hijackthis.log PLEASE Help
bacapsay (Newbie), 25. January 2006 @ 11:17
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O19 - User stylesheet: (file missing)
bacapsay (Newbie), 25. January 2006 @ 11:53
Hello,
I opened an email from a trusted person and received a virus/trojan/worm and it's driving me crazy. This seems like a great forum. Any help would be greatly appreciated.
Thank You

Trend Micro results
TROJ_STARTPAGE.W
TROJ_SMALL.ADG
ADW_MINIBUG.A
WORM_GREW.A
Senior Member, 25. January 2006 @ 12:42
Your HJT is messed up, send it correctly.

Do a system scan and save a logfile, then copy and paste that logfile here; I'll be glad to help you then.

Yours Truly; Rav
BitTorrent Safety Guide: http://forums.afterdawn.com/thread_view.cfm/395674
Free Security Software: http://forums.afterdawn.com/thread_view.cfm/292257
The cleverest of all, in my opinion, is the man who calls himself a fool at least once a month. - Fyodor Dostoevsky
mafwanix (Newbie), 25. January 2006 @ 12:56
Those items for "Ultimate Bet" look suspicious, unless you're into some sort of online gambling.

This message has been edited since posting. Last time this message was edited on 25. January 2006 @ 12:58

bacapsay (Newbie), 25. January 2006 @ 13:10
Thank you, I'm about to toss my laptop out the window.
Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 4:06:32 PM, on 1/25/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\QUICKBOOKS ONLINE BACKUP\OLSYSTRAY.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O19 - User stylesheet: (file missing)
AfterDawn Addict, 25. January 2006 @ 13:44
Have you checked out the "about:blank" I.E. hijacker?
Quote:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
This might help:
http://www.softwarepatch.com/tips/about-blank-adware.html

then:
http://www.intermute.com/spysubtract/cwshredder_download.html

This message has been edited since posting. Last time this message was edited on 25. January 2006 @ 13:54

Atribune (Newbie), 27. January 2006 @ 09:03
Run hijackthis again and place a check beside each of the following, once done close all other windows and click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan <--- Kama sutra virus

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe

O19 - User stylesheet: (file missing)

Reboot your computer and reinstall your antivirus software.

You see where I pointed to that O4 and said Kama Sutra virus. It will delete a lot of your antivirus files, leaving you unprotected.

On February 3rd the Kama Sutra virus is set to delete all files with the following extensions: *.DOC, *.XLS, *.MDE, *.MDB, *.PPT, *.PPS, *.RAR, *.PDF, *.PSD, *.DMP, *.ZIP. Also, each month it is set to have a new payload that is downloaded from a website.

So reinstall your AV after rebooting and update it. Perform a deep scan with your AV. Also please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan:
- Once you are on the Panda site click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a new hijackthis log.
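As an added example (not code from the thread, and not HijackThis's own logic), the Python script below turns the criteria the helpers applied above into checks run over lines copied from the posted log: an IE start/search value that is empty or about:blank, the ScanRegistry run entry that Atribune attributes to the Kama Sutra worm, an O16 Downloaded Program File that is not fetched over http(s), and an O19 stylesheet entry whose file is missing. How each piece of advice is expressed as a rule is my assumption.

```python
"""Triage checks for HijackThis (HJT) log lines, encoding the criteria the
helpers in this thread applied.  Added example code: not part of the forum
thread and not HijackThis's own logic.  How each piece of advice is turned
into a rule is an assumption made for this example."""
import re

# Constructed sample: entries copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.net/helps/079057/iehelp.chm::/win.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O19 - User stylesheet: (file missing)
"""

# Every HJT entry starts with a section code (R0, O4, O16, ...) then " - ".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Registry O4 bodies look like "HKLM\..\Run: [Name] command".
O4_ENTRY = re.compile(r"^(?P<location>.*?): \[(?P<name>[^\]]+)\]\s*(?P<command>.*)$")


def parse_hjt_line(line):
    """Return (code, body) for an HJT entry, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def check_browser_setting(body):
    """R0/R1: a start or search page set to nothing or to about:blank is
    the signature of the about:blank hijacker the thread points at."""
    if " =" not in body:
        return None
    value = body.partition(" =")[2].strip()
    if value == "" or value.lower() == "about:blank":
        return "IE start/search page is empty or about:blank (hijacked)"
    return None


def check_autorun(body):
    """O4: the ScanRegistry run entry 'scanregw.exe /scan' is the one
    Atribune attributes to the Kama Sutra worm; Windows' own Registry
    Checker entry normally carries a full path and /autorun instead
    (assumption: exact match on the posted command is the check)."""
    m = O4_ENTRY.match(body)
    if (m and m.group("name") == "ScanRegistry"
            and m.group("command").strip().lower() == "scanregw.exe /scan"):
        return "ScanRegistry run entry 'scanregw.exe /scan' (Kama Sutra worm per the thread)"
    return None


def check_dpf(body):
    """O16: a Downloaded Program File should come from an http(s) URL; the
    posted entry instead chains ms-its:mhtml: handlers, which is why the
    helpers listed it for removal."""
    source = body.rpartition(" - ")[2].strip()
    if not re.match(r"^https?://", source, re.IGNORECASE):
        scheme = source.split(":", 1)[0]
        return "DPF entry loaded via non-HTTP handler '%s'" % scheme
    return None


def check_stylesheet(body):
    """O19: a user stylesheet entry whose file is missing is listed for
    removal in the thread alongside the about:blank entries."""
    return "User stylesheet entry with missing file" if "(file missing)" in body else None


CHECKS = {
    "R0": check_browser_setting,
    "R1": check_browser_setting,
    "O4": check_autorun,
    "O16": check_dpf,
    "O19": check_stylesheet,
}


def triage(log_text):
    """Return [(entry, reason)] for every line that trips one of CHECKS."""
    findings = []
    for raw in log_text.strip().splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append((raw.strip(), reason))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the six entries Atribune told the poster to fix and leaves the Hotmail start page, the QuickTime run entry and the Microsoft WGA control alone.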
bacapsay (Newbie), 27. January 2006 @ 12:30
OK here's the Panda ActiveScan


Incident Status Location

Adware:adware/yoursearchengine Not disinfected C:\WINDOWS\INF\info.dat
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Cookies\anyuser@mediaplex[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\anyuser@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Cookies\default@casalemedia[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\default@burstnet[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Cookies\anyuser@mediaplex[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\anyuser@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Cookies\default@casalemedia[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\default@burstnet[2].txt
Spyware:Cookie/go Not disinfected C:\WINDOWS\Cookies\default@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Cookies\default@hitbox[2].txt
Virus:Trj/Qhost.X Disinfected C:\WINDOWS\hosts.20041202-135647.backup
Virus:Trj/Qhost.X Disinfected C:\WINDOWS\hosts.20041202-152317.backup
Virus:Trj/Qhost.X Disinfected C:\WINDOWS\hosts.20041203-101228.backup
And here's the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:27:44 PM, on 1/27/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\QUICKBOOKS ONLINE BACKUP\OLSYSTRAY.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DRWATSON.EXE
C:\PROGRAM FILES\ESPN\GAMECLIENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Atribune (Newbie), 27. January 2006 @ 12:39
It looks like Panda hasn't updated their detections yet; try this scanner.

Please do an online scan with Kaspersky WebScanner: http://www.kaspersky.com/virusscanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  - Scan Options: Scan Archives, Scan Mail Bases
- Click OK
- Now under select a target to scan: Select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
  - Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
bacapsay (Newbie), 28. January 2006 @ 09:43
Here's my log from the Kaspersky scan

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 28, 2006 10:52:01
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/01/2006
Kaspersky Anti-Virus database records: 162897
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 65357
Number of viruses found: 4
Number of infected objects: 124
Number of suspicious objects: 0
Duration of the scan process: 17046 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0023450.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\A0024077.1 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\A0024078.1 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS118.0/A0022450.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS118.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS116.0/A0022058.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS116.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS110.0/A0022013.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS110.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS100.0/A0020653.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS100.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS109.0/A0021013.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS109.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS99.0/A0020608.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS99.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS98.0/A0019608.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS98.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS102.0/A0020697.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS102.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS101.0/A0020679.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS101.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS95.0/A0018533.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS95.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS93.0/A0018364.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS93.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS92.0/A0017364.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS92.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS91.0/A0016364.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS91.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS82.0/A0014717.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS82.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS81.0/A0014687.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS81.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS84.0/A0014918.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS84.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS105.0/A0020766.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS105.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS83.0/A0014771.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS83.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS89.0/A0015186.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS89.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS78.0/A0014286.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS78.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS80.0/A0014583.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS80.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS79.0/A0014578.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS79.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS77.0/A0014176.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS77.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS76.0/A0013176.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS76.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS75.0/A0013132.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS75.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS74.0/A0013124.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS74.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS72.0/A0013100.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS72.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS71.0/A0013023.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS71.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS68.0/A0012783.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS68.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS65.0/A0012499.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS65.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS64.0/A0012439.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS64.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS57.0/A0011408.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS57.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS56.0/A0011355.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS56.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS60.0/A0011439.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS60.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS59.0/A0011433.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS59.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS55.0/A0011281.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS55.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS54.0/A0011268.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS54.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS53.0/A0011197.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS53.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS52.0/A0010197.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS52.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS51.0/A0009197.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS51.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS50.0/A0008197.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS50.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS6.0/A0003122.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS6.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS10.0/A0006233.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS10.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS9.0/A0006122.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS9.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS66.0/A0012529.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS66.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS70.0/A0012804.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS70.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS2.0/A0001001.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS2.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS4.0/A0001122.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS4.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS3.0/A0001116.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\FS3.0 Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\TEMP\A0025172.CPY Infected: Trojan.WinREG.StartPage
c:\_RESTORE\TEMP\A0025177.CPY Infected: Trojan.WinREG.StartPage
c:\_RESTORE\TEMP\A0025202.CPY Infected: Trojan-Downloader.Win32.Small.aag
c:\_RESTORE\TEMP\A0025232.CPY Infected: Trojan.WinREG.StartPage
c:\_RESTORE\TEMP\A0025237.CPY Infected: Trojan.WinREG.StartPage
c:\_RESTORE\TEMP\A0104477.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0104479.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0106024.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0107491.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112206.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112783.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112784.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112785.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112786.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112787.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112788.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\TEMP\A0112789.CPY Infected: Email-Worm.Win32.Nyxem.e
c:\_RESTORE\ARCHIVE\FS87.CAB/A0014974.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\ARCHIVE\FS87.CAB Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\ARCHIVE\FS94.CAB/A0018444.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\ARCHIVE\FS94.CAB Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\ARCHIVE\FS97.CAB/A0019543.CPY Infected: Trojan.Win32.StartPage.y
c:\_RESTORE\ARCHIVE\FS97.CAB Infected: Trojan.Win32.StartPage.y

Scan process completed.
bacapsay (Newbie), 28. January 2006 @ 09:50
RAV009-
Any suggestions??
Thanks for help.