y65.html popups, virus scanner popups, possible virus?

[Kayeita]

I must apologize in advance, I am not very computer savvy, but something happened to my computer and now there are pop ups everywhere!

I have done everything in the 5 steps outlined in the sticky.

A few notes: Panda ActiveScan will not run for me. It says there are errors on the page when it gets to the part where I could click for it to scan my computer. I think I may be having a javascript issue?

Ad Aware SE, when running the Lavasoft VX2 Cleaner says the following message: Possible New Variant Found. Please submit the file file contained in C:\vx2logs.txt for anslysis.

The log says:
Posssible new VX2 variant file:
C:\WINDOWS\system32\irpol5731.dll

While posting this, these are an example of the popups I am getting:

http://www.mediapurchases.com/normal/yyy65.html

http://www.health-yshopping.com/normal/yyy65.html


http://www.blow-outsales.com/normal/yyy65.html

http://www.realcoupon-s.com/normal/yyy65.html

I'm not sure what other info to post, other than I'm *thisclose* to wiping and reinstalling, except I have pictures of my kids uploaded that I had not burned to CDrom yet, and I would be devastated to lose them. Please let me know if you require any more info from me.

Here's the Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:43 PM, on 2/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122398293245
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...3/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\irpol5731.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[Jag11]

Hi and welcome to TSF

I'm Jet Ian, and I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

We also recommend that you Subscribe to this thread so that when I or the other experts replied, you will get an email notification. To do this: Click on then and make sure you set it to Instant notification by email.

[Jag11]

Thanks for being patient...

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal).

L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

[Kayeita]

Here is the first log:

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 608 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 720 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1916 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1452 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\fp2403fqe.dll
Successfully Deleted: C:\WINDOWS\system32\fp2403fqe.dll
Deleting: C:\WINDOWS\system32\i2420choef4c0.dll
Successfully Deleted: C:\WINDOWS\system32\i2420choef4c0.dll
Deleting: C:\WINDOWS\system32\irjsl5171.dll
Successfully Deleted: C:\WINDOWS\system32\irjsl5171.dll
Deleting: C:\WINDOWS\system32\irnql5551.dll
Successfully Deleted: C:\WINDOWS\system32\irnql5551.dll
Deleting: C:\WINDOWS\system32\n08olal31dq.dll
Successfully Deleted: C:\WINDOWS\system32\n08olal31dq.dll
Deleting: C:\WINDOWS\system32\wtvdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wtvdmod.dll
Deleting: C:\WINDOWS\system32\wvnotify.dll
Successfully Deleted: C:\WINDOWS\system32\wvnotify.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fp2403fqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\fp2403fqe.dll
C:\WINDOWS\system32\i2420choef4c0.dll
C:\WINDOWS\system32\irjsl5171.dll
C:\WINDOWS\system32\irnql5551.dll
C:\WINDOWS\system32\n08olal31dq.dll
C:\WINDOWS\system32\wtvdmod.dll
C:\WINDOWS\system32\wvnotify.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\cobcatq.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtvdmod.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}"=-
"{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}"=-
"{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}"=-
"{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}"=-
[-HKEY_CLASSES_ROOT\CLSID\{3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0}]
[-HKEY_CLASSES_ROOT\CLSID\{F8990531-1292-47C7-95C4-6A5BBDC2A8F7}]
[-HKEY_CLASSES_ROOT\CLSID\{1CFC31F2-F084-47A9-B8AB-BC0BE395F887}]
[-HKEY_CLASSES_ROOT\CLSID\{C09FF3A5-DB5E-4628-A331-A03A8FD2C793}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/fp2403fqe.dll (164 bytes security) (deflated 4%)
adding: dlls/guard.tmp (164 bytes security) (deflated 4%)
adding: dlls/i2420choef4c0.dll (164 bytes security) (deflated 5%)
adding: dlls/irjsl5171.dll (164 bytes security) (deflated 4%)
adding: dlls/irnql5551.dll (164 bytes security) (deflated 5%)
adding: dlls/n08olal31dq.dll (164 bytes security) (deflated 6%)
adding: dlls/wtvdmod.dll (164 bytes security) (deflated 4%)
adding: dlls/wvnotify.dll (164 bytes security) (deflated 5%)
adding: backregs/1CFC31F2-F084-47A9-B8AB-BC0BE395F887.reg (188 bytes security) (deflated 70%)
adding: backregs/3E7A1E73-81C4-458C-B3C0-7F92D49FE6C0.reg (188 bytes security) (deflated 70%)
adding: backregs/C09FF3A5-DB5E-4628-A331-A03A8FD2C793.reg (188 bytes security) (deflated 70%)
adding: backregs/F8990531-1292-47C7-95C4-6A5BBDC2A8F7.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:04:25 AM, on 2/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122398293245
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...3/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\fp2403fqe.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[Jag11]

Thanks for the logs, before we proceed, just want to inform you that you have no Anti-Virus installed. You really need to have one because this will serve as your shield to the bad guys over the internet. The one I use is AVG, it's free. Once you've downloaded it, install it as soon as possible, because this is important.

==========================================================

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Download ATF Cleaner by Atribune, save it to your Desktop. We will use this later.

==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\fp2403fqe.dll (file missing)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...3/cpbrkpie.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Show Hidden Files and Folders. Click Start » My Computer » Tools » Folder Options. Select the View tab. Check Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm, then OK to exit.

==========================================================

Boot into Safe Mode. Please restart your computer and as soon as it starts to boot, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

==========================================================

Delete Files and Folders

Find and delete this file:

• C:\WINDOWS\SYSC00.exe

NOTE: Please let us know if there were any files or folders that you couldn't delete or find.

==========================================================

Run ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

Click Exit on the Main menu to close the program.

==========================================================

Run an online scan at Panda's ActiveScan

Perform an online scan with Internet Explorer at Panda ActiveScan

• Click on Free use ActiveScan located on the top right hand corner.
• Click Scan your PC & a 'pop up' window shall appear. (ensure that your pop up blocker doesn't block it)
• Click Scan Now.
• Enter your e-mail address & click Scan Now. (begins downloading 8 MB Panda's ActiveX controls)

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report.

Please post that log in your next reply.

==========================================================

Please post this log(s) on your next reply:

• HijackThis (new)
• Panda

Please also provide details of any problems you encountered while performing the above steps and update us on how the computer behaves now.

[Kayeita]

Thank you for your help, Jet Ian. I am having problems with the instructions.

I cannot download AVG. I click it and nothing happens. I right click it and select "Save As" and the download box shows up but appears to be idling.

I cannot use Panda. I think my javascript is not working. It loads up and it has a little error on page. When doing initial scans for spyware/malware, I think somehow my javascript got messed up, as well as my touchpad & scroll button for my laptop do not work correctly. I have had this happen before in the past, but I did not know how to fix it, so I reinstalled my computer. I may have to do the same thing again, but I want to be able to burn my photos off first, I hope I can do that!


I did everything else though, and at least have a new HijackThis log. The popups are gone, but the issues I am having now are the javascript one and my touchpad (if I tap to "click" with it, it does not respond) and the scroll button does not work.

Logfile of HijackThis v1.99.1
Scan saved at 1:47:28 AM, on 2/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122398293245
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[Kayeita]

I forgot I have firefox installed as well, and I'm able to get AVG to d/l using that (it is downloading now). I tried Panda in firefox but it said I have to use IE. =(

[Jag11]

Welcome back Kayeita.

Ok, we will try to fix all your problems one by one.

First, about your problem at Panda (the javascript). You might want to try to re-install Java, visit this page to download Java.

Second, about TouchPad. I think that's not malware-related, so try re-installing the drivers of it. If you don't know that, or do not have that, go to the manufacturer's website, all you need is the laptop's model number to get the right driver.

Alright, I hope that will solve your 'other' problems, now we need to get back on the ride.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Run an online scan at Kaspersky

• Please go here to run Kaspersky Online Virus Scanner.
• You will be promted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan, select My Computer.
• This will scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button, and save it to your Desktop.
• Copy and paste that information in your next post.

==========================================================

Please post this log(s) on your next reply:

• HijackThis (new)
• Kaspersky

[Kayeita]

Ok. I uninstalled and reinstalled Java. It did not help the javascript issue. I still cannot use Panda. I will look for the driver for my touchpad once I am clean of viruses.

Installing Java also installed this Google Toolbar. I don't really like things put into my browser, but I must have missed when it asked if it could install this. Is this bad? Should I uninstall Java once again and get rid of this toolbar thing?

The reason I brought those issues up is that even once I got infected, they both worked fine. I think that somehow they got removed (the javascript ability & the touchpad driver) while I was doing fixes. I'm sure I will be able to figure those out though.... even though the Javascript issue is really annoying (I remember doing several google searches on how to try to fix that last time it happened, before I gave up and just formatted).

I installed AVG last night and did a scan, it removed 7 viruses.

I did everything else you told me to do in the previous post. Here is the new Hijack This file:

Logfile of HijackThis v1.99.1
Scan saved at 2:14:09 PM, on 2/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122398293245
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

And here is the Kaspersky online scan. This is ugly.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, February 22, 2006 14:11:46
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 22/02/2006
Kaspersky Anti-Virus database records: 178168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 51226
Number of viruses found: 8
Number of infected objects: 91
Number of suspicious objects: 2
Duration of the scan process: 7578 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/fp2403fqe.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/i2420choef4c0.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/irjsl5171.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/irnql5551.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/n08olal31dq.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/wtvdmod.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dlls/wvnotify.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\fp2403fqe.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\i2420choef4c0.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\irjsl5171.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\irnql5551.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\n08olal31dq.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\wtvdmod.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\Owner\Desktop\l2mfix\dlls\wvnotify.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017587.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017588.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017600.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017601.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017625.exe Infected: not-a-virus:Monitor.Win32.NetMon.a
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017643.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017644.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017653.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017654.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017661.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017663.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017694.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017701.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017951.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017958.exe/data0010 Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017958.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017989.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP227\A0017990.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018378.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018379.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018393.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018394.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018409.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018410.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018419.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018420.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018433.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018434.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018436.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018443.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018447.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018451.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018455.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018459.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018463.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018467.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018471.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018489.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018493.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018499.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018501.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018507.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018512.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018522.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018649.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP228\A0018655.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP229\A0018664.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP229\A0018665.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP229\A0018689.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP229\A0018831.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP229\A0018835.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0018843.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0018844.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0018854.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0018871.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0019012.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP230\A0019016.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019044.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019048.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019055.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019059.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019065.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019071.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019072.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019073.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019074.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{59B4CDBC-710A-42B6-838D-2A76E50F5324}\RP232\A0019075.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\pf78.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\repairs302972994.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai

Scan process completed.


I await patiently for your advice as to what I do next. =)

[Kayeita]

A kindly little bump since it has been over 24hours since I replied to this post, with no response. =)

[Jag11]

Quote:

Installing Java also installed this Google Toolbar. I don't really like things put into my browser, but I must have missed when it asked if it could install this. Is this bad? Should I uninstall Java once again and get rid of this toolbar thing?

It is not bad, and yes, you can remove it from your browser. If that's Internet Explorer:

• Open IE.
• Click on View » Toolbars.
• Then remove Google Toolbar from there.

Quote:

The reason I brought those issues up is that even once I got infected, they both worked fine. I think that somehow they got removed (the javascript ability & the touchpad driver) while I was doing fixes. I'm sure I will be able to figure those out though.... even though the Javascript issue is really annoying (I remember doing several google searches on how to try to fix that last time it happened, before I gave up and just formatted).

Ok, I think Panda is just the problem and the reason why your javascript is not working. Try to go here and tell us what happened.

We'll just clean the files what Kaspersky found for now. By the way, most of these are just backups made by the tools we have used last time, and the others are just your System Restore points, we just need to flush them and you're all clean.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Please find and delete these files:

• C:\WINDOWS\cpbrkpie.ocx
• C:\WINDOWS\pf78.exe
• C:\WINDOWS\system32\repairs302972994.dll

Then delete this folder:

• C:\Documents and Settings\Owner\Desktop\l2mfix\

==========================================================

Then to flush System Restore:

• Click Start » Run » ( type: SYSDM.CPL ) » OK
• Click the System Restore tab.
• Check - Turn off System Restore.
• Click Apply.
• Uncheck - Turn off System Restore.
• Click OK.

==========================================================

Then scan with Kaspersky again and then post the results.

[Kayeita]

Thanks again for the help. Here is the new Kaspersky log. I will follow the link and find out more about the Java situation, I just wanted to get this part done because it takes almost 2 hours for this scan to go through. hehehe. YOu did not ask for another Hijack This, if you need one again please let me know and I'll do another scan of that too.

I will leave the google toolbar if it's not a bad thing. It blocks pop ups, so why not? I was just scared it was also spyware or something.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 23, 2006 19:17:54
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/02/2006
Kaspersky Anti-Virus database records: 178275
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43735
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 2
Duration of the scan process: 5947 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip Suspicious: Password-protected-EXE

Scan process completed.

[Jag11]

Sorry, please post a new HJT log before we proceed.

[Kayeita]

Here we go! I should have assumed. =)

Logfile of HijackThis v1.99.1
Scan saved at 9:44:55 PM, on 2/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122398293245
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[Kayeita]

Quote:

Ok, I think Panda is just the problem and the reason why your javascript is not working. Try to go here and tell us what happened.

I clicked it and yes, Javascript worked fine, so it just must be that Panda does not like me for some reason. =) Sorry I did not do this earlier!

[Jag11]

Good. HJT log is clean, Kaspersky found nothing, and your javascript is now OK. We're all done, except that touchpad of yours, you said you'll just get the drivers when we're finished cleaning, I think you can download them now! Congratulations, your system is now clean!

Before I leave you with the steps to keep your computer clean and prevent re-infection, please post one more time to confirm that you don't have any more problems - so we can mark this thread as SOLVED.

Have a good day!

==========================================================

1.) Re-Hide System Files and Folders:

• Click Start
• Open My Computer
• Select the Tools menu and click Folder Options
• Select the View tab
• Deselect the Show hidden files and folders option
• Select the Hide protected operating system files option
• Click Yes to confirm
• Click OK

2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

• Click Start » Run » ( type: SYSDM.CPL ) » OK
• Click the System Restore tab.
• Check - Turn off System Restore.
• Click Apply.
• Uncheck - Turn off System Restore.
• Click OK.

3.) How to Prevent Re-Infection

Please take your time reading on this list, it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then and select Tools » Windows Update, and follow the online instructions from there.
• Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
• Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
• Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
  Note: You must only use 1 (one) AV because if you have 2 AVs, it will conflict with each other and will only make your system slow.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

[Kayeita]

Thanks for all of your help, Jet Ian.

I downloaded the driver for my touchpad, and when I look in my system, it says it is the same driver. Should I uninstall the one I have and install the one I downloaded? I just don't know what is up with this stupid thing! =)

Anyway everything seems to be working just fine now. I am greatful for this website, I must have been lucky to have stumbled upon it the way I did, and now I can keep my pictures! Yay!

And yes, I will install the protective software you mentioned, the stuff I don't already have installed from attaining help.

Oh, I also guess I can uninstall the Panda software since it did not work anyway? =) What about the Kaspersky, should I keep that installed?

Thanks again! You guys rock!

[Jag11]

Hello Kayeita.

Quote:

I downloaded the driver for my touchpad, and when I look in my system, it says it is the same driver. Should I uninstall the one I have and install the one I downloaded? I just don't know what is up with this stupid thing! =)

Yep, we need to re-install it to find some luck. Uninstall it, then install it again.

Quote:

Anyway everything seems to be working just fine now. I am greatful for this website, I must have been lucky to have stumbled upon it the way I did, and now I can keep my pictures! Yay!

And yes, I will install the protective software you mentioned, the stuff I don't already have installed from attaining help.

Oh, I also guess I can uninstall the Panda software since it did not work anyway? =) What about the Kaspersky, should I keep that installed?

That's a very good news.

About Panda and Kaspersky.. They are not programs, they are "online virus scanners" so nothing to worry about Kayeita.

Just post again if you still have more problems.

- Jet Ian

[Kayeita]

Yay! My touch pad scrollie button works again! =)

Quote:

About Panda and Kaspersky.. They are not programs, they are "online virus scanners" so nothing to worry about Kayeita.

They both show up in my add/remove programs list. I'll just remove them. I'm sure if I ever need them again... well, I'll be on this forum again asking for help! hehe!

Would my system now be considered clean to update to windows service pack 2? I can bring forward questions about SP2 to the appropriate thread, but I just want to make sure I'd have the 'clean stamp' to move forward with that.

Thanks so much!

[Jag11]

I'm glad your touchpad works again.

And yes, you can now update to SP2 since your computer is clean. Any questions again just leave them here.