Strange virus-- HijackThis log included

RaboKarabekian

I'm in the process of cleaning a neighbor's PC for her and have come across a problem. I washed out a load of spyware and had to go through a fair bit of registry editing to get rid of the Lo Thuong/Desktop Search/Edmond Trojan (cleaned it using instructions found at that link). So far so good. The registry appears clean, and Symantec AV, AdAware, and Spybot S&D all come up clean. Problem is, there are still *loads* of Internet Explorer windows randomly popping up (most of them from http://banners.searchingbooth.com/advertpro/, if that helps at all).

She's running Windows XP and browsing with Firefox, with nothing big running in the background. Any help you can give would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:26:57 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\LEXBCES.exe
C:\WINNT\system32\LEXPPS.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\IEXPLOR.exe
C:\WINNT\WinTask.exe
C:\WINNT\system\dnaqfrvbcr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\J J\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtxBrw] C:\WINNT\IEXPLOR.exe
O4 - HKLM\..\Run: [C] C:\WINNT\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINNT\WinTask.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitevci32.exe
O4 - HKLM\..\RunServices: [sYSTEM] lsas.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/jvm/msjavx86_3805.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110773444077
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


Please ensure that the antivirus and adware removal applications are completely up to date before running the scans. This computer currently has a virus, and most up-to-date security applications should pick it up. After updating, it would be a good idea to scan while in Safe Mode: press F8 a few times quickly before the Windows loading screen while starting the computer up to enter Safe Mode.


Yes, what Sharper says is true.

First update your scanners (Ad-Aware SE, Spybot S&D, Norton or McAfee), then do a scan in Safe Mode.

But... update your HijackThis, because it's 1.99.1 and the current version is 1.99.9.

Actually, HJT 1.99.1 is the newest version. Also, don't run HJT in Safe Mode; if you do, it might not pick up some spyware that loads during a normal boot.


Weird, then I got a bugged version, aaaaaaaaaaaargh.

:o :o :o Sorry bro.

Are you sure you are not getting confused with 1.98.9, a previous version of HJT?


What AV does the computer have? I can't imagine it would be very up to date if it can't detect the W32.Navidad worm :-?

As you can see in the HijackThis log, C:\WINNT\WinTask.exe is running, and this is related to the worm.

I suggest you attempt to remove it using Housecall, or if that doesn't get it, use Symantec's removal tool (removes both W32.Navidad and the W32.Navidad.16896 variant).

Once you've done that, post another HijackThis log.
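The entries this reply and the log above single out (WinTask.exe, the IEXPLOR.exe Run entry, the RunServices line loading a bare lsas.exe) share traits that can be checked mechanically before anyone looks a name up: an executable sitting directly under the Windows directory instead of system32 or Program Files, a file name one edit away from a core Windows binary, a Windows 9x-era autostart key on an NT system, a Run value with no meaningful name, and a BHO whose DLL is gone. The script below is an added example for this thread, not the poster's code and not part of HijackThis; it parses the HijackThis 1.99 line formats shown in the log and returns the lines those rules flag, with the reason for each. SAMPLE_LOG is a constructed subset of the posted log with the forum's executable-extension filter reverted to ".exe"; the allow-list of executables that legitimately live in the Windows root and the list of core binary names are the editor's assumptions, not something the thread states.

```python
"""Heuristic triage of a HijackThis 1.99.x log.

Added example for this thread; neither the poster's code nor part of HijackThis.
SAMPLE_LOG is a constructed subset of the posted log, with ".exe" restored.
"""
import ntpath
import re

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\IEXPLOR.exe
C:\WINNT\WinTask.exe
C:\WINNT\system\dnaqfrvbcr.exe
C:\WINNT\wanmpsvc.exe

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtxBrw] C:\WINNT\IEXPLOR.exe
O4 - HKLM\..\Run: [C] C:\WINNT\WinTask.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitevci32.exe
O4 - HKLM\..\RunServices: [sYSTEM] lsas.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# Assumed list of core binaries that malware imitates with one-letter variations (lsas vs lsass).
CORE_NAMES = ("csrss", "explorer", "iexplore", "lsass", "services", "smss", "spoolsv", "svchost", "winlogon")
# Assumed allow-list of executables Windows itself keeps directly under %WINDIR%.
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
WINDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)(\\system)?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<vendor>.+?) - (?P<path>.+?)(?: \(file missing\))?$")


def edit_distance(a, b):
    """Levenshtein distance; the strings are tiny, so the quadratic table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the core binary this file name is exactly one edit away from, else None."""
    stem = filename.lower().rsplit(".", 1)[0]
    return next((c for c in CORE_NAMES if stem != c and edit_distance(stem, c) == 1), None)


def exe_path(cmd):
    """Pull the executable path out of a Run value (quoted, with arguments, or bare)."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|com|scr|pif|bat|dll))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def path_reasons(path, vendor_backed):
    """Rules for one executable path; an empty list means nothing stood out."""
    reasons, name, folder = [], ntpath.basename(path), ntpath.dirname(path).lower()
    if not folder:
        reasons.append("bare file name: resolved via the search path, not a fixed location")
    core = lookalike(name)
    if core:
        reasons.append(f"'{name}' is one edit away from the core binary '{core}'")
    if WINDIR_RE.match(folder) and name.lower() not in WINDIR_ROOT_OK and path.lower() not in vendor_backed:
        reasons.append(f"lives directly under {folder} rather than system32 or Program Files")
    return reasons


def triage(log_text):
    """Return [(log line, [reasons])] for every line the rules want a human to look at."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    nt_platform = any(l.startswith("Platform:") and "WinNT" in l for l in lines)
    # A service with a named vendor vouches for its own binary even when it sits in %WINDIR%.
    vendor_backed = {m.group("path").lower() for m in map(O23_RE.match, lines)
                     if m and m.group("vendor").lower() != "unknown owner"}
    findings, in_procs = [], False
    for l in lines:
        if l == "Running processes:":
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", l):
            reasons = path_reasons(l, vendor_backed)
            if reasons:
                findings.append((l, reasons))
            continue
        in_procs = False
        m = O4_RE.match(l)
        if m:
            reasons = path_reasons(exe_path(m.group("cmd")), vendor_backed)
            if nt_platform and m.group("key").lower().startswith("runservices"):
                reasons.append("RunServices is a Windows 9x/Me key that XP does not process; ask who wrote it")
            if len(m.group("name")) <= 1:
                reasons.append(f"value name '{m.group('name')}' identifies no product")
            if reasons:
                findings.append((l, reasons))
        elif l.startswith("O2 - ") and l.endswith("(no file)"):
            findings.append((l, ["BHO CLSID still registered but its DLL is gone: orphan of an earlier removal"]))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, *("\n    - " + r for r in reasons))
```

Run as a script it prints each flagged line with its reasons. It leaves C:\WINNT\Explorer.exe alone because that file belongs in the Windows root, and it leaves C:\WINNT\wanmpsvc.exe alone because the O23 line names America Online, Inc. as the owner of that service. The [checkrun] entry for elitevci32.exe in system32 triggers no rule at all, which is the limit of this approach: a heuristic pass narrows the manual review, it does not replace looking up every unfamiliar entry.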
