View Full Version : Please help with my hijack file

02-02-2005, 10:27 AM
I was told to restart my computer in safe mode and romove this file C:\WINDOWS\svhost.exe I did this and i'm still having this Norton Pop-up saying I have this virus. What else do I need to do?

Logfile of HijackThis v1.99.0
Scan saved at 11:16:56 PM, on 1/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\AIM\aim.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer =,
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here's the error message that pops up... like at least 6 times when I right click on anything.

Virus Message (http://www.celestialproductions.com/errormessage.gif)

HELP! thanks

02-02-2005, 10:52 AM
There are other sites where people wade through Hijackthis logs more often. Have you followed all of the Symantic advice on this page (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.i.html)

02-02-2005, 11:00 AM
Yes I did everything the site told me too do. Do you have another forum that I could go too that may be able to help me faster? thanks

02-02-2005, 11:32 AM
What message do you get from Norton AV.

02-02-2005, 11:38 AM
You could Google to see what forums are doing HijackThis logs. This is one thread (http://www.techsupportforum.com/showthread.php?t=34981) that seems to indicate that it may be partly a Nortons fault. Have you tried any other scan, maybe one of the on-line scans?

Edit: Davesdad the Norton message is in original post

03-02-2005, 12:24 AM
svchost.exe is legitimate, you can have multiple instances as well and that is ok.

I do not see the svhost.exe that you are talking about, my find on FireFox does not show it on this page except where you typed it originally.

Not sure what is going on here??????? You need svchost.exe.

03-02-2005, 12:44 AM
Yeah that link to the techsupportforum.com thread is probably it.

The juicy part is:

I'm just wondering. Could that Beasty trojan been quarantined by Norton and it's giving you a false positive? See if you can view the quarantined items and delete Beasty if found.

I've seen Norton Antivirus do this before myself.

03-02-2005, 08:56 AM
Symantec's removal instructions - http://www.symantec.com/avcenter/venc/data/backdoor.beasty.family.html

You could try restarting in safemode, running Ccleaner ( www.ccleaner.com ) first, then Norton scan. Trojans have to be started up, and unless "attached" to a legit dll , then they won't start in safemode. Windows has a habit of protecting files/services it started up , be they good or bad.

03-02-2005, 09:12 AM

the hijacker is written slightly differently then svhost.exe which is required by windows. sorry I have forgotten exactly how, but look for a slight
variance in the way its typed, by comparing with with the correct file.

eg. the correct one is svhost.exe whereas the hijackjer could be sVhost.exe
or sv_host.exe or Svhost.exe

good luck,


Murray P
03-02-2005, 09:24 AM
Svchost.exe is legit. Entrys for svhost, scvhost and varients are malware, named to disguise there true nature. You don't appear to have the bad kind.

Blimmin helpful of Nortons not to include a path to the file, can you check the Nortons log to find out where the file is/was.

As far as I can tell, the only sus listings in your HJ log is:

Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

What's Extra, *cough* a browser enhancement?


O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

Add server/provider is it or legitimate player?