Have also removed all the entries listed in the attached Hijack log under autorun entries. They came back on reboot. Also, all my Wallpaper is gone except for a warning about being infected with "Jojan-spy.HTML.Smitfraud.c". I managed to get rid of the wallpaper but the progam that generated the warning is still on my taskbar and I CAN'T get rid of it. The icon is a red dot with a white exclamation point in the middle. This seems to be associated with a file in System32 called 'Intel32.exe', which comes up on TrojanHunter as a possible trojan file. It also is listed by Microsoft (with the same icon) as a legitimate file.
Any suggestion, since I can't get any local removal tools to run on the computer? If I have to format, I'll be running LinSpire from now on.
here is my Hijack This log.
StartupList report, 7/3/2005, 1:50:32 AM
StartupList version: 1.52
Started from : D:\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\RunDll32.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\System32\intel32.exe
F:\Program Files\Messenger\msmsgs.exe
F:\windows\fbduves.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\HPZipm12.exe
D:\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\System32\c_93cwiz.exe,F:\Documents and Settings\Cal Aylsworth.WHITEBOX\Application Data\Explorer\c_93cwiz.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HP Component Manager = "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
QuickTime Task = "F:\Program Files\QuickTime\qttask.exe" -atboottime
intel32.exe = F:\WINDOWS\System32\intel32.exe
Browser Shedule = F:\WINDOWS\System32\c_93cwiz.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
uaribnx = f:\windows\fbduves.exe
ewvfycv = f:\windows\fbduves.exe
awwuobu = f:\windows\fbduves.exe
ripgumb = f:\windows\fbduves.exe
yeymuhq = f:\windows\fbduves.exe
ajbmvuo = f:\windows\fbduves.exe
rgkuhmv = f:\windows\fbduves.exe
jpwlgja = f:\windows\fbduves.exe
wgfqewp = f:\windows\fbduves.exe
lnbhemk = f:\windows\fbduves.exe
vjywngj = f:\windows\fbduves.exe
mmrmnwt = f:\windows\fbduves.exe
sovurxx = f:\windows\fbduves.exe
froppbn = f:\windows\fbduves.exe
ypsynro = f:\windows\lpmhhne.exe
dwneqhg = f:\windows\lpmhhne.exe
nrhwiba = f:\windows\lpmhhne.exe
vaicyab = f:\windows\epnqccm.exe
korkovc = f:\windows\epnqccm.exe
vvsryuo = f:\windows\epnqccm.exe
vvqhlvf = f:\windows\epnqccm.exe
nxmarau = f:\windows\tvvgspw.exe
rghxltq = f:\windows\tvvgspw.exe
uhkixop = f:\windows\tvvgspw.exe
gxrbhvq = f:\windows\tvvgspw.exe
grpvtqw = f:\windows\cwmkdwk.exe
eyctohy = f:\windows\cpujbsr.exe
Browser Shedule = F:\WINDOWS\System32\c_93cwiz.exe
icgkkhw = f:\windows\cpujbsr.exe
rxefpqn = f:\windows\cpujbsr.exe
nirncsn = f:\windows\cpujbsr.exe
cpfyohf = f:\windows\dmhecsb.exe
--------------------------------------------------
Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe,c_93cwiz.exe
SCRNSAVE.EXE=F:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Programs\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programs\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - f:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Support.com Configuration Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = http://www.comcastsu...oad/tgctlcm.cab
[Microsoft Office Template and Media Control]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab
[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab
[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.t...all/xscan60.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = F:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....467&clcid=0x409
[Office Update Installation Engine]
InProcServer32 = F:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc2.cab
[RdxIE Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab
[WUWebControl Class]
InProcServer32 = F:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1115009805390
[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab
[{88D758A3-D33B-45FD-91E3-67749B4057FA}]
CODEBASE = http://dm.screensave.../sinstaller.cab
[PhxStudent.OeSetup15]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\PhxStudent15.ocx
CODEBASE = https://mycampus.pho...hxStudent15.CAB
[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: F:\WINDOWS\System32\flsmngr.dll
Protocol #2: F:\WINDOWS\System32\flsmngr.dll
Protocol #14: F:\WINDOWS\System32\flsmngr.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
Browser Messenger: *Registry value not found*
--------------------------------------------------
End of report, 8,391 bytes
Report generated in 0.125 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only