My system is infected with adware/pornware

Status
Not open for further replies.

ilugd

Beware of the innocent
Even though I don't use Internet Explorer but Firefox, Internet Explorer keeps opening around once every two hours with ads for porn sites and casinos.
I tried Ad-Aware, but it couldn't find any infection.
HijackThis gave me this log. Could someone point out which entries should be removed?
Code:
Logfile of HijackThis v1.99.1
Scan saved at 12:10:34 PM, on 24/07/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Quick IP Config\QuickIPConfig.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Ahead\Nero\nero.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Jeba Singh Emmanuel\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *in.rd.yahoo.com/customize/ie/defaults/sp/msgr8/**in.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *in.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *in.rd.yahoo.com/customize/ie/defaults/su/msgr8/**in.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *in.rd.yahoo.com/customize/ie/defaults/sp/msgr8/**in.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *in.rd.yahoo.com/customize/ie/defaults/su/msgr8/**in.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [QuickIPConfig] C:\Program Files\Quick IP Config\QuickIPConfig.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.50.0\gears.dll
O9 - Extra button: CADE - {605E5D27-BFA0-471F-87ED-98A2623D633C} - C:\Program Files\CADE\Web\new.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - *www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184433152421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - *fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E46D58-6D6B-49A2-9509-D083ADF55540}: NameServer = 203.94.243.70,4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
 

infra_red_dude

Wire muncher!
Never heard of these two:
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

What are they? Better check them out.
 

Vishal Gupta

Microsoft MVP
^^ Thanks. :D

@ilugd
Boot into safe mode and fix these:

Code:
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
Fixing these entries will also speed up your system. :)
 

sakumar79

Technomancer
A few other strange entries:

O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe

One more thing: you can turn off the updaters for QuickTime, RealPlayer, Java etc. if you don't use them often. You can also turn off igfxtray and hkcmd if you don't need them.

Arun

EDIT: Just noticed Vishal beat me to it by three minutes... But I do think the CopyProcDownload program may also be malicious. If you don't know what it is, chances are it is malware.
 
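The entries Vishal and Arun singled out above share a few mechanical tells: an autorun whose binary sits under a user-writable Application Data directory (in long or 8.3 form), an autorun given as a bare filename that Windows resolves through PATH, and a service whose binary HijackThis reports as "(file missing)". The Python script below is an added example for this thread, not part of HijackThis or of anyone's reply. The heuristics are my assumptions, not a signature database, and the sample input is a constructed subset of O4/O23 lines copied from the log posted at the top.

```python
"""Triage HijackThis O4 (autorun) and O23 (service) lines.

Heuristics used here (assumptions for this example, not a malware database):
  * autorun binary under an Application Data directory (long or 8.3 form):
    legitimate installers put their files under Program Files or Windows;
  * autorun given as a bare filename with no directory: resolved via PATH,
    so a human should confirm which file actually runs (RTHDCPL/ALCMTR in
    this thread turned out to be Realtek audio helpers);
  * service whose binary HijackThis marks "(file missing)": a dead entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4/O23 lines copied from the log posted at the top of the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [REF LIES SIXTH LITE] C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe
O4 - HKCU\..\Run: [CURBBALL] C:\DOCUME~1\JEBASI~1\APPLIC~1\LOGOME~1\CopyProcDownload.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)       # command line up to the .exe
APPDATA_RE = re.compile(r'\\(application data|applic~1)\\', re.IGNORECASE)
MISSING_RE = re.compile(r'\(file missing\)\s*$', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "suspicious", "missing" or "verify"
    kind: str       # "O4" or "O23"
    name: str       # Run value name or service display name
    target: str     # executable or service path as logged
    reason: str


def triage(log_text):
    """Return the Finding list for every O4/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m['cmd'])
            exe = exe_m['exe'] if exe_m else m['cmd']
            if APPDATA_RE.search(exe):
                findings.append(Finding("suspicious", "O4", m['name'], exe,
                                        "autorun binary under a user-writable Application Data directory"))
            elif '\\' not in exe:
                findings.append(Finding("verify", "O4", m['name'], exe,
                                        "bare filename resolved through PATH; confirm which file actually runs"))
            continue
        m = O23_RE.match(line)
        if m and MISSING_RE.search(m['path']):
            findings.append(Finding("missing", "O23", m['name'], m['path'],
                                    "service points at a binary that no longer exists; dead entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.kind} {f.name!r}: {f.reason}\n             {f.target}")
```

Run against the full log, the three Application Data autoruns and the dead gupdate service come out as the items to fix; RTHDCPL/ALCMTR come out as "verify" only, which matches how the thread resolved them. A "verify" hit is a prompt to look the file up, not a verdict.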

Liggy

Is actually a real word..
I would suggest a better AV scanner than Yahoo's or Pest Patrol or whatever it is called now (CA eTrust). Was this free? I think everyone pointed out the nasties there. Run another HijackThis scan and compare it with this one; are all those values removed now?
If it is only IE that pops open, you can always remove IE from Add/Remove Programs, Windows Components! ;)
 

Vishal Gupta

Microsoft MVP
^^ Spyware uses the default web browser to pop up those ads. There will be no benefit in removing IE from the system, and one more thing: you can't remove IE from "Add/Remove Programs -> Windows Components". It'll only remove the IE shortcut from the Desktop. ;)
 
ilugd (OP)

Beware of the innocent
Thanks everyone for your help. I will do these right away. (I was a bit in the blues the past few days. Didn't visit the forum too often.)
 
ilugd (OP)

Beware of the innocent
Thanks. I tried the other suggestions above, but still get the same popups. But I guess I didn't do those in safe mode. Does that make a significant difference?
 

shady_inc

Pee into the Wind...
You can try posting your HijackThis log in this forum. Read their rules carefully before posting, though.
 

ds_rajat

Broken In
Hey buddy, download AVG Anti-Spyware absolutely free from here:

*free.grisoft.com/doc/20/lng/us/tpl/v5

Also try Ad-aware SE free:

*www.download.com/3405-8022-5153545.html
 

sakumar79

Technomancer
Usually, it is better to remove viruses in safe mode... Also, make sure you remove all System Restore points before you proceed, and create a new system restore point after it...

Arun
 
ilugd (OP)

Beware of the innocent
Did it in safe mode. Submitted to www.hijackthis.de and removed all entries it said were even remotely suspicious. And I did this in safe mode. But the problem still persists. I am a bit confused about this line:
Code:
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
I will try to download the other software and do a scan.
Thank you all for your continued help.
 
ilugd (OP)

Beware of the innocent
Oh, thanks.

Some blasted idiot told me that I was too much of a self-righteous prick for using only purchased software. I figured once would not hurt and installed the CD of Soldier of Fortune he gave me. And guess what? Infected!!
Backdoor.theef.111

Fck him!!

 

navjotjsingh

Wise Old Owl
I don't think just fixing via HijackThis would solve the problem. You should manually delete the files:
C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\five play drive.exe
C:\Documents and Settings\All Users\Application Data\each new axis love\Stop does.exe

If an error appears that the files are in use, kill them via Task Manager and then delete them.

Also check the Add/Remove Programs option in Control Panel. Sometimes spyware comes with its own uninstaller. Try it and then remove the leftovers.

Scan the PC with Kaspersky/NOD32 and Ad-Aware 2007, Spybot, SpySweeper and a-squared. Also check for rootkits to ensure 100% protection.
 
ilugd (OP)

Beware of the innocent
The hosts file was filled with entries made by cid pointing to 127.0.0.1. Removed those.
Thanks. The online scan is going on. Will do that, then reboot in safe mode and remove the files above (^^^).

Thanks again for all your help.
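The hosts-file finding above is a common adware trick: mapping security-vendor hostnames to 127.0.0.1 stops signature updates and online scanners from resolving, and mapping a name to some other address silently redirects it. The Python script below is an added example for this thread, not a tool any poster used. The sample hosts content is constructed (the thread does not show the OP's actual file, and the hostnames are placeholders); the only assumption about legitimate loopback names is the small allow-list, which a practitioner may need to extend for a machine that deliberately pins names.

```python
"""Audit a Windows hosts file for sinkhole and redirect entries.

Flags two things:
  * a name other than localhost mapped to loopback or 0.0.0.0 (sinkhole:
    the name can never resolve, which is how adware blocks AV updates);
  * a name pinned to any other fixed address (bypasses DNS; a redirect).
Returns the findings and a cleaned copy with flagged names removed, so a
human reviews the list before anything is written back.
"""
import ipaddress
import re

# Constructed sample; the thread does not show the OP's actual hosts file.
HOSTS_SAMPLE = """\
# sample header comment
127.0.0.1       localhost
127.0.0.1\tupdate.antivirus.example     # blocks signature downloads
127.0.0.1       www.antispyware-vendor.example
0.0.0.0         ads.example.net
192.0.2.10      www.bank.example         # redirect to another host
"""

# Names that legitimately map to loopback on a stock install (assumption; extend as needed).
ALLOWED_LOOPBACK = {"localhost", "localhost.localdomain"}
ENTRY_RE = re.compile(r'^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$')


def audit_hosts(text):
    """Return (findings, cleaned_text).

    findings: list of (ip, hostname, reason) tuples for entries to review.
    cleaned_text: the file with flagged names dropped; comments and
    unparseable lines are kept untouched.
    """
    findings, kept = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not line or line.startswith('#') or m is None:
            kept.append(raw)
            continue
        try:
            ip = ipaddress.ip_address(m['ip'])
        except ValueError:          # first token is not an address; leave it for a human
            kept.append(raw)
            continue
        names = m['names'].split()
        bad = set()
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name.lower() not in ALLOWED_LOOPBACK:
                    bad.add(name)
                    findings.append((str(ip), name, "sinkholed to loopback; name can never resolve"))
            else:
                bad.add(name)
                findings.append((str(ip), name, "pinned to a fixed address, bypassing DNS"))
        good = [n for n in names if n not in bad]
        if not bad:
            kept.append(raw)                      # line untouched
        elif good:
            kept.append(f"{m['ip']}\t{' '.join(good)}")   # keep the legitimate names on a mixed line
    return findings, "\n".join(kept) + "\n"


if __name__ == "__main__":
    found, cleaned = audit_hosts(HOSTS_SAMPLE)
    for ip, name, why in found:
        print(f"{ip:15} {name:35} {why}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

On a real machine the file is %SystemRoot%\system32\drivers\etc\hosts; read it, review the findings, and only then write the cleaned text back. Pinned names are not always hostile (developers do it on purpose), which is why the script reports rather than deletes on its own.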
 

vish786

"The Gentleman"
infra_red_dude said:
never heard of these two:
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

what are they? better check them out.

Those files make your audio work (hardware-dependent files).
 