Norton A.V. reports Trojan Horse-MY COMP. IS CRACKING-HELP! (+Hijack log)

Discussion in 'adware, spyware & hijack cleaning' started by Reverend Pahomije, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. Reverend Pahomije

    Reverend Pahomije Registered Member

    Jul 11, 2004
    Hello to everyone,
    This one's a big issue (at least for me), so please take a good look and assist me in fighting this menace. I'm literally going insane.
    It seems that two days ago I picked a virus or spyware or whatever, and my (updated) Norton Antivirus 2004 has gone insane-it reports Trojan Horse in "C:\WINDOWS\hosts" and "C:\WINDOWS\system32\drivers\etc\hosts". As it cannot delete these files, it starts detecting them all over again until I shut down my computer.
    I opened C:\WINDOWS folder, and the "hosts" file is changing 2-3 times per minute. I managed to read it in Wordpad and it looks as if it's redirecting some websites to an unknown address. What's more, "Google" search is either not working (site cannot be opened) or redirected to some blue-screen-site with "Detected SPYware! System error #384".
    I used updated Ad-Aware 6.0.
    Also, my computer is running about 60% slower.

    Logfile of HijackThis v1.97.7
    Scan saved at 22:08:08, on 11/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\CoolHeckTest\error ball 32.exe
    C:\Program Files\connxmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Modules\svccvt.exe
    C:\Program Files\Modules\msinit.exe
    C:\Program Files\Modules\mmgrv.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\eBayTBar.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = (obfuscated)
    O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\\eBayBand.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Djordje\Application Data\iefeatsl\msiesh.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\\eBayBand.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Programi\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\WINDOWS\System32\msupdate.exe
    O4 - HKLM\..\Run: [PIX501] C:\WINDOWS\System32\msprotect.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [mmsys] C:\WINDOWS\System32\mmgr.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [gplfork] C:\PROGRA~1\CoolHeckTest\error ball 32.exe
    O4 - HKLM\..\Run: [taskmgr] C:\Program Files\connxmgr.exe
    O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [taskmgr] C:\Program Files\connxmgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Windows Startup.lnk = C:\WINDOWS\winstartup.exe
    O4 - Global Startup: Runner.LNK = C:\Program Files\Netscape\Communicator\Program\Runner.EXE
    O4 - Global Startup: eBay Toolbar.LNK = ?
    O4 - Global Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: ImageFox.lnk = ?
    O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\Symantec\WinFax\WTNSETUP.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: eBay Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: Yahoo! Chat -
    O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
    O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88D4D2B8-0A38-40FE-9B94-7AA414C4FEF7}: NameServer =
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

    If there's any thread related to this one or if anyone had this same kind of problem, please just post a link.
    Thank You all in advance for Your kind help,
    Pahomije :( :mad: :'(
Thread Status:
Not open for further replies.