Looking a lot better, but still have a few symptoms:
1. When I open IE (I normally use Opera, but IE is what triggers this thing) and attempt to go somewhere, I'm still getting an occasional ad popup
2. Still getting a Dialer.Trojan warning by NortonAV. It can delete one of the files associated with it, but the other is access denied. Here's a screeny (accidentally deleted the trojan screeny from a post above, so they'll both look like this one now):
[IMG]http://www.m00k.net/images/trojan.jpg[/IMG]
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:09 AM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\brad.edwards\Desktop\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124732804238
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wp.fsi
O17 - HKLM\Software\..\Telephony: DomainName = wp.fsi
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wp.fsi
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
And here's my ewido log:
--------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:05:12 AM 7/6/2006
+ Scan result:
C:\WINDOWS\system32\gebawus.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\regperf.exe -> Downloader.Zlob.wo : Cleaned with backup (quarantined).
C:\Documents and Settings\Configuresoft\Cookies\configuresoft@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Configuresoft\Cookies\configuresoft@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ehg-comcast.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ehg-microsoft.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\brad.edwards@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@vdn.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\brad.edwards\Cookies\brad.edwards@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
::Report end
I'll try running NortonAV in SafeMode to kill the Trojan. Anything else I should do?
![http://www.m00k.net/images/threat.jpg[/IMG]](http://www.m00k.net/images/threat.jpg%5B/IMG%5D){kind=link}
![http://www.m00k.net/images/threat_note.jpg[/IMG]](http://www.m00k.net/images/threat_note.jpg%5B/IMG%5D){kind=link}
![http://www.m00k.net/images/trojan.jpg[/IMG]](http://www.m00k.net/images/trojan.jpg%5B/IMG%5D){kind=link}
![http://www.m00k.net/images/trojan_ap.jpg[/IMG]](http://www.m00k.net/images/trojan_ap.jpg%5B/IMG%5D){kind=link}
![http://www.stevewolfonline.com/Downloads/DMR/Visuals/dunno.gif[/IMG]](http://www.stevewolfonline.com/Downloads/DMR/Visuals/dunno.gif%5B/IMG%5D){kind=link}