Hello, I opened an email from a trusted person and received a virus/trojan/worm and it's driving me crazy. This seems like a great forum. Any help would be greatly appreciated. Thank you.
Trend Micro results:
TROJ_STARTPAGE.W
TROJ_SMALL.ADG
ADW_MINIBUG.A
WORM_GREW.A
Your HJT is messed up, send it correctly. Do a system scan and save a logfile, then copy and paste that logfile here. I'll be glad to help you then.
Thank you, I'm about to toss my laptop out the window. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 4:06:32 PM, on 1/25/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\QUICKBOOKS ONLINE BACKUP\OLSYSTRAY.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O19 - User stylesheet: (file missing)
Have you checked out the "about:blank" I.E. hijacker? This might help:
http://www.softwarepatch.com/tips/about-blank-adware.html
Then:
http://www.intermute.com/spysubtract/cwshredder_download.html
Run HijackThis again and place a check beside each of the following. Once done, close all other windows and click Fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan <--- Kama sutra virus
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O19 - User stylesheet: (file missing)
Reboot your computer and reinstall your antivirus software. You see where I pointed to that O4 and said Kama Sutra virus? It will delete a lot of your antivirus files, leaving you unprotected. On February 3rd the Kama Sutra virus is set to delete all files with the following extensions: *.DOC, *.XLS, *.MDE, *.MDB, *.PPT, *.PPS, *.RAR, *.PDF, *.PSD, *.DMP, *.ZIP. Also, each month it is set to have a new payload that is downloaded from a website. So reinstall your AV after rebooting and update it. Perform a deep scan with your AV.
Also, please go HERE to run Panda's ActiveScan.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes.)
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location.
Post the contents of the ActiveScan report and a new HijackThis log.
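The selection made in the reply above, written as a small triage script (an added example, not part of the original thread and not HijackThis code). The four rules are assumptions generalised from the entries that reply picked out, and the sample lines are copied from the log posted earlier in the thread.

```python
import re

# A HijackThis entry is "<section> - <body>": R0-R3, F0-F3, N1-N4 or O1-O23.
ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns look like "HKLM\..\Run: [value name] command line".
O4_RUN = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O19 - User stylesheet: (file missing)
"""


def parse_log(text):
    """Return (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def check_ie_setting(body):
    # R0/R1 bodies are "<key>,<value name> = <data>"; the data may be empty.
    _, sep, data = body.partition(" =")
    if sep and data.strip().lower() in ("", "about:blank"):
        return "IE start/search value is empty or about:blank"
    return None


def check_autorun(body):
    match = O4_RUN.match(body)
    if not match:
        return None  # Startup-folder shortcuts carry no [value name]
    name = match.group("name").lower()
    args = match.group("cmd").lower().split()
    if name == "scanregistry" and "/scan" in args:
        return "ScanRegistry autorun with /scan (called Kama Sutra in the reply)"
    return None


def check_dpf(body):
    # O16 bodies end in " - <codebase>", the source the control was loaded from.
    _, sep, codebase = body.rpartition(" - ")
    if sep and not codebase.lower().startswith(("http://", "https://")):
        return "ActiveX codebase is not a plain http(s) URL"
    return None


def check_stylesheet(body):
    # Assumption: any O19 entry is worth a look, as in the reply.
    return "user stylesheet override present"


CHECKS = {"R0": check_ie_setting, "R1": check_ie_setting,
          "O4": check_autorun, "O16": check_dpf, "O19": check_stylesheet}


def triage(text):
    """Return (section, body, reason) for each entry a check flags."""
    findings = []
    for section, body in parse_log(text):
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

A flagged entry is a prompt for review, not a verdict; entries the rules do not cover (F1, O2, O8, O9) still need a human read.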
OK here's the Panda ActiveScan
Incident   Status   Location
Adware:adware/yoursearchengine   Not disinfected   C:\WINDOWS\INF\info.dat
Spyware:Cookie/Mediaplex   Not disinfected   C:\WINDOWS\Cookies\anyuser@mediaplex[1].txt
Spyware:Cookie/BurstNet   Not disinfected   C:\WINDOWS\Cookies\anyuser@burstnet[2].txt
Spyware:Cookie/Casalemedia   Not disinfected   C:\WINDOWS\Cookies\default@casalemedia[1].txt
Spyware:Cookie/BurstNet   Not disinfected   C:\WINDOWS\Cookies\default@burstnet[2].txt
Spyware:Cookie/Mediaplex   Not disinfected   C:\WINDOWS\Cookies\anyuser@mediaplex[1].txt
Spyware:Cookie/BurstNet   Not disinfected   C:\WINDOWS\Cookies\anyuser@burstnet[2].txt
Spyware:Cookie/Casalemedia   Not disinfected   C:\WINDOWS\Cookies\default@casalemedia[1].txt
Spyware:Cookie/BurstNet   Not disinfected   C:\WINDOWS\Cookies\default@burstnet[2].txt
Spyware:Cookie/go   Not disinfected   C:\WINDOWS\Cookies\default@go[2].txt
Spyware:Cookie/Hitbox   Not disinfected   C:\WINDOWS\Cookies\default@hitbox[2].txt
Virus:Trj/Qhost.X   Disinfected   C:\WINDOWS\hosts.20041202-135647.backup
Virus:Trj/Qhost.X   Disinfected   C:\WINDOWS\hosts.20041202-152317.backup
Virus:Trj/Qhost.X   Disinfected   C:\WINDOWS\hosts.20041203-101228.backup
And here's latest hijack log
Logfile of HijackThis v1.99.1
Scan saved at 3:27:44 PM, on 1/27/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\QUICKBOOKS ONLINE BACKUP\OLSYSTRAY.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DRWATSON.EXE
C:\PROGRAM FILES\ESPN\GAMECLIENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
It looks like Panda hasn't updated their detections yet. Try this scanner.
Please do an online scan with Kaspersky WebScanner.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under "select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.
here's my log from Kasperskyscan
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 28, 2006 10:52:01
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/01/2006
Kaspersky Anti-Virus database records: 162897
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer: a:\ c:\ d:\
Scan Statistics:
Total number of scanned objects: 65357
Number of viruses found: 4
Number of infected objects: 124
Number of suspicious objects: 0
Duration of the scan process: 17046 sec
Scan process completed.