h91746.exe

#1
24-04-2006, 01:28 PM
byoung22@gmail.com (D-A-L Newbie, joined Apr 2006, 2 posts)
h91746.exe

My computer keeps trying to run the above-mentioned program. HJT log below.

Logfile of HijackThis v1.99.1
Scan saved at 7:52:24 AM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\WINDOWS\TEMP\win18A.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\way\LOCALS~1\Temp\Rar$EX00.954\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139930933902
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\Software\..\Telephony: DomainName = cottagegrove.beconinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winhnr32 - C:\WINDOWS\SYSTEM32\winhnr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
#2
25-04-2006, 05:49 AM
Neal (Senior Member, joined Sep 2005, 5,524 posts)
Re: h91746.exe

Welcome to DAL,

Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have available backups in case you fix the wrong thing or I make a mistake. Very important.

Please download, install, and update the NEW free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Post the log Ewido makes back here please and a new hijackthis log. Thanks.

Then...

Go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And post a new HJT log also.


I need Ewido log
I need BitDefender log
I need a new hijackthis log

Thanks
#3
25-04-2006, 01:11 PM
byoung22@gmail.com (D-A-L Newbie, joined Apr 2006, 2 posts)
Re: h91746.exe

BitDefender Online Scanner

Scan report generated at: Tue, Apr 25, 2006 - 07:53:08
Scan path: C:\;D:\;E:\;

Statistics
Time: 01:11:33
Files: 437661
Folders: 4872
Boot Sectors: 2
Archives: 9543
Packed Files: 38608

Results
Identified Viruses: 9
Infected Files: 17
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 16

Engines Info
Virus Definitions: 371826
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\Documents and Settings\way\Local Settings\Temp\sdexe.exe -> Infected with: Trojan.Downloader.Purityscan.W; Disinfection failed; Deleted
C:\Documents and Settings\way\Local Settings\Temp\svshost.exe -> Infected with: Trojan.Dropper.Vb.KK; Disinfection failed; Deleted
C:\Documents and Settings\way\Local Settings\Temp\win57.tmp.exe -> Infected with: Trojan.Dropper.Vb.KK; Disinfection failed; Deleted
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\marinefree.exe=>wise0053 -> Detected with: Application.Adware.NewDotNet.Dropper; Deleted
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\marinefree.exe -> Update failed
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\marinefree.exe=>wise0054=>(RAR Sfx o)=>WhAgent.exe -> Detected with: Application.Spyware.WebHancer.A; Disinfection failed; Deleted
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\marinefree.exe=>wise0054=>(RAR Sfx o) -> Update failed
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\snowycottagefree.exe=>wise0053 -> Detected with: Application.Adware.NewDotNet.Dropper; Deleted
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\snowycottagefree.exe -> Update failed
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\snowycottagefree.exe=>wise0054=>(RAR Sfx o)=>WhAgent.exe -> Detected with: Application.Spyware.WebHancer.A; Disinfection failed; Deleted
C:\Documents and Settings\way\My Documents\Currant Docs 05\My Documents\Current Docs\snowycottagefree.exe=>wise0054=>(RAR Sfx o) -> Update failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP77\A0016674.exe -> Infected with: Trojan.Downloader.Purityscan.W; Disinfection failed; Deleted
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP77\A0016677.exe -> Infected with: Trojan.Downloader.Purityscan.BT; Disinfection failed; Deleted
C:\WINDOWS\system32\winhnr32.dll -> Infected with: Backdoor.Vuro.A; Disinfection failed; Delete failed
C:\WINDOWS\Temp\jimabjid.exe -> Infected with: Trojan.Dialer.EE; Disinfection failed; Deleted
C:\WINDOWS\Temp\lmbgfhid.exe -> Infected with: Trojan.Dialer.EE; Disinfection failed; Deleted
C:\WINDOWS\Temp\mhellhid.exe -> Infected with: Trojan.Dialer.EE; Disinfection failed; Deleted
C:\WINDOWS\Temp\winCF9.tmp.exe -> Infected with: Trojan.Dialer.OY; Disinfection failed; Deleted
C:\WINDOWS\Temp\winD33.tmp.exe -> Infected with: Trojan.Dialer.OY; Disinfection failed; Deleted
C:\WINDOWS\Temp\winD47.tmp.exe -> Infected with: Trojan.Dialer.OY; Disinfection failed; Deleted
C:\WINDOWS\winres.dll -> Infected with: Trojan.Startpage.EX; Disinfection failed; Deleted


Logfile of HijackThis v1.99.1
Scan saved at 8:11:05 AM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\TEMP\winD5C.tmp.exe
C:\DOCUME~1\way\LOCALS~1\Temp\Rar$EX00.829\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139930933902
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\Software\..\Telephony: DomainName = cottagegrove.beconinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winhnr32 - C:\WINDOWS\SYSTEM32\winhnr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:34:11 AM, 4/25/2006
+ Report-Checksum: CF64FEE9

+ Scan result:

C:\Documents and Settings\way\Cookies\way@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@indigio.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@microsoftoffice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@microsoftuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@news.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@sprintnlc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\way\Cookies\way@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\bpmppind.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win49.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win4C.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win50.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win62.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup
C:\WINDOWS\Temp\accalapd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\afehblid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\affogled.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ajnlfimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\becepkfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\behlekmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\bfijphed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\blabgjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\bmkpbfjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\bohehkid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\bophoomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\cdfablmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\clajlomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\Cookies\way@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\deiibmmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\dejjgeed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\eaheihjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\eedpcdmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\egfiepkd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ehegcnmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ekcmkjed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\eogpkced.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ephdfopd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fbfolcid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fcgoakmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fcpocjfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\feokdpfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fijdjjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\flheoaed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fmpfnamd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\fpomniid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\gahpkiid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\gclgejjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\gebmfcpd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\genmbemd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\giaiedod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\glmjngjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\gmilclmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\golbjcjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\hacoflmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\hajgibed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\hamojjid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\heacacmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\hfaajbmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\hgjiheid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\iapajfmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ifpbihid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ihbiomjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ihchiied.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\iieggmid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ilpiapnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\imicnmmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ioagaepd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jaendnnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\japicmed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jcmmfejd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jdjglmpd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jeckhdpd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jffnmoid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jhedanid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jimcohmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jkofmgmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\jmfmkimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\kchllpnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\kkkdgkjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\kkoidfmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\kljebpjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\kmgdfnfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\lbafpbjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ldnegbmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ldnjdfid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\libbpmmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\llbnjnmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\lmimgifd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mbeckgfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mcgchmnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mcgmipmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mellahmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mffcfdmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mfoncljd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mhogdfed.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mieihofd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mkijmimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\momppond.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\mpphdhid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\nafkknjd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ngbloned.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ngbmnged.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\nkhojnmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\nnbekkid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\nnmolgmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\npapfpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\oaliopid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\oangnaid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\oaofmgid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ocpdgond.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ofaninkd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\olikaajd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\opdepemd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\pedmpbid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\pgkefped.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\ppggllfd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\win17E.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win183.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win18A.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win198.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup


::Report End
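The report above is long but carries one signal: dozens of executables with eight-letter random names in the two Temp directories, all classified as the same dialer family, plus a handful of winNN.tmp.exe files. A practitioner would want that pattern surfaced rather than read line by line. The following is an added example, not part of the original thread and not ewido's own code: a small Python triage that parses lines in the report's "<path> -> <detection> : <action>" format, separates tracking cookies from real detections, groups the rest by family and directory, and counts Temp-directory executables whose names look machine-generated. The sample lines are constructed from the report, and the name-shape regex and the "five or more" threshold are heuristics of this example, not ewido's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ewido report format "<path> -> <detection> : <action>",
# cut down from the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\way\Cookies\way@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\bpmppind.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win49.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Documents and Settings\way\Local Settings\Temp\win62.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup
C:\WINDOWS\Temp\accalapd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\afehblid.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Temp\Cookies\way@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\win17E.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
# Name shapes seen in the report: eight random letters, or winNN.tmp.exe.
# Heuristic of this example, not an ewido rule.
GENERATED_NAME_RE = re.compile(r"^(?:[a-z]{8}|win[0-9a-f]{2,3}\.tmp)\.exe$", re.IGNORECASE)


def parse_report(text):
    """Parse report lines into dicts; lines that do not match the format are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        parts = m.group("detection").split(".")
        hits.append({
            "path": path, "dir": directory, "name": name,
            "detection": m.group("detection"),
            "category": parts[0],            # TrackingCookie / Trojan / Downloader
            "family": ".".join(parts[:2]),   # Trojan.Dialer (variant suffix dropped)
            "action": m.group("action"),
        })
    return hits


def in_temp(hit):
    return "\\temp\\" in (hit["dir"] + "\\").lower()


def summarize(hits):
    """Counts per family overall and per directory, ignoring tracking cookies (noise)."""
    real = [h for h in hits if h["category"] != "TrackingCookie"]
    by_family = Counter(h["family"] for h in real)
    by_dir = defaultdict(Counter)
    for h in real:
        by_dir[h["dir"]][h["family"]] += 1
    return by_family, by_dir


def dropped_executables(hits):
    """Executables in a Temp directory with machine-generated names. Many of these sharing one
    family means something is still writing them: the dropper, not the temp files, is the target."""
    return [h for h in hits if in_temp(h) and GENERATED_NAME_RE.match(h["name"])]


def triage(text):
    hits = parse_report(text)
    by_family, by_dir = summarize(hits)
    dropped = dropped_executables(hits)
    return {
        "total": len(hits),
        "cookies": sum(1 for h in hits if h["category"] == "TrackingCookie"),
        "by_family": dict(by_family),
        "dropped": len(dropped),
        "dropper_likely": len(dropped) >= 5,  # threshold is an assumption of this example
        "dirs": {d: dict(c) for d, c in by_dir.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run against the full report, the same code reports well over a hundred generated-name executables under C:\WINDOWS\Temp with a single family, which is the cue to look for the process or autorun entry that keeps creating them rather than to keep deleting the files ewido already cleaned.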
  #4 (permalink)  
Old 25-04-2006, 11:43 PM
Neal
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: h91746.exe

Hi,



Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have available backups in case you fix the wrong thing or I make a mistake. Very important.



You have a broken internet connection.

Go here to fix your broken internet connection;

http://www.snapfiles.com/download/dlwinsockxpfix.html

Run the tool and reboot


Remove WeatherBug if it is the free version; it contains spyware.


Are you familiar with this cottagegrove stuff below?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\Software\..\Telephony: DomainName = cottagegrove.beconinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com


Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide after we are done


Download Clean.bat to your desktop (Save page as or Save as) for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat


Run hijackthis and click on scan button and put checks next to these:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
---if the free version

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

O20 - Winlogon Notify: winhnr32 - C:\WINDOWS\SYSTEM32\winhnr32.dll



make sure all browser windows are closed and click FIX


Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.


Hunt for and delete if present:

C:\Program Files\AWS < folder (delete if the free version of WeatherBug)
C:\WINDOWS\SYSTEM32\winhnr32.dll < file



Now run that clean batch file you created earlier; type in 'Y' a couple of times, pressing Enter each time you type in "Y", until the black box disappears.

Then:


Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter

Reboot

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start


Post a new HJT log for further review

How is it behaving now?
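The entries Neal picks out of the log (the O17 domain settings, the O20 Winlogon Notify DLL, the O23 service with a missing binary, the empty R0 value) are the kind of thing a reviewer checks for in every HijackThis log. As an added example, not Neal's procedure and not HijackThis's own code, here is a Python parser for the HijackThis v1.99.1 line format with the triage rules a reviewer applies by hand. The sample lines are constructed from entries quoted in this thread; the allowlist of stock Windows XP Winlogon Notify DLLs, the severities and the rules themselves are assumptions of this example, chosen to reproduce the reviewer's reasoning rather than any published rule set.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format, mirroring entries quoted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cottagegrove.beconinc.com
O17 - HKLM\Software\..\Telephony: DomainName = cottagegrove.beconinc.com
O20 - Winlogon Notify: winhnr32 - C:\WINDOWS\SYSTEM32\winhnr32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
"""

# Assumed allowlist of stock Windows XP Winlogon Notify DLLs; extend it from a known-clean baseline.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
BODY_RE = {
    "R0":  re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$"),
    "O4":  re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"),
    "O17": re.compile(r"^(?P<key>.+?):\s*(?P<param>\w+)\s*=\s*(?P<value>.*)$"),
    "O20": re.compile(r"^Winlogon Notify:\s*(?P<name>\S+)\s*-\s*(?P<dll>.*)$"),
    "O23": re.compile(r"^Service:\s*(?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$"),
}


def parse_hjt(text):
    """Turn HijackThis lines into dicts with 'type', 'raw', 'body' and per-type fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {"type": m.group("type"), "raw": line.strip(), "body": m.group("body")}
        sub = BODY_RE.get(entry["type"])
        if sub:
            fm = sub.match(entry["body"])
            if fm:
                entry.update(fm.groupdict())
        entries.append(entry)
    return entries


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def domains(entries):
    """Distinct O17 values, so one unexpected suffix shows once even when set under several keys."""
    return sorted({e["value"] for e in entries if e["type"] == "O17" and "value" in e})


def review(entries):
    """Triage heuristics (assumptions of this example). Returns (severity, type, reason, raw) tuples."""
    findings = []
    for e in entries:
        t = e["type"]
        if t == "O20" and "dll" in e:
            # Winlogon Notify DLLs are loaded by winlogon.exe at logon: a classic persistence point.
            if _basename(e["dll"]) not in KNOWN_NOTIFY_DLLS:
                findings.append(("high", t, "unrecognised Winlogon Notify DLL", e["raw"]))
        elif t == "O23" and "path" in e:
            if "(file missing)" in e["path"]:
                findings.append(("medium", t, "service binary is missing; remove or reinstall", e["raw"]))
            elif e["owner"] == "Unknown owner":
                findings.append(("low", t, "service binary carries no company name", e["raw"]))
        elif t == "O4" and "cmd" in e:
            if "\\temp\\" in e["cmd"].lower():
                findings.append(("high", t, "autorun launches from a Temp directory", e["raw"]))
        elif t == "R0" and "value" in e and not e["value"].strip():
            findings.append(("low", t, "empty browser setting; cosmetic fix", e["raw"]))
    for d in domains(entries):
        findings.append(("medium", "O17", "domain suffix %s: confirm it is expected here" % d, d))
    return findings


if __name__ == "__main__":
    for sev, typ, reason, raw in review(parse_hjt(SAMPLE_HJT)):
        print("%-6s %-4s %s\n       %s" % (sev, typ, reason, raw))
```

The O17 rule deliberately produces a question rather than a verdict: the same suffix under Tcpip\Parameters and Telephony is normal on a domain-joined or ISP-configured machine and a hijack on a home PC, which is why Neal asks the poster whether they recognise it instead of telling them to fix it.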