Hades Advertisements Removal Guide

  • April 27, 2015

The Hades advertisements adware is a variant of the Adware.Salus family that displays a constant barrage of ads, offers, and pop-ups that makes browsing the web almost impossible. When you have this adware installed, any web page you visit will suddenly become a page full of ads instead of content. These advertisements consist of underlined words that display an ad when you hover over them, pop-ups, giant half-screen ads, and ads with sound that state that your computer is infected. All of these ads will be labeled either Ads by Hades or Powered by Hades. Furthermore, this adware will impact the performance of your computer by making your web browser slower or freeze and your computer will constantly be accessing its hard drive.

  • Hades ads on the New York Times web site
  • Hades ads on the CNN web site

The Hades adware also installs a root certificate called Hades CA into the Windows Trusted Root Certification Authorities store. Because Windows then trusts any certificate signed by this root, the adware can intercept SSL connections, read the traffic passing through them, and inject ads even into encrypted connections. Unfortunately, this also gives it the ability to see all data you transmit over an encrypted SSL connection, including login information. For example, in the picture below you see that the Hades CA certificate is being used to encrypt the connection between a computer and Citibank.


Hades encryption connection to Citibank
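The check shown in the picture above can also be done from a PowerShell prompt. The following is an added example, not part of the original guide: it connects to a site and reports who issued the certificate the PC actually receives. The function name Get-TlsIssuer and the host name are placeholders chosen for illustration; the only value taken from this guide is the issuer name Hades CA.

```powershell
# Added example (not from the original guide).
# Reports the issuer of the certificate a site presents to THIS computer.
# On a clean machine the issuer is a public CA; on an intercepted machine
# the issuer names the adware's root (this guide calls it "Hades CA").
function Get-TlsIssuer {
    param(
        [Parameter(Mandatory)][string]$HostName,   # site to test (your choice)
        [int]$Port = 443,
        [string]$SuspectIssuer = 'Hades CA'        # issuer name given in this guide
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)

        # Accept whatever certificate is presented. The goal is to inspect it,
        # not to trust it, and no application data is sent on this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            # Request TLS 1.2 explicitly; older .NET defaults may pick a protocol
            # version that modern sites refuse.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)

            $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            [pscustomobject]@{
                Host            = $HostName
                Subject         = $leaf.Subject
                Issuer          = $leaf.Issuer
                Thumbprint      = $leaf.Thumbprint
                IssuedBySuspect = ($leaf.Issuer -like "*$SuspectIssuer*")
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

# Usage (placeholder host name; substitute any HTTPS site you normally visit):
#   Get-TlsIssuer -HostName 'www.example.com'
```

If IssuedBySuspect is True for a site, the connection is still being intercepted and the removal steps below have not yet taken full effect.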

It is important to note that Hades is bundled with and installed by free programs that did not adequately disclose that other software would be installed along with it. Therefore, it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.

Without a doubt, the Hades adware is not something you want on your computer. Having this adware installed will make it almost impossible to browse the web and seriously impact the performance of your computer. Therefore, it is suggested that you uninstall this program and any related adware using the following removal guide.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. This removal process may appear overwhelming due to the number of steps and the various programs used. Please do not be concerned as it is only written this way to give you clear and easy instructions so that anyone can use this guide. Before using this guide, you should print out these instructions and close any open programs and files as your web browser will need to be closed and your computer rebooted later in this fix.

  2. Now we want to terminate any other adware or malware processes that may be running by downloading and running RKill. RKill will search your computer for active malware processes and attempt to terminate them so that they won't interfere with the removal process. To do this, please download RKill to your desktop from the following link.

    RKill Download Link - (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe. When you are prompted where to save it, please save it on your desktop.

  3. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Hades Advertisements and other malware. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and a log file will open. Please review the log file and then close it so you can continue with the next step. If you have problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

    Do not reboot your computer after running RKill as the malware programs will start again.


  4. At this point you should download Malwarebytes Anti-Malware, or MBAM, to scan your computer for any infections or adware that may be present. Please download Malwarebytes from the following location and save it to your desktop:

    Malwarebytes Anti-Malware Download Link (Download page will open in a new window)

  5. Once downloaded, close all programs and windows on your computer, including this one.

  6. Double-click on the icon on your desktop named mb3-setup-1878.1878-3.0.6.1469.exe. This will start the installation of MBAM onto your computer.

  7. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave Launch Malwarebytes Anti-Malware checked. Then click on the Finish button. If Malwarebytes prompts you to reboot, please do not do so.

  8. MBAM will now start and you will be at the main screen as shown below.



    Malwarebytes Anti-Malware


    Please click on the Scan Now button to start the scan. If there is an update available for Malwarebytes it will automatically download and install it before performing the scan.

  9. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.



    Malwarebytes Anti-Malware


  10. When MBAM is finished scanning it will display a screen that displays any malware that it has detected. Please note that the infections found may be different than what is shown in the image below due to the guide being updated for newer versions of MBAM.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the selected malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  11. You can now exit the MBAM program.

  12. As a final cleanup step, please download AdwCleaner and save it to your desktop. AdwCleaner will scan your computer for adware programs that may have been installed on your computer without your knowledge. You can download AdwCleaner from the following URL:

    https://www.bleepingcomputer.com/download/adwcleaner/

  13. When AdwCleaner has finished downloading, please double-click on the AdwCleaner.exe icon that now appears on your desktop. Once you double-click on the icon the AdwCleaner program will open and you will be presented with its start screen as shown below. If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.


    AdwCleaner Start Screen

  14. Now click on the Scan button in AdwCleaner. The program will now start to search for known adware programs that may be installed on your computer. When it has finished it will display all of the items it has found in the Results section of the screen above. Please look through the results and try to determine if the programs that are listed contain ones that you do not want installed. If you find programs that you need to keep, then uncheck the entries associated with them.

    For most people, the contents of the Results section may appear confusing or as gibberish. Unless you see a program name that you know should not be removed, please continue with the next step.

  15. To remove the adware programs that were detected in the previous step, please click on the Clean button on the AdwCleaner screen. AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.



    AdwCleaner Reboot Prompt

    Please click on the OK button to let AdwCleaner reboot your computer.

  16. When your computer reboots and you are logged in, AdwCleaner will automatically open a log file that contains the files, registry keys, and programs that were removed from your computer.



    AdwCleaner Log

    Please review this log file and then close the Notepad Window.

  17. Ads by Hades can be stubborn to get rid of without fully resetting your web browsers. For each web browser that you have installed, please follow the appropriate instructions below on how to reset your browser to factory defaults. Please note that this method will remove all add-ons, extensions, toolbars and other customizations but will leave your bookmarks and favorites intact.


    In order to remove Hades Advertisements completely you will need to reset Chrome back to its initial settings. Doing these steps will erase all configuration information from Chrome such as your home page, tab settings, saved form information, browsing history, and cookies. This process will also disable any installed extensions. All of your bookmarks, though, will be preserved.

    To reset Chrome, open the program and click on the Chrome menu button (Chrome Menu Button) in the top right-hand corner of the window. This will open the main menu for Chrome as shown below.

    Chrome Menu Settings Option

    Now click on the menu option labeled Settings as shown by the arrow in the picture above, which will open the basic settings screen. Scroll down to the very bottom and you will see a Show advanced settings... option as shown in the image below.

    Advanced Settings Option

    Click on the Show advanced settings... option to open the advanced settings screen. Scroll to the very bottom until you see the reset button as shown in the image below.

    Advanced Settings Reset Button

    Now click on the Reset settings button as shown in the image above. Chrome will now open a confirmation dialog asking if you are sure you wish to reset your browser.

    Reset Chrome Confirmation


    To reset Chrome, click on the Reset button. Chrome will now erase all your personal data, browsing history, and disable all installed extensions. Your bookmarks, though, will remain intact and still be accessible. You can now close the Settings tab and continue with the rest of the instructions.

    In order to remove Hades Advertisements completely you will need to reset Internet Explorer back to its initial settings. Doing these steps will erase all configuration information from Internet Explorer such as your home page, saved form information, browsing history, and cookies. This process will also disable any installed toolbars and add-ons. All of your bookmarks, though, will be preserved.

    To reset Internet Explorer, open the program and click on the Internet Explorer menu button (Tools Menu Button) in the top right-hand corner of the window. This will open the main menu for Internet Explorer as shown below.

    Internet Options Menu Item

     

    Now click on the menu option labeled Internet options as shown by the arrow in the picture above, which will open the Internet Options screen.

    General tab of the Internet Options


    Now click on the Advanced tab as shown in the image above. This will open the Advanced Settings screen.

    Advanced Settings Tab

    Now click on the Reset... button as shown in the image above. Internet Explorer will now open a confirmation dialog asking you to confirm that you wish to reset your browser.

    Reset Confirmation


    In the reset dialog shown above, please put a check mark in Delete personal settings and then click on the Reset button. Internet Explorer will now erase all your personal data, browsing history, and disable all add-ons and toolbars. Your favorites, though, will remain intact and still be accessible.

    Reset finished

    Once the Reset process has been completed, click on the Close button. You will now be prompted to restart Internet Explorer to complete the reset. Once you have restarted Internet Explorer, you can continue with the rest of the instructions.

    In order to remove Hades Advertisements completely you will need to refresh Firefox back to its initial settings. It does this by removing all add-ons and personalized configuration settings. All of your bookmarks, though, will be preserved.

    To reset Firefox, open the program and click on the Firefox menu button (Firefox menu button) in the top right-hand corner of the window. This will open the main menu for Firefox as shown below.

    Firefox Menu

     

    Now click on the question mark button (Help button) as indicated by the arrow in the image above. This will open up the Firefox help menu.

    Help Menu


    Next click on the Troubleshooting Information option as indicated by the arrow in the image above. This will bring you to a Troubleshooting page.

    Troubleshooting Information Page

    To begin the refresh process click on the Refresh Firefox.. button. When you do this a confirmation will be shown asking if you wish to perform a Firefox refresh.

    Firefox Refresh Confirmation


    To refresh Firefox, click on the Refresh Firefox button. When the refresh process is finished you will be shown an Import window that will automatically close. When that closes, Firefox will be open and state that it has been refreshed.

    Refresh Complete

    You can now click on the Let's go! button to start using Firefox again.

    In order to completely remove Hades Advertisements you will need to reset Safari back to its initial settings. Doing these steps will erase all configuration information from Safari such as your Top Sites, saved form information, browsing history, and cookies. This process will not erase your bookmarks or extensions, which will still be available after you reset Safari.

    To reset Safari, open the program and click on the gear (Safari Options Gear) in the top right-hand corner of the window. This will open the main menu for Safari as shown below.

    Safari Options Menu

     

    Now click on the menu option labeled Reset Safari as shown by the arrow in the picture above. This will open a window that allows you to select all the items you wish to reset.

    Reset Options Window


    Keep the check marks in each option and then click on the Reset button. Safari will delete all of your personal data and then open a blank page, which means the process has finished.

    It is important to note that this process does not delete your Bookmarks or any installed Safari Extensions. If you wish to remove your Safari Extensions as well, you can download this batch file, which will reset Safari and delete all installed extensions, while still retaining your bookmarks.


  18. We now need to delete the root certificate installed by Hades Advertisements. To do this press the Windows keyboard key (Windows Key) and the R key at the same time to open the Run dialog box. When it opens, type certmgr.msc in the Open: field and press the Enter key. The Windows Certificate Manager will now open. Click on the little arrow next to the Trusted Root Certification Authorities category to expand it and then click on the Certificates folder. You should now see a list of certificates similar to the image below.




    Certificate Manager


    Right-click on the certificate called Hades CA and select Delete as shown below.




    Delete Hades CA certificate


    Once you have deleted the Hades CA certificate you can close the Certificate Manager window and proceed with the rest of the steps.


  19. As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
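To confirm that the certificate deleted in step 18 is really gone, the trusted root stores can also be checked from PowerShell. The following is an added example, not part of the original guide: it searches both the machine-wide and per-user root stores for the certificate name this guide gives (Hades CA), since certmgr.msc opened as described above shows the current user's view. The function name Find-RogueRoot and its parameters are hypothetical names chosen for illustration.

```powershell
# Added example (not from the original guide).
# Lists any certificate in the Windows trusted root stores whose subject
# contains the given name, and deletes it only when -Remove is supplied.
function Find-RogueRoot {
    param(
        [string]$Name = 'Hades CA',   # certificate name given in this guide
        [switch]$Remove               # without this switch nothing is changed
    )

    # The machine store is processed first. The per-user view also lists
    # machine-wide roots, so in report-only mode a match can appear in both.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        # @() forces the full list to be read before anything is deleted.
        $found = @(Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Name*" })

        foreach ($cert in $found) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore      # roughly when it was created
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }

            if ($Remove) {
                # Deleting from LocalMachine\Root requires an elevated prompt.
                # -Confirm asks before each deletion.
                Remove-Item -Path $cert.PSPath -Confirm
            }
        }
    }
}

# Report only. An empty result means no matching root is trusted any more.
Find-RogueRoot

# To delete what was found, run from an elevated PowerShell window:
#   Find-RogueRoot -Remove
```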

 

Your computer should now be free of the Ads by Hades program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.

View Associated Hades Advertisements Files


File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7/8.

%ProgramFiles% refers to the Program Files folder. The path to this folder is C:\Program Files\ or C:\Program Files (X86)\ depending on whether the version of Windows or the program being installed is 32-bit or 64-bit.

View Associated Hades Advertisements Registry Information

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwyyntm1ndi1zdz %ProgramFiles%\Smwyyntm1ndi1zdz\nmjim2z2zhm1bgz.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CrashMon "%ProgramFiles%\Umtayyznhndq1ntz\mtuyntm5ndy1yjy.exe" "UniversalUpdater" "http://log.data-url.com/crash/"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Hades
HKLM\SOFTWARE\Wow6432Node\Hades
HKLM\SOFTWARE\Wow6432Node\Universal
HKLM\SYSTEM\CurrentControlSet\services\nmjim2z2zhm1bgz
HKLM\SYSTEM\CurrentControlSet\services\UniversalUpdater

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.
