Infected by an adware

Niilesh

Padawan
Hey guys, my computer is infected by adware.
Occasionally a new tab (not a window) opens to travel agency sites;
they are not usually the same site every time.
Are these ads by thinkdigit? As I am usually surfing on the forum, I don't know if it is just a popup (which I doubt, as I have an ad-blocker installed).
I think I am affected by some adware.
I will download an adware remover and check.
Does Malwarebytes Anti-Malware detect it?

Any help will be appreciated, since I have not dealt with adware before.
 

Zangetsu

I am the master of my Fate.
These are JavaScript adware tricks that open when we click anywhere on the page (textbox, label or download links).
Annoying.

@Nilesh: Are you using Firefox with the Adblock addon?
 
OP
Niilesh

Padawan
MBAM didn't work (will update and try again).
Will try SUPERAntiSpyware.

These are JavaScript adware tricks that open when we click anywhere on the page (textbox, label or download links).
Annoying.

@Nilesh: Are you using Firefox with the Adblock addon?

Yup.
BTW, they don't open when I click somewhere; it usually happens when I have just opened the tab (2-4 min ago).

Update: MBAM detected something.
Let's hope it solves the problem.
 

MyGeekTips

script-kiddie geek
Check your browser add-ons. If you find a malicious addon, remove it. Also post a Task Manager screenshot with all process names clearly visible.
 

Sujeet

Undead!!!
Use Revo Uninstaller and remove any suspicious programs you see.

And how do you think he is gonna spot a malicious program... he is not gonna sit back with a complete database of malicious programs to find it.

That's the job of a good antivirus.
 

meetdilip

Computer Addict
And how do you think he is gonna spot a malicious program... he is not gonna sit back with a complete database of malicious programs to find it.

That's the job of a good antivirus.

True, but sometimes it can be some toolbar or a program with an easily recognizable adware name.
 
OP
Niilesh

Padawan
Use Revo Uninstaller and remove any suspicious programs you see.
No, there are no suspicious programs.
Check your browser add-ons. If you find a malicious addon, remove it. Also post a Task Manager screenshot with all process names clearly visible.
No malicious addons.
*i.imgur.com/R5llL.jpg

Post a HJT Log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:50:23 PM, on 3/19/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
d:\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
D:\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
d:\MBlaze UI\bin\MonServiceUDisk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Administrator.EXPERIEN-E323F4\Local Settings\Application Data\Google\Update\1.3.21.99\GoogleCrashHandler.exe
D:\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
D:\Internet Download Manager\IEMonitor.exe
D:\MBlaze UI\bin\App.exe
D:\Mozilla Firefox\firefox.exe
D:\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
D:\My Documents 3\Downloads\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Singapore
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Fixhomepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Fixhomepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Fixhomepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Fixhomepage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Singapore
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator.EXPERIEN-E323F4\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Html To Image - C:\Program Files\Html To Image\menu.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED275C94-10D6-4980-9398-96F6D3138884}: NameServer = 10.228.1.114 10.228.1.113
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HWDeviceService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - d:\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
O23 - Service: UDisk Monitor - Unknown owner - d:\MBlaze UI\bin\MonServiceUDisk.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 6072 bytes

Exams ended today; didn't have time to run scans.
Will do it today or tomorrow.
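The HijackThis log above is the kind of thing the thread asks the OP to post, and reading it by eye is how dashing.sujay spotted the Babylon Search entry. As an added example (not code from the thread or from HijackThis), here is a small triage script that parses the R0/R1, O4 and O23 lines and flags what a responder would want a second look at: browser home/search values that are not on an allowlist, startup items launched from a user profile directory, and services whose owner is unknown or whose file is missing. The sample input is a subset of the log lines posted above, copied verbatim; the allowlist of "expected" browser values is an assumption standing in for whatever the machine's owner actually chose, and the profile-directory heuristic deliberately produces a lead (Google Update) that is legitimate software, because these checks surface candidates for review, not verdicts.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in the thread,
# copied verbatim (raw string so the backslashes survive as written).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Singapore
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Fixhomepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Fixhomepage
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator.EXPERIEN-E323F4\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O23 - Service: HWDeviceService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)
"""

# Every HJT entry is "<code> - <body>"; we only interpret the codes handled below.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body layout: <hive>\..\<Run key>: [<name>] <command line>
O4_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed allowlist: the browser home/search values this machine's owner actually chose.
EXPECTED_BROWSER_VALUES = {"Yahoo! Singapore", "Yahoo! SearchBar Home Page"}

# Startup items launched from a user profile rather than Program Files / Windows
# deserve a look; plenty of legitimate software lives there too, so this is a lead only.
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def image_path(cmd):
    """Return the executable part of a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_hjt_log(text, expected=EXPECTED_BROWSER_VALUES):
    """Walk a HijackThis log and return (category, detail) findings worth a human look."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            # Home page / search page overrides: anything not on the allowlist is a hijack candidate.
            key, _, value = body.partition(" = ")
            if value not in expected:
                findings.append(("browser-setting", f"{key} -> {value}"))
        elif code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                image = image_path(o4.group("cmd"))
                if image.lower().startswith(PROFILE_ROOTS):
                    findings.append(("profile-startup", f"[{o4.group('name')}] {image}"))
        elif code == "O23":
            # A service whose binary is gone is a stale entry; an unknown owner lacks a
            # recognisable vendor, which is exactly what the thread is trying to decide.
            if "(file missing)" in body:
                findings.append(("service-file-missing", body))
            elif "Unknown owner" in body:
                findings.append(("service-unknown-owner", body))
    return findings


if __name__ == "__main__":
    for category, detail in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{category:22} {detail}")
```

Run against the sample it reports the Babylon Search and both Fixhomepage overrides, the Google Update item living under the user profile (the same entry dashing.sujay asks to remove from startup), the DatacardService service with no vendor name, and the WPF font cache entry whose file is missing.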
 

dashing.sujay

Moving
Staff member
^Nothing suspicious, all clean. But please remove that Babylon search for god's sake, and also google_update_service from startup.

Can you tell which addons you have installed in your browser?
 

MyGeekTips

script-kiddie geek
@OP: Post a screenshot of the netstat cmd showing all processes connected to remote servers. Maybe we will find the real culprit here.

Yup, also tell us which addons are installed in your browser. Also try another browser to see if there are ads like this.

BTW, I have a doubt about a process. My doubts will be cleared if you post a netstat screenshot.
 
OP
Niilesh

Padawan
You mean run this command in cmd? - "netstat -o"

Addons installed:
Adblock Plus
IDM CC
imgur uploader
Java Quick Starter (disabled)
Xmarks (disabled)

Do you also want to know the plugins?

Hey, BTW, how do I remove that Babylon search from IE?
Looks like the conventional way doesn't work.
Hmm..

EDIT: performed a forced uninstall through Revo and set the home page to Google in IE.
 
OP
Niilesh

Padawan
Ok, but I prefer copy-pasting:
C:\>netstat -b

Active Connections

Proto Local Address Foreign Address State PID
TCP experien-e323f4:1686 lhr14s22-in-f4.1e100.net:http ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1674 localhost:1675 ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1675 localhost:1674 ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1676 localhost:1677 ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1677 localhost:1676 ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1685 thinkdigit.com:http FIN_WAIT_1 3520
[firefox.exe]

TCP experien-e323f4:1687 lhr14s22-in-f4.1e100.net:http FIN_WAIT_1 3520
[firefox.exe]
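Reading `netstat -b` output pasted into a forum is fiddly: the PID column can wrap onto its own line, and the browser's localhost-to-localhost socket pairs are noise that hides the few connections that matter. As an added example (not from the thread or from any Windows tool), this parser reads output in the column layout shown in the post above (Proto, Local Address, Foreign Address, State, PID, then the `[process]` line), glues a wrapped PID back together, attaches each connection to its owning process, and then lists only the non-loopback remote hosts per process. The sample input reproduces the connections from the post, deliberately including a PID split across two lines as happens when console output is pasted with wrapping; the loopback host list is an assumption covering the usual spellings.

```python
import re

# Constructed sample: the `netstat -b` connections from the post above, including a
# PID (3520) that was wrapped onto a second line when the output was pasted.
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State PID
TCP experien-e323f4:1686 lhr14s22-in-f4.1e100.net:http ESTABLISHED 3
520
[firefox.exe]

TCP experien-e323f4:1674 localhost:1675 ESTABLISHED 3520
[firefox.exe]

TCP experien-e323f4:1685 thinkdigit.com:http FIN_WAIT_1 3520
[firefox.exe]

TCP experien-e323f4:1687 lhr14s22-in-f4.1e100.net:http FIN_WAIT_1 3
520
[firefox.exe]
"""

# Assumed spellings of the local host as netstat prints them.
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def parse_netstat_b(text):
    """Return a list of connection dicts from `netstat -b` output, rejoining wrapped PIDs."""
    conns = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        if tokens and tokens[0] in ("TCP", "UDP"):
            proto, local, remote = tokens[0], tokens[1], tokens[2]
            # UDP rows have no State column, so the PID sits one position earlier.
            if proto == "TCP":
                state = tokens[3] if len(tokens) > 3 else ""
                pid = tokens[4] if len(tokens) > 4 else ""
            else:
                state = ""
                pid = tokens[3] if len(tokens) > 3 else ""
            # A pasted console wrap can split the PID over lines: glue on all-digit continuation lines.
            while i + 1 < len(lines) and lines[i + 1].isdigit():
                i += 1
                pid += lines[i]
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state, "pid": int(pid) if pid else None, "process": None})
        elif lines[i].startswith("[") and lines[i].endswith("]") and conns:
            # "[name.exe]" names the process owning the most recent connection row.
            conns[-1]["process"] = lines[i][1:-1]
        i += 1
    return conns


def remote_endpoints_by_process(conns):
    """Group non-loopback remote hosts by owning process.

    The localhost<->localhost pairs a browser keeps open to itself are normal and
    are dropped, so what remains is the short list of external hosts to vet."""
    summary = {}
    for c in conns:
        host = c["remote"].rsplit(":", 1)[0]
        if host in LOOPBACK_HOSTS or host == "*":
            continue
        owner = c["process"] or f"pid {c['pid']}"
        summary.setdefault(owner, set()).add(host)
    return summary


if __name__ == "__main__":
    for proc, hosts in remote_endpoints_by_process(parse_netstat_b(SAMPLE_NETSTAT)).items():
        print(proc, "->", ", ".join(sorted(hosts)))
```

On the sample this reduces the paste to a single line: firefox.exe talking to a 1e100.net host (Google's address space) and to thinkdigit.com, which is consistent with a browser tab open on this forum rather than a separate process phoning home. A process that is not the browser yet holds connections to unfamiliar hosts is what MyGeekTips is asking to see in the screenshot.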
 