June 22nd, 2004 21:00
Need HiJackThis Analysis ASAP!!! Task manager closes...
I ran hijackthis and here is a log....
Logfile of HijackThis v1.97.7
Scan saved at 6:23:20 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\msiwin84.exe
C:\Program Files\Creative\PROGRAM\CTMIX32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\NETSTATT.EXE
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karl Jumblatt.KARL.000\Local Settings\Temporary Internet Files\Content.IE5\4BAJOP2B\HijackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [System Update Service] csrss32.exe
O4 - HKLM\..\Run: [Microsoft Update] msiwin84.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O4 - HKLM\..\RunServices: [System Update Service] csrss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msiwin84.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Eventlog] C:\WINDOWS\Winupdate.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\RunOnce: [Yahoo Messenger] NETSTATT.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)


C6Vette
June 22nd, 2004 21:00
This got cut off...
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud3.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud1.sports.sc5.yahoo.com/java/y/nbast8268_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10b782463668cb78b523/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
C6Vette
June 23rd, 2004 19:00
C6Vette
June 25th, 2004 09:00
C6Vette
July 4th, 2004 17:00
Dave Lyle
July 4th, 2004 18:00
I'd suggest your first action would be to run a couple of online scans.
http://housecall.trendmicro.com/
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
are some examples.
pskelley
July 4th, 2004 20:00
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=17986
Hi, We need to make you aware that many, many logs are being posted. Because we are few, all volunteers with families and real jobs, we will have to ask you to be patient. We work the logs in the order they come in, if you would like us to look at your computer please be patient, one of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
Texruss
July 4th, 2004 21:00
Yes...I can help...but post a fresh log using the new Hijackthis 1.98 version:
Get a quick copy here:
http://www.russelltexas.com/files/hijackthis.exe
Delete all other copies.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-) BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
C6Vette
July 5th, 2004 07:00
Logfile of HijackThis v1.98.0
Scan saved at 4:00:28 AM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\msiwin84.exe
C:\program files\creative\PROGRAM\CTMIX32.EXE
C:\WINDOWS\System32\NETSTATT.EXE
C:\WINDOWS\System32\qhtqrmgm.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Karl Jumblatt.KARL.000\Application Data\ucna.exe
C:\WINDOWS\System32\dajpr.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Kazaa Lite\KazaaLite.kpp
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Karl Jumblatt.KARL.000\Local Settings\Temporary Internet Files\Content.IE5\KXY36RCL\hijackthis[1].exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DAC1159-E131-0ECF-D15F-64550BA02D14} - C:\WINDOWS\System32\dnchyhmg.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [System Update Service] csrss32.exe
O4 - HKLM\..\Run: [Microsoft Update] msiwin84.exe
O4 - HKLM\..\Run: [CreativeMixer] c:\program files\creative\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [usrrqgfhjud] C:\WINDOWS\System32\qhtqrmgm.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [bgburux] C:\WINNT\bgburux.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [System Update Service] csrss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msiwin84.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Eventlog] C:\WINDOWS\Winupdate.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Moso] C:\Documents and Settings\Karl Jumblatt.KARL.000\Application Data\ucna.exe
O4 - HKCU\..\Run: [Lpst] C:\WINDOWS\System32\dajpr.exe
O4 - HKCU\..\RunOnce: [Yahoo Messenger] NETSTATT.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud3.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud1.sports.sc5.yahoo.com/java/y/nbast8268_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10b782463668cb78b523/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
thanks
Texruss
July 5th, 2004 17:00
Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.
See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm
Run Hijackthis in new folder, scan and check the box left of these numbered line items:
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3DAC1159-E131-0ECF-D15F-64550BA02D14} - C:\WINDOWS\System32\dnchyhmg.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [System Update Service] csrss32.exe
O4 - HKLM\..\Run: [Microsoft Update] msiwin84.exe
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [usrrqgfhjud] C:\WINDOWS\System32\qhtqrmgm.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [bgburux] C:\WINNT\bgburux.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [System Update Service] csrss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msiwin84.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Moso] C:\Documents and Settings\Karl Jumblatt.KARL.000\Application Data\ucna.exe
O4 - HKCU\..\Run: [Lpst] C:\WINDOWS\System32\dajpr.exe
O4 - HKCU\..\RunOnce: [Yahoo Messenger] NETSTATT.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
Comments: DialerPlatform Dialer
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10b782463668cb78b523/netzip/RdxIE601.cab
Comments: Netster
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
Comments: IEPlugin
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
Comments: MediaTickets Installer
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
Comments: MagicAds Adware
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
Comments: PSD TOOLS Adware / BuddyLinks
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE
Show HIDDEN FILES and folders
FAQ 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
In Safe Mode Hit Control-Shift-Escape keys at same time and stop these processes if running:
msiwin84.exe
NETSTATT.EXE
qhtqrmgm.exe
Loader.exe
omniscient.exe
ucna.exe
dajpr.exe
WebRebates1.exe
WebRebates0.exe
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders:
Files:
C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\System32\dnchyhmg.dll
C:\WINDOWS\System32\csrss32.exe
C:\WINDOWS\System32\msiwin84.exe
C:\WINDOWS\System32\NETSTATT.EXE
C:\WINDOWS\System32\qhtqrmgm.exe
C:\WINDOWS\System32\dajpr.exe
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\alchem.exe
C:\WINDOWS\msopt.dll
C:\WINDOWS\win32.exe
C:\WINDOWS\twaintec.dll
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINNT\bgburux.exe
C:\Documents and Settings\Karl Jumblatt.KARL.000\Application Data\ucna.exe
Folders:
C:\Program Files\Web_Rebates
C:\Program Files\ClearSearch
C:\Program Files\Common Files\PSD Tools
C:\Program Files\WindowsSA
Exit Explorer...empty Recycle Bin.
Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:
1. Latest version
2. Configured correctly for running options
3. New definitions from update feature
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
Special Comments: After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm
All the best,
Texruss
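A first-pass triage of the log categories Texruss walks through above (F2 UserInit, O2 BHOs, O4 autostarts, R0/R1 search settings, O16 DPF controls), as an added example that is not from the thread or from HijackThis itself; the heuristics, the trusted-host list and the default UserInit value are my own assumptions, and the sample lines are abridged from the logs posted in this thread.

```python
import re
from typing import List, Tuple

# Sample lines abridged from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DAC1159-E131-0ECF-D15F-64550BA02D14} - C:\WINDOWS\System32\dnchyhmg.dll
O4 - HKLM\..\Run: [System Update Service] csrss32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunServices: [Microsoft Update] msiwin84.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # stock XP logon program (assumption)
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")      # hosts IE ships pointing at (assumption)

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*?),?$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (.*?) - (.*)$")
R_RE = re.compile(r"^R[01] - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\[^=]+ = (.*)$")

def exe_of(command: str) -> str:
    """Program part of an autostart command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def host_of(url: str) -> str:
    """Host name of a URL that may or may not carry a scheme."""
    return re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/", 1)[0]

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries a responder should examine first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := F2_RE.match(line):
            if m.group(1).lower() != DEFAULT_USERINIT:
                findings.append((line, "UserInit replaced: runs at every logon before the shell"))
        elif m := O4_RE.match(line):
            _hive, key, label, command = m.groups()
            exe = exe_of(command)
            if key == "RunServices":
                findings.append((line, "RunServices is a Win9x/ME key; XP ignores it, worms write it anyway"))
            elif exe.lower() == "rundll32.exe" and "\\system32\\" not in command.lower():
                findings.append((line, "rundll32 stub loads a DLL from outside System32"))
            elif "\\" not in exe:
                findings.append((line, f"bare filename '{exe}' found via the search path; label '{label}' names no vendor"))
        elif m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if name == "(no name)" or path == "(no file)" or "\\program files\\" not in path.lower():
                findings.append((line, "unnamed BHO or DLL dropped outside Program Files; IE loads it at every start"))
        elif m := R_RE.match(line):
            host = host_of(m.group(1))
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
                findings.append((line, f"IE search setting redirected to {host}"))
        elif line.startswith("O16 - DPF: "):
            body = line[len("O16 - DPF: "):]
            src = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
            if not src:
                findings.append((line, "DPF control with no source URL"))
            elif src.lower().startswith("file://"):
                findings.append((line, "DPF control installed from a local file, not a web server"))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The heuristics are deliberately conservative: a quoted full path such as the WebRebates0 entry passes them even though the thread removes it, so the output is a reading order for the log, not a verdict on every line.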
C6Vette
July 13th, 2004 12:00
After following your directions I believe most (if not all) of the malware is gone. Here is the latest HJT log:
Logfile of HijackThis v1.98.0
Scan saved at 9:52:28 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\program files\creative\PROGRAM\CTMIX32.EXE
C:\WINDOWS\System32\sfs.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37AF4B00-E76A-5ECB-865B-64550BA0284B} - C:\WINDOWS\System32\ascw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] c:\program files\creative\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [System Update Service] csrss32.exe
Thanks for the help.
pskelley
July 13th, 2004 13:00
Hi, while progress is being made, another item has reared its ugly head, and it needs to be cut off. This item looks like this: http://websearch.drsnsrch.com/sidesearch.cgi?id
I would have to believe it is something new, and I can identify at least one item that the instructions, if followed, would have removed, and it is still there. Please allow time for Texruss to view this new log and advise you.
For my own benefit (still in training): I cannot see any anti-virus software or a firewall running in your log. If this is true, let us know, and we will give you links to free versions of each. Without this in place, you will continue to get infected and our clean up efforts are a moot point. Thanks...pskelley
Message Edited by pskelley on 07-13-2004 10:43 AM
Texruss
July 13th, 2004 17:00
Yes...it's computer suicide to run without antivirus.
Free AVG: www.grisoft.com
Trial version of Norton AV: http://nct.digitalriver.com/0001/
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
csrss32.exe
sfs.exe
Fix check these in Hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O2 - BHO: (no name) - {37AF4B00-E76A-5ECB-865B-64550BA0284B} - C:\WINDOWS\System32\ascw.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [System Update Service] csrss32.exe
Reboot to SAFE MODE
Show HIDDEN FILES and folders
These necessary options are explained in FAQ's 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
sfs.exe
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Navigate down the folder structure in left hand window and then in the right window delete the following files and/or folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\ascw.dll
C:\WINDOWS\wupdt.exe
C:\Windows\System32\csrss32.exe
C:\Program Files\Web_Rebates folder
Exit Explorer, empty Recycle Bin, reboot and get an Antivirus program immediately (I advise the trial version of Norton). Get updates and scan your full system in Safe Mode with Norton AV.
Special Comments: The csrss32.exe file is the notorious Naco worm (nicknamed the Nacho virus although it's a worm, not a virus). You may have file damage from it that will require reinstalling Windows over the top of your existing folder.
http://securityresponse.symantec.com/avcenter/venc/data/w32.naco.d@mm.html
Post a fresh log after you get your repairs completed.
Texruss