
Solved: Trojan or Virus Norton cannot detect. HELP!!

Discussion in 'Virus & Other Malware Removal' started by pepsXp, Apr 16, 2004.

Thread Status:
Not open for further replies.
  1. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    Last night my computer started behaving very oddly. Little Symantec windows started opening on my desktop every 1-2 minutes. The title of the window reads "Symantec Email Proxy" and the message translates (my computer is configured in Spanish) to something like this: "Unable to send email message, server did not accept. Delivery Error #..." An email address shows up and a short message such as "Hey" or "Hi", and an "Accept" button. Like I said, this thing happens every 1-2 minutes, in which 20 or more of those windows open up. I've updated and run Norton antivirus (2003) a few times, House Call online virus scan, Ad-Aware, and Spybot, and none of them solved the problem (although they did get rid of a lot of spyware). I decided to run "Hijack this" and send you guys the log, see what you think (thanx in advance):
    Logfile of HijackThis v1.97.7
    Scan saved at 21:13:32, on 16/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Archivos de programa\AIM95\aim.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Documents and Settings\Javi\Configuración local\Archivos temporales de Internet\Content.IE5\IDQL1Z9A\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
    O2 - BHO: (no name) - {59D4AB50-E3BD-1BEA-A8D0-5B6245E59D5B} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab
    O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
     
  2. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    I forgot to add that if I restart the computer and disconnect the internet, a message appears warning me that the computer will turn off in 60 seconds.
     
  3. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,898
  4. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    Thanx TOGG,
    I'll try your advice and keep you informed.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    pepsXp, You need to move hijackthis.exe into a folder on your hard drive and not run it from Temporary Internet files location.
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and check:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {59D4AB50-E3BD-1BEA-A8D0-5B6245E59D5B} - (no file)
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab

    Close all applications and browser windows before you click "fix checked".
     
  7. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    Ok, sorry I took so long to answer back. I'll try your advice too, cybertech, I'll write back as soon as I have some results. THNX
     
  8. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    OK, so I did what you guys advised (thanx TOGG and Cybertech) but if I have the NetskyV virus, Norton still does not recognize it. As for the Hijack this, every time I restart the computer, the lines you asked me to check, cybertech, appear again after I fixed them. Of course, the computer keeps trying to mass send emails, and Norton keeps trying to block the emails, slowing the computer, and opening a bizillion warning windows every minute or so. I'm just frazzled. I'm open to suggestions. Thanx anyways TOGG and Cybertech, I appreciate it.
     
  9. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    if it's of any help, I just ran Hijack this again:
    Logfile of HijackThis v1.97.7
    Scan saved at 20:29:32, on 17/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\WINDOWS\svchost.exe
    C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Archivos de programa\AIM95\aim.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Documents and Settings\Javi\Escritorio\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check:

    O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab

    Close all browser windows and applications before clicking "fix checked".

    Reboot in safe mode, click here to see how,

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Locate and delete: C:\WINDOWS\svchost.exe --> file

    Reboot and let us know how it's going...
     
  11. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    OK, so here is the deal, I've run your advice twice, but after rebooting into normal mode again, I find that C:\WINDOWS\svchost.exe is back again. Not only that, but I find that I have 3 more svchosts, two svchost.exe in C:\WINDOWS\system32\svchost.exe, another one in C:\WINDOWS\system32\dllcache and a ".pf" file, C:\WINDOWS\Prefetch\svchost.exe-3530F672.pf,
    any advice on that?
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    C:\WINDOWS\system32 is the correct location for the file... and there will be multiple instances of it running, that is normal.

    Go to Start > run, enter cmd

    At the prompt enter:

    del C:\WINDOWS\svchost.exe
    Press enter.
    Browse to: C:\WINDOWS\Prefetch and delete everything in there... Use safe mode if needed.
    Let us know if all goes well.
    ;)
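
The path rule from the reply above (svchost.exe belongs in C:\WINDOWS\system32) can be checked mechanically against a HijackThis log, for both the running-process list and the O4 Run entries. This is an added example, not part of the original thread or of HijackThis; the function names, the table of expected directories and the assumption that %SystemRoot% is C:\WINDOWS are mine, and the sample log is a shortened excerpt assembled from lines of the logs posted earlier in the thread.

```python
import ntpath
import re

# System binary name -> the only directory it should run from on a default
# Windows XP install (assumes %SystemRoot% is C:\WINDOWS, as in the thread's logs).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXE_PATH = re.compile(r'([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)
RUN_ENTRY = re.compile(r'^O4 - (.+?): \[(.+?)\] (.+)$')

# Shortened excerpt assembled from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
"""

def misplaced(path):
    """True if path names a known system binary outside its expected directory."""
    path = ntpath.normpath(path.strip().strip('"'))
    expected = EXPECTED_DIR.get(ntpath.basename(path).lower())
    return expected is not None and ntpath.dirname(path).lower() != expected

def find_masquerades(log_text):
    """Return (source, path) pairs for suspicious processes and Run entries."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes and misplaced(line):
            findings.append(("process", line))
        else:
            m = RUN_ENTRY.match(line)     # autostart entry: O4 - <key>: [name] cmd
            exe = EXE_PATH.search(m.group(3)) if m else None
            if exe and misplaced(exe.group(1)):
                findings.append((f"{m.group(1)} [{m.group(2)}]", exe.group(1)))
    return findings

if __name__ == "__main__":
    for source, path in find_masquerades(SAMPLE_LOG):
        print(f"{source}: {path}")
```

A file that is flagged both as a running process and as a Run entry has an autostart path, which is why deleting the file alone does not keep it from coming back while that entry (or the process that rewrites it) survives.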
     
  13. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    I've deleted C:\WINDOWS\Prefetch 5 times now, and every time I reboot the computer, the file shows up again, and of course the computer continues to open a bizillion windows.
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Post your log again.
    ;)
     
  15. pepsXp

    pepsXp Thread Starter

    Joined:
    Nov 14, 2003
    Messages:
    108
    Here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:27:45, on 18/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Javi\Escritorio\HijackThis.exe
    C:\Archivos de programa\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
     
Short URL to this thread: https://techguy.org/221005
