MP3Car.com > Mp3Car Technical > General MP3Car Discussion

Old 05-22-2004, 03:03 PM   #1
FLAC
Join Date: May 2002
Location: Japan, Oregon
Posts: 1,163
Getting adware/ Trojans off my comp!

Here is a HijackThis log file.

What should I take off?
I've used Ad-Aware, Spybot, Norton... and I still have **** going on!

Logfile of HijackThis v1.97.7
Scan saved at 11:47:12 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\GameShark_Media_Player\Setup.exe
C:\Program Files\ICQ\ICQ.exe
C:\PROGRA~1\JavaSoft\JRE1.4\14266D~1.0\bin\javaw.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Documents and Settings\Bosstone74\Desktop\HijackThis.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\JavaSoft\JRE1.4\1.4.0\bin\javaw.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\OPScan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\System32\winapix.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [nvcod] C:\WINDOWS\System32\nvcod.exe
O4 - HKCU\..\Run: [NortonAV] C:\WINDOWS\System32\ZRDIC7QI.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: Setup.LNK = C:\Program Files\GameShark_Media_Player\Setup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2711ea57...p/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...027.8121643519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
__________________
BossTone74
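The replies below disagree about whether anything in this log is worth removing, which is the usual problem with a HijackThis dump: most entries are ordinary vendor software and the few odd ones hide among them. As an added example (not code from this thread, from the poster, or from HijackThis itself), here is a small Python triage script that parses R0/R1, O4 and O16 lines and marks the ones a reviewer should look at twice. The sample input is a subset of the lines from the log above plus one constructed O16 line (placeholder CLSID, reserved `.invalid` domain) so the ActiveX check has something to flag. The allow-lists `EXPECTED_HOME_DOMAINS`, `TRUSTED_DPF_DOMAINS` and `KNOWN_SYSTEM32_AUTOSTARTS`, and the three O4 heuristics (label does not describe the file name, letters-digits-letters file name, per-user Run key pointing into System32) are assumptions for the demo, not HijackThis logic. Every hit is a "check this" item, not a verdict.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not code from the forum, the poster or
HijackThis. Sample lines are copied from the log in post #1 plus one
constructed O16 line; the allow-lists and heuristics are assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the posted log, plus one made-up O16 line
# (placeholder CLSID, reserved .invalid domain) to exercise the DPF check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\System32\winapix.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [nvcod] C:\WINDOWS\System32\nvcod.exe
O4 - HKCU\..\Run: [NortonAV] C:\WINDOWS\System32\ZRDIC7QI.exe
O4 - Startup: Setup.LNK = C:\Program Files\GameShark_Media_Player\Setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Class) - http://downloads.example.invalid/tool.cab
"""

# Assumed allow-lists for the demo; real triage uses a curated known-good list.
EXPECTED_HOME_DOMAINS = {"yahoo.com"}       # pages this user set on purpose
TRUSTED_DPF_DOMAINS = {"macromedia.com", "symantec.com", "yahoo.com", "real.com", "microsoft.com"}
KNOWN_SYSTEM32_AUTOSTARTS = {"mstask.exe"}  # Windows Task Scheduler, started from RunServices

O4_REG = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O4_DIR = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<label>.+?) = (?P<cmd>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>\S+)$")
EXE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|lnk|kpp))', re.IGNORECASE)
RANDOM_NAME = re.compile(r"[A-Za-z]\d+[A-Za-z]")  # letters-digits-letters, e.g. ZRDIC7QI


def exe_path(cmd):
    """First executable in a Run-key command line (quoted or bare)."""
    m = EXE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def in_system32(path):
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return parent.endswith("\\system32")


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def label_matches(label, stem):
    """Does the Run-key label plausibly describe the executable's name?
    CamelCase labels are split into words and a word of 4+ letters must
    occur in the file stem; short labels are compared whole."""
    stem = stem.lower()
    words = [w.lower() for w in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", label)]
    long_words = [w for w in words if len(w) >= 4]
    if long_words:
        return any(w in stem for w in long_words)
    return re.sub(r"[^a-z0-9]", "", label.lower()) in stem


def triage(log_text, expected_home=EXPECTED_HOME_DOMAINS):
    """Return (line, reason) pairs that deserve a second look. A hit is a
    review item, not a verdict: confirm against vendor documentation and the
    file's own properties before removing anything."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        r = R_LINE.match(line)
        o4 = O4_REG.match(line) or O4_DIR.match(line)
        o16 = O16_DPF.match(line)
        if r:
            host = urlparse(r.group("url")).hostname or ""
            if not host_in(host, expected_home):
                findings.append((line, f"browser start/search page points at {host}"))
        elif o4:
            path = exe_path(o4.group("cmd"))
            name = path.rsplit("\\", 1)[-1]
            stem = name.rsplit(".", 1)[0]
            if name.lower() in KNOWN_SYSTEM32_AUTOSTARTS:
                continue
            if RANDOM_NAME.search(stem):
                findings.append((line, f"random-looking executable name {name}"))
            if in_system32(path) and not label_matches(o4.group("label"), stem):
                findings.append((line, f"label {o4.group('label')!r} does not describe {name} in System32"))
            if o4.groupdict().get("hive") == "HKCU" and in_system32(path):
                findings.append((line, f"per-user Run key launches {name} from System32"))
        elif o16:
            host = urlparse(o16.group("url")).hostname or ""
            if not host_in(host, TRUSTED_DPF_DOMAINS):
                findings.append((line, f"ActiveX download from untrusted host {host}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"REVIEW: {reason}\n    {line}")
```

On the sample, the Yahoo start pages, the NVIDIA, Nero and Symantec entries, the Startup-folder shortcut and the Macromedia download all pass; the review list contains the `winapix.exe` entry (label does not describe the file), the `nvcod.exe` entry (per-user Run key into System32), the `ZRDIC7QI.exe` entry (all three O4 heuristics) and the constructed `.invalid` download. `NeroCheck.exe` and `mstask.exe` show why a name heuristic needs word splitting and a known-good list: both live in System32 under labels that do not repeat the file name, and both are legitimate. The `...` in the copied URLs is the forum's truncation; hostnames still parse, but any entry whose host is cut off would need the full log line before it can be judged.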
Old 05-23-2004, 03:50 AM   #2
Newbie
Join Date: Nov 2003
Posts: 45
Damn, that's a lot of ****. I had this problem a few days ago. By chance, are you getting any DLL errors when you start up? Judging from my experience, your problems are starting right around the O#'s. Sorry, there's not much more help I can offer you since I don't know too much, but that's what it was for me.
Old 05-23-2004, 04:32 AM   #3
FLAC
Join Date: Jun 2003
Location: Memphis - TN
Posts: 1,184
Spybot 1.3
Cleanup!
HijackThis!
(just search on Google for those)

I see you already use HijackThis! Looks like I'd remove anything that doesn't seem to be related to a program you run constantly. I'd leave the Norton stuff, and that's about it. Almost everything else can be loaded via Start.. All Programs. I would remove all the startup items in MSCONFIG; it's easier to re-enable them.
For those who need the link...
http://www.spychecker.com/program/hijackthis.html

Then, rerun HijackThis! Scan the system, and remove everything.. It's mostly browser buttons and plugins. If it's needed for IE, it won't remove it. (Since you disabled the startup crap, I'd leave anything that said HKLM\..\Run: beside it alone. Just don't remove them.) Put all the backups in a folder in case something backfires; you can add them back.

I would then run Spybot 1.3. Immunize my system with it and scan my system for problems and remove them all. It's free.
http://www.softpedia.com/public/cat/...10-17-21.shtml

Cleanup! is a cool utility that deletes all the crap off your system like cookies and temp files. MUCH faster than MS Disk Cleanup. It's free.
http://cleanup.stevengould.org/

I'd defrag, and disable all the hardware you don't use in the BIOS (serial ports, parallel, infrared, anything you don't ever use).

I then would run Microsoft BootVis a few times.
http://www.softpedia.com/public/cat/12/2/12-2-1.shtml

I do this stuff all the time to keep my system booting up fast and staying clean.
If you really want to speed up your system too, you can remove all those unneeded services:
http://is-it-true.org/nt/utips/utips76.shtml

Good luck.
__________________
2007 Mazdaspeed 6
Old 05-23-2004, 04:51 AM   #4
MySQL Error
Join Date: Mar 2004
Location: Bristol
Posts: 13,521
Back up all your data and REFORMAT!!!!
Old 05-23-2004, 06:24 AM   #5
Variable Bitrate
Join Date: Apr 2004
Location: Tampa, Florida
Posts: 284
I second that .... REFORMAT
__________________
Dual Lilliput's 70NP/C/T
Syntax SV266AD KT266A
AMD Athlon XP 2000
Viking 256MB DDR
D-Link Wireless 802.11B
Seagate 120GB
OrbitMicro 250W DC/DC converter
SII Wireless Audio Link
Digimoto OBD-II
Earthmate GPS
BU-303 USB GPS
D-Link Bluetooth
Old 05-23-2004, 07:57 AM   #6
Constant Bitrate
Join Date: Apr 2004
Location: Rochester, NY
Posts: 190
Check out Webroot Spy Sweeper. It detects spyware that Lavasoft Ad-Aware doesn't detect. Highly recommended by PC Magazine and me.
Old 05-23-2004, 11:38 AM   #7
FLAC
Join Date: Jan 2004
Posts: 1,379
So, uh, why do you think you have spyware because of the stuff listed? Everyone here seems to be reacting strongly to the fact that there's a list of files, but what were the criteria used to generate them? Pretty much all of those are legit files that are side effects of having things like Norton, Flash, etc. installed.

None of the files or registry keys in that list look malicious; what's the beef?
Old 05-23-2004, 03:26 PM   #8
Banned
Join Date: Feb 2004
Location: li, ny
Posts: 439
C:\WINDOWS\System32\GEARSec.exe

That looks suspicious. Also, disable third-party browser extensions in IE if you have unwanted toolbars. Or, better yet, try Firefox.

Last edited by eatyummypuppies; 05-23-2004 at 03:43 PM.
Old 05-23-2004, 03:32 PM   #9
Raw Wave
Join Date: Oct 2003
Location: Madrid
Posts: 1,983
Quote: Originally Posted by eatyummypuppies
C:\WINDOWS\System32\GEARSec.exe

That looks suspicious. Also, disable third-party browser extensions in IE if you have unwanted toolbars. Or, better yet, try Firefox.

Maybe stick GEARSec in Google.
__________________
Laidback

Laidback Carputer
Old 05-23-2004, 03:57 PM   #10
Low Bitrate
 
Join Date: Jun 2002
Location: Cazenovia New York
Posts: 60
You know there is something that would fix all of that and make your computer much more stable and reliable.....I forget what it's called... ummm.....mmmmm.....oh yeah LINUX
__________________
This post college life is a real drag
Old 05-23-2004, 04:39 PM   #11
I'm sorry, and you are....?
Join Date: Jan 2003
Location: Ruston, LA
Posts: 9,861
Quote: Originally Posted by mespork
You know there is something that would fix all of that and make your computer much more stable and reliable.....I forget what it's called... ummm.....mmmmm.....oh yeah LINUX

Linux = Stable
Linux = Reliable
Linux = Less Usable
__________________
[H]4 Life
My next generation Front End is right on schedule.
It will be done sometime in the next generation.
I'm a lesbian too.
I am for hire!
Old 05-23-2004, 09:02 PM   #12
FLAC
Join Date: May 2002
Location: Japan, Oregon
Posts: 1,163
Thanks for all of your help, guys....
I just said f#$k it and reformatted!
__________________
BossTone74
Old 05-23-2004, 09:11 PM   #13
FLAC
 
Join Date: Jan 2001
Posts: 1,617
suggestion for preventing spyware in the first place: don't use IE.
Old 05-23-2004, 09:12 PM   #14
FLAC
Join Date: May 2002
Location: Japan, Oregon
Posts: 1,163
Quote: Originally Posted by bgoodman
suggestion for preventing spyware in the first place: don't use IE.

What should I use instead?
__________________
BossTone74
Old 05-23-2004, 09:15 PM   #15
Maximum Bitrate
Join Date: Aug 2003
Location: Federal Way, WA
Posts: 668
One and only spyware remover, Bazooka Spyware Scanner. There is no other! Spy-bot doesn't even come close.
Powered by vBulletin® Version 3.7.3
Copyright © 1999 - 2008 Mp3Car.com Inc.