Everything posted by RaboKarabekian

  1. Thanks a bunch Cameron-- I'll try that as soon as I get home. She has the full corporate version of Symantec AV, so I dunno why it didn't catch that :? .
  2. All the AV and antispyware is fully updated, and I'm pretty sure that's the most recent version of HJT :|. I've run everything in both safe mode and normal.
  3. I'm in the process of cleaning a neighbor's PC for her and have come across a problem. I washed out a load of spyware and had to go through a fair bit of registry editing to get rid of the Lo Thuong/Desktop Search/Edmond Trojan (<-- Cleaned it using instructions found at that link). So far so good. The registry appears clean, and Symantec AV, AdAware, and Spybot S&D all come up clean. Problem is, there's still *loads* of Internet Explorer windows randomly popping up (most of them from: http://banners.searchingbooth.com/advertpro/, if that helps at all). She's running Windows XP and browsing with Firefox, with nothing big running in the background. Any help you can give would be appreciated.

     Logfile of HijackThis v1.99.1
     Scan saved at 3:26:57 PM, on 4/27/2005
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     Running processes:
     C:\WINNT\System32\smss[Caution: ExecutableFile]
     C:\WINNT\system32\winlogon[Caution: ExecutableFile]
     C:\WINNT\system32\services[Caution: ExecutableFile]
     C:\WINNT\system32\lsass[Caution: ExecutableFile]
     C:\WINNT\system32\svchost[Caution: ExecutableFile]
     C:\WINNT\System32\svchost[Caution: ExecutableFile]
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile]
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
     C:\WINNT\Explorer[Caution: ExecutableFile]
     C:\WINNT\system32\LEXBCES[Caution: ExecutableFile]
     C:\WINNT\system32\LEXPPS[Caution: ExecutableFile]
     C:\WINNT\system32\spoolsv[Caution: ExecutableFile]
     C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]
     C:\PROGRA~1\SYMANT~1\VPTray[Caution: ExecutableFile]
     C:\WINNT\IEXPLOR[Caution: ExecutableFile]
     C:\WINNT\WinTask[Caution: ExecutableFile]
     C:\WINNT\system\dnaqfrvbcr[Caution: ExecutableFile]
     C:\Program Files\Symantec AntiVirus\DefWatch[Caution: ExecutableFile]
     C:\WINNT\System32\nvsvc32[Caution: ExecutableFile]
     C:\WINNT\System32\svchost[Caution: ExecutableFile]
     C:\Program Files\Symantec AntiVirus\Rtvscan[Caution: ExecutableFile]
     C:\WINNT\wanmpsvc[Caution: ExecutableFile]
     C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware[Caution: ExecutableFile]
     C:\Program Files\Symantec AntiVirus\VPC32[Caution: ExecutableFile]
     C:\Program Files\Mozilla Firefox\firefox[Caution: ExecutableFile]
     C:\Documents and Settings\J J\Desktop\HijackThis[Caution: ExecutableFile]

     R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
     R3 - Default URLSearchHook is missing
     O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
     O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]"
     O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray[Caution: ExecutableFile]
     O4 - HKLM\..\Run: [AtxBrw] C:\WINNT\IEXPLOR[Caution: ExecutableFile]
     O4 - HKLM\..\Run: [C] C:\WINNT\WinTask[Caution: ExecutableFile]
     O4 - HKLM\..\Run: [PopMark] C:\WINNT\WinTask[Caution: ExecutableFile]
     O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitevci32[Caution: ExecutableFile]
     O4 - HKLM\..\RunServices: [sYSTEM] lsas[Caution: ExecutableFile]
     O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect[Caution: ExecutableFile]
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
     O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
     O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
     O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
     O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
     O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/jvm/msjavx86_3805[Caution: ExecutableFile]
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110773444077
     O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
     O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
     O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab
     O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
     O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
     O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile]
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile]
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch[Caution: ExecutableFile]
     O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox[Caution: ExecutableFile]
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES[Caution: ExecutableFile]
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32[Caution: ExecutableFile]
     O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam[Caution: ExecutableFile]
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile]
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan[Caution: ExecutableFile]
     O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc[Caution: ExecutableFile]
  4. There's a couple of my stranger ones...