Sorry guys, but I'll be away from this computer for three weeks. I will deal with this when I go back to work after three weeks. I'm going to post a new thread from my home computer. It has the netsky D virus. I'm posting a log of the Hijackthis log.
Texruss
3.4K Posts
0
March 29th, 2004 01:00
A couple of observations...Chris will soon jump in and give more explicit removal procedures. I'm sure I missed a couple.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
Sanford Wallace, the infamous king of spam, owns (or used to) smartbotpro.net
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
BHO...scummy spyware
O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
N-CASE spyware: http://support.microsoft.com/?kbid=317714
O4 - HKLM\..\Run: [DJQWA] C:\WINNT\DJQWA.exe
O4 - HKCU\..\Run: [DKQXBHOUB] C:\WINNT\DKQXBHOUB.exe
Looks like hostile .exe files to me.
All the best,
Texruss
Message Edited by Texruss on 03-28-2004 09:28 PM
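The kind of line-by-line reading done in the post above can be partly automated. This is an added example, not part of the original thread: a small parser for the HijackThis lines quoted there. The function names and the flagging heuristics (orphaned entries, redirected search pages, autostart executables in the Windows directory named after their own Run value) are assumptions made for illustration.

```python
import re

# Log lines copied from the post above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
O4 - HKLM\..\Run: [DJQWA] C:\WINNT\DJQWA.exe
O4 - HKCU\..\Run: [DKQXBHOUB] C:\WINNT\DKQXBHOUB.exe"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # section code, body
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$")
URL_RE = re.compile(r"= (https?://\S+)")
WINDOWS_DIRS = (r"C:\WINNT", r"C:\WINDOWS")

def parse_line(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "body": body, "notes": []}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    if body.endswith("(file missing)"):
        entry["notes"].append("orphaned entry: target file missing")
    url = URL_RE.search(body)
    if code.startswith("R") and url:
        entry["notes"].append("IE search/start page set to " + url.group(1))
    run = RUN_RE.match(body) if code == "O4" else None
    if run:
        _hive, name, path = run.groups()
        parent, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        # Heuristic (assumption): exe sits directly in the Windows directory
        # and its file name is identical to the Run value name.
        if stem.upper() == name.upper() and parent.upper() in WINDOWS_DIRS:
            entry["notes"].append("autostart exe in Windows dir named after its Run value")
    return entry

def triage(log_text):
    """Return only the parsed entries that carry at least one note."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in entries if e["notes"]]
```

Entries that come back with no note, such as the msbb line, are not cleared by this; they still need checking against a startup or BHO reference list.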
ChrisRLG
3.9K Posts
0
March 29th, 2004 06:00
TexrUss, bjswift has a CWS infection, and some items that can be removed by Spybot and/or ad-aware. It is my practice to recommend those programs first in this sort of situation for two reasons.
1) they clean better than manual methods can.
2) the user having used those tools may be more willing to use them in the future, which will help keep them cleaner.
You have missed a few also; this way we get to use hijackthis after these programs on a much smaller problem.
Those that you missed: some of the CWS lines, Hotbar ActiveX control, GMT startup and CMEsys.EXE.
Some tools that you may wish to use for the future (you may already use some of them): CWShredder (start from a shortcut with a /debug flag), Pacman's startup list http://www.sysinfo.org/startuplist.php, Spywareblaster - link on my website (right click the main body and search) for bad ActiveX controls, and lastly the BHO/Toolbar list http://sysinfo.org/bholist.php. I also use spybot (advanced menu) - excludes, products, right click, export list to have a list of objects that it targets.
bjswift
Download, then unzip and run CWShredder to clean up, clicking FIX to have it remove all it finds.
cwshredder from here
or from here
or download page from here
then :-
Spybot S&D and Ad-Aware
1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', have SpyBot remove all the items it marks in red.
2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press "check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish.
Please post a new hijackthis log after a reboot.
Texruss
3.4K Posts
0
March 30th, 2004 01:00
>Those that you missed, some of the CWS lines, Hotbar activeX control, GMT startup and CMEsys.EXE
Ah...the Gator folks...I'd like Steve Irwin to throttle them. >;->
Thanks,
Texruss
Brad Swift
13 Posts
0
March 30th, 2004 16:00
Texruss
3.4K Posts
0
March 30th, 2004 16:00
OK BJ...we'll wait for you to come back on that log...check out F-Secure for some info on Netsky.D for the sick home computer.
Later,
Texruss