each time.

    Have removed the offending lines from hijack this, and attempted to delete the 2 files. There was no file called C:\WINDOWS\System32\azesearch2.ocx
    however there is a file called C:\WINDOWS\System32\azesearch2.xml - should I delete that instead?

    New HJT log attached.

    Really appreciate your help with this.

    KB
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Delete the C:\WINDOWS\System32\azesearch2.xml file.

    Do you want Logitech and Kodak to automatically install updates? Most people prefer not to allow processes like this to operate in the background. They are considered a mild form of spyware in some cases.
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    There are no other obvious problems in your log but the below 3 lines should be fixed using HijackThis. Do not fix until you exit all browsers.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    Are you having any current problems?
     
  6. KevB

    KevB Private E-2

    Hi

    Have deleted that file and the lines. Do the Kodak and Logitech files do anything? I know every few weeks it asks me if I want to run an update but that is all. Which lines should I fix to get rid?

    Computer seems to be running fine now. Really appreciate all your help and attach hopefully the final clear log.

    Regards

    KB
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! You have to decide for yourself whether you always want those processes running and for them to be automatically updating. They are in some regards spying on you in order to know whether you need updates. The processes are not needed and waste resources too. You can update manually when desired. This is all up to you. Read some of the below:

    http://www.liutilities.com/products/wintaskspro/processlibrary/backweb-8876480/
    http://www.neuber.com/taskmanager/process/backweb-8876480.exe.html
    http://www.iamnotageek.com/a/backweb-8876480.exe.php


    http://www.greatis.com/appdata/a/b/backweb-7288971.exe.htm
    http://www.iamnotageek.com/a/backweb-7288971.exe.php
     
