Removing Trojan

Discussion in 'System Security & Infection Support' started by Hummingbird, Apr 1, 2007.

  1. Hummingbird

    Hummingbird VIP Member

    Joined:
    Nov 8, 2003
    Messages:
    329
    Likes Received:
    3
    Location:
    Ohio, USA
    ok so my dad's computer's been acting really slow off and on for a couple months and spybot didn't find anything and norton anti-virus didn't find anything either but my dad tried this free spyware scan from pcpitstop.com and it supposedly found a trojan. i did a google search for the trojan name it gave me and it apparently does exist. to remove the trojan, pcpitstop says you have to purchase the whole version of their free test.

    is there any way to get rid of the trojan without buying the pcpitstop full version thing? i went to start>search and did a search for different parts of the trojan name and it didn't find anything, although i know the whole point of trojans is that they're hard to find/get rid of so i'm not shocked that windows couldn't find anything.

    so how the heck do i get rid of this thing on my dad's computer without reloading windows?
     
    Hummingbird, Apr 1, 2007
    #1

  2. Hummingbird

    TheOneGreatX VIP Member

    Joined:
    Apr 27, 2004
    Messages:
    1,276
    Likes Received:
    16
    Location:
    US
    did you update spybot and norton before you ran them?
    also download, update, and try Ad-aware.
     
    TheOneGreatX, Apr 1, 2007
    #2

  3. Hummingbird

    Hummingbird VIP Member

    oh yeah we update norton and spybot like every freakin day. and we've done scans like 17 times each over the course of a month and they never find this thing that pcpitstop says is there.

    i think my dad already has ad-aware. i'll check and update it and do a search with it . . .
     
    Hummingbird, Apr 1, 2007
    #3
  4. Hummingbird

    Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    Don't pay much attention to the results of the scan. Trust your spybot and Ad-aware. Also run hijack this and post your logs and I'll take a look for you.

    A lot of times those free tests will tell you that you have a trojan to scare you into buying their software.
     
    Last edited: Apr 3, 2007
    Zeus, Apr 1, 2007
    #4
  5. Hummingbird

    Hummingbird VIP Member

    ok here's what hijack this said:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:10:08 PM, on 4/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis1-99-1.exe
    C:\Documents and Settings\Administrator\Desktop\aawsepersonal.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
    O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120086113259
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    and ad-aware just found 2 tracking cookies (real player and windows media player, i imagine).
     
    Hummingbird, Apr 2, 2007
    #5
  6. Hummingbird

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
    That machine is as clean as a whistle. More than likely all that Symantec junk is causing the machine to run slowly with background scans at unexpected times.
    I always remove the consumer version of Symantec products and install AVG Free (http://free.grisoft.com) and turn on the Windows firewall. This greatly speeds up machines that I work on.
     
    Fenis-Wolf, Apr 2, 2007
    #6
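
An added example, not part of any post in this thread: a small Python parser that splits a HijackThis 1.99.1 log like the one in post #5 into its running-process list and numbered sections, and pulls out the entries HijackThis itself tagged `Unknown owner` or `(file missing)` so a helper can read those first. The sample lines are copied from the posted log; the function names are this example's own, and the tags are a reading aid, not a verdict on any entry.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Section lines look like "O23 - Service: <detail>" or "O4 - HKLM\..\Run: <detail>".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - ([^:]+): (.*)$")

def parse_log(text):
    """Return (running_processes, entries) from a HijackThis text log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if match:
            in_procs = False  # the process list ends where sections begin
            code, kind, detail = match.groups()
            entries.append({
                "code": code, "kind": kind, "detail": detail,
                "file_missing": detail.endswith("(file missing)"),
                "unknown_owner": " - Unknown owner - " in detail,
            })
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def section_counts(entries):
    """How many entries each section code (O2, O4, O23, ...) contributed."""
    return dict(Counter(e["code"] for e in entries))

def needs_review(entries):
    """Entries HijackThis tagged 'Unknown owner' or '(file missing)'."""
    return [e for e in entries if e["file_missing"] or e["unknown_owner"]]

if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    print(len(procs), "processes;", section_counts(entries))
    for e in needs_review(entries):
        print("review:", e["code"], e["kind"], "-", e["detail"])
```
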
  7. Hummingbird

    Hummingbird VIP Member

    really? awesome.

    well i have the same programs my dad does and mine doesn't pull the slow crap all the time. i think his is a duron 1.3 and mine's an amd athlon 64 2800+. both with 512mb ram. would there be that much of a difference?

    he has the norton confidential installed, though, and i don't. he's worried that if he does online banking that he should have the norton confidential, too. he read in some pc mag that norton confidential was the thing to have if you do online banking. i dunno. i never installed it, but i don't do anything like that online.

    ok i did ctrl alt del to see what all was running in his background and the biggest things were an svchost.exe run by SYSTEM at 25,260k and an explorer.exe run by my dad's user name at 27,416k and something called LUCOM~1.exe run by SYSTEM at 14,320k. any of these things mean anything to y'all? is the one large svchost one the norton confidential?
     
    Hummingbird, Apr 2, 2007
    #7
  8. Hummingbird

    Zeus Moderator

    svchost.exe run by SYSTEM - Generic Host Process for Win32 Services

    explorer.exe run by user name - Windows Explorer

    LUCOM~1.exe run by SYSTEM - liveupdate in symantec products

    :)
     
    Zeus, Apr 3, 2007
    #8
  9. Hummingbird

    Hummingbird VIP Member

    schweet.

    so anybody think it would be ok for him to do online banking and such without norton confidential? i'm sure that 99% of people who do stuff like that don't have any program like confidential . . .
     
    Hummingbird, Apr 4, 2007
    #9
  10. Hummingbird

    Zeus Moderator

    As long as you keep your spyware tools and anti-virus tools up to date, he will be fine doing the online banking without confidential.

    I do all of my banking online without it.
     
    Zeus, Apr 4, 2007
    #10
  11. Hummingbird

    Hummingbird VIP Member

    i figured it was a pretty useless program. that's why i never bothered to install it.

    thanks for everything, Zeus!
     
    Hummingbird, Apr 4, 2007
    #11
  12. Hummingbird

    Zeus Moderator

    You are welcome. That's what I'm here for.
     
    Zeus, Apr 5, 2007
    #12