winadslave and winadserv

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by t3hl33t, Dec 14, 2004.

  1. t3hl33t

    t3hl33t Private E-2

    Ugh, here we go again. I have yet some more unknown things running and I'd appreciate it if someone would help me; preferably chaslang, but if not then that's ok, but I need this crap gone. Thanks a lot.
     
  2. PhilliePhan

    PhilliePhan Guest

    I'm not Chaslang, but I play him on TV (& when he is in Florida playing baseball!) ;)

    You should first look in Add or Remove Programs and see if WinAd or the like can be uninstalled. Note other suspicious entries.

    Then, I imagine Chas would whip out a canned speech like this one:

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Chas or I will check back when we get a chance.

    Best luck :)
    PP
     
  3. t3hl33t

    t3hl33t Private E-2

    Well, I have followed the virus and trojan removal step thingy and I still have the winad things.... Permission to paste HijackThis log?
     
  4. PhilliePhan

    PhilliePhan Guest

    Please attach one - Chas will probably look in in the wee hours.

    PP :)
     
  5. t3hl33t

    t3hl33t Private E-2

    ok here it is
     

    Attached Files:

  6. t3hl33t

    t3hl33t Private E-2

    is there anything wrong with it or should it all be working good now?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It took you a while to get back here after Phillie's last post. You now need to update to the current version of HijackThis (HijackThis 1.99) and post a new log.

    But do not run HijackThis from a sub-directory of your Desktop. You currently had it under:
    C:\WINDOWS\DESKTOP

    Please put it in c:\Program Files\HijackThis

    And yes you do have some problems!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to uninstall Kazaa using Add/Remove programs. It is more than likely the root cause of all your problems.

    Make sure you have viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    WINADSERV
    WINADSLAVE

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab

    Boot into safe mode and use Windows Explorer to delete (if still present)
    C:\PROGRAM FILES\KAZAA <--- the whole directory
    C:\PROGRAM FILES\WINDOWS ADSERVICE <--- the whole directory
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
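
The check behind "post a new HJT log", as an added example that is not part of the original thread: it parses the O4 registry and O16 DPF line formats shown above and reports which of the targeted entries still appear in a later log. The names `parse_line` and `remaining` and the contents of the follow-up log are constructed for illustration.

```python
import re

# Registry autostart line: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# ActiveX line: O16 - DPF: {CLSID} (optional name) - codebase URL
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")

def parse_line(line):
    """Return (key, detail) for an O4 registry or O16 line, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, subkey, name, command = m.groups()
        # Identify by hive, key and value name; path case varies between logs.
        return ("O4", hive.upper(), subkey.lower(), name.lower()), command
    m = O16_RE.match(line)
    if m:
        return ("O16", m.group(1).upper()), m.group(3)
    return None

def remaining(targets, new_log):
    """Return the lines of new_log that match any targeted entry."""
    present = {}
    for line in new_log.splitlines():
        parsed = parse_line(line)
        if parsed:
            present[parsed[0]] = line.strip()
    keys = [parse_line(t) for t in targets]
    return [present[k[0]] for k in keys if k and k[0] in present]

# The four lines named in the post above.
TARGETS = [
    r"O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY",
    r"O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE",
    "O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab",
    "O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab",
]

# Constructed follow-up log (not from the thread): two targets persist.
NEW_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Windows AdService] C:\Program Files\Windows AdService\WinAdServ.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
"""

if __name__ == "__main__":
    for line in remaining(TARGETS, NEW_LOG):
        print("still present:", line)
```

Matching on the value name or CLSID rather than the whole line catches an entry that returns with a different path case or codebase URL.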
     
