View Full Version : critical system errors



Badger21
2006-12-15, 13:05
I get a flashing bomb warning triangle in the system tray with a balloon that pops up that states: "Sysem detected virus activities. They may cause critical system failure. Please, use AntiSpyware software to clean and protect your system from parasite programs. Click this balloon to get all available software." This program hijacked my Internet Explorer, but I cleaned out all cookies, etc., which released it. Attached are the HijackThis log and online scan log.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:30 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\OmniPagePro14.0\Opware14.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\Paul\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160858920656
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.2 [ENU]) - http://bp.piedmontng.com/ddrint/work/iedpwenu.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


I have followed all of the instructions from before you post.

Badger21
2006-12-15, 13:13
Here are the online virus scan results. They were too big to include in the first post.

BitDefender Online Scanner
Scan report generated at: Thu, Dec 14, 2006 - 23:51:25
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;
Statistics
Time 02:18:06
Files 916004
Folders 15086
Boot Sectors 6
Archives 8593
Packed Files 109239
Results
Identified Viruses 9
Infected Files 33
Suspect Files 2
Warnings 0
Disinfected 0
Deleted Files 37
Engines Info
Virus Definitions 339086
Engine build AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263B6D79.exe=>(Quarantine-2) Detected with: Application.Dialer.FN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263B6D79.exe=>(Quarantine-2) Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263B6D79.exe=>(Quarantine-2) Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263E1775.exe=>(Quarantine-2) Detected with: Application.Dialer.FN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263E1775.exe=>(Quarantine-2) Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263E1775.exe=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP216\A0030573.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP216\A0030573.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP216\A0030573.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030584.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030584.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030584.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030601.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030601.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030601.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030602.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030602.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030602.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030603.dll Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030603.dll Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030603.dll Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030605.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030605.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP217\A0030605.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030621.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030621.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030621.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030638.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030638.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030638.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030639.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030639.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030639.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030640.dll Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030640.dll Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030640.dll Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030642.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030642.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP218\A0030642.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030658.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030658.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030658.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030675.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030675.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030675.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030676.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030676.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030676.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030677.dll Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030677.dll Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030677.dll Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030679.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030679.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030679.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030685.dll Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030685.dll Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030685.dll Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030686.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030686.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030686.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030687.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030687.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030687.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030704.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030704.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030704.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030732.dll Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030732.dll Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030732.dll Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030733.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030733.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030733.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030734.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030734.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030734.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030737.exe Infected with: Trojan.Downloader.Zlob.AEM
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030737.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030737.exe Deleted
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030738.exe Infected with: Trojan.Downloader.Zlob.AEL
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030738.exe Disinfection failed
C:\System Volume Information\_restore{D93B85DA-B87E-4BD6-92A4-06DB3CE9529C}\RP219\A0030738.exe Deleted
F:\System Volume Information\_restore{614E99A6-084A-4882-BB25-D57FC70BDFBC}\RP45\A0010516.exe Infected with: DeepScan:Generic.Malware.SFMWH@mmg.B6CB6A59
F:\System Volume Information\_restore{614E99A6-084A-4882-BB25-D57FC70BDFBC}\RP45\A0010516.exe Disinfection failed

pskelley
2006-12-15, 22:33
Welcome to the forum. This sounds like one of the Smitfraud infections. Are you receiving any other symptoms, like popups? If so, where are they directing you? Let's check for Smitfraud like this:

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)

Thanks

Badger21
2006-12-16, 12:28
I did as instructed; here is the report.



SmitFraudFix v2.130

Scan done at 6:22:28.57, Sat 12/16/2006
Run from C:\Documents and Settings\Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\qrzsyr.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Paul


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Paul\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Paul\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{01b55afa-f451-474b-9e91-c35b24d02641}"="boob"

[HKEY_CLASSES_ROOT\CLSID\{01b55afa-f451-474b-9e91-c35b24d02641}\InProcServer32]
@="C:\WINDOWS\system32\qrzsyr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01b55afa-f451-474b-9e91-c35b24d02641}\InProcServer32]
@="C:\WINDOWS\system32\qrzsyr.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2006-12-16, 12:47
Thanks for returning that report. You can see the infection is still on your computer:

http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed, please do this:

1) Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

2) Your Java program is badly out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_12\ >>> please install the newest version and uninstall all old versions in Add Remove programs.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Follow these instructions to clean your System Restore files. Turn them off, reboot, turn them on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

5) Follow these instructions to clean the Symantec\Norton AntiVirus\Quarantine\:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

6) Start > Run > type "cleanmgr" without the quotes then OK. Allow cleanmgr to run and I suggest you delete what Windows finds.

Restart the computer and post the report from Smitfraudfix and a new HJT log. Please let me know how your computer is running now.

Thanks
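An added helper for reading logs like the ones in this thread (example code, not part of the thread and not HijackThis's own): it parses the HJT entry lines, flags the blank R0 values and "(file missing)" entries pskelley looks at first, and diffs a before/after log of the same machine. The two sample logs are constructed excerpts of the logs posted above.

```python
"""Parse HijackThis v1.99 logs, triage a few entry classes, and diff two logs."""
import re
from collections import defaultdict

# One HijackThis entry: "<section> - <body>", e.g. "R0 - HKCU\...\Main,Start Page ="
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(section, body), ...] for every HijackThis entry line in the log.

    Header, process-list and blank lines do not match the pattern and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def triage(entries):
    """Group entries into the classes a helper checks first.

    blank_setting : R0/R1 IE start/search values that are empty. Not malicious
                    by themselves, but a typical leftover of a browser hijack;
                    "Fix checked" in HJT resets them to the defaults.
    file_missing  : entries whose target no longer exists on disk (orphaned
                    uninstall leftovers or hooks of an already removed infection).
    unknown_owner : O23 services with no vendor string; worth comparing against
                    the running-process list before deciding they are benign.
    """
    groups = defaultdict(list)
    for section, body in entries:
        line = f"{section} - {body}"
        if section in ("R0", "R1") and body.endswith("="):
            groups["blank_setting"].append(line)
        if "(file missing)" in body:
            groups["file_missing"].append(line)
        if section == "O23" and "Unknown owner" in body:
            groups["unknown_owner"].append(line)
    return dict(groups)


def diff_logs(before_text, after_text):
    """Return (removed, added): entries that disappeared or appeared between two logs."""
    def fmt(entry_set):
        return sorted(f"{sec} - {body}" for sec, body in entry_set)
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return fmt(before - after), fmt(after - before)


# Constructed excerpt of the first log in this thread (before the fix).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Constructed excerpt of the second log (after "Fix checked" and the Java update).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for group, lines in triage(parse_hjt(BEFORE_LOG)).items():
        print(f"[{group}]")
        for line in lines:
            print("  ", line)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```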

Badger21
2006-12-16, 16:55
Followed all instructions; attached is the HijackThis log. The Smitfraud report will be posted next. The balloon and bomb are gone.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:09 AM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\OmniPagePro14.0\Opware14.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160858920656
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.2 [ENU]) - http://bp.piedmontng.com/ddrint/work/iedpwenu.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Badger21
2006-12-16, 16:56
Log

SmitFraudFix v2.130

Scan done at 9:12:51.92, Sat 12/16/2006
Run from C:\Documents and Settings\Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{01b55afa-f451-474b-9e91-c35b24d02641}"="boob"

[HKEY_CLASSES_ROOT\CLSID\{01b55afa-f451-474b-9e91-c35b24d02641}\InProcServer32]
@="C:\WINDOWS\system32\qrzsyr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01b55afa-f451-474b-9e91-c35b24d02641}\InProcServer32]
@="C:\WINDOWS\system32\qrzsyr.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\qrzsyr.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2006-12-16, 17:27
Thanks for returning your information and the feedback. Your logs all look good; how is the computer running now? If you are back to normal, I would say you are good to go.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks and a Merry Christmas to you.
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.