how do I get rid of this adware?
I just started using the Microsoft Antispyware, and it keeps telling me about a "browser helper object" being installed MidAddle. It asks if I want to remove the adware, I say yes, and it removes it, but it tells me the same alert like 5 minutes later. Does anyone have any info on how I can remove this manually? It's a pain in the ass, it keeps putting an extra toolbar on my Internet Explorer, and redirects the homepage of Internet Explorer, which is not the browser I use, but I'd still rather not have it on my computer, of course.
Thanks. Oh, and Ad Aware and Spybot don't remove this either. |
You might try restarting your computer into Safe Mode and then try to remove it.
Reboot your computer and start hitting the F8 key. You will see multiple options; just go to the top of the list and select "start in safe mode with networking". That might do it. If that doesn't work, try going to http://housecall.trendmicro.com and use their free virus/malware scanner. It is mainly for antivirus, but it does pick up a lot of malware/spyware too. |
Also try going to http://www.lavasoftusa.com/software/adaware/ and downloading this, and then google for Spybot S&D. When used together, these programs will find just about every piece of malware and spyware. |
Thanks both of you, I'll try these out.
|
Spyware/adware/malware can be extremely tricky. If you still need help removing these, let me know. I have a lot of things that can be done.
|
dksuddeth: If you wouldn't mind, would you please go ahead and post your suggestions?
It's easier than having someone contact you, and if you post in the thread, if someone else needs help, then they can read what you have suggested and follow your recommendations. Benefits everyone. Thanks |
If you have hijackthis ver. 1.99, run it and post the log. If not, download it and then run it from its own folder, not a temp folder, then post the log.
|
:p Perhaps people are more prone to help if they think I'm a female, maybe I should erase the "male" under my name. |
Lol thanks for stickin up for me! Sorry, I'll be more careful next time! :rolleyes: @ me. |
Quote:
C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\eMusic\eMusicClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\OWNER~1.SFG\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D0CFC31-6ED1-6676-A6AB-35C6FF6F9792} - C:\WINDOWS\system32\aqju.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner.SFGCFBJHVK\Local Settings\Temp\g6.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Login] explored.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [proc knob 1 trust] C:\Documents and Settings\All Users.WINDOWS\Application Data\facestupidprocknob\Tool safe.exe
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [v0ED9Rvf] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\v0ED9Rvf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gRYbA] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\gRYbA.exe
O4 - HKLM\..\Run: [5Rd] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\5Rd.exe
O4 - HKLM\..\Run: [oFmMny] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\oFmMny.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [web axis one find] C:\Documents and Settings\All Users.WINDOWS\Application Data\bendbuildwebaxis\tick settings.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Windows Login] explored.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\gcASCleaner.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Grid bash] C:\DOCUME~1\OWNER~1.SFG\APPLIC~1\Elseface\Browse Dumb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ottw] C:\Documents and Settings\Owner.SFGCFBJHVK\Application Data\aeec.exe
O4 - HKCU\..\Run: [Gfbalnu] C:\WINDOWS\system32\?hkdsk.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22a318a2...p/RdxIE601.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter...0/SYSsfitb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Windows Login - Unknown - C:\WINDOWS\System32\explored.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE |
If nothing else works:
http://www.pestpatrol.com/pestinfo/m...0and%20Removal Go to the manual removal section of this page, follow the instructions as best you can. Some of the steps (unregister dll's) might have to be run in safe mode. |
Wow, lots of good suggestions... I don't have time to do any of these at the moment, but I'll let you know how it turns out. I'm no computer expert by any means, so this is all a wonderful learning "opportunity" for me.
|
wow, you're loaded with crap malware/adware.
Ok, I'm going to link you to a forum post that will have numerous steps for you to follow. Once you've done those you can repost another hijackthis log. spyware specific forum If it comes down to removing dll files, I have a utility that can help you in order to avoid having to do it in safe mode. |
Sorry about typing "her". My bad. Not sure why I wrote that, but now my post is edited.
|
Bendsley, no problem, I usually laugh when people call me a girl. Well, at least on the internet. Call me a girl in real life, and we'll have issues. Actually, I think I'd laugh in real life, too. I tried to change my name from anleja on this forum, but I never got a response... oh well, I'm used to it by now. |
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
O2 - BHO: (no name) - {7D0CFC31-6ED1-6676-A6AB-35C6FF6F9792} - C:\WINDOWS\system32\aqju.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner.SFGCFBJHVK\Local Settings\Temp\g6.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [proc knob 1 trust] C:\Documents and Settings\All Users.WINDOWS\Application Data\facestupidprocknob\Tool safe.exe
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [v0ED9Rvf] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\v0ED9Rvf.exe
O4 - HKLM\..\Run: [gRYbA] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\gRYbA.exe
O4 - HKLM\..\Run: [5Rd] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\5Rd.exe
O4 - HKLM\..\Run: [oFmMny] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\oFmMny.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [web axis one find] C:\Documents and Settings\All Users.WINDOWS\Application Data\bendbuildwebaxis\tick settings.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\winampa.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
C:\DOCUME~1\OWNER~1.SFG\APPLIC~1\Elseface\Browse Dumb.exe
O4 - HKCU\..\Run: [Ottw] C:\Documents and Settings\Owner.SFGCFBJHVK\Application Data\aeec.exe
O4 - HKCU\..\Run: [Gfbalnu] C:\WINDOWS\system32\?hkdsk.exe
Those are the ones I would check to remove when running Hijack This! Most are either spyware or just not needed in startup. Clearing those will help speed the PC's boot time and free up memory. |
the thing is, some of those are going to come right back. Any of the .dll processes listed will reinstall on the reboot. It's at that time we'll need to do some more complex work.
|
I think you need to run a trojan scanner, as well. You can either use the online scanners, or get a2, from the following site. http://www.emsisoft.com/en/.
|
But I downloaded and ran the new M$ Spyware program the other day. It was on a pretty severely infected system that I had run Ad-aware and Spybot on the previous day. The M$ program found and removed 7 different programs that both of the others had missed or not removed. Overall, I think the program is pretty slick. |
yup. start er up in safe mode, and run AdAware by lavasoft, and SpyBot. i usually run them more than a couple times in one sitting ;) good luck!!
|
Troj/Midaddle-A is a downloader Trojan which downloads and installs/runs adware software.
Troj/Midaddle-A is typically installed to the Windows TEMP folder as Updater.exe. Updater.exe copies itself using a random filename and adds its pathname to a new sub-key of the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
(the new sub-key will have the same name as the executable).
Troj/Midaddle-A also creates the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Updater
Removal
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\Internet Explorer\Main\Updater
and remove any reference to any file you deleted.
Close the registry editor.
The adware software installed by Troj/Midaddle-A can typically be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start -> Settings -> Control Panel -> Add/Remove Programs) by selecting the 'midADdle' entry. |
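The startup pattern described in the post above (a randomly named copy in the TEMP folder, registered under a Run entry named after the executable) can be checked against a HijackThis log like the one posted earlier in this thread. The following Python triage script is an added example, not part of any forum post or of HijackThis; the function names and the matching heuristic are assumptions made for illustration, and a match is a lead to investigate, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Sample input: lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [5Rd] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\5Rd.exe
O4 - HKCU\..\Run: [Ottw] C:\Documents and Settings\Owner.SFGCFBJHVK\Application Data\aeec.exe
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner.SFGCFBJHVK\Local Settings\Temp\g6.dll
"""

# O4 = autorun entry: hive, key (Run/RunOnce/RunServices), value name, command line.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

def exe_path(command):
    """Return the executable path from a Run value (quoted, or unquoted up to .exe)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def triage(log_text):
    """Flag O4 entries whose executable sits in a Temp folder and shares the value's name."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an autorun entry (O2, O9, running processes, ...)
        hive, key, name, command = m.groups()
        path = PureWindowsPath(exe_path(command))
        folders = [p.lower() for p in path.parts[:-1]]
        in_temp = "temp" in folders
        name_matches = path.stem.lower() == name.lower()
        if in_temp and name_matches:
            findings.append((f"{hive}\\{key}", name, str(path)))
    return findings

if __name__ == "__main__":
    for key, name, path in triage(SAMPLE_LOG):
        print(f"review: {key} [{name}] -> {path}")
```

Entries it does not flag, such as `[Ottw]` in Application Data, still need manual review; the check covers only the TEMP-folder pattern from the description.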
Norton Antivirus sometimes picks up adware.
|