Spam-N-Rice
Thread Starter
- Joined: Sep 5, 2004
- Messages: 4
This webdialer seems to pop up at startup and every hour, and I can't get rid of it. Internet Explorer has also been hijacked. I've updated the files for both Adaware and Spybot. Both Adaware and Spybot S&D have detected the hijack but have been unsuccessful at permanently removing it. Adaware & Spybot S&D don't even detect the webdialer.
I need help. Here is the HijackThis log.
Logfile of HijackThis v1.98.2
Scan saved at 9:54:05 AM, on 9/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlb.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\bentaa\beremote.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\nethi32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\FreeRam XP PRo\FreeRAM XP Pro 1.40.exe
C:\WINNT\ors-.exe
C:\WINNT\SPs-PEs-32.exe
C:\WINNT\system32\ntSPntPE.exe
C:\WINNT\orhh64or.exe
C:\WINNT\system32\ors-SPPE.exe
C:\WINNT\system32\nt32s-.exe
C:\WINNT\system32\orPEhhs-.exe
C:\WINNT\system32\sy32.exe
C:\WINNT\explorer.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\odbccr32.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnixi.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Kyocera Wireless Corp.
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BEC15DCD-6C71-A3A0-22AE-3BCF2936CA3E} - C:\WINNT\addnl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ExcelAutoSave] regedit /s C:\Apps\MSOffice\excel.reg
O4 - HKLM\..\Run: [EudoraINISetup] C:\Program Files\Eudora\EudoraINISetup.EXE /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [nethi32.exe] C:\WINNT\nethi32.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRam XP PRo\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\system32\odbccr32.exe
O4 - HKCU\..\Run: [ors-] C:\WINNT\ors-.exe
O4 - HKCU\..\Run: [SPs-PEs-32] C:\WINNT\SPs-PEs-32.exe
O4 - HKCU\..\Run: [ntSPntPE] C:\WINNT\system32\ntSPntPE.exe
O4 - HKCU\..\Run: [orhh64or] C:\WINNT\orhh64or.exe
O4 - HKCU\..\Run: [ors-SPPE] C:\WINNT\system32\ors-SPPE.exe
O4 - HKCU\..\Run: [nt32s-] C:\WINNT\system32\nt32s-.exe
O4 - HKCU\..\Run: [orPEhhs-] C:\WINNT\system32\orPEhhs-.exe
O4 - HKCU\..\Run: [sy32] C:\WINNT\system32\sy32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: http://ithil.intra.kyocera-wireless.com
O15 - Trusted Zone: http://maus.intra.kyocera-wireless.com
O15 - Trusted Zone: http://minus.intra.kyocera-wireless.com
O15 - Trusted Zone: http://tirith.intra.kyocera-wireless.com
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E27DFDA8-7292-49F1-BDC6-25B3993E8E08} (IDeRMA41.ctlRMATool) - http://plm/iDweb2004-1/Core_sys/cab/IDeRMA41.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.kyocera-wireless.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.kyocera-wireless.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.kyocera-wireless.com