# Infected by adware



## Niilesh (Mar 13, 2012)

Hey guys, my computer is infected by adware.
Occasionally a new tab (not window) opens to travel agency sites;
they are not usually the same site every time.
Are these ads by thinkdigit? As I am usually surfing on the forum, I don't know if it is just a popup (which I doubt, as I have an ad-blocker installed).
I think I am affected by some adware.
I will download an adware remover and check.
Does Malwarebytes Anti-Malware detect it?

Any help will be appreciated, since I have not dealt with adware before.


----------



## MyGeekTips (Mar 13, 2012)

Just run an MBAM scan; it will remove the adware.


----------



## Sujeet (Mar 13, 2012)

Malware Bytes should do the trick.


----------



## coderunknown (Mar 14, 2012)

If MBAM fails, give SUPERAntiSpyware a try. It's the best at detecting infected cookie files and clearing them.


----------



## Zangetsu (Mar 14, 2012)

These adwares are JavaScript tricks that open when we click anywhere on the page (textbox, label or download links).
Annoying.

@Nilesh: Are you using Firefox with the Adblock addon?


----------



## Niilesh (Mar 15, 2012)

MBAM didn't work (will update and try again).
Will try SUPERAntiSpyware.



Zangetsu said:


> These adwares are JavaScript tricks that open when we click anywhere on the page (textbox, label or download links).
> Annoying.
> 
> @Nilesh: Are you using Firefox with the Adblock addon?



Yup.
BTW they don't open when I click somewhere; it usually happens when I have just opened the tab (2-4 min ago).

Update: MBAM detected something.
Let's hope it solves the problem.


----------



## meetdilip (Mar 15, 2012)

Use Revo Uninstaller and remove if you see any suspicious programs.


----------



## MyGeekTips (Mar 15, 2012)

Check your browser add-ons. If you find a malicious addon, remove it. Also post a Task Manager screenshot with all process names clearly visible.


----------



## Sujeet (Mar 15, 2012)

meetdilip said:


> Use Revo Uninstaller and remove if you see any suspicious programs.



And how do you think he is going to spot a malicious program? He is not going to sit back with a complete database of malicious programs to find it.

That's the job of a good antivirus.


----------



## MyGeekTips (Mar 16, 2012)

Post an HJT log.


----------



## meetdilip (Mar 16, 2012)

Sujeet said:


> And how do you think he is going to spot a malicious program? He is not going to sit back with a complete database of malicious programs to find it.
> 
> That's the job of a good antivirus.



True, but sometimes it can be a toolbar or a program with an easily recognizable adware name.


----------



## Niilesh (Mar 19, 2012)

meetdilip said:


> Use Revo Uninstaller and remove if you see any suspicious programs.


No, there are no suspicious programs.


MyGeekTips said:


> Check your browser add-ons. If you find a malicious addon, remove it. Also post a Task Manager screenshot with all process names clearly visible.


No malicious addon.
i.imgur.com/R5llL.jpg



MyGeekTips said:


> Post a HJT Log.








Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:50:23 PM, on 3/19/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
d:\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
D:\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
d:\MBlaze UI\bin\MonServiceUDisk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Administrator.EXPERIEN-E323F4\Local Settings\Application Data\Google\Update\1.3.21.99\GoogleCrashHandler.exe
D:\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
D:\Internet Download Manager\IEMonitor.exe
D:\MBlaze UI\bin\App.exe
D:\Mozilla Firefox\firefox.exe
D:\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
D:\My Documents 3\Downloads\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Singapore
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Fixhomepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Fixhomepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Fixhomepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Fixhomepage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Singapore
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator.EXPERIEN-E323F4\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Html To Image - C:\Program Files\Html To Image\menu.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED275C94-10D6-4980-9398-96F6D3138884}: NameServer = 10.228.1.114 10.228.1.113
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HWDeviceService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - d:\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
O23 - Service: UDisk Monitor - Unknown owner - d:\MBlaze UI\bin\MonServiceUDisk.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 6072 bytes



Exams ended today; didn't have time to run scans.
Will do it today or tomorrow.
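An added example, written for this page rather than taken from the thread or from HijackThis itself, of the first-pass triage a helper does on a log like the one above. It reads lines in HJT's `<type> - <detail>` format (a constructed excerpt of the posted log is embedded) and lists the entries this thread's replies single out. The rules are my assumptions, not HijackThis features: an R0/R1 home or search page whose value contains a name on a watchlist (only "babylon" here, the one dashing.sujay points at), RunOnce entries under the LOCAL SERVICE / NETWORK SERVICE / SYSTEM hives, every O17 NameServer entry, and O23 services reported with an unknown owner or a missing file. The result is a review list, not a verdict; the WPF Font Cache line it flags is a Microsoft component.

```python
import re

# Heuristics below are assumptions made for this example, not HijackThis rules.
# Names that, if they appear in an R0/R1 home/search page value, get flagged.
WATCHLIST = ("babylon",)

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Fixhomepage
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED275C94-10D6-4980-9398-96F6D3138884}: NameServer = 10.228.1.114 10.228.1.113
O23 - Service: HWDeviceService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)
"""

# HJT v2 prints one entry per line as "<type> - <detail>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<typ>[RFO]\d+) - (?P<detail>.*)$")
# RunOnce keys under the well-known service-account SIDs (S-1-5-18/19/20).
SERVICE_ACCOUNT_RUNONCE_RE = re.compile(r"HKUS\\S-1-5-(?:18|19|20)\\.*RunOnce")


def parse_hjt(text):
    """Yield (type, detail) pairs; lines that are not HJT entries are skipped."""
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("typ"), m.group("detail")


def triage_hjt(text, watchlist=WATCHLIST):
    """Return [(type, reason, detail)] for entries worth a second look."""
    findings = []
    for typ, detail in parse_hjt(text):
        lowered = detail.lower()
        if typ in ("R0", "R1") and any(w in lowered for w in watchlist):
            findings.append((typ, "IE home/search page points at a watchlisted name", detail))
        elif typ == "O4" and SERVICE_ACCOUNT_RUNONCE_RE.search(detail):
            findings.append((typ, "RunOnce under a service-account hive", detail))
        elif typ == "O17":
            findings.append((typ, "DNS servers set in the registry: confirm they are your ISP's or router's", detail))
        elif typ == "O23" and ("unknown owner" in lowered or "(file missing)" in lowered):
            findings.append((typ, "service with unknown owner or missing binary", detail))
    return findings


if __name__ == "__main__":
    for typ, reason, detail in triage_hjt(SAMPLE_HJT):
        print(f"{typ:4} {reason}\n     {detail}")
```

To run it on a real log, replace SAMPLE_HJT with the file contents; the Fixhomepage R1 lines above are deliberately not flagged because nothing in the thread identifies them, so extend WATCHLIST rather than trusting the defaults.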


----------



## dashing.sujay (Mar 19, 2012)

^Nothing suspicious, all clean. But please remove that Babylon Search for God's sake, and also google_update_service from startup.

Can you tell which addons you have installed in your browser?


----------



## MyGeekTips (Mar 19, 2012)

@OP: Post a screenshot of netstat in cmd showing all processes connected to remote servers. Maybe we will find the real culprit here.

Yup, also tell us which addons are installed in your browser. Also try another browser to see if there are ads like this there too.

BTW, I have doubts about a process. My doubts will be cleared if you post a netstat screenshot.


----------



## dashing.sujay (Mar 19, 2012)

^Which process?


----------



## Niilesh (Mar 20, 2012)

You mean run this command in cmd? - "netstat -o"

Addons installed:
Adblock Plus
IDM CC
imgur uploader
Java Quick Starter (disabled)
Xmarks (disabled)

Do you also want to know the plugins?

Hey, BTW, how do I remove that Babylon Search from IE?
Looks like the conventional way doesn't work.
Hmm..

EDIT: performed a forced uninstall through Revo and set the home page to Google in IE.


----------



## MyGeekTips (Mar 20, 2012)

^^ Yup, type "netstat -b" in cmd. Then take a screenshot.


----------



## Niilesh (Mar 20, 2012)

OK, but I prefer copy-pasting.
C:\>netstat -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    experien-e323f4:1686   lhr14s22-in-f4.1e100.net:http  ESTABLISHED     3
520
  [firefox.exe]

  TCP    experien-e323f4:1674   localhost:1675         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1675   localhost:1674         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1676   localhost:1677         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1677   localhost:1676         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1685   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1687   lhr14s22-in-f4.1e100.net:http  FIN_WAIT_1      3
520
  [firefox.exe]


----------



## MyGeekTips (Mar 20, 2012)

Buddy, you should wait a little. I think it wasn't finished.


----------



## dashing.sujay (Mar 20, 2012)

^This won't yield anything useful, because my results are totally different.


----------



## Niilesh (Mar 20, 2012)

Man, it again asked for a command,
showing C:\>
I deleted that since it was unnecessary.

I ran it again:


C:\>netstat -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    experien-e323f4:1736   lhr14s22-in-f14.1e100.net:http  ESTABLISHED
3520
  [firefox.exe]

  TCP    experien-e323f4:1774   bru01m01-in-f95.1e100.net:http  ESTABLISHED
3520
  [firefox.exe]

  TCP    experien-e323f4:1775   bru01m01-in-f95.1e100.net:http  ESTABLISHED
3520
  [firefox.exe]

  TCP    experien-e323f4:1674   localhost:1675         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1675   localhost:1674         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1676   localhost:1677         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1677   localhost:1676         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1734   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1735   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1737   lhr14s22-in-f14.1e100.net:http  FIN_WAIT_1
3520
  [firefox.exe]

  TCP    experien-e323f4:1757   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1778   bru01m01-in-f95.1e100.net:http  FIN_WAIT_1
3520
  [firefox.exe]

  TCP    experien-e323f4:1779   bru01m01-in-f95.1e100.net:http  FIN_WAIT_1
3520
  [firefox.exe]

  TCP    experien-e323f4:1789   lhr14s22-in-f14.1e100.net:http  FIN_WAIT_1
3520
  [firefox.exe]

  TCP    experien-e323f4:1792   lhr14s22-in-f14.1e100.net:http  FIN_WAIT_1
3520
  [firefox.exe]

  TCP    experien-e323f4:1817   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1819   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1724   110.45.229.148:http    CLOSE_WAIT      2976
  [PotPlayerMini.exe]

  TCP    experien-e323f4:1722   lhr14s22-in-f4.1e100.net:http  TIME_WAIT       0

  TCP    experien-e323f4:1742   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1744   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1773   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1780   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1784   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1791   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1805   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1815   thinkdigit.com:http    TIME_WAIT       0
  TCP    experien-e323f4:1816   thinkdigit.com:http    TIME_WAIT       0

C:\>
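An added example, written for this page and not posted in the thread or part of netstat or any tool named here, that does programmatically what MyGeekTips asked to do by eye: take `netstat -b` output, fold the lines the console wrapped (the PID printed as "3" and "520" on consecutive lines, or pushed onto a line of its own, as in the two pastes above), attach each connection to the executable that `-b` reports, and list remote hosts per process. The sample excerpt and the browser allow-list are constructed for the example. A non-browser process with an HTTP peer, such as PotPlayerMini.exe here, is something to look at, not proof of adware.

```python
from collections import defaultdict

# Constructed sample: an excerpt of the `netstat -b` output posted above,
# including the wrapped PID ("3" / "520") that the console produced.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    experien-e323f4:1686   lhr14s22-in-f4.1e100.net:http  ESTABLISHED     3
520
  [firefox.exe]

  TCP    experien-e323f4:1674   localhost:1675         ESTABLISHED     3520
  [firefox.exe]

  TCP    experien-e323f4:1735   thinkdigit.com:http    FIN_WAIT_1      3520
  [firefox.exe]

  TCP    experien-e323f4:1724   110.45.229.148:http    CLOSE_WAIT      2976
  [PotPlayerMini.exe]

  TCP    experien-e323f4:1722   lhr14s22-in-f4.1e100.net:http  TIME_WAIT       0
"""

# Assumed allow-list: processes expected to talk HTTP on a desktop.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}


def parse_netstat_b(text):
    """Return a list of dicts {proto, local, foreign, state, pid, image}.

    Handles the two console-wrap forms in the thread: the PID split across
    lines ("3" + "520") and the PID pushed to a line of its own. The
    "[image.exe]" line that -b prints is attached to the preceding socket.
    """
    conns = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("TCP", "UDP")):
            parts = line.split()
            if parts[0] == "UDP":  # UDP rows have no State column
                state, pid = "", parts[3] if len(parts) > 3 else ""
            else:
                state = parts[3] if len(parts) > 3 else ""
                pid = parts[4] if len(parts) > 4 else ""
            current = {"proto": parts[0], "local": parts[1], "foreign": parts[2],
                       "state": state, "pid": pid, "image": ""}
            conns.append(current)
        elif current is not None and line.isdigit():
            current["pid"] += line  # continuation of a wrapped PID
        elif current is not None and line.startswith("[") and line.endswith("]"):
            current["image"] = line[1:-1]  # owning executable reported by -b
    return conns


def remote_hosts_by_image(conns):
    """Map owning executable -> sorted remote hosts it has sockets to."""
    hosts = defaultdict(set)
    for c in conns:
        host = c["foreign"].rsplit(":", 1)[0]
        if host in ("localhost", "127.0.0.1", "*"):
            continue  # loopback pairs (Firefox's IPC sockets above) are noise here
        if not c["image"]:
            continue  # TIME_WAIT sockets have no owner; nothing to attribute
        hosts[c["image"]].add(host)
    return {image: sorted(h) for image, h in hosts.items()}


def unexpected_talkers(conns, browsers=BROWSERS):
    """Non-browser executables with a remote HTTP peer: a list to check, not a verdict."""
    return sorted({c["image"] for c in conns
                   if c["image"] and c["image"].lower() not in browsers
                   and c["foreign"].endswith(":http")
                   and not c["foreign"].startswith("localhost")})


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    conns = parse_netstat_b(text)
    for image, hosts in sorted(remote_hosts_by_image(conns).items()):
        print(f"{image}: {', '.join(hosts)}")
    print("non-browser processes with an HTTP peer:", unexpected_talkers(conns))
```

Pipe a saved paste into it (`python netstat_triage.py < netstat.txt`) or run it bare to see the sample. Note the limits of this view: it is a snapshot of sockets open at that instant, and an ad tab that opens three or four times an hour is easy to miss, so run it while the unwanted tab is loading.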


----------



## MyGeekTips (Mar 20, 2012)

^^ Well, everything looks clean here.

Disable all of your addons except Adblock Plus, then restart Firefox and check whether these ads show or not. Maybe one of your addons is doing it.

BTW, have you tried using any other browser?


----------



## Niilesh (Mar 20, 2012)

MyGeekTips said:


> ^^ Well, everything looks clean here.
> 
> Disable all of your addons except Adblock Plus, then restart Firefox and check whether these ads show or not. Maybe one of your addons is doing it.
> 
> BTW, have you tried using any other browser?



Ads only appear three or four times an hour.
OK, will try with every extension disabled
and on another browser (Chrome).

Update: disabling all addons (except Adblock) and extensions didn't work.

Now will try Chrome.


----------



## dashing.sujay (Mar 20, 2012)

Reinstall !!


----------



## Niilesh (Mar 20, 2012)

dashing.sujay said:


> Reinstall !!



OS?
char


----------



## dashing.sujay (Mar 20, 2012)

Firefox


----------



## Niilesh (Mar 20, 2012)

You sure Firefox is the culprit?
I doubt it.

Let's give Chrome a try.


----------



## dashing.sujay (Mar 20, 2012)

What's the harm in trying?


----------



## Niilesh (Mar 20, 2012)

OK, will reinstall.
Just need to back up bookmarks.


----------



## Rockstar11 (Mar 20, 2012)

Sam said:


> If MBAM fails, give SUPERAntiSpyware a try. It's the best at detecting infected cookie files and clearing them.



+1

or try RemoveIT Pro


----------



## coderunknown (Mar 20, 2012)

Rockstar11 said:


> or try RemoveIT Pro



I have used it. It lists safe files as dangerous (not infected). Don't know what kind of logic it uses to detect malware.


----------



## topgear (Mar 20, 2012)

@ OP - scan the system with Spybot Search and Destroy and Ad-Aware Antivirus


----------



## meetdilip (Mar 20, 2012)

Scan using PC Doctor; it can find dangerous add-ons.


----------



## Niilesh (Mar 20, 2012)

Ran SUPERAntiSpyware and MBAM quick scan.
Found 20+ trojans,
450+ tracking cookies;
deleted all.

Let's see if it removes the problem.


----------



## MyGeekTips (Mar 20, 2012)

Niilesh said:


> Ran SUPERAntiSpyware and MBAM quick scan.
> Found 20+ trojans,
> 450+ tracking cookies;
> deleted all.
> ...



I think you scanned before too? Why didn't you find them previously?


----------



## Niilesh (Mar 20, 2012)

^MBAM didn't detect any.

BTW it didn't work; ads still come.
Going to reinstall Firefox.


----------



## thetechfreak (Mar 20, 2012)

Sorry for my late post.

Since everything has already been recommended, use:

1) As said by topgear, get Spybot S&D. Update and full scan.
2) Scan using this: HouseCall - Free Online Virus Scan - Trend Micro USA


Niilesh said:


> ^MBAM didn't detect any.


Surprising.


----------



## pranav0091 (Mar 20, 2012)

Check if something suspicious is being invoked through the task scheduler.


----------



## Niilesh (Mar 20, 2012)

Ran a scan with Spybot S&D;
found some items, deleted them. Now let's see.

Update: problem still persists.


pranav0091 said:


> Check if something suspicious is being invoked through the task scheduler.


Nothing through Windows Task Scheduler.


----------



## coderunknown (Mar 21, 2012)

Reinstall the browser. Also, if you can, do a complete PC scan with Emsisoft Anti-Malware, but it too will only remove infected files and may not fix the problem.


----------



## Niilesh (Mar 21, 2012)

Reinstalling solved the problem (I think so).


----------



## ico (Mar 21, 2012)

*HijackThis - Trend Micro USA* <-- Download this, create HijackThis log and post in this thread.


----------



## MyGeekTips (Mar 21, 2012)

ico said:


> *HijackThis - Trend Micro USA* <-- Download this, create HijackThis log and post in this thread.



He already posted the HJT log in post 12:
www.thinkdigit.com/forum/1608173-post12.html


----------



## Vyom (Mar 21, 2012)

Niilesh said:


> Occasionally a new tab(not window) opens to a travel (agencies) sites
> they are not usually the same site every time
> are these adds by thinkdigit? As i am usually surfing on forum i don't know if it is just a popup(which i doubt as I have ad-blocker installed)



Just for the record, I would like to say that, *yes*, the site thinkdigit has started to show pop-up ads on first visit. It's for me too, and I think for everybody. So, if you are facing the ad on just the thinkdigit site, then it's normal.


----------



## Niilesh (Mar 21, 2012)

Update - it didn't work.


Vyom said:


> Just for the record, I would like to say that, *yes*, the site thinkdigit has started to show pop-up ads on first visit. It's for me too, and I think for everybody. So, if you are facing the ad on just the thinkdigit site, then it's normal.


I noticed that it also comes while not surfing TDF, so..


----------



## meetdilip (Mar 21, 2012)

Niilesh said:


> just need to backup bookmarks



How do I back up Firefox and Chrome bookmarks? Sync?


----------



## Niilesh (Mar 21, 2012)

^
1. Press Ctrl + Shift + B.
2. Click on Import and Export (or something like that).
You can figure out the rest yourself.
BTW you can also use addons like Xmarks.


----------



## meetdilip (Mar 21, 2012)

Thanks.


----------



## MyGeekTips (Mar 21, 2012)

WTF, I think now your PC has been infected with a rootkit. Do a boot-time scan.


----------



## dashing.sujay (Mar 21, 2012)

Niilesh said:


> ^
> 1. Press Ctrl + Shift + B.
> 2. Click on Import and Export (or something like that).
> You can figure out the rest yourself.
> BTW you can also use addons like Xmarks.





meetdilip said:


> Thanks.



It's export (to save bookmarks to an external file), while import = to restore/retrieve all the data from the exported file.


----------



## Niilesh (Mar 21, 2012)

MyGeekTips said:


> WTF, I think now your PC has been infected with a rootkit. Do a boot-time scan.



Using what? (I mean, any trusted app?)

Update - Noticed that I didn't perform a full uninstall.
Performed a full reinstall (or whatever you would call it).

Edit: didn't work.
I am getting frustrated.


----------



## topgear (Mar 22, 2012)

^^ Scan your whole system with an AV rescue CD - get the latest updated version of the ISO file from your preferred AV's website, like Kaspersky, AVG, Avira, Bitdefender etc. - write the ISO file to a CD - boot your PC with that and start the scan.


----------



## MyGeekTips (Mar 22, 2012)

Niilesh said:


> Using what? (I mean, any trusted app?)
> 
> Update - Noticed that I didn't perform a full uninstall.
> Performed a full reinstall (or whatever you would call it).
> ...



Check topgear's post.


----------



## Rockstar11 (Mar 22, 2012)

Niilesh said:


> Using what? (I mean, any trusted app?)
> 
> Update - Noticed that I didn't perform a full uninstall.
> Performed a full reinstall (or whatever you would call it).
> ...



Okkk, try ComboFix.

ComboFix Download

IMPORTANT: ComboFix is extremely powerful. You should not run ComboFix.exe unless you are asked to by a trained helper.


----------



## Niilesh (Mar 22, 2012)

topgear said:


> ^^ Scan your whole system with an AV rescue CD - get the latest updated version of the ISO file from your preferred AV's website, like Kaspersky, AVG, Avira, Bitdefender etc. - write the ISO file to a CD - boot your PC with that and start the scan.


I have to just write it normally?
Nothing special to be done to make it bootable? (I think not, but I just don't want to waste a CD.)
PS: Downloaded Kaspersky Rescue Disk.



Rockstar11 said:


> Okkk, try ComboFix.
> 
> ComboFix Download
> 
> IMPORTANT: ComboFix is extremely powerful. You should not run ComboFix.exe unless you are asked to by a trained helper.



are you a "trained helper" ?


----------



## topgear (Mar 23, 2012)

You should write the ISO file the way you write an OS ISO file (to make a bootable OS CD/DVD),
or else:
use ImgBurn (place a blank CD in the ODD before that) - choose the "Write image file to disc" option - select the source ISO file you downloaded - choose the write speed (10x should be good) and hit the big Write button - voilà! Your bootable CD will be ready to use within a few minutes.


----------



## Niilesh (Mar 25, 2012)

Ran a scan from the bootable CD today.
It found three Trojan.Win32 (which I think were false positives);
deleted them.
Will again have to wait and watch.

BTW Kaspersky has not updated their rescue disk for a long time;
its database is outdated. Is there a way to install updates from within Windows? (As I would not be able to use MBlaze in its "OS".)

Or should I download some other AV's rescue disk?

EDIT: didn't work (again).
Think I will have to reinstall the OS.


----------



## Rockstar11 (Mar 25, 2012)

Niilesh said:


> Ran a scan from the bootable CD today.
> It found three Trojan.Win32 (which I think were false positives);
> deleted them.
> Will again have to wait and watch.
> ...



Tried ComboFix??

Just try before reinstalling the OS.


----------



## Niilesh (Mar 25, 2012)

^ Reinstalling is the last option.

Will run a ComboFix scan tonight.


----------



## Rockstar11 (Mar 25, 2012)

Niilesh said:


> will run combofix scan tonight



good luck!!


----------



## topgear (Mar 26, 2012)

Niilesh said:


> Ran a scan from the bootable CD today.
> It found three Trojan.Win32 (which I think were false positives);
> deleted them.
> Will again have to wait and watch.
> ...



Try the AVG or Avira rescue disc - they are updated almost daily.


----------



## Niilesh (Mar 26, 2012)

ComboFix didn't work.
It was running the scan for 15 min. but didn't show any sign of progress.
My system was lagging like hell; even the clock (near the tray) was not being updated.
I couldn't even open Task Manager. Had to force a shutdown.

@topgear will download the AVG rescue disk.


----------



## topgear (Mar 27, 2012)

^^ Nice.. let us know the result.

BTW, my recommendation goes with the Avira rescue disc.


----------



## ico (Mar 27, 2012)

MyGeekTips said:


> He already posted the HJT log in post 12:
> www.thinkdigit.com/forum/1608173-post12.html


OK, I missed that.

@OP

Might want to get rid of the following entries? I know they are related to Datacard, but still weird.



> C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe
> O23 - Service: HWDeviceService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\HWDeviceService.exe



These as well



> O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
> O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
> O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
> O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
> ...


----------



## Rockstar11 (Mar 27, 2012)

Niilesh said:


> ComboFix didn't work.
> It was running the scan for 15 min. but didn't show any sign of progress.
> My system was lagging like hell; even the clock (near the tray) was not being updated.
> I couldn't even open Task Manager. Had to force a shutdown.
> ...



......okk


----------



## Niilesh (Mar 27, 2012)

ico said:


> ok I missed that.
> 
> @OP
> 
> ...


I think these are useful files. I probably won't be able to connect without them.



ico said:


> These as well
> 
> 
> 
> ...


These are registry entries, right? Do I have to search for these entries in a registry editor and delete them?


----------



## dashing.sujay (Mar 27, 2012)

^Nope, just check the boxes against them in HijackThis and select *Fix*.


----------



## Niilesh (Mar 27, 2012)

Ran a scan with the AVG rescue disk.
It didn't detect any infections.
BTW they don't update every day; the latest one was dated 12th March.



dashing.sujay said:


> ^Nope, just check the boxes against them in HijackThis and select *Fix*.



OK, thanks, will delete them.


----------



## coderunknown (Mar 27, 2012)

^^ You don't have to be 100% up to date. These may not be 0-day worms.

Have you tried Emsisoft Anti-Malware? Also I have a feeling this is caused by damage done by worms to system files. The infected files are gone but some registry values are changed.


----------



## Niilesh (Mar 27, 2012)

Sam said:


> ^^ You don't have to be 100% up to date. These may not be 0-day worms.


I know that, but I just wanted to inform topgear about it.



Sam said:


> Have you tried Emsisoft Anti-Malware? Also I have a feeling this is caused by damage done by worms to system files. The infected files are gone but some registry values are changed.


OK, will try Emsisoft Anti-Malware.
BTW, registry keys can make ads pop up?


----------



## topgear (Mar 28, 2012)

Niilesh said:


> Ran a scan with the AVG rescue disk.
> It didn't detect any infections.
> BTW they don't update every day; the latest one was dated 12th March.
> 
> ...



that's why I recommended Avira Rescue Disc ... 

Download Avira AntiVir Rescue System


----------



## ico (Mar 28, 2012)

Niilesh said:


> These are registry entries, right? Do I have to search for these entries in a registry editor and delete them?


No. Delete them using HijackThis. It gives you an option to fix.

If nothing works, get out of your Windows misery and start using *Homepage | Ubuntu*


----------



## Sujeet (Mar 28, 2012)

ico said:


> No. Delete them using HijackThis. It gives you an option to fix.
> 
> If nothing works, get out of your Windows misery and start using *Homepage | Ubuntu*





Arguably the most productive and work-oriented OS we have.. No need to worry about viruses, at least.


----------



## Niilesh (Mar 28, 2012)

*Update:* Ads seem to have magically disappeared.


ico said:


> No. Delete them using HijackThis. It gives you an option to fix.
> 
> If nothing works, get out of your Windows misery and start using *Homepage | Ubuntu*


Deleted them.
BTW I have an old PC (will buy a laptop in a month).
I think I will have to use Xubuntu.



topgear said:


> that's why I recommended Avira Rescue Disc ...
> 
> Download Avira AntiVir Rescue System


Will try if the ads appear again.


----------

