Manual Removal Guide for AzeSearch



Friday
2008-11-28, 18:10
The following instructions have been created to help you to get rid of "AzeSearch" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
AzeSearch installs a toolbar in Internet Explorer (IE) without giving the user any possibility to cancel the installation.

Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "TrustIn Popups", whatever path they point to (the "*" is a wildcard).

Installed Software List:

You can try to uninstall products with the names listed below. For items identified by other properties, or to avoid the malware becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and remove these entries.

Products that have a key or property named "TrustIn Bar".
Products that have a key or property named "Contextual Ads".
Products that have a key or property named "TrustIn Popups".
Products that have a key or property named "AZESearch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\trustin bar\trustin.dll".
The file at "<$PROGRAMFILES>\TrustIn Contextual\trustincontext.dll".
The file at "C:\Program Files\TrustIn Contextual\trustincontext.dll".
The file at "<$WINDIR>\azesearch.bmp".
The file at "<$FAVORITES>\Favorites\Cars.url".
The file at "<$FAVORITES>\Favorites\Domain Names.url".
The file at "<$FAVORITES>\Favorites\Finance.url".
The file at "<$FAVORITES>\Favorites\Games.url".
The file at "<$FAVORITES>\Favorites\Humor.url".
The file at "<$FAVORITES>\Favorites\Movies.url".
The file at "<$FAVORITES>\Favorites\Online Pharmacy.url".
The file at "<$FAVORITES>\Favorites\Sex Personals.url".
The file at "<$FAVORITES>\Favorites\Sports.url".
The file at "<$FAVORITES>\Favorites\Viagra.url".
The file at "<$FAVORITES>\Favorites\Weather.url".
The file at "<$FAVORITES>\Favorites\Web Hosting.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Albums.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Artists.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\AudioBooks.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Collections.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Mp3 Search.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\New releases.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Ratings.url".
The file at "<$FAVORITES>\Favorites\Music and Movies\Soundtracks.url".
The file at "<$FAVORITES>\Favorites\Spyware Removers\Adware Sheriff.url".
The file at "<$FAVORITES>\Favorites\Spyware Removers\Raze Spyware.url".
The file at "<$FAVORITES>\Favorites\Spyware Removers\Reg Freeze.url".
The file at "<$FAVORITES>\Favorites\Spyware Removers\Remedy AntiSpy.url".
The file at "<$FAVORITES>\Games\Carnival Casino.url".
The file at "<$FAVORITES>\Games\Club Dice Casino.url".
The file at "<$FAVORITES>\Games\Monaco Gold Casino.url".
The file at "<$FAVORITES>\Games\New York Casino.url".
The file at "<$FAVORITES>\Games\USA Casino.url".
The file at "<$FAVORITES>\Games\You Bingo.url".
The file at "<$FAVORITES>\Games\Gambling\Aces & Faces.url".
The file at "<$FAVORITES>\Games\Gambling\Baccarat.url".
The file at "<$FAVORITES>\Games\Gambling\Black Jack.url".
The file at "<$FAVORITES>\Games\Gambling\Caribbean Poker.url".
The file at "<$FAVORITES>\Games\Gambling\Casino War.url".
The file at "<$FAVORITES>\Games\Gambling\Cinerama.url".
The file at "<$FAVORITES>\Games\Gambling\Craps.url".
The file at "<$FAVORITES>\Games\Gambling\Deuces Wild.url".
The file at "<$FAVORITES>\Games\Gambling\Diamond Valley.url".
The file at "<$FAVORITES>\Games\Gambling\Fruit Mania.url".
The file at "<$FAVORITES>\Games\Gambling\Gold Rally.url".
The file at "<$FAVORITES>\Games\Gambling\Jacks or Better.url".
The file at "<$FAVORITES>\Games\Gambling\Magic Slots.url".
The file at "<$FAVORITES>\Games\Gambling\Mega Jacks.url".
The file at "<$FAVORITES>\Games\Gambling\Pai Gow Poker.url".
The file at "<$FAVORITES>\Games\Gambling\Red Dog Poker.url".
The file at "<$FAVORITES>\Games\Gambling\Roulette.url".
The file at "<$FAVORITES>\Games\Gambling\SafeCracer.url".
The file at "<$FAVORITES>\Games\Gambling\Sic Bo.url".
The file at "<$FAVORITES>\Games\Gambling\Wall St. Fever.url".
The file at "<$FAVORITES>\IcoPorn\Angel Baby.url".
The file at "<$FAVORITES>\IcoPorn\Ass to Mouth.url".
The file at "<$FAVORITES>\IcoPorn\Babysitter.url".
The file at "<$FAVORITES>\IcoPorn\Candys Girls.url".
The file at "<$FAVORITES>\IcoPorn\Cheerleader Diaries.url".
The file at "<$FAVORITES>\IcoPorn\Double Her Pleasure.url".
The file at "<$FAVORITES>\IcoPorn\Extreme Penetrations.url".
The file at "<$FAVORITES>\IcoPorn\Girls School.url".
The file at "<$FAVORITES>\IcoPorn\IcoNet.url".
The file at "<$FAVORITES>\IcoPorn\Kelly the Coed.url".
The file at "<$FAVORITES>\IcoPorn\Naughty Nannies.url".
The file at "<$FAVORITES>\IcoPorn\Over eighteen.url".
The file at "<$FAVORITES>\IcoPorn\Teachers Pet.url".
The file at "<$FAVORITES>\IcoPorn\Titty Mania.url".
The file at "<$FAVORITES>\IcoPorn\True College Girls.url".
The file at "<$FAVORITES>\IcoPorn\Women in Black .url".
The file at "<$FAVORITES>\Pharmacy\Carisoprodol.url".
The file at "<$FAVORITES>\Pharmacy\Celebrex.url".
The file at "<$FAVORITES>\Pharmacy\Cialis.url".
The file at "<$FAVORITES>\Pharmacy\Crestor.url".
The file at "<$FAVORITES>\Pharmacy\Levitra.url".
The file at "<$FAVORITES>\Pharmacy\Lipitor.url".
The file at "<$FAVORITES>\Pharmacy\Neurontin.url".
The file at "<$FAVORITES>\Pharmacy\Online Pharmacy.url".
The file at "<$FAVORITES>\Pharmacy\Paxil.url".
The file at "<$FAVORITES>\Pharmacy\Phentermine.url".
The file at "<$FAVORITES>\Pharmacy\Tramadol.url".
The file at "<$FAVORITES>\Pharmacy\Water Phentermine.url".
The file at "<$FAVORITES>\Pharmacy\Xanax.url".
The file at "<$FAVORITES>\Pharmacy\Zocor.url".
The file at "<$FAVORITES>\Pharmacy\Zoloft.url".
The file at "<$FAVORITES>\Travel\Adventure Travel.url".
The file at "<$FAVORITES>\Travel\Air Travel.url".
The file at "<$FAVORITES>\Travel\Business Travel.url".
The file at "<$FAVORITES>\Travel\Discount Travel.url".
The file at "<$FAVORITES>\Travel\Food.url".
The file at "<$FAVORITES>\Travel\Hawaii Travel.url".
The file at "<$FAVORITES>\Travel\Lodging.url".
The file at "<$FAVORITES>\Travel\London Travel.url".
The file at "<$FAVORITES>\Travel\Travel Agent.url".
The file at "<$FAVORITES>\Travel\Travel Insurance.url".
The file at "<$FAVORITES>\Travel\Travel package.url".
The file at "<$FAVORITES>\Travel\Travel Reservation.url".
The file at "<$FAVORITES>\Travel\Travel Spain.url".
The file at "<$FAVORITES>\Travel\Travel Web site.url".
The file at "<$FAVORITES>\Travel\Vacation Cruises.url".
The file at "<$FAVORITES>\Travel\Vacations.url".
The file at "<$SYSDIR>\kfsdfksldfk.fgi".
The file at "<$WINDIR>\zsettings.dll".
The file at "<$SYSDIR>\zlokdfs9.leo".
The file at "<$SYSDIR>\zolker010.dll".
The file at "<$SYSDIR>\ztoolb010.dll".
The file at "<$SYSDIR>\iasadm.dll".
The file at "<$SYSDIR>\iasada.dll".
The file at "<$SYSDIR>\iasad.dll".
Make sure you set your file manager to display hidden and system files. If AzeSearch uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For files listed without a full path, you will have to use a global search. Be extra careful, because the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "C:\Program Files\TrustIn Contextual".
The directory at "<$FAVORITES>\IcoPorn".
Make sure you set your file manager to display hidden and system files. If AzeSearch uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For folders listed without a full path, you will have to use a global search. Be extra careful, because the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

A key in HKEY_CLASSES_ROOT\ named "TrustIn.activator", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "TrustIn.activator.1", plus associated values.
Delete the registry value "{a19ef336-01d4-48e6-926a-fe7e1c747aed}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{a19ef336-01d4-48e6-926a-fe7e1c747aed}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{a19ef336-01d4-48e6-926a-fe7e1c747aed}" at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry key "TrustIn Bar" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "TrustIn Bar" at "HKEY_CURRENT_USER\Software\".
A key in HKEY_CLASSES_ROOT\ named "TrustIn.StockBar", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "TrustIn.StockBar.1", plus associated values.
Delete the registry key "{07A78AEA-4A54-4967-9A60-4B68592D30C7}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{07A78AEA-4A54-4967-9A60-4B68592D30C7}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8C88AAE2-A341-4DE8-B064-062194307E5F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{506146FD-9499-49A8-AEDE-692C173B2AA4}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{81CDDAE8-3B92-4F0D-86C1-8DD5DB6A8471}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EFA1EC0F-8359-41B7-A178-7DD6805A0C79}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{FE6C16C4-16AD-47B6-B250-26AD1829E49A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{FE6C16C4-16AD-47B6-B250-26AD1829E49A}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "TrustInContext.ContextualAds", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "TrustInContext.ContextualAds.1", plus associated values.
Delete the registry key "{C28EB22A-6966-4E4B-8592-E84C28D38402}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B1C54189-72F0-4353-987B-18FA221BEF09}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "TrustIn" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "TrustIn Popups" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "TrustIn Popups" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{FFF5092F-7172-4018-827B-FA5868FB0478}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{38252777-2500-456E-8B3D-A55850306DA2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry value "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry key "{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{f65b197f-8260-4d52-909a-f70118e646eb}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry value "{a19ef336-01d4-48e6-926a-fe7e1c747aed}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry key "{a19ef336-01d4-48e6-926a-fe7e1c747aed}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{ba048011-957f-4ba0-a804-62c28d96f878}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{f65b197f-8260-4d52-909a-f70118e646eb}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{42FC3840-020C-4E93-A34C-4DF1A6330FBB}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{DEA43CE3-D57B-45F6-A4D1-110E652CED11}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{1474CE44-8057-4AE3-8F3E-ED37C7C63D8A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D7BF3304-138B-4DD5-86EE-491BB6A2286C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{FFF5092F-7172-4018-827B-FA5868FB0478}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{84C94803-B5EC-4491-B2BE-7B113E013B77}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{B5456470-1BDE-4807-B74D-1D2B83FAA264}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "AddressBar.Loader", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "AddressBar.Loader.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.activator", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.activator.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.ParamWr", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.ParamWr.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.StockBar", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ZToolbar.StockBar.1", plus associated values.
Delete the registry key "AZESearchCo" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "LoaderCo" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{1474CE44-8057-4AE3-8F3E-ED37C7C63D8A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{FFF5092F-7172-4018-827B-FA5868FB0478}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
If AzeSearch uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
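A read-only audit of the Internet Explorer BHO and toolbar registrations named in the registry section above, added here as an example and not code from the Spybot guide. It assumes Windows PowerShell on the affected machine, only reads the registry, and resolves each CLSID to the DLL it loads so an entry can be checked against the "Files" section before anything is deleted.

```powershell
# Added example, not from the Spybot guide: read-only audit of the IE BHO and toolbar
# registrations AzeSearch/TrustIn uses, so entries can be confirmed before deletion.
# The CLSIDs are the ones this guide lists under HKEY_CLASSES_ROOT\CLSID.
$KnownClsids = @(
    '{07A78AEA-4A54-4967-9A60-4B68592D30C7}',
    '{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}',
    '{FE6C16C4-16AD-47B6-B250-26AD1829E49A}',
    '{1474CE44-8057-4AE3-8F3E-ED37C7C63D8A}',
    '{FFF5092F-7172-4018-827B-FA5868FB0478}',
    '{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}',
    '{f65b197f-8260-4d52-909a-f70118e646eb}',
    '{a19ef336-01d4-48e6-926a-fe7e1c747aed}',
    '{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}',
    '{ba048011-957f-4ba0-a804-62c28d96f878}',
    '{D7BF3304-138B-4DD5-86EE-491BB6A2286C}'
)
# Resolve the DLL a CLSID loads (InprocServer32 default value); cross-check it
# against the "Files" section of the guide.
function Get-ClsidServer([string]$Clsid) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
}
# BHOs: one subkey per CLSID; each is loaded into every Internet Explorer process.
$bhoPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$findings = @()
if (Test-Path $bhoPath) {
    foreach ($sub in Get-ChildItem $bhoPath) {
        $findings += [pscustomobject]@{
            Kind  = 'BHO'; Clsid = $sub.PSChildName; Dll = Get-ClsidServer $sub.PSChildName
            Known = $KnownClsids -contains $sub.PSChildName   # case-insensitive match
        }
    }
}
# Toolbars: registered as values whose *name* is the CLSID under the Toolbar keys
# the guide lists (HKLM and HKCU, plus the WebBrowser subkey).
$toolbarPaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                  'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                  'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                  'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser')
foreach ($tbPath in $toolbarPaths) {
    if (-not (Test-Path $tbPath)) { continue }
    $names = (Get-ItemProperty $tbPath).PSObject.Properties.Name | Where-Object { $_ -like '{*}' }
    foreach ($name in $names) {
        $findings += [pscustomobject]@{
            Kind = 'Toolbar'; Clsid = $name; Dll = Get-ClsidServer $name
            Known = $KnownClsids -contains $name
        }
    }
}
$findings | Sort-Object Known -Descending | Format-Table -AutoSize
```

Rows with Known set to True are the registrations this guide tells you to delete; rows with Known False are other BHOs or toolbars and should be left alone unless you have identified them separately.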

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.