Help, computer hijack

February 19, 2007

hey i am quite positive my computer has a trojan i keep gettin redirected to websites when i try and click links while searching on google i ran hijack this and here is what the log said please tell me the nesecary processes to remove if you kno of anything that looks out of place

Logfile of HijackThis v1.99.1

Scan saved at 7:14:30 PM, on 2/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0007)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Scott.HOME-3B54929FDC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Shaw Internet

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161291087640

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...876/mcfscan.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

1,589 · February 19, 2007

I glanced over your log and I don't see anything too alarming/looking like a trojan. Sounds like your host file has been hijacked, though. Your host file is located here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

Open "hosts" with notepad (it's not a folder, it's the actual file) and clear it to just have:

127.0.0.1	   localhost

If that's all you have, besides a bunch of introduction lines with # infront of it, then that's not your problem. Let us know.

By the way, your computer is overboard with security. Windows Defender, AVG Anti-Spyware, Spybot, and a bunch of other anti-virus/internet security things? It's okay to have different scanners, however, if these scanners are running in the background (such as Win. Defender and AVG), then they can sometimes conflict with each other.

February 19, 2007

I also couldn't find anything that seems suspicious. There was a process (low risk) but should be picked by Symantec/Norton Antivirus.

You've too many security tools and online scanners - if you ran all of them and they say you're clean, then you're 99.9% clean.

Also, where exactly do you get redirected to if localhost trick does not work?

44,571 · February 19, 2007

have you tried the repair button in internet options on the advanced tab

6,095 · February 19, 2007

You can paste or upload your logfile into the box on this site and it'll analyze it for you: http://hijackthis.de/

I did that, it there wasn't anything wrong...

5,326 · February 19, 2007

Blue: uneeded crap (imo)

Red: Fix ASAP

epidemic339 said:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:30 PM, on 2/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0007)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Scott.HOME-3B54929FDC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Shaw Internet

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dllNvTaskbarInit

O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161291087640

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...876/mcfscan.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Do another scan with Hijackthis.exe renamed to something else/

February 22, 2007

k i tried running my computer in safe mode norton ad aware professional and avg free addition all froze when they got to the same file in a temporary internet folder so im guess this btcar.com rerouter or dns changer whatever it is called still has some grip in my system any sugestions on fixing it?

February 22, 2007

First rule in cleaning infection is cleaning all your temp files. Clean your browser cache and temp folder and then try running antivirus/antispyware applications.

2,901 · February 22, 2007

Anti-Virus: http://www.avast.com/eng/download-avast-home.html

Registry Cleaner: http://www.ccleaner.com/download/builds.aspx

CoolWebSearch: http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe

Scan and remove Spyware, Adware, hijackers and other malicious software: http://fileforum.betanews.com/detail/Adawa...nal/965718306/1

& http://www.safer-networking.org/en/mirrors/index.html

Protection from Active-X spyware: http://fileforum.betanews.com/detail/Spywa...er/1056258294/1

Firewall: http://www.majorgeeks.com/download.php?det=388

Is your IP crack?: http://www.dshield.org/warning_explanation.php

Secuirty port scanner: https://www.grc.com/x/ne.dll?bh0bkyd2

All those are free for personal use

I hope those helps you

February 22, 2007

epidemic339 said:
hey i am quite positive my computer has a trojan
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

There is your biggest issue. Norton. http://www.symantec.com/symnrt

February 22, 2007

Oh yeah, let's remove a virus by removing the virus scanner! :woot:

44,571 · February 22, 2007

Jack 0Neill said:
There is your biggest issue. Norton. http://www.symantec.com/symnrt

ya you an't kidding

February 22, 2007

k i deleted those things with hijack this and i ran a regestry mechanic it found a wack of things but avg ad aware and norton all still freeze when they get to a certain file in my temporary internet files folder so this btcar.com or dns changer trojan or what ever it is still has its hold on my system what should i do :s

February 22, 2007

Which things? Norton stuff? Are you nuts removing those with hijackthis? Those are legitimate processes by Norton AntiVirus. You should use Add/Remove first if you really want to uninstall software and not removing a few startup entries with hijack this.

Disregard those comments.

Can you use normal, built in cleaner instead of Registry Mechanic (what does it have to to with emptying browser cache anyway?). Go to Tools > Internet Options > Delete in Browsing history part...IE 7 Can clear everything with a click of a button. Then update your virus definitions and scan your computer for viruses. I did not see anything wrong with your HJT log, and I have no idea why are you so eager to remove stuff with it. Simply clear your temp files. Either do it manually, use Windows Disk Cleaner, or CCleaner...update definitions, scan...and that should be it.

Simple Google search comes with this:

http://answers.yahoo.com/question/index?qi...02032704AAYKFFg

http://answers.yahoo.com/question/index?qi...29190243AABCumU

http://www.spywarepoint.com/forums/t43811-...le-problem.html

And this guy was also infected with it...maybe you can read which items he had to remove and see if you have the same malicious entries (which I did not spot):

http://forums.techguy.org/security/538541-...-btcar-com.html

This time, try to do some reading first.

44,571 · February 22, 2007

I didn't say you should remove them with hjthis, I just agreed that norton sucks.

February 22, 2007

richter said:
Which things? Norton stuff? Are you nuts removing those with hijackthis? Those are legitimate processes by Norton AntiVirus.

Legitimately useless.

All he has to do is remove Norton 100%, then install avast and remove the viruses/trojans and other junkware it finds. Duh. Norton sucks, any wannabe tech knows that and will tell people to trash it; so have you not reached that level yet? :p

February 22, 2007

Jack 0Neill said:
Legitimately useless.
All he has to do is remove Norton 100%, then install avast and remove the viruses/trojans and other junkware it finds. Duh. Norton sucks, any wannabe tech knows that and will tell people to trash it; so have you not reached that level yet? :p

Please, we're here to help him and not get into yet another what is better discussion. While I stopped using Norton since 2002, their 2007 lineup is not all that bad (memory wise is on pair with other or has lower usage - tested NIS) and their detection rate (viruses/rootkits in their consumer version, though spyware is not that well) is among the best (according to several test conducted in recent months). So, arguing he should remove Norton and install Avast to remove infections doesn't help. He's got whole lineup of security tools installed which is capable of removing infection he described (latest Spybot definitions will do the trick). He is welcome to uninstall/install whatever he pleases, but blatant ranting how much Norton sucks and suggesting (although it was meant as a joke) removing crucial Norton processes can only screw up his system even worse.

February 23, 2007

k this trojan is still on my system and trust me ive tried a bunch of different things including reading other forum threads on this virus but i must be doing something wrong so if anyone has like a list of instructions i can follow or any good sugestions on some alternative free software that will help me remove this i would apreciate it the most frustrating thing about this virus right now is that i had it about a month ago and now it is back

11,837 · February 23, 2007

epidemic339 said:
k this trojan is still on my system and trust me ive tried a bunch of different things including reading other forum threads on this virus but i must be doing something wrong so if anyone has like a list of instructions i can follow or any good sugestions on some alternative free software that will help me remove this i would apreciate it the most frustrating thing about this virus right now is that i had it about a month ago and now it is back

Disable Norton temporarily and load and run the trial version of NOD32 thats up to date.

February 23, 2007

Why is this thread carrying on?

Remove Norton Anti-Anti-Virus (I've tested 2003-2007 they ALL suck) with SymNRT 2007. All real-deal techs do know this is true. Avast and AntiVir are the two best freeware anti-viruses. Kaspersky and NOD32 are the two best payware.

For spyware you'll want to use Ad-Aware SE and Spybot S&D. Others included Windows Defender, CWShredder, HijackThis, Spyware Blaster.

For additional assistance, use the freeware tool FileMon to see every file access/modify/write attempt maybe by any executable/process on your system, anything running in the background. TCPView will help you see any inbound/outbound network traffic.

After that, you should be clean.

February 25, 2007

k i installed nod32 updated it and ran a scan in safe mode it to gets to a certain point and just closes by itself plz keep any sugestions you guys have coming and preferably not just a harddrive wipe i got way to much on this computer to be considering that

February 25, 2007

It's "impossible" that you can't remove this infection with arsenal you have. You are doing something wrong. Why do you boot into safe mode? Yes I know the usage of it, but it's rarely needed and AVs don't need to operate in safe mode to remove infection.

Simplest solution is to CLEAR (for 100th time) your temp files, run an AV/AT/AS with updated definitions and don't boot into safe mode. It might be the reason software is not functioning in the first place.

If Kaspersky, Ewido (now AVG Antispyware) can't remove infection then nothing can. Download those, update definitions and run full scan (it might take a while) and don't do it from safe mode this time. You're not giving us any info, what infection might be, what problems you experience and most important what you actually did so far...besides messing with HJT and not bothering to read any guides posted before.

February 25, 2007

epidemic339 said:
...and preferably not just a harddrive wipe i got way to much on this computer to be considering that

Use proper spelling and grammar in your posts.

Go out and buy yourself a spindle of CDRs or DVD+/-Rs and backup your data. But yeah, Richter's post says it all...

February 25, 2007

k heres what ive done so far ive removed some registry entries with hijack this i found entries that were rerouting my to a specific ip adress so i removed those avg found a trojan on my system and i removed that aswell and thats bassicly it avg still and other anti viruses i tried still freeze on a certain file in my temp folder and i tried reseting all my internet explorer settings and deleting my temp folder but a paticular file will not delete ive tried running all the scaners in safe and normal mode and unfortunatly im am not the only user on this computer and removing norton is not my choice to make and Kaspersky does not install with norton on my system if any1 has MORE PERCISE directions then remove it with an antivirus i would apreciate it im surely over looking something that none of you guys have mentioned because none of it is working

1,933 · February 25, 2007

lol Was interested in the topic and had some replies, but I gave up after reading that last post. Couldn't make it past the 2nd line. For people that are wanting to help you, you really don't make it easy on them. I kinda give up, if it takes me longer to figure out how the sentences are supposed to be, than the time it takes me to actually read them. One vote to Jeremy of Many...

February 25, 2007

Jack 0Neill said:
Legitimately useless.
All he has to do is remove Norton 100%, then install avast and remove the viruses/trojans and other junkware it finds. Duh. Norton sucks, any wannabe tech knows that and will tell people to trash it; so have you not reached that level yet? :p

You are my hero :rofl:

FTW

epidemic339 said:
k heres what ive done so far ive removed some registry entries with hijack this i found entries that were rerouting my to a specific ip adress so i removed those avg found a trojan on my system and i removed that aswell and thats bassicly it avg still and other anti viruses i tried still freeze on a certain file in my temp folder and i tried reseting all my internet explorer settings and deleting my temp folder but a paticular file will not delete ive tried running all the scaners in safe and normal mode and unfortunatly im am not the only user on this computer and removing norton is not my choice to make and Kaspersky does not install with norton on my system if any1 has MORE PERCISE directions then remove it with an antivirus i would apreciate it im surely over looking something that none of you guys have mentioned because none of it is working

SENTENCES! Please clarify and maybe someone can fur real help you...

Sign In

Help, computer hijack

Question

epidemic339

Link to comment

Share on other sites

29 answers to this question

Recommended Posts

Nightwind Hawk

Link to comment

Share on other sites

richter

Link to comment

Share on other sites

+Warwagon MVC

Link to comment

Share on other sites

MasterC

Link to comment

Share on other sites

zeroday

Link to comment

Share on other sites

epidemic339

Link to comment

Share on other sites

richter

Link to comment

Share on other sites

AimLXJ

Link to comment

Share on other sites

Jack 0Neill

Link to comment

Share on other sites

baskingridge

Link to comment

Share on other sites

+Warwagon MVC

Link to comment

Share on other sites

epidemic339

Link to comment

Share on other sites

richter

Link to comment

Share on other sites

+Warwagon MVC

Link to comment

Share on other sites

Jack 0Neill

Link to comment

Share on other sites

richter

Link to comment

Share on other sites

epidemic339

Link to comment

Share on other sites

Max Veteran

Link to comment

Share on other sites

Guest Jeremy of Many

Link to comment

Share on other sites

epidemic339

Link to comment

Share on other sites

richter

Link to comment

Share on other sites

Guest Jeremy of Many

Link to comment

Share on other sites

epidemic339

Link to comment

Share on other sites

Odom Member

Link to comment

Share on other sites