April 28, 200521 yr I'm in the process of cleaning a neighbor's PC for her and have come across a problem. I washed out a load of spyware and had to go through a fair bit of registry editing to get rid of the Lo Thuong/Desktop Search/Edmond Trojan(<-- Cleaned it using instructions found at that link). So far so good. The registry appears clean, and Symantec AV, AdAware, and Spybot S&D all come up clean. Problem is, there's still *loads* of Internet Explorer windows randomly popping up randomly (most of them from: http://banners.searchingbooth.com/advertpro/, if that helps at all). She's running Windows XP and browsing with Firefox, with nothing big running in the background. Any help you can give would be appreciated. Logfile of HijackThis v1.99.1 Scan saved at 3:26:57 PM, on 4/27/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINNT\System32\smss[Caution: ExecutableFile] C:\WINNT\system32\winlogon[Caution: ExecutableFile] C:\WINNT\system32\services[Caution: ExecutableFile] C:\WINNT\system32\lsass[Caution: ExecutableFile] C:\WINNT\system32\svchost[Caution: ExecutableFile] C:\WINNT\System32\svchost[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile] C:\WINNT\Explorer[Caution: ExecutableFile] C:\WINNT\system32\LEXBCES[Caution: ExecutableFile] C:\WINNT\system32\LEXPPS[Caution: ExecutableFile] C:\WINNT\system32\spoolsv[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile] C:\PROGRA~1\SYMANT~1\VPTray[Caution: ExecutableFile] C:\WINNT\IEXPLOR[Caution: ExecutableFile] C:\WINNT\WinTask[Caution: ExecutableFile] C:\WINNT\system\dnaqfrvbcr[Caution: ExecutableFile] C:\Program Files\Symantec AntiVirus\DefWatch[Caution: ExecutableFile] C:\WINNT\System32\nvsvc32[Caution: ExecutableFile] C:\WINNT\System32\svchost[Caution: ExecutableFile] C:\Program Files\Symantec AntiVirus\Rtvscan[Caution: ExecutableFile] C:\WINNT\wanmpsvc[Caution: ExecutableFile] C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware[Caution: ExecutableFile] C:\Program Files\Symantec AntiVirus\VPC32[Caution: ExecutableFile] C:\Program Files\Mozilla Firefox\firefox[Caution: ExecutableFile] C:\Documents and Settings\J J\Desktop\HijackThis[Caution: ExecutableFile] R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray[Caution: ExecutableFile] O4 - HKLM\..\Run: [AtxBrw] C:\WINNT\IEXPLOR[Caution: ExecutableFile] O4 - HKLM\..\Run: [C] C:\WINNT\WinTask[Caution: ExecutableFile] O4 - HKLM\..\Run: [PopMark] C:\WINNT\WinTask[Caution: ExecutableFile] O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitevci32[Caution: ExecutableFile] O4 - HKLM\..\RunServices: [sYSTEM] lsas[Caution: ExecutableFile] O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect[Caution: ExecutableFile] O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.google.com O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/jvm/msjavx86_3805[Caution: ExecutableFile] O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110773444077 O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile] O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile] O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile] O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch[Caution: ExecutableFile] O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox[Caution: ExecutableFile] O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES[Caution: ExecutableFile] O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32[Caution: ExecutableFile] O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing) O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam[Caution: ExecutableFile] O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile] O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan[Caution: ExecutableFile] O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc[Caution: ExecutableFile]
April 28, 200521 yr Please ensure that the antivirus and adware removal applications are completely up-to-date before running the scans. This computer currently has a virus and most up-to-date security applications should pick them up. After updating it would be a good idea to scan while in safe-mode, press F8 a few times quickly before the windows loading screen while starting your computer up to enter safe-mode.
April 28, 200521 yr yes wath sharper says i true first update ur scanners (Ad-Aware SE,Spybot S&D,Norton or Mc affee) than do scan in secure mode but...update ur HiJack This cuz its 1.99.1, the current version is 1.99.9
April 28, 200521 yr yes wath sharper says i true first update ur scanners (Ad-Aware SE,Spybot S&D,Norton or Mc affee) than do scan in secure mode but...update ur HiJack This cuz its 1.99.1, the current version is 1.99.9 Actually HJT 1.99.1 is the newest version. also dont run HJT in safemode, if you do it might not pick up some spyware that loads during the normal boot. Mercifull <3 Suzi "We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
April 28, 200521 yr weird than i got a bugged verison aaaaaaaaaaaargh :o :o :o srry bro Are you sure you are not getting confused with 1.98.9, a previous version of HJT? Mercifull <3 Suzi "We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
April 29, 200521 yr Author All the AV and antispyware is fully updated, and I'm pretty sure that's the most recent version of HJT :|. I've run everything in both safemode and normal.
April 29, 200521 yr What AV does the computer have? I can't imagine it would be very up to date if it can't detect the W32.Navidad worm :-? As you can see in the hijackthis log, C:\WINNT\WinTask[Caution: ExecutableFile] is running, and this is related to the worm. I suggest you attempt to remove it using Housecall, or if that doesn't get it, use Symantec's removal tool (removes both W32.Navidad and the W32.Navidad.16896 variant.) Once you've done that, post another hijackthis log. Where the bloody hell are you?
April 29, 200521 yr Author Thanks a bunch Cameron-- I'll try that as soon as I get home. She has the full corporate version of Symantac AV, so I dunno why it didn't catch that :? .
Create an account or sign in to comment