# My system is infected with adware/pornware



## ilugd (Jul 24, 2007)

Even though I don't use Internet Explorer but Firefox, Internet Explorer keeps opening around once every two hours with ads for porn sites and casinos.
I tried Ad-Aware but it couldn't find any infection.
HijackThis gave me this log. Could someone point out to me which entries are to be removed?

```
Logfile of HijackThis v1.99.1
Scan saved at 12:10:34 PM, on 24/07/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Quick IP Config\QuickIPConfig.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Ahead\Nero\nero.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Jeba Singh Emmanuel\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *in.rd.yahoo.com/customize/ie/defaults/sp/msgr8/**in.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *in.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *in.rd.yahoo.com/customize/ie/defaults/su/msgr8/**in.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *in.rd.yahoo.com/customize/ie/defaults/sp/msgr8/**in.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *in.rd.yahoo.com/customize/ie/defaults/su/msgr8/**in.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [QuickIPConfig] C:\Program Files\Quick IP Config\QuickIPConfig.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O9 - Extra button: CADE - {605E5D27-BFA0-471F-87ED-98A2623D633C} - C:\Program Files\CADE\Web\new.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - *www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184433152421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - *fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E46D58-6D6B-49A2-9509-D083ADF55540}: NameServer = 203.94.243.70,4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
```


----------



## aryayush (Jul 24, 2007)

WOW! You sure have a lot of startup items.


----------



## abhijangda (Jul 24, 2007)

scan with spybot or adaware.


----------



## infra_red_dude (Jul 24, 2007)

never heard of these two:
```
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
```

what are they? better check them out.


----------



## Vishal Gupta (Jul 24, 2007)

^^ thnx.  

@ilugd
Boot into safe mode and fix these:


```
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
```
These entries will also speed up ur system.


----------



## sakumar79 (Jul 24, 2007)

A few other strange entries:

```
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe
```

One more thing - you can turn off updaters for QuickTime, Real Player, Java etc. if you don't use them often. You can also turn off igfxtray and hkcmd if you don't need them.

Arun

EDIT: Just noticed Vishal beat me to it by three minutes... But I do think the CopyProcDownload program may also be malicious - if you don't know what it is, chances are it is malware.
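A small triage script for HijackThis logs, added here as an example; it is not something posted in this thread and not part of HijackThis itself. It applies the rules of thumb the replies above use (an autorun entry that runs from Application Data or another user-writable directory, a service whose executable is missing, a DPF entry with no recorded download source, an orphaned BHO, an LSP HijackThis does not recognise) to a handful of lines copied from the logs in this thread. The severity labels, the directory markers and the function names are my own choices for the example, not a HijackThis convention.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> name and command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O16 - DPF: {GUID} (optional name) -" with nothing after the dash
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -$")

# Path fragments (long and 8.3 forms) that a normal installer does not use for autoruns.
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "applic~1",
                 "local settings", "locals~1", "\\temp\\")

RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def exe_path(cmd):
    """Strip quotes and arguments from a Run value, keeping only the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)   # unquoted paths may contain spaces
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def triage(log_text):
    """Return (severity, reason, line) for every log line that deserves a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(("high", "autorun runs from a user-writable data directory", line))
            elif "\\" not in path:
                findings.append(("info", "autorun has no directory (resolved via PATH); verify the vendor", line))
            continue
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(("medium", "service registered but its executable is missing", line))
        elif O16_RE.match(line):
            findings.append(("medium", "ActiveX download (DPF) with no recorded source", line))
        elif line.startswith("O2 - ") and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO registration (no file on disk)", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("info", "LSP not on HijackThis' known list; identify the owning product before fixing", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, ...}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, why, line in sorted(triage(SAMPLE_LOG), key=lambda f: RANK[f[0]]):
        print(f"[{sev:6s}] {why}\n         {line}")
```

Run against the sample it reports the two All Users\Application Data autoruns and CopyProcDownload.exe as high, the gupdate service with its missing file and the empty DPF entry as medium, and the Realtek RTHDCPL.EXE line only as an informational "verify" item, which matches what vish786 later confirms about it. Entries such as ctfmon.exe produce nothing, and the script deliberately makes no recommendation about Java, QuickTime or RealPlayer schedulers: those are startup clutter, not infections.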


----------



## Liggy (Jul 24, 2007)

I would suggest a better AV scanner than Yahoo's or Pest Patrol or whatever it is called now (CA eTrust). Was this free? I think everyone pointed out the nasties there; run another HijackThis and compare with this one. Are all those values removed now?
If it is only IE that pops open, you can always remove IE from Add/Remove Programs, Windows Components!


----------



## Vishal Gupta (Jul 24, 2007)

^^ Spyware uses the default web browser to pop up those ads. There will be no benefit in removing IE from the system, and one more thing: u can't remove IE from "Add/Remove programs -> Windows Components". It'll only remove the IE shortcut from the Desktop.


----------



## ilugd (Jul 25, 2007)

thanks everyone for your help. I will do these right away. (I was a bit in the blues the past few days. Didn't visit the forum too often.)


----------



## anandk (Jul 25, 2007)

www.hijackthis.de also does a good job at auto-analysing logfiles instantly.


----------



## ilugd (Jul 26, 2007)

thanks. I tried the other suggestions above, but still get the same popups. But I guess I didn't do those in safe mode. Does that make a significant difference?


----------



## shady_inc (Jul 26, 2007)

u can try posting ur HijackThis log in this forum. Read their rules carefully before posting though.


----------



## ds_rajat (Jul 26, 2007)

Hey buddy, download AVG Anti-Spyware absolutely free from here:

*free.grisoft.com/doc/20/lng/us/tpl/v5

Also try Ad-aware SE free:

*www.download.com/3405-8022-5153545.html


----------



## sakumar79 (Jul 26, 2007)

Usually, it is better to remove viruses in safe mode... Also, make sure you remove all System Restore points before you proceed, and create a new system restore point after it...

Arun


----------



## ilugd (Jul 26, 2007)

Did it in safe mode. Submitted to www.hijackthis.de and removed all entries it said were even remotely suspicious. And I did this in safe mode. But the problem still persists. I am a bit confused about this line:

```
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
```
I will try to download the other software and do a scan.
Thank you all for your continued help.


----------



## gxsaurav (Jul 26, 2007)

This file is installed with iTunes/QuickTime. Leave it.


----------



## ilugd (Jul 26, 2007)

oh, thanks

Some blasted idiot told me that I was too much of a self-righteous prick for using only purchased software. I figured once would not hurt and installed the CD of Soldier of Fortune he gave me. And guess what? Infected!!
Backdoor.theef.111

Fck him!!



----------



## navjotjsingh (Jul 26, 2007)

I don't think just fixing via Hijackthis would solve the problem. You should manually delete the files:
```
C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
```

If an error appears that the files are in use, kill them via Task Manager and then delete them.

Also check the Add/Remove Programs option in Control Panel. Sometimes spyware comes with its own uninstaller. Try that and then remove the leftovers.

Scan the PC with Kaspersky/Nod 32 and Adaware 2007, Spybot, SpySweeper and a-squared. Also check for rootkits to ensure 100% protection.


----------



## ilugd (Jul 28, 2007)

hosts file was filled with entries made by cid to 127.0.0.1. Removed those.
Thanks. Online scan is going on. Will do that then reboot in safe mode and remove the ^^^ above files.

Thanks again for all your help.
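A hosts-file check to go with the entries ilugd found, added here as an example and not something from the thread. It parses a hosts file, skips the standard localhost lines, and separates names sinkholed to a loopback or unspecified address (the 127.0.0.1 pattern described above, which adware uses so that security vendors' update and download sites never resolve) from names pinned to some other address. The sample hosts content and its hostnames are constructed for the example; the function names are mine.

```python
import ipaddress

# Constructed sample hosts file (hostnames are made up for this example).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
# lines of the kind described in the thread: real names pointed at loopback
127.0.0.1       update.example-av-vendor.test
127.0.0.1       www.example-av-vendor.test   # added without the user's knowledge
0.0.0.0         liveupdate.example-av-vendor.test
# a name pinned to a foreign address instead of being resolved by DNS
10.0.0.5        www.example-bank.test
"""

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]     # one address, one or more names
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-standard hosts entry.

    sinkholed  : name points at a loopback/unspecified address, so it never resolves
    redirected : name pinned to some other address, bypassing DNS entirely
    malformed  : the address field is not an IP address
    """
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", addr, name))
            continue
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("sinkholed", addr, name))
        else:
            findings.append(("redirected", addr, name))
    return findings


def counts(text):
    """Number of entries per category, for a quick summary."""
    summary = {}
    for kind, _, _ in audit_hosts(text):
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    for kind, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {addr:16s} {name}")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts. A deliberately installed ad-blocking hosts list produces the same "sinkholed" rows, so the output is a review list rather than a verdict: the giveaway in a case like this thread is that the sinkholed names are security vendors' sites the user never added, and that the file changed without any action on their part.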


----------



## vish786 (Jul 28, 2007)

infra_red_dude said:

> never heard of these two:
> O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
> O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
> 
> what are they? better check them out.



Those files make ur audio work (hardware-dependent files).


----------



## He28 (Jul 29, 2007)

Did you try SmitfraudFix? 
It is a wonderful spyware and adware removal tool. Please type siri.urz.free.fr/Fix/SmitfraudFix.zip in the address bar of your browser and press Enter. This will download a .zip file to your system. Then extract it and boot in Safe Mode. In Safe Mode, run the file SmitfraudFix. Then follow the steps on screen and reboot in Normal Mode. I tried this on at least a dozen systems and it successfully removed all malware.
If this doesn't help, let me know.

Enjoy.


----------



## abhijangda (Jul 29, 2007)

use spybot/adawarese.


----------



## ilugd (Jul 29, 2007)

Never tried SmitfraudFix yet. Will do now.
Tried Adaware; it said no infection.
Will try Spybot now.
This thing is getting embarrassing. The office secretary was using my system to check railway reservations since her system was undergoing maintenance by me, and in the midst of all her clicking, a porn ad came up. Had to explain the whole concept of malware to her.


----------



## Liggy (Jul 30, 2007)

Try ComboFix (used Smitfraud but Combo is more detailed and should produce a log file that is more detailed; post here if u use ComboFix). Noticed u had an entry about a Winsock error in your HijackThis file; did you try to reset Winsock?
by the way Ilugd, like your signature... politics... LOL So true!!! Love that one!


----------



## ilugd (Jul 30, 2007)

^^^ gx_saurav told me that it was installed with quicktime and to let it be, so I didn't change that.

OK, will try smitfraudfix and combofix both. Hold on

SmitfraudFix did some deleting,
but got this on searching for ComboFix:
*www.windowsforum.org/forums/index.php?showtopic=29731&mode=linearplus


----------



## gxsaurav (Jul 30, 2007)

ilugd said:

> This thing is getting embarassing. The office secretary was using my system to check railway reservation since her system was undergoing maintenance by me and in the midst of all her clicking, a porn ad came up. Had to explain the whole concept of malware to her.



Aww.... that's embarrassing, not too many girls like to watch porn with guys anyway 

U do one thing, since nothing is coming out, do this

1) Give us a log here of startup programs

2) Give us a log or screenshot of "Add/Remove Programs"

3) The latest hijack this log


----------



## He28 (Jul 31, 2007)

Hi ilugd
Were you able to resolve the issue on your system with Malware?
Let me know if SmitfraudFix helped or how you manage to remove the crap off your system.


----------



## ankushkool (Jul 31, 2007)

Can anyone tell me if there is any unwanted application running on my comp?

```
Logfile of HijackThis v1.99.1
Scan saved at 8:50:05 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\pc suite\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
E:\Program Files\pc suite\Nokia PC Suite 6\OneTouchAccess.exe
E:\Program Files\GetRight\getright.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\Explorer.EXE
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - e:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - *edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight Pro - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E550478-9B30-4FB7-96C7-CCB4CA49EE69}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD958065-2DD7-4596-89FD-121423D33976}: NameServer = 192.255.255.0,192.255.255.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
```

please help


----------



## ilugd (Jul 31, 2007)

@he28, yes it seems to be gone now; a whole day with no Explorer crap opening up.
And @gxsaurav? You think that is funny. You won't think it funny when it happens to you. I work in a church, for Christ's sake.
Actually I am not sure how it got fixed, but I remember that I downloaded a software that would delete locked files on the next boot and I set it to delete the two files that navjot singh had mentioned. Thanks navjot. I am keeping my fingers crossed for a week at least.


----------



## Liggy (Aug 1, 2007)

ilugd said:

> got this on searching for combofix
> *www.windowsforum.org/forums/index.php?showtopic=29731&mode=linearplus


Hmm, that's funny cuz I never saw that and downloaded it after that was issued. I was able to find some links to still download it, but yeah, maybe I will not suggest that in the future. But it did work... Good to see Smitfraud worked for ya; good to keep that program safe somewhere.
**ankushkool**, get rid of that stupid mywebsearch crap: go to Add/Remove Programs and get rid of anything that says Search Assistant or Toolbar... If you post your log file on hijackthis.de you will see this entry shows as nasty: `O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -`. So I guess it would be wise to remove that as well (probably part of the websearch crap). Good ol' spyware!


----------



## ilugd (Aug 1, 2007)

i think it got sorted out. A whole day without any problems.


----------



## gxsaurav (Aug 1, 2007)

ilugd said:

> And @gxsaurav? You think that is funny. You won't think it funny when it happens to you. I work in a church for christ's sake.


How would I know, I don't know anything about u 

If this happened to me, then I would have faced it with a positive attitude by saying "Hey, it's just some educational stuff.... I was trying to learn things" 

Here is my log. AdMuncher is all I have installed for security. That's it. No Windows Defender, no other adware removal or anti-virus. They don't even come here....

Well, it's not like they can't; I'm just as cautious as I can be.



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 12:58:31 PM, on 01-08-2007
> Platform: Windows Vista  (WinNT 6.00.1904)
> MSIE: Internet Explorer v7.00 (7.00.6000.16473)
> ...


----------



## ilugd (Aug 1, 2007)

^^^ OK, OK I don't have much presence of mind anyway. I get flustered pretty fast. :-~
Anyway, she is a nice girl and didn't mind much.

Will try out admuncher


----------



## He28 (Aug 2, 2007)

ilugd said:

> ^^^ OK, OK I don't have much presence of mind anyway. I get flustered pretty fast. :-~
> Anyway, she is a nice girl and didn't mind much....

Good to know that both the issues are no longer there...
All the best for future....


----------



## ilugd (Aug 2, 2007)

oh, she is just a pen pusher. Has no interest in computers. I don't have much use for her in future.


----------



## ankushkool (Aug 7, 2007)

Can anyone tell me if there is any unwanted application running on my comp?

```
Logfile of HijackThis v1.99.1
Scan saved at 8:50:05 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\pc suite\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
E:\Program Files\pc suite\Nokia PC Suite 6\OneTouchAccess.exe
E:\Program Files\GetRight\getright.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\Explorer.EXE
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - e:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - *edits.mywebsearch.com/toolbar...tml?p=ZRfox000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight Pro - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E550478-9B30-4FB7-96C7-CCB4CA49EE69}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD958065-2DD7-4596-89FD-121423D33976}: NameServer = 192.255.255.0,192.255.255.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
```


----------



## ranjan2001 (Aug 9, 2007)

> Did you try SmitfraudFix?


I came to this thread via search & found my Vista IE7 infected with this crap. I have Spybot, which identifies Smitfraud but cannot remove it even in safe mode.
*img263.imageshack.us/img263/1723/smitfraudhn8.th.jpg
I downloaded SmitfraudFix, but that does not run on Vista; it says wrong OS. How else can I get rid of this malware, which keeps opening ads on my comp even though I use FF, not IE7?

Further, I found that in my case registry editing is disabled in Vista, though I am signed in with admin privileges.


----------



## ankushkool (Aug 12, 2007)

ankushkool said:

> can any one tell me if there is any unwanted application running on my comp
> 
> Logfile of HijackThis v1.99.1
> Scan saved at 8:50:05 AM, on 7/31/2007
> ...



can someone help me????


----------

