Solved: Trojan or Virus Norton cannot detect. HELP!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
Last night my computer started behaving very oddly. Little symantech windows started opening in my desktop every 1-2 minutes. The title of the window reads "Symantec Email Proxy" and the message translates (my computer is configured in Spanish) to something like this: " Unable to send email message, server did not accept. Delivery Error #..." an email address shows up and a short message such as "Hey" or "Hi", and an "Accept" button. Like I said, this thing happens every 1-2 minutes in which 20 or more of those windows open up. I´ve updated and run Norton antivirus (2003) a few times, House Call online virus scan, Ad-Aware, and Spybot, and none of them solved the problem (although they did get rid of a lot of Spyware. I decided to run "Hijack this" and send you guys the log, see what you think (thanx in advance):
Logfile of HijackThis v1.97.7
Scan saved at 21:13:32, on 16/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\AIM95\aim.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Javi\Configuración local\Archivos temporales de Internet\Content.IE5\IDQL1Z9A\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {59D4AB50-E3BD-1BEA-A8D0-5B6245E59D5B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
I forgot to add that if I restart the computer and disconect the internet a message appears warning me that the computer will turn off in 60 seconds
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
pepsXp, You need to move hijackthis.exe into a folder on your hard drive and not run it from Temporary Internet files location.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {59D4AB50-E3BD-1BEA-A8D0-5B6245E59D5B} - (no file)
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab

Close all applications and browser windows before you click "fix checked".
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
Ok, sorry I took so long to answer back. I'll try your advice too, cybertech, I'll write back as soon as I have some results. THNX
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
OK, so I did what you guys advised (thanx TOGG and Cybertech) but if I have the NetskyV virus, Norton still does not recognize it. As for the Hijack this, every time I restart the computer, the lines you asked me to check, cybertech, appear again after I fixed them. Of Course, the computer keeps trying to mass send emails, and Norton keeps trying to block the emails, slowing the computer, and opening a bizillion warning windows every minute or so. I'm just frazzled. I'm open to suggestions. Thanx anyways TOGG and Cybertech, I appreciate it.
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
if it's of any help, I just ran Hijack this again:
Logfile of HijackThis v1.97.7
Scan saved at 20:29:32, on 17/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\svchost.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\AIM95\aim.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Javi\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check:

O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.juegos-flash.com/ruboskizo2.cab

Close all browser windows and applications before clicking "fix checked".

Reboot in safe mode, click here to see how,

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Locate and delete: C:\WINDOWS\svchost.exe --> file

Reboot and let us know how it's going...
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
OK, so here is the deal, I've run your advice twice, but after reeboting into normal mode again, I find that C\WINDOWS\svchost.exe is back again. Not only that, but I find that I have 3 more svchosts, two svchost.exe in C\WINDOWS\system32\svchost.exe, another one in C\WINDOWS\system32dllcache and a ".pf" file, C\WINDOWS\Prefetch\svchost.exe-3530F672.pf,
any advice on that?
 
Joined
Oct 9, 2001
Messages
9,396
C\WINDOWS\system32 is the correct location for the file.........and there will be multiple instances of it running,that is normal.

Go to Start > run, enter cmd

At the prompt enter:

del C\WINDOWS\svchost.exe
Press enter.
Browse to:C\WINDOWS\Prefetch and delete everything in there.......Use safe mode if needed.
Let us know if all goes well.
;)
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
I've deleted C\WINDOWS\Prefetch 5 times now, and every time I reboot the computer, the file shows up again, and of course the computer continues to open a bizillion windows.
 

pepsXp

Thread Starter
Joined
Nov 14, 2003
Messages
108
Here is is:

Logfile of HijackThis v1.97.7
Scan saved at 17:27:45, on 18/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Javi\Escritorio\HijackThis.exe
C:\Archivos de programa\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\ARCHIV~1\POPUPP~1\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37615.2302893519
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E3A20A-7474-439C-B7F2-53EE889B7440}: NameServer = 80.58.0.33,80.58.32.97
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top