| Thread ID: 53999 | 2005-02-01 21:27:00 | Please help with my hijack file | paragone (6714) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 320521 | 2005-02-01 21:27:00 | I was told to restart my computer in safe mode and remove this file C:\WINDOWS\svhost.exe. I did this and I'm still having this Norton pop-up saying I have this virus. What else do I need to do?

Logfile of HijackThis v1.99.0
Scan saved at 11:16:56 PM, on 1/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\AIM\aim.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - www.drivershq.com/DD_v4.CAB
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - www.rovion.com/Controls/Rovion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer = 24.29.99.18,24.29.99.17
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here's the error message that pops up... like at least 6 times when I right click on anything. Virus Message (www.celestialproductions.com/errormessage.gif) HELP! thanks |
paragone (6714) | ||
| 320522 | 2005-02-01 21:52:00 | There are other sites where people wade through HijackThis logs more often. Have you followed all of the Symantec advice on this page (securityresponse.symantec.com)? | PaulD (232) | ||
| 320523 | 2005-02-01 22:00:00 | Yes, I did everything the site told me to do. Do you have another forum that I could go to that may be able to help me faster? thanks | paragone (6714) | ||
| 320524 | 2005-02-01 22:32:00 | What message do you get from Norton AV? | Davesdad (923) | ||
| 320525 | 2005-02-01 22:38:00 | You could Google to see what forums are doing HijackThis logs. This is one thread (www.techsupportforum.com) that seems to indicate that it may be partly Norton's fault. Have you tried any other scan, maybe one of the on-line scans? Edit: Davesdad, the Norton message is in the original post |
PaulD (232) | ||
| 320526 | 2005-02-02 11:24:00 | svchost.exe is legitimate, you can have multiple instances as well and that is OK. I do not see the svhost.exe that you are talking about, my find on Firefox does not show it on this page except where you typed it originally. Not sure what is going on here??????? You need svchost.exe. |
zqwerty (97) | ||
| 320527 | 2005-02-02 11:44:00 | Yeah that link to the techsupportforum.com thread is probably it. The juicy part is: I'm just wondering. Could that Beasty trojan been quarantined by Norton and it's giving you a false positive? See if you can view the quarantined items and delete Beasty if found. I've seen Norton Antivirus do this before myself. |
gibler (49) | ||
| 320528 | 2005-02-02 19:56:00 | Symantec's removal instructions - www.symantec.com You could try restarting in safe mode, running CCleaner (www.ccleaner.com) first, then Norton scan. Trojans have to be started up, and unless "attached" to a legit DLL, they won't start in safe mode. Windows has a habit of protecting files/services it started up, be they good or bad. |
pheonix (36) | ||
| 320529 | 2005-02-02 20:12:00 | gidday, the hijacker is written slightly differently than svhost.exe, which is required by Windows. Sorry, I have forgotten exactly how, but look for a slight variance in the way it's typed, by comparing with the correct file. E.g. the correct one is svhost.exe whereas the hijacker could be sVhost.exe or sv_host.exe or Svhost.exe. Good luck, robby |
Robby (3123) | ||
| 320530 | 2005-02-02 20:24:00 | Svchost.exe is legit. Entries for svhost, scvhost and variants are malware, named to disguise their true nature. You don't appear to have the bad kind. Blimmin helpful of Nortons not to include a path to the file, can you check the Nortons log to find out where the file is/was. As far as I can tell, the only sus listings in your HJ log is: Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm What's Extra, *cough* a browser enhancement? and O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - www.rovion.com/Controls/Rovion.cab Add server/provider is it or legitimate player? |
Murray P (44) | ||
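
Added example, not part of the thread: one way to triage a HijackThis process list for the name masquerading discussed above, flagging file names within two edits of `svchost.exe` and real `svchost.exe` names outside System32. The threshold, the function names and the sample list are assumptions made for this illustration.

```python
import ntpath

# Assumption: %SystemRoot% is C:\WINDOWS, as in the posted log.
EXPECTED_DIR = r"c:\windows\system32"
TARGET = "svchost.exe"

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return 'ok', 'wrong-dir', 'lookalike', or None for an unrelated name."""
    directory, name = ntpath.split(path.strip().lower())
    if name == TARGET:
        return "ok" if directory == EXPECTED_DIR else "wrong-dir"
    # Names one or two edits away (svhost, scvhost, sv_host) count as lookalikes.
    if edit_distance(name, TARGET) <= 2:
        return "lookalike"
    return None

def review(paths):
    """Return (path, verdict) for every entry that needs a closer look."""
    findings = []
    for path in paths:
        verdict = classify(path)
        if verdict in ("wrong-dir", "lookalike"):
            findings.append((path, verdict))
    return findings

# Constructed sample: two paths as they appear in the posted log, the file the
# poster was told to remove, and two made-up entries.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\svhost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict in review(SAMPLE):
        print(f"{verdict:10} {path}")
```

A hit is a prompt to check the file's path, signer and creation time, not proof of infection.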