Integrity threats detected



bwill
2007-04-12, 02:02
Here's the log from HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:14 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\xsjizavm.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steinbachnutcrackers.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: (no name) - {523DE7AF-91B1-6BFE-6E84-032D3E62CD8D} - C:\WINDOWS\system32\mrlfskc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {df397028-1dd1-11b2-800b-b91d442583d7} - C:\WINDOWS\system32\N7mpPPQk.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xsjizavm.exe] C:\WINDOWS\system32\xsjizavm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
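
A log like the one above is read by eye for entries that do not belong: nameless browser helper objects loading DLLs from system32, and an autostart whose executable has a random-looking name in the same folder (the items pskelley later suspects). As an added example, not from the thread, from HijackThis or from Safer Networking, the script below automates that first pass over a constructed excerpt of this log. The allowlist of stock XP binaries and the random-name heuristic are assumptions chosen for illustration, not a signature set; anything flagged is a candidate for review, not a verdict.

```python
"""Triage a HijackThis log for the patterns seen in this thread.

Added example, not part of the thread or of HijackThis. The allowlist and the
random-name heuristic are assumptions chosen for illustration, not a signature set.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed excerpt of the log posted at the top of the thread (a few lines only).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xsjizavm.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {523DE7AF-91B1-6BFE-6E84-032D3E62CD8D} - C:\WINDOWS\system32\mrlfskc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {df397028-1dd1-11b2-800b-b91d442583d7} - C:\WINDOWS\system32\N7mpPPQk.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [xsjizavm.exe] C:\WINDOWS\system32\xsjizavm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: a short allowlist of stock Windows XP binaries that legitimately live in system32.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "ctfmon.exe", "wuauclt.exe",
}
VOWELS = set("aeiouy")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]*)\]\s+"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def looks_random(stem: str) -> bool:
    """Heuristic: almost no vowels, or digits mixed into letters, is unusual for a stock binary."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digit_mix = any(c.isdigit() for c in stem)
    return vowel_ratio < 0.3 or digit_mix


def directly_in_system32(path: str) -> bool:
    """True for <drive>:\Windows\system32\<file>; False for sub-folders or other locations."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 3 and parts[-3] == "windows" and parts[-2] == "system32"


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {path: [reasons]} for log entries that deserve a closer look."""
    findings: dict[str, list[str]] = {}

    def note(path: str, reason: str) -> None:
        findings.setdefault(path, []).append(reason)

    def check_binary(kind: str, path: str) -> None:
        p = PureWindowsPath(path)
        if directly_in_system32(path) and p.name.lower() not in KNOWN_SYSTEM32 and looks_random(p.stem):
            note(path, f"{kind}: unfamiliar system32 binary with a random-looking name")

    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):                      # "Running processes" section
            check_binary("process", line)
        elif (m := O2_RE.match(line)):                  # browser helper objects
            path = re.sub(r"\s*\((?:file missing|no file)\)$", "", m["path"])
            if m["name"] == "(no name)" and directly_in_system32(path):
                note(path, "BHO: nameless helper object loading a DLL from system32")
            check_binary("BHO", path)
        elif (m := O4_RE.match(line)):                  # Run-key autostarts
            check_binary("autorun", m["path"])
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone it lists the three system32 files from the excerpt (xsjizavm.exe, mrlfskc.dll, N7mpPPQk.dll) with the reason each was flagged, while ctfmon.exe, svchost.exe and the files in the system32\dla sub-folder pass. Feed the full log to `triage()` to get the same first cut over every Running-processes, O2 and O4 line.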

pskelley
2007-04-13, 16:18
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports, anything less will slow your process. Use "Post Reply" to post the information in the instructions and stay in the same topic. Please complete the instructions in the numbered order.

1) Please include the results of the free anti virus scan as described in the instructions.

2) Please tell me what this is: "Integrity threats detected", if these are error messages, post them "word for word"

3) This may be a Vundo trojan. Please return to here: C:\Program Files\HijackThis\HijackThis.exe and rename HJT, call it bwill.exe or whatever you wish; we may get a look at Vundo in the next log if present.

4) http://forums.security-central.us/showthread.php?t=3165 <<< you have this program on board, please follow those instructions and post the scan results.
Be sure to delete or at least quarantine anything it finds.

Restart the computer and post the results of the free online antivirus scan you used, the scan results from AVG anti-Spyware, any error messages you receive "word for word" and a new HJT log.

Thanks

I am adding to this topic because I have noticed you have no antivirus program running on the computer. AVG Anti-Spyware is NOT an anti-virus program. If you need a free one, choose one from these and download, install and run it.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

bwill
2007-04-17, 03:13
1. The free anti-virus scan from Bit Defender found nothing.

2."Integrity threats detected" is a balloon that pops up in the notification area of the taskbar. When you click on the balloon, it takes you to a screen which is titled "Personal Security Center" and tells you you should download and install "Ultimate Fixer" which comes at a fee.

3. I ran VundoFix which also found nothing.

4. I also ran AVG 7.5 free anti-virus software, which found 54 items. It took care of 51, but said the other 3 would require a system restart. When I restarted the system, the screen went blank and would not reboot until I unplugged the battery of the laptop and waited before plugging it back in.

pskelley
2007-04-17, 03:33
We seem to have a communication problem here. These are the instructions I posted:

Restart the computer and post the results of the free online antivirus scan you used, the scan results from AVG anti-Spyware, any error messages you receive "word for word" and a new HJT log.

I am adding to this topic because I have noticed you have no antivirus program running on the computer. AVG Anti-Spyware is NOT an anti-virus program. If you need a free one, choose one from these and download, install and run it.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
1) If Bit Defender found nothing, run another one, let's get a second opinion. The instructions are to post the scan results. I want to see them.

2) Sounds like it may be Smitfraud, follow ONLY these directions:

http://siri.geekstogo.com/SmitfraudFix.php <<< download SmitfraudFix from here.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

3) All I requested was that you rename HJT.exe?

4) Post the scan results.

If I am to continue, you are going to have to follow directions. Post the results of an online antivirus scan, the C:\rapport.txt from SmitfraudFix, the scan results from AVG Anti-Spyware and a NEW HijackThis log.

Thanks

bwill
2007-04-17, 20:50
I tried to do what you asked. I ran an online scan using Trend Micro's housecall.

I downloaded the Smitfraudfix.exe file and ran it. I did the scan and then started in safe mode to do the clean as the directions said I should do. When I started the clean function, my computer froze then tried to restart. During the boot up process an error message comes up that says "autochk program not found - skipping AUTOCHECK" then it just loops back and tries to reboot again and again.

I tried to start up in safe mode, but even that does not boot up...just keeps looping back over and over.

pskelley
2007-04-17, 23:11
This is a major problem with the SmitfraudFix tool. Here is another one and I am sure there are more. As soon as I have information from the tool creator, I will post it for you. Can you assure me that you ran only the "Search" function? Let me know if you figure out how to correct the issues, and do not attempt to use the tool again.

Thanks

http://forums.spywareinfo.com/index.php?act=ST&f=18&t=97272


I need to edit this post to call your attention to this:
2) Sounds like it may be Smitfraud, follow ONLY these directions:

This is what you said:

I downloaded the Smitfraudfix.exe file and ran it. I did the scan and then started in safe mode to do the clean as the directions said I should do. When I started the clean function, my computer froze then tried to restart. During the boot up process an error message comes up that says "autochk program not found - skipping AUTOCHECK" then it just loops back and tries to reboot again and again.
Once again you have failed to follow the posted instructions. No instructions to run the clean function in safe mode were posted for you?

I will post additional information about the issue as I receive it.

bwill
2007-04-18, 19:41
I'm sorry...I was following the directions given by the program you asked me to download and run. I guess I should have only done step 1. At any rate, I've now turned the laptop over to an expert and hope they will be able to fix the problem. Thanks for your attempts to help. Sorry if I caused some heartburn.

pskelley
2007-04-18, 21:16
Thanks for the feedback, I have the information that was posted by the creator of Smitfraudfix in case it helps your expert, it is as follows:
_________________________________________________________________

SmitfraudFix 2.169 bug: removes execution permissions from the %SYSTEM% folder.
If your system has been corrupted, restore the NTFS permissions with this procedure:

- Install a new Windows version on a different hard drive or in a different folder. DO NOT CHOOSE TO REINSTALL IN THE SAME FOLDER.
or plug the hard drive into a working Windows system.

- At this point you can boot into a Windows system that can deal with NTFS permissions.
- To view this security tab on Windows Home computers, download: ftp://ftp.microsoft.com/bussys/winnt/winn...scm/scesp4i.exe
- Double click to extract the content in a folder.
- Right Click on setup.inf. Install. REFUSE ALL FILE REPLACEMENT.

- Browse to the C:\Windows\system32\ folder. (the altered %SYSTEM% folder)
- Right click, properties, security tab
- Select System, click on Authorise Full Control, Apply
- Select Everyone, click on Authorise Full Control, Apply
- Ok

- If the disk was plugged into another computer, plug it back into the original box.
- Boot the computer into the original Windows. (If a new system was installed, select the original Windows when booting.)
- Download swxcacls: http://www.xs4all.nl/~fstaal01/downloads/swxcacls.exe
- Save it in the C:\ root folder
- open a CMD window (WINDOWS+R keys, type cmd, Enter)
- type: cd c:\
- type: swxcacls C:\Windows\system32 /GE:F /i enable

If a new system was installed, you can edit C:\boot.ini:
- Right click on My Computer
- Advanced, Startup and restoration parameters button, Modify button.

Regards
S!Ri
_________________________________________________________________

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-04-19, 16:15
Additional information if it helps your technician:

From the creator of Smitfraudfix


I've just edited and modified the procedure.

Thanks to Bobbi Flekman, who has given me some advice on the swxcacls command:
It is better to type:

swxcacls C:\Windows\system32 /GE:F /Reset enable

Instead of the previous command.

Best regards
S!Ri
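
The repair procedure quoted in the 2007-04-18 post, and the corrected swxcacls command above, both aim at one thing: putting execute rights back on the %SYSTEM% folder that SmitfraudFix 2.169 stripped. A technician wants to confirm the damage before the repair and the result after it. As an added example, not from the thread, from SmitfraudFix or from S!Ri, the script below parses the folder ACL as printed by `icacls` (the built-in tool on Windows Vista and later; the XP machine in this thread has `cacls`, whose `principal:rights` layout is assumed here to be close enough) and reports which principals can no longer execute. The two listings are constructed samples, not output captured from the affected laptop.

```python
"""Check whether an NTFS ACL on a folder still grants execute rights.

Added example, not part of the thread or of SmitfraudFix. Parses the output layout
of icacls (Windows Vista and later); the sample listings below are constructed.
"""
from __future__ import annotations

import re

# Constructed icacls-style listings: one healthy, one with execute stripped from everyone.
HEALTHY = r"""
C:\Windows\system32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

DAMAGED = r"""
C:\Windows\system32 NT AUTHORITY\SYSTEM:(OI)(CI)(R)
                    BUILTIN\Administrators:(OI)(CI)(R)
                    BUILTIN\Users:(OI)(CI)(R)

Successfully processed 1 files; Failed processing 0 files
"""

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights that include execute, plus the generic/specific execute tokens icacls prints.
EXECUTE_RIGHTS = {"F", "M", "RX", "GE", "X"}
# Assumption: the principals that must be able to run binaries from system32.
REQUIRED_PRINCIPALS = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "BUILTIN\\Users")
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<ace>(?:\([^)]*\))+)\s*$")


def parse_acl(listing: str, folder: str) -> dict[str, set[str]]:
    """Return {principal: set of rights tokens}, merging all ACEs for the same principal."""
    rights: dict[str, set[str]] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.lower().startswith(folder.lower()):     # first line carries the path prefix
            line = line[len(folder):].strip()
        m = ACE_RE.match(line)
        if not m:                                       # blank lines and the summary line
            continue
        for tok in re.findall(r"\(([^)]*)\)", m["ace"]):
            if tok in INHERITANCE_FLAGS:
                continue
            rights.setdefault(m["who"], set()).update(t.strip() for t in tok.split(","))
    return rights


def can_execute(rights: dict[str, set[str]], principal: str) -> bool:
    """True if any right granted to the principal carries execute."""
    return bool(rights.get(principal, set()) & EXECUTE_RIGHTS)


def missing_execute(listing: str, folder: str) -> list[str]:
    """Principals that should be able to run binaries from the folder but cannot."""
    acl = parse_acl(listing, folder)
    return [p for p in REQUIRED_PRINCIPALS if not can_execute(acl, p)]


if __name__ == "__main__":
    for label, listing in (("healthy", HEALTHY), ("damaged", DAMAGED)):
        print(label, "->", missing_execute(listing, r"C:\Windows\system32") or "all principals can execute")
```

On a repaired machine, paste the real output of `icacls C:\Windows\system32` into `missing_execute()`; an empty list means execute rights are back for SYSTEM, Administrators and Users. Note that the quoted procedure grants Full Control to Everyone, which is broader than the stock ACL in which Users hold only Read and execute; the check above only asks whether execute is present, so tightening the grant back down afterwards is a separate step.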

pskelley
2007-04-23, 14:18
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks