
Thread: HiJack This, browser hijack(Resolved)


  1. #1
    Join Date
    Feb 2007
    Posts
    6


    Alright here it is:

    I'm basically having the same problem as this thread http://forum.networktechs.com/showthread.php?p=7419 . I have done all the initial cleaning and have attached the HijackThis file; however, I can't run it in normal mode. AVG Anti-Spyware found nothing and the Windows Defender scan was also clean. Upon restart into normal mode Windows Defender found a "Possible Hosts File Hijack located in c:\windows\system32\drivers\etc\hosts". I used the remove action and it was successful. I have also added the log from the Kaspersky online scan; let me know if there is any other info I need to post. Any help would be greatly appreciated.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi,
    I am not certain what you mean when you say you cannot run HJT in normal mode. The log you posted looks to be in normal mode to me.
    The first thing I notice, other than the host files of course, is that you are running two, or portions of two anti-virus programs, Norton and AVG. This is an absolute No-No.
    These running processes and services indicate Norton Anti-virus:
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    You need to go to Add/Remove and Uninstall everything listed as Norton and Symantec.
    You may need to reboot if prompted.
    Once that is complete then do a file search by going to Start, Search, Files and Folders, "C" drive and first search for files named Symantec. If any are found delete them. Next do the same for files named Norton, if any are found, delete them.
    Once you have removed the extra anti-virus program, download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
    • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

  3. #3
    Join Date
    Feb 2007
    Posts
    6
    Alright I've done all required steps, and have posted the reports. However, when I started up the computer I received another virus alert from AVG "Trojan horse Downloader.Agent.INL located C:\Documents and Settings\Compaq_Owner\Desktop\install.exe" along with the previous Windows Defender alert. Just thought I'd let you know.

  4. #4
    Join Date
    Feb 2007
    Posts
    6
    Sorry, here is the pasted report.


    SDFix: Version 1.63

    06/02/2007 - 0:37:33.71

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Client IP-IPX

    Path:
    "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282

    Client IP-IPX Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\winlogon.lnk - Deleted
    C:\WINDOWS\system32\netstat.com - Deleted
    C:\WINDOWS\system32\svchosts.exe - Deleted
    C:\WINDOWS\system32\taskkill.com - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Disabled:BackWeb for Presario"
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:Earthlink"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\Documents and Settings\Compaq_Owner\Desktop\Divx\Brayden's ****\A Taste of Chasey Lain - Vivid XXX [DVDRIP][Pornstars][www.sexotorrent.com]\Thumbs.db
    C:\Documents and Settings\Compaq_Owner\Desktop\Office\MSDE2000\SQLRESLD.DLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SQLRESLD.DLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SQLRESLD.DLL
    C:\WINDOWS\system32\gtitxpw\winlogon.exe
    C:\hiberfil.sys
    C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\AUTORUN.INF
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SETUP.INI
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SETUP.RLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SQLRESLD.DLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\ORK\AUTORUN.INF
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\AUTORUN.INF
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\OFFICE1.CAB
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\FILES\OSP\1033\OSP1.CAB
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SETUP.INI
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SETUP.RLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\MSDE2000\SQLRESLD.DLL
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\ORK\AUTORUN.INF
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\ORK\ORK.CAB
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\SHAREPT\CFGQUIET.INI
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\SHAREPT\OWS10.CAB
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Temporary Directory 4 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2005.zip\SHAREPT\SETUPSE.INI

    Finished
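A small triage script, added here as an example and not part of SDFix, HijackThis or this thread, that applies the heuristics a helper uses when reading the report above: a name one edit away from a core Windows binary (svchosts.exe), a .com twin of a built-in console tool in system32 (netstat.com, taskkill.com), a core binary name living outside system32 (gtitxpw\winlogon.exe), and a Startup shortcut named after a system process (winlogon.lnk). The CORE and TOOLS lists and the sample paths are constructed assumptions.

```python
"""Heuristic triage of file paths taken from an SDFix-style report (example code)."""
import ntpath

# Core Windows binaries worth guarding; constructed list, not exhaustive.
CORE = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
        "explorer.exe", "services.exe"}
# Built-in console tools an impostor .com may shadow: cmd.exe resolves
# "netstat" via PATHEXT, and .com is tried before .exe.
TOOLS = {"netstat", "taskkill", "tasklist", "regedit", "ping", "ipconfig"}
SYSTEM32 = r"c:\windows\system32"


def edit1(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def triage(path):
    """Return the list of reasons a path looks suspicious (empty list = clean)."""
    directory, name = ntpath.split(path.strip().lower())
    stem, ext = ntpath.splitext(name)
    reasons = []
    if ext == ".com" and stem in TOOLS and directory == SYSTEM32:
        reasons.append(f"{name} shadows built-in {stem}.exe (PATHEXT prefers .com)")
    for core in CORE:
        if edit1(name, core):
            reasons.append(f"{name} is a lookalike of {core}")
    if name in CORE and directory != SYSTEM32:
        reasons.append(f"{name} outside system32 ({directory})")
    if ext == ".lnk" and "\\startup\\" in directory + "\\" and stem + ".exe" in CORE:
        reasons.append(f"startup shortcut named after {stem}.exe")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the paths SDFix listed in the report above plus one clean one.
    for sample in [r"C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\winlogon.lnk",
                   r"C:\WINDOWS\system32\netstat.com", r"C:\WINDOWS\system32\svchosts.exe",
                   r"C:\WINDOWS\system32\gtitxpw\winlogon.exe", r"C:\WINDOWS\system32\svchost.exe"]:
        print(sample, "->", triage(sample) or "ok")
```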

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Some things were removed, but obviously some nasty items remain.
    Here are the next steps I want you to follow:
    Go to this link:
    Follow each and every step exactly as given, skipping, of course, the download of Windows Defender since you have it, and also the download of HJT. But then follow every other download recommendation.
    Follow the directions for running the programs in safe mode exactly and allow each program to delete whatever is found. Save the AVG Anti-Spyware log and post it back here with a new log from HijackThis that you will run in NORMAL mode once the other steps are complete.

  6. #6
    Join Date
    Feb 2007
    Posts
    6
    I have done the required steps; here are the files.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Wonderful! Glad to help.
    Judy
