01-10-2005, 07:28 AM | #1
disconnected
Location: ignoreland
how do I get rid of this adware?
I just started using the Microsoft Antispyware, and it keeps telling me about a "browser helper object" being installed, MidAddle. It asks if I want to remove the adware, I say yes, and it removes it, but it tells me the same alert like 5 minutes later. Does anyone have any info on how I can remove this manually? It's a pain in the ass; it keeps putting an extra toolbar on my Internet Explorer, and redirects the homepage of Internet Explorer, which is not the browser I use, but I'd still rather not have it on my computer, of course.
Thanks. Oh, and Ad Aware and Spybot don't remove this either.
01-10-2005, 08:22 AM | #2
Professional Loafer
Location: texas
You might try restarting your computer into Safe Mode and then try to remove it.
Reboot your computer and start hitting the F8 key; you will see multiple options. Just go to the top of the list and select "start in safe mode with networking". That might do it. If that doesn't work, try going to http://housecall.trendmicro.com and use their free virus/malware scanner. It is mainly for antivirus, but it does pick up a lot of malware/spyware too.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."
01-10-2005, 08:28 AM | #3
Upright
Location: United Kingdom
Also try going to
http://www.lavasoftusa.com/software/adaware/ and downloading this, and then google for Spybot S&D. When used together these programs will find just about every piece of malware and spyware.
01-10-2005, 10:08 AM | #5
Professional Loafer
Location: texas
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."
Last edited by bendsley; 01-10-2005 at 01:47 PM.
01-10-2005, 10:30 AM | #6
Junkie
Location: bedford, tx
Spyware/adware/malware can be extremely tricky. If you still need help removing these, let me know. I have a lot of things that can be done.
__________________
"no amount of force can control a free man, a man whose mind is free. No, not the rack, not fission bombs, not anything. You cannot conquer a free man; the most you can do is kill him."
01-10-2005, 12:13 PM | #7
Professional Loafer
Location: texas
dksuddeth: If you wouldn't mind, would you please go ahead and post your suggestions?
It's easier than having someone contact you, and if you post in the thread, then if someone else needs help they can read what you have suggested and follow your recommendations. Benefits everyone. Thanks.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."
01-10-2005, 12:31 PM | #8
Junkie
Location: bedford, tx
If you have hijackthis ver. 1.99, run it and post the log. If not, download it and then run it from its own folder, not a temp folder, then post the log.
__________________
"no amount of force can control a free man, a man whose mind is free. No, not the rack, not fission bombs, not anything. You cannot conquer a free man; the most you can do is kill him."
01-10-2005, 12:49 PM | #10
disconnected
Location: ignoreland
Perhaps people are more prone to help if they think I'm a female; maybe I should erase the "male" under my name.
Last edited by anleja; 01-10-2005 at 12:53 PM.
01-10-2005, 12:59 PM | #12
Devoted
Donor
Location: New England
__________________
I can't read your signature. Sorry.
01-10-2005, 01:10 PM | #13
disconnected
Location: ignoreland
C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\eMusic\eMusicClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\OWNER~1.SFG\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D0CFC31-6ED1-6676-A6AB-35C6FF6F9792} - C:\WINDOWS\system32\aqju.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner.SFGCFBJHVK\Local Settings\Temp\g6.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Login] explored.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [proc knob 1 trust] C:\Documents and Settings\All Users.WINDOWS\Application Data\facestupidprocknob\Tool safe.exe
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [v0ED9Rvf] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\v0ED9Rvf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gRYbA] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\gRYbA.exe
O4 - HKLM\..\Run: [5Rd] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\5Rd.exe
O4 - HKLM\..\Run: [oFmMny] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\oFmMny.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [web axis one find] C:\Documents and Settings\All Users.WINDOWS\Application Data\bendbuildwebaxis\tick settings.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Windows Login] explored.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\gcASCleaner.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Grid bash] C:\DOCUME~1\OWNER~1.SFG\APPLIC~1\Elseface\Browse Dumb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ottw] C:\Documents and Settings\Owner.SFGCFBJHVK\Application Data\aeec.exe
O4 - HKCU\..\Run: [Gfbalnu] C:\WINDOWS\system32\?hkdsk.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22a318a2...p/RdxIE601.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter...0/SYSsfitb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Windows Login - Unknown - C:\WINDOWS\System32\explored.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
01-10-2005, 01:11 PM | #14
Psycho
Location: Boston, Mass., USA
If nothing else works:
http://www.pestpatrol.com/pestinfo/m...0and%20Removal
Go to the manual removal section of this page, follow the instructions as best you can. Some of the steps (unregister dll's) might have to be run in safe mode.
__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet.
01-10-2005, 01:34 PM | #17
Junkie
Location: bedford, tx
Wow, you're loaded with crap malware/adware.
Ok, I'm going to link you to a forum post that will have numerous steps for you to follow. Once you've done those you can repost another hijackthis log.
spyware specific forum
If it comes down to removing dll files, I have a utility that can help you in order to avoid having to do it in safe mode.
__________________
"no amount of force can control a free man, a man whose mind is free. No, not the rack, not fission bombs, not anything. You cannot conquer a free man; the most you can do is kill him."
01-10-2005, 01:48 PM | #18
Professional Loafer
Location: texas
Sorry about typing "her". My bad. Not sure why I wrote that, but now my post is edited.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."
01-10-2005, 02:20 PM | #19
disconnected
Location: ignoreland
Bendsley, no problem, I usually laugh when people call me a girl. Well, at least on the internet. Call me a girl in real life, and we'll have issues. Actually, I think I'd laugh in real life, too. I tried to change my name from anleja on this forum, but I never got a response... oh well, I'm used to it by now.
01-11-2005, 11:47 AM | #20
Talk nerdy to me
Location: Flint, MI
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
O2 - BHO: (no name) - {7D0CFC31-6ED1-6676-A6AB-35C6FF6F9792} - C:\WINDOWS\system32\aqju.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner.SFGCFBJHVK\Local Settings\Temp\g6.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [proc knob 1 trust] C:\Documents and Settings\All Users.WINDOWS\Application Data\facestupidprocknob\Tool safe.exe
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [v0ED9Rvf] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\v0ED9Rvf.exe
O4 - HKLM\..\Run: [gRYbA] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\gRYbA.exe
O4 - HKLM\..\Run: [5Rd] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\5Rd.exe
O4 - HKLM\..\Run: [oFmMny] C:\documents and settings\owner.sfgcfbjhvk\local settings\temp\oFmMny.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [web axis one find] C:\Documents and Settings\All Users.WINDOWS\Application Data\bendbuildwebaxis\tick settings.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Owner.SFGCFBJHVK\Desktop\Winamp\winampa.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
C:\DOCUME~1\OWNER~1.SFG\APPLIC~1\Elseface\Browse Dumb.exe
O4 - HKCU\..\Run: [Ottw] C:\Documents and Settings\Owner.SFGCFBJHVK\Application Data\aeec.exe
O4 - HKCU\..\Run: [Gfbalnu] C:\WINDOWS\system32\?hkdsk.exe
Those are the ones I would check to remove when running Hijack This! Most are either spyware or just not needed in startup. Clearing those will help speed the PC's boot time and free up memory.
__________________
I reject your reality, and substitute my own -- Adam Savage
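The pass the post above makes by eye can be scripted. What follows is an added example, not code from this thread or from HijackThis: a small Python triage of O2 (BHO) and O4 (Run-key) lines that flags entries run from a Temp folder, BHOs with no name, autostarts with no full path, and filenames the log could not print. The sample lines are constructed after the log earlier in the thread, and the heuristics are this example's own, not anything HijackThis itself reports.

```python
import re

# Constructed sample in the HijackThis log format posted in this thread
# (O2 = browser helper objects, O4 = Run-key autostarts); one clean entry each.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D0CFC31-6ED1-6676-A6AB-35C6FF6F9792} - C:\WINDOWS\system32\aqju.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\g6.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a3kMJ6d] C:\documents and settings\owner\local settings\temp\a3kMJ6d.exe
O4 - HKLM\..\Run: [Windows Login] explored.exe
O4 - HKCU\..\Run: [Gfbalnu] C:\WINDOWS\system32\?hkdsk.exe
"""
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

def parse_line(line):
    """Parse an O2 or O4 Run line into (section, name, path); anything else -> None."""
    m = re.match(r"^(O2|O4) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2":  # O2 - BHO: <name> - {CLSID} - <dll path>
        name, _, rest = body[len("BHO: "):].partition(" - ")
        return section, name, rest.partition(" - ")[2]
    if ": [" not in body:  # O4 lines without a [value name] (e.g. Global Startup) are skipped
        return None
    # O4 - <hive>\..\Run: [<value name>] <command line>; keep only the executable
    name, _, cmd = body.partition(": [")[2].partition("] ")
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else re.split(r" [-/]", cmd, maxsplit=1)[0]
    return section, name, path

def triage(section, name, path):
    """Reasons an entry deserves a look, following the heuristics of post #20."""
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append("runs from a Temp folder")
    if section == "O2" and name == "(no name)":
        reasons.append("BHO with no name")
    if section == "O4" and "\\" not in path:
        reasons.append("bare filename, no full path")
    if "?" in path:
        reasons.append("filename contains a character the log could not print")
    return reasons

def triage_log(text):
    """Return [(raw line, reasons)] for every entry that trips a heuristic."""
    parsed = [(line.strip(), parse_line(line)) for line in text.splitlines()]
    return [(raw, triage(*p)) for raw, p in parsed if p and triage(*p)]
```

Entries that trip no heuristic (here the Adobe BHO and the ZoneAlarm autostart) stay out of the list, which is the point: it narrows the log to what needs a human decision, it does not decide for you.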
01-11-2005, 11:57 AM | #21
Junkie
Location: bedford, tx
The thing is, some of those are going to come right back. Any of the .dll processes listed will reinstall on the reboot. It's at that time we'll need to do some more complex work.
__________________
"no amount of force can control a free man, a man whose mind is free. No, not the rack, not fission bombs, not anything. You cannot conquer a free man; the most you can do is kill him."
01-11-2005, 12:48 PM | #22
Junkie
I think you need to run a trojan scanner as well. You can either use the online scanners or get a2 from the following site: http://www.emsisoft.com/en/
01-11-2005, 07:56 PM | #23
Crazy
Location: here and there
But I downloaded and ran the new M$ Spyware program the other day. It was on a pretty severely infected system that I had run Ad-aware and Spybot on the previous day. The M$ program found and removed 7 different programs that both of the others had missed or not removed. Overall, I think the program is pretty slick.
__________________
# chmod 111 /bin/Laden
01-12-2005, 04:09 PM | #25
Psycho
Location: Firefox yourself and change the world!
Troj/Midaddle-A is a downloader Trojan which downloads and installs/runs adware software.
Troj/Midaddle-A is typically installed to the Windows TEMP folder as Updater.exe. Updater.exe copies itself using a random filename and adds its pathname to a new sub-key of the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
(the new sub-key will have the same name as the executable). Troj/Midaddle-A also creates the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Updater

Removal
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\Internet Explorer\Main\Updater
and remove any reference to any file you deleted.
Close the registry editor.
The adware software installed by Troj/Midaddle-A can typically be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start -> Settings -> Control Panel -> Add/Remove Programs) by selecting the 'midADdle' entry.
__________________
I'll make ya famous!
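The removal above starts from an exported registry backup, and that export can be checked offline for the two artifacts the post describes: a Run value named after an executable that lives in a Temp folder, and an Updater value under Internet Explorer\Main. The Python below is an added example, not code from this thread or from any vendor write-up; the .reg text, the user SID and the random file names are constructed for it (one name borrowed from the log earlier in the thread), and because the post does not say whether Updater is a key or a value, the code assumes a value.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export, the kind of backup post #25 tells you to make first.
# It holds one clean autostart, two entries matching the Midaddle pattern, and
# the Internet Explorer marker value; the SID and Temp-file names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"a3kMJ6d"="C:\\DOCUME~1\\OWNER~1\\LOCALS~1\\Temp\\a3kMJ6d.exe"
"Updater"="C:\\WINDOWS\\Temp\\Updater.exe"

[HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1004\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.yahoo.com"
"Updater"="C:\\WINDOWS\\Temp\\a3kMJ6d.exe"
'''

RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN = r"\Software\Microsoft\Internet Explorer\Main"
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value name, string data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = REG_VALUE.match(line)
            if m:  # .reg escapes backslashes and quotes with a backslash
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                yield key, name, data

def midaddle_indicators(text):
    """Flag values that match the persistence post #25 describes for Troj/Midaddle-A."""
    hits = []
    for key, name, data in parse_reg(text):
        path = data.strip('"')
        if key.upper().endswith(RUN_KEY.upper()):
            # Run value whose name equals the executable's own name, and the file lives in Temp
            if TEMP_DIR.search(path) and name.lower() == PureWindowsPath(path).stem.lower():
                hits.append((key, name, path, "Run value named after a Temp-folder executable"))
        elif key.upper().endswith(IE_MAIN.upper()) and name == "Updater":
            # The post does not say whether Updater is a key or a value; treated as a value here
            hits.append((key, name, path, "Internet Explorer\\Main\\Updater marker"))
    return hits
```

A real export from regedit is UTF-16 with a BOM, so read it with that encoding before handing the text to `midaddle_indicators`; the ZoneAlarm entry shows that a plain Program Files autostart is left alone.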
Tags: adware, rid