This is my HJT and SmitfraudFix log. Please help!

A month ago I got infected with a trojan. As I am new to virus checking, I did some online searching and got ewido, SmitfraudFix, Ad-Aware, Spybot S&D and avast AV to help me get rid of it. I actually found quite a few more infections, which I have removed using these programs. The problem is that something must still be going on, because from time to time I get a blue warning screen (which never showed before the initial infection), after which the PC restarts automatically.
Moreover, I can't update Windows because the same screen appears when I try to install my downloaded updates...

Any help will be more than appreciated...

These are the HJT and SmitfraudFix reports:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:39 μμ, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [7f8e] C:\WINDOWS\system32\z1201.exe 9idf
O4 - HKLM..\Run: [Cleanup] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcappins.exe /v=3 /cleanup
O4 - HKLM..\Run: [msci] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcinfo.exe /insfin
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - blank (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

SmitFraudFix v2.99

Scan done at 21:57:06,93, 11/10/2006
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spiros\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Spiros\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
“{2C1CD3D7-86AC-4068-93BC-A02304BB3339}”=“DCOM Server 3339”

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@=“blank”

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@=“blank”

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

PS: I’ve used rootkitrevealer for this pe386-msguard-lzx32 infection but the app found nothing…

Hi kaiman,

A quick Google search reveals that AVG anti-rootkit is being recommended for removal of pe386.

Scroll the page here until you come to ‘Download and install AVG Antirootkit Beta’ and follow the instructions:

http://www.castlecops.com/p838675-Need_my_HJT_log_checked.html

This entry in your HijackThis! log looks very suspicious. If you can find the file, try submitting it to VirusTotal and see if it is detected as malware:

http://www.virustotal.com/en/indexf.html

O4 - HKLM..\Run: [7f8e] C:\WINDOWS\system32\z1201.exe 9idf

You should have HijackThis! fix the entry if it is detected as malware. Boot into safe mode after fixing it and delete the file.

You can also fix the following entry with HijackThis!

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - blank (file missing)
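The advice above (a random-looking Run key name, a file nobody can find, a loader that runs from a Temp folder) is the kind of triage a log reader does by eye. As an added example, not code from this thread or from the HijackThis authors, here is that triage written down: it parses O4 lines in HijackThis 1.99 format and flags the ones a helper would want to look at first. The sample lines are taken from the log posted above; the heuristics (hex-looking key names, Temp paths, bare filenames resolved through the search path) are assumptions about what counts as suspicious and are meant as prompts for a human, not as a verdict.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in this thread
# (backslashes restored; the forum software stripped some of them).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [7f8e] C:\WINDOWS\system32\z1201.exe 9idf
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [name] command" (the backslash before ".." is optional
# because forum posts often lose it).
O4_RE = re.compile(r"^O4 - (HK\w+)\\?\.\.\\Run: \[([^\]]*)\]\s*(.*)$")

# Assumption: a short, all-hex key name like "7f8e" is the sort of name
# generated malware uses; legitimate vendors name their entries.
RANDOM_NAME_RE = re.compile(r"[0-9a-f]{3,8}")


def parse_o4(text):
    """Return dicts with hive, name, path and args for each O4 Run entry."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group(1), m.group(2), m.group(3).strip()
        if cmd.startswith('"'):                 # quoted path, possibly with spaces
            end = cmd.find('"', 1)
            if end == -1:
                end = len(cmd)
            path, args = cmd[1:end], cmd[end + 1:].strip()
        else:                                   # unquoted: path is the first token
            path, _, args = cmd.partition(" ")
        entries.append({"hive": hive, "name": name, "path": path, "args": args})
    return entries


def triage(text):
    """Map each suspicious entry name to the list of reasons it was flagged."""
    findings = {}
    for e in parse_o4(text):
        reasons = []
        if RANDOM_NAME_RE.fullmatch(e["name"]):
            reasons.append("random-looking hex name")
        if "\\temp\\" in e["path"].lower():
            reasons.append("runs from a Temp directory")
        if "\\" not in e["path"]:
            # A bare filename is found via the PATH search order, so the
            # file actually run may not be the one the helper expects.
            reasons.append("bare filename, resolved via search path")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4).items():
        print(f"[{name}]: " + "; ".join(reasons))
```

Entries that trip no heuristic (avast!, ctfmon.exe, the quoted ZoneAlarm path) are not listed at all; the point is to shorten the list a human has to check, and a flagged entry such as the Temp-folder installer remnants still needs a person to decide whether it is malware or just leftover junk.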

Thanks for the quick answer. Trying out the AVG program. Unfortunately I can't find the file you said to send to VirusTotal.
I'll post the results...!

You may need to enable viewing of hidden files:

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Hi Kaiman:

Where did you find that outdated version (2.99) of SmitfraudFix? The latest version is 2.109. There may be more detected if you use the latest version!?

I downloaded the AVG rootkit tool and followed the instructions. It seems to have worked, because I managed to update Windows all right. I got SmitfraudFix from http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
I will enable hidden files and check again.
I will also try to get the latest SmitfraudFix version and rescan. I'll post the new reports.
Thanks for the responses.

Hi Kaiman:

Very strange; at the top of the link you quoted, it says "v2.110" (a new "update" from yesterday), so I am very surprised your posted scan result shows "2.99"!?

Got the updated version. I had 2.99 and didn't bother to check for updates...
I'll run it tomorrow and post new reports.
Thanks Spiritsongs.

I ran the AVG rootkit tool with ADS Spy and added the fix.reg file to the registry.
These are fresh SmitfraudFix and HJT reports:

SmitFraudFix v2.110

Scan done at 16:03:11,51, 18/10/2006
Run from C:\Program Files\Virus\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spiros

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spiros\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
“{2C1CD3D7-86AC-4068-93BC-A02304BB3339}”=“DCOM Server 3339”

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@=“blank”

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB3339}\InProcServer32]
@=“blank”

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 4:19:54 μμ, on 18/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [7f8e] C:\WINDOWS\system32\z1201.exe 9idf
O4 - HKLM..\Run: [msci] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcinfo.exe /insfin
O4 - HKLM..\Run: [Cleanup] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcappins.exe /v=3 /cleanup
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - blank (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

At the moment I can't access fsecure.com to get BlackLight. Is this necessary?

Hi Kaiman:

First off, when using SmitfraudFix, ONLY the latest version should be used AND all "old" versions should be uninstalled.
I see from your latest SmitfraudFix log that "pe386" is still there!? And I was unable to find any info as to IF "DCOM Server 3339" should be on your computer!?
Since HJT & SmitfraudFix logs are best analyzed by volunteer Experts on antiSPYWARE forums AND you have Spybot, perhaps you should ask for help on THEIR Support Forums @ http://forums.spybot.info !?

Will do. Thanks for the reply, Spiritsongs.

Though I have to say I've come across a similar problem in one of those forums, where the SmitfraudFix reports before and after removal of pe386 with AVG Anti-Rootkit and ADS Spy were exactly like mine (as far as pe386 is concerned). The volunteer expert suggested to the infected user that a final report such as the one in my last post meant that pe386 was gone...!?

Hi:

I rarely recommend the Spybot Support Forums, though they have good Experts there and their "turnaround" time may be "slow"!? I usually recommend the forums at www.landzdown.com, which also have very good Experts, but their "turnaround" time seems to be very quick. There are several very good forums.

This is a positive result for pe386:

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

This seems to be a negative one:

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

Kaiman, have you taken the advice in my post?

This entry in your HijackThis! log looks very suspicious. If you can find the file, try submitting it to VirusTotal and see if it is detected as malware:

http://www.virustotal.com/en/indexf.html

O4 - HKLM..\Run: [7f8e] C:\WINDOWS\system32\z1201.exe 9idf

You should have HijackThis! fix the entry if it is detected as malware. Boot into safe mode after fixing it and delete the file.

You can also fix the following entry with HijackThis!

O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - blank (file missing)

The DCOM Server entry has the file missing tag, so it may well be inactive. If you can fix the entry with HijackThis! and it doesn’t come back, I shouldn’t worry about it.

The z1201.exe I am almost 100% sure is malware, so you really need to remove it.

The inability to access the BlackLight site may be due to malware entries in the hosts file.

http://en.wikipedia.org/wiki/Hosts_file

Once again Spiritsongs, sending people away to another forum while somebody is trying to help them here is only going to really piss off the person trying to help, and I don’t seem to be the only person you have annoyed in this way:

Eptaylor, I don't want to be rude, but I have deleted almost all of your posts. They all keep telling users to go to other forums. If that's what they wanted, they would have joined there in the first place!

http://forum.ccleaner.com/index.php?act=Print&client=printer&f=9&t=2887
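The hosts-file point above is worth making concrete: Windows consults C:\WINDOWS\system32\drivers\etc\hosts before DNS, so a line mapping a vendor's site to 127.0.0.1 makes that site unreachable, and a line mapping it to some other address sends the victim wherever the attacker likes. As an added example (not code from this thread or from any of the tools mentioned in it), the script below parses a hosts file, reports every entry that overrides a watched security or update domain, and produces a cleaned copy. The sample hosts content and the watch list are constructed for the example; the 198.51.100.7 address is a documentation (TEST-NET) address standing in for an attacker's server.

```python
import ipaddress
import sys

# Constructed sample hosts file (made up for this example, not the poster's file).
# The first two lines are what a stock Windows XP hosts file contains; the rest
# are the kind of entries malware adds to keep the victim off security sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       f-secure.com
127.0.0.1       www.virustotal.com
198.51.100.7    www.avast.com   # hijacked to a third party (TEST-NET address)
"""

# Security-vendor, help-forum and update domains whose presence in hosts is suspect.
# Assumption: an illustrative watch list, not a complete one.
WATCHED = ("f-secure.com", "virustotal.com", "avast.com", "castlecops.com",
           "bleepingcomputer.com", "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a hosts entry
        for host in parts[1:]:                  # one IP may carry several names
            entries.append((str(ip), host.lower()))
    return entries


def watched_domain(host):
    """Return the watch-list domain that host equals or is a subdomain of, else None."""
    for domain in WATCHED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_suspect_entries(text):
    """Return [(host, ip, why)] for every watched domain the hosts file overrides."""
    suspects = []
    for ip, host in parse_hosts(text):
        if watched_domain(host) is None:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            why = "sinkholed to loopback"       # site made unreachable
        else:
            why = "redirected to " + ip         # site silently sent elsewhere
        suspects.append((host, ip, why))
    return suspects


def clean_hosts(text):
    """Return the hosts text with the suspect lines removed; everything else verbatim."""
    bad_hosts = {host for host, _, _ in find_suspect_entries(text)}
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and any(h.lower() in bad_hosts for h in parts[1:]):
            continue                            # drop the malicious override
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; defaults to the built-in sample.
    # On Windows XP the real file is C:\WINDOWS\system32\drivers\etc\hosts.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, ip, why in find_suspect_entries(text):
        print(f"{host:30} {ip:16} {why}")
```

Two caveats a practitioner would add: the hosts file is often set read-only or hidden by the same malware, so check its attributes before trying to write a cleaned copy back, and an empty or stock hosts file does not rule out interception, since a rootkit driver such as the one SmitfraudFix flagged above can filter traffic without touching it.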

Hi FreewheelinFrank!
I enabled hidden files but I still can't find z1201.exe. Auto and manual search in windows/system32...
I'll try to fix with HJT anyway... this and dcomserver.
Thanks for the reply!!

You're right about the hosts file... BTW

These things sometimes have hidden protection: if you fix them with HijackThis! and they come back, please let me know: there are firmer measures that can be taken to delete them!

Don’t forget to boot into safe mode and see if you can find the file z1201.exe and delete it after fixing the entry.

You're right about the hosts file... BTW

Not a big surprise. Malware often tries to block anti-malware sites here.

Well, I edited the hosts file... everything is OK now.
Fixed dcomserver and z1201 with HJT.
These are my new logs from HJT and SmitfraudFix:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:01 μμ, on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [msci] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcinfo.exe /insfin
O4 - HKLM..\Run: [Cleanup] C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcappins.exe /v=3 /cleanup
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

SmitFraudFix v2.110

Scan done at 23:04:12,43, 20/10/2006
Run from C:\Program Files\Virus\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spiros

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spiros\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
“{2C1CD3D7-86AC-4068-93BC-A02304BB3339}”=“DCOM Server 3339”

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Booted into safe mode but still couldn’t find z1201.exe.

The HijackThis! log looks good. Any problems remaining?

There are a couple of entries for the Yahoo! toolbar (uninstalled?) which are unnecessary and you can fix them. They are highlighted as unnecessary in the following saved report. The unknown entries are legit.

http://hijackthis.de/logfiles/ec0748d764d351ce68134f0fe40be352.html

If you can download BlackLight now, I’d recommend running it just to check for hidden files:

http://www.f-secure.com/blacklight/

I noticed you posted on thatcomputerguy.us as well.

http://forums.thatcomputerguy.us/index.php?showtopic=19842

Trevuren there also recommended AVG anti-rootkit, and is also recommending ADS Spy (another program which will check for hidden files) and ComboFix, which targets various spyware infections:

http://www.windowsbbs.com/showthread.php?t=57442

You may well want to run these as a double check.

Well, I ran BlackLight and it found 0 positives.
I ran ComboFix too and this is the log file:

Spiros - 06-10-22 12:50:07,21 Service Pack 2
ComboFix 06.10.19 - Running from: “C:\Documents and Settings\Spiros\My Documents\Utils”

((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))

2006-10-16 19:11 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-10-07 15:01 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-07 15:01 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-07 15:01 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-07 15:01 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-02 17:26 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-25 23:04 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2006-09-23 17:46 507 --a------ C:\WINDOWS\stat.exe
2006-09-23 17:46 0 --a------ C:\WINDOWS\bot1.exe
2006-09-23 16:06 66,604 --a------ C:\WINDOWS\system32\lzx32.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-22 12:49 -------- d-------- C:\Program Files\Hijack this
2006-10-22 12:40 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-20 23:27 -------- d-------- C:\Program Files\Virus
2006-10-20 23:27 -------- d-------- C:\Documents and Settings\Spiros\Application Data\abelhadigital.com
2006-10-20 22:55 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-18 16:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-16 23:36 -------- d-------- C:\Program Files\Messenger
2006-10-16 23:35 -------- d-------- C:\Program Files\Windows Media Player
2006-10-16 23:35 -------- d-------- C:\Program Files\Internet Explorer
2006-10-16 19:13 -------- d-------- C:\Documents and Settings\Spiros\Application Data\ATI
2006-10-16 19:11 -------- d-------- C:\Program Files\ATI Technologies
2006-10-11 23:44 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-11 22:32 -------- d–h----- C:\Program Files\InstallShield Installation Information
2006-10-07 01:10 73 --a------ C:\WINDOWS\system32\ssprs.dll
2006-10-07 01:10 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2006-10-02 22:36 -------- d-------- C:\Program Files\Outlook Express
2006-10-02 22:36 -------- d-------- C:\Program Files\Common Files\System
2006-10-02 18:01 -------- d-------- C:\Documents and Settings\Spiros\Application Data\Talkback
2006-10-01 23:33 -------- d-------- C:\Program Files\ToniArts
2006-09-30 20:27 -------- d-------- C:\Program Files\BitLord
2006-09-30 20:21 -------- d-------- C:\Program Files\Torrent Harvester
2006-09-30 15:39 -------- d-------- C:\Program Files\Marvell
2006-09-27 16:09 -------- d—s---- C:\Documents and Settings\Spiros\Application Data\Microsoft
2006-09-25 18:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 18:40 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-09-25 18:40 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-09-25 18:39 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-09-25 18:39 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-09-25 18:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-09-25 18:37 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-09-23 18:59 -------- d-------- C:\Program Files\Common Files
2006-09-23 15:10 -------- d-------- C:\Program Files\Lavasoft
2006-09-23 15:10 -------- d-------- C:\Documents and Settings\Spiros\Application Data\Lavasoft
2006-09-23 12:49 -------- d-------- C:\Program Files\FXpansion
2006-09-23 12:48 -------- d-------- C:\Program Files\BFDXFL
2006-09-20 23:07 -------- d-------- C:\Program Files\Yahoo!
2006-09-20 17:48 -------- d-------- C:\Documents and Settings\Spiros\Application Data\Macromedia
2006-09-20 17:16 -------- d-------- C:\Program Files\Zone Labs
2006-09-20 17:13 -------- d-------- C:\Program Files\YooApplications
2006-09-13 08:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 15:20 -------- d-------- C:\Program Files\PhotoFiltre
2006-09-10 10:47 -------- d-------- C:\Program Files\Samsung
2006-08-25 18:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 16:46 720896 --a------ C:\WINDOWS\iun6002.exe
2006-08-23 05:11 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-08-23 04:53 260096 --------- C:\WINDOWS\system32\ati2dvag.dll
2006-08-23 04:53 1723904 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-08-23 04:47 114688 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-08-23 04:46 86016 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-08-23 04:46 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-08-23 04:46 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-08-23 04:46 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-08-23 04:45 413696 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-08-23 04:44 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-08-23 04:38 2401984 --------- C:\WINDOWS\system32\ati3duag.dll
2006-08-23 04:33 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-08-23 04:33 2510752 --------- C:\WINDOWS\system32\ativvaxx.dll
2006-08-23 04:27 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-08-23 04:24 5140480 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-08-23 04:21 221184 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-08-23 04:19 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-08-23 04:14 290816 --------- C:\WINDOWS\system32\ati2cqag.dll
2006-08-21 16:05 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2006-08-21 15:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 12:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 14:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 16:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“Zone Labs Client”=“"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"”
“DeltTray”=“DeltTray.exe”
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“H2O”=“C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe”
“RegistryMechanic”=“”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“msci”=“C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcinfo.exe /insfin”
“Cleanup”=“C:\DOCUME~1\Spiros\LOCALS~1\Temp\200692319012_mcappins.exe /v=3 /cleanup”
“ATICCC”=“"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"”
“DeviceDiscovery”=“C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe”

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
“DeskHtmlVersion”=dword:00000110
“DeskHtmlMinorVersion”=dword:00000005
“Settings”=dword:00000001
“GeneralFlags”=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
“{438755C2-A8BA-11D1-B96B-00A0C90312E1}”=“Browseui preloader”
“{8C7461EF-2B13-11d2-BE35-3078302C2030}”=“Component Categories cache daemon”
“{2C1CD3D7-86AC-4068-93BC-A02304BB3339}”=“DCOM Server 3339”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=“”
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“ewido anti-spyware 4.0”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
“ClearRecentDocsOnExit”=dword:00000001
“NoRecentDocsMenu”=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“dontdisplaylastusername”=dword:00000000
“legalnoticecaption”=“”
“legalnoticetext”=“”
“shutdownwithoutlogon”=dword:00000001
“undockwithoutlogon”=dword:00000001

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
“PostBootReminder”=“{7849596a-48ea-486e-8937-a2a3009f31a9}”
“CDBurn”=“{fbeb8a05-beee-4442-804e-409d6c4515e9}”
“WebCheck”=“{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”
“SysTray”=“{35CEC8A3-2BE6-11D2-8773-92E220524153}”

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”

Completion time: 06-10-22 12:50:33.42
C:\ComboFix.txt … 06-10-22 12:50


As your HijackThis! log looks clean, and nothing is showing up on BlackLight, as far as I can see, your computer is clean.

You may want to post the ComboFix log at thatcomputerguy.us so the person who recommended it can check it over. It obviously contains a list of running processes, applications and drivers and their start up locations, very much like a HijackThis! log.

Nothing leaps out as suspicious to me, but you should really get an expert to look at it. I’m sure Trevuren at thatcomputerguy.us will be able to tell you if there’s anything amiss in the log.