Author Topic: win32:adware-gen[adw]  (Read 17857 times)


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: win32:adware-gen[adw]
« Reply #15 on: November 11, 2006, 11:00:36 AM »
Hi Cdngrl,

As Cloussau said, two AVs are not a good idea: they will fight together like two dogs over a bone.

You also seem to have no firewall: are you behind a hardware firewall?

You are using a version of Windows that is not supported now, so you really need to switch to an alternative browser, Firefox or Opera, which are much more secure.

To answer your question, it won't be a virus causing the random links: it's spyware, actually a bad BHO (Browser Helper Object) as Clousau suspected, which is another reason to switch to an alternative browser, as they don't suffer from these things.

Anyway, here is how to get rid of your problem.

Run HijackThis! again, tick the following entry and click the 'fix' button.

O2 - BHO: ohb Class - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\SearchEnhancer\nsg10.dll

Reboot into safe mode and delete the following folder:

C:\WINNT\system32\SearchEnhancer

http://www.pchell.com/support/safemode.shtml

You may need to enable 'view hidden folders':

http://www.bleepingcomputer.com/tutorials/tutorial62.html

You should also check your computer with these free anti-spyware programs:

a-Squared free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/

Good luck!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Cdngrl

  • Guest
Re: win32:adware-gen[adw]
« Reply #16 on: November 12, 2006, 04:11:36 AM »
Hi FreewheelinFrank & Clossau,

Thanks for the advice; I will try everything out and let you know how it goes... fingers crossed!

C

Cdngrl

  • Guest
Re: win32:adware-gen[adw]
« Reply #17 on: November 12, 2006, 04:47:49 AM »
Thanks again you two! 

Success (I think). I've installed Firefox 2; I just have to get used to it looking a bit different. I fixed the BHO and there is no more popping up of weird pages and no random links. By the way, Spybot and Ad-Aware didn't pick up the spyware you identified (I used them prior to doing my HijackThis log).

Any suggestions for a firewall?  I don't know anything about them except that my work firewall means it takes almost ten minutes to log on to my laptop...

Would upgrading my OS to XP assist in any way to prevent this occurring again, or can I live with 2000?   I don't do anything really intensive on my PC, just some surfing, office work and a little db development.

Thanks again, the popping-up stuff was driving me nuts!

C

drasonz

  • Guest
Re: win32:adware-gen[adw]
« Reply #18 on: November 12, 2006, 05:55:13 AM »
I haven't fixed these 2 files yet:

HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe

I'll fix them, and in the meantime can you tell me the next few steps on what to do? I would like to ask why my firewall was turned off automatically and why I couldn't turn it back on. One more thing to enquire: if all these are fixed, will my computer be normal again, or are there a lot more things to be done? Thanks a lot.

drasonz

  • Guest
Re: win32:adware-gen[adw]
« Reply #19 on: November 12, 2006, 05:57:22 AM »
Logfile of HijackThis v1.99.1
Scan saved at 11:46:00 AM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\!SUNV\GraspWord\sgwKey.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
F:\Hijacktis\HijackThis.exe


drasonz

  • Guest
Re: win32:adware-gen[adw]
« Reply #20 on: November 12, 2006, 05:57:59 AM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SysHotKey_DFDD] C:\Program Files\Common Files\!SUNV\GraspWord\sgwKey.exe
O4 - HKLM\..\Run: [DFKCSmartAssistant] C:\Program Files\!Sunv\DFKC6\SmartA.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161411665406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161411655343
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe


drasonz

  • Guest
Re: win32:adware-gen[adw]
« Reply #21 on: November 12, 2006, 06:07:11 AM »
Oh, by the way, I had scanned my computer with ewido and Windows Defender and they found nothing. It could be due to the fact that I read one particular forum and followed the advice given. I downloaded and used the !KillBox software to manually remove the infected file. Please advise. Thanks a lot.

galooma

  • Guest
Re: win32:adware-gen[adw]
« Reply #22 on: November 12, 2006, 09:03:11 AM »
@ Cdngrl

The bad BHO wasn't spyware or adware; it was just part of a program you or someone else installed thinking it was going to be of use. The fact that it loaded stuff you didn't want was probably in the fine print somewhere, but who reads that? The important thing is it's gone.

If you want to upgrade to XP that's great, but bear in mind that it needs lots more resources that you may not have: hard disk around 40 gig, 256 minimum RAM, and if your processor is less than 1.7MHz then sometimes it's easier, especially if the PC isn't for serious use, to stay with what it was built with in mind. Upgrading those items can cost the price of a new system.

Drasonz

Most certainly restart your firewall; it's your first line of defense. Although you have used KillBox to remove the 2 files FWF noted, that effort was probably wasted on one line because you didn't fix this line:

O4 - HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe

so it may well be back. As for the rest of your system, there's no sign of Java now, so I can only assume you have updated it. As I said previously, try to get rid of some of the stuff that's running in the background needlessly, as it will be slowing your system down considerably.

Good luck :)

Offline FreewheelinFrank

Re: win32:adware-gen[adw]
« Reply #23 on: November 12, 2006, 09:26:27 AM »
Cdngrl,

As Cloussau said, upgrading with less than 256M is not going to be fun, unless you enjoy wading in treacle!

For a firewall I would recommend Zone Alarm or Kerio. If these prove too cumbersome on an older system, you could try the free Outpost firewall.

http://www.majorgeeks.com/download1056.html

Drasonz,

You still have the two entries I was suspicious about in your new log:

HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe

Did you try to fix them with HijackThis?

Here's how to delete the O23 entry:

Click "Start" > "Run" and type "Services.msc" (without quotes) then hit "Ok".
Click the "Extended" tab.
Scroll down and find the service called ServiceM
Click once on the service to highlight it.
Click "Stop".
Right-click on the service.
Click on "Properties".
Select the "General" tab.
Click the Arrow-down tab on the right-hand side on the "Start-up Type" box.
From the drop-down menu, click on "Disabled".
Click "Apply", then "OK".

Open HijackThis.
Click on the "Open Misc. tools section" button.
Click on the "Delete an NT service" button.
Type ServiceM in the space provided and click OK.
The program will ask you to reboot.  Accept.

Boot into safe mode.

Run HijackThis! again and fix the following entries:

HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe

Make sure you have 'view hidden files' enabled and delete the following files:

C:\WINDOWS\system32\systeminitialization.exe
C:\WINDOWS\system32\ServiceM.exe

« Last Edit: November 12, 2006, 09:28:46 AM by FreewheelinFrank »
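The log format that drasonz posted in Reply #20 and the entries FreewheelinFrank picked out by hand in Replies #15 and #23 can be worked through programmatically. The following is an added example written for this page; it is not code from the thread, from HijackThis or from avast. It parses the O-section lines of a HijackThis log into records, applies three rough triage rules modelled on what the helpers looked at (an O23 service HijackThis could not attribute to a vendor that runs from system32, a BHO loaded from somewhere other than Program Files, and any line marked "(file missing)"), looks up entries a helper has named, and checks a follow-up log to confirm the fixed entries are really gone after the safe-mode reboot. The sample log is a constructed excerpt of lines taken from this thread, not a full log, and the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread, not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: ohb Class - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\SearchEnhancer\nsg10.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [_systeminit] C:\WINDOWS\system32\systeminitialization.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe
"""


@dataclass
class Entry:
    section: str           # HijackThis section tag, e.g. "O4" or "O23"
    name: str              # Run value name, BHO title or service display name
    path: str              # executable/DLL the line points at ("" if none)
    owner: Optional[str]   # O23 only: vendor HijackThis resolved for the binary
    file_missing: bool     # line carries "(file missing)"
    raw: str               # the original log line


_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_GENERIC = re.compile(r"^(?P<section>[OR]\d+) - (?P<rest>.*)$")
_FIRST_EXE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')


def _path_from_cmd(cmd: str) -> str:
    """Take the executable out of a Run command line (quoted or bare)."""
    m = _FIRST_EXE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else ""


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O/R-section lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        missing = "(file missing)" in line
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], None, missing, line))
        elif m := _O4.match(line):
            entries.append(Entry("O4", m["name"], _path_from_cmd(m["cmd"]), None, missing, line))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["owner"], missing, line))
        elif m := _GENERIC.match(line):
            # Sections this parser has no dedicated pattern for keep the text up
            # to the first " - " as their name.
            entries.append(Entry(m["section"], m["rest"].split(" - ")[0], "", None, missing, line))
    return entries


def _in_system32(path: str) -> bool:
    return re.search(r"\\system32\\", path, re.IGNORECASE) is not None


def flag_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Rough triage modelled on what the helpers in the thread looked at.
    Every hit still has to be researched by name before anything is removed."""
    hits: List[Tuple[str, str]] = []
    for e in entries:
        if e.section == "O23" and e.owner == "Unknown owner" and _in_system32(e.path):
            hits.append((e.name, "unknown-owner service running from system32"))
        elif e.section == "O2" and "program files" not in e.path.lower():
            hits.append((e.name, "BHO loaded from outside Program Files"))
        elif e.file_missing:
            hits.append((e.name, "dangling reference to a missing file"))
    return hits


def find_named(entries: List[Entry], names: Iterable[str]) -> List[Entry]:
    """Pick out the entries a helper named for fixing (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.name.lower() in wanted]


def still_present(follow_up_log: str, names: Iterable[str]) -> List[str]:
    """After the fix-and-reboot cycle: which named entries remain in a fresh log?"""
    present = {e.name.lower() for e in parse_hjt(follow_up_log)}
    return [n for n in names if n.lower() in present]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for name, why in flag_entries(found):
        print(f"review: {name}: {why}")
    for e in find_named(found, ["_systeminit", "ServiceM"]):
        print(f"named by helper: {e.raw}")
    print("still present:", still_present(SAMPLE_LOG, ["_systeminit", "ServiceM"]))
```

Note what the heuristics do and do not catch: ServiceM is flagged because it combines "Unknown owner" with a system32 location, while the avast! service, which HijackThis also reports as "Unknown owner", is not, because that tag alone says only that HijackThis could not resolve a vendor. The `_systeminit` Run entry is not caught by any rule at all; it was a human reading the log who picked it out, which is why `find_named` and `still_present` exist: once a helper has named entries, the fresh log requested afterwards can be checked mechanically for whether they came back.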

Offline FreewheelinFrank

Re: win32:adware-gen[adw]
« Reply #24 on: November 12, 2006, 09:31:22 AM »
Drasonz,

I think you have Windows firewall? Is that correct?

It looks like the malware has brought down the firewall.

You would be better off installing a good third-party firewall like Zone Alarm or Kerio.

drasonz

  • Guest
Re: win32:adware-gen[adw]
« Reply #25 on: November 13, 2006, 07:55:46 AM »
I did as you told, but my computer still prompts me with these things whenever I start Windows.

1) Bitcomet – Can not listen to port 19287.
2) avast! – avast! will not be able to protect outgoing mail [SMTP protocol]. Error:10044
3) avast! – avast! will not be able to protect news [NNTP protocol]. Error:10044
4) avast! – avast! will not be able to protect incoming mail [IMAP protocol]. Error:10044
5) avast! – avast! will not be able to protect incoming mail [POP3 protocol].  Error:10044 

Is there any other solution to solve my problems? I feel very lost. If things persist, I intend to reformat my computer. But I read about this particular guy who was infected with the same virus as me. He reformatted his computer several times but still the virus came back. Is it because he performed a quick format? If I do a full format, will it be OK? Thanks a lot...

Offline FreewheelinFrank

Re: win32:adware-gen[adw]
« Reply #26 on: November 13, 2006, 09:53:13 AM »
Please post another HijackThis! log so we can see if the suspicious entries are gone.

If they are not gone, there is more we can do to remove them.

Don't worry. We are not finished yet. I don't think you need to think about flattening your system just yet.

Cdngrl

  • Guest
Re: win32:adware-gen[adw]
« Reply #27 on: November 15, 2006, 02:59:56 AM »
Hi guys,

All tidy now: got Zone Alarm going, Firefox, Avast, Spybot and Ad-Aware... whew. I think I will be upgrading to XP based on some dialogue I've read on this site and your recommendations as well.
I've a P4, 3GHz, 1GB RAM, 200GB HD, so I should be alright.

thanks again.

C