hijack this log - xxxserver

Hello,

I'm having recurrent problems with the xxxserver/1on1/hotkiss bug. I've run spybot, adware and hijackthis (aswell as having norton antivirus on board).
This is my Hijackthis log. Please could someone help me and tell me what to do with all this. I've also enclosed some other suspicious lsass.exe and svchost.exe files (a forum on modemhelp.net suggested I run them by you guys before deleting something crucial). I'd be grateful for any advice you can give - I'm about to chuck my laptop in the bin!
(I posted this as a guest on 6th May, but got no replies, so I hope I'm doing this the right way).

Logfile of HijackThis v1.97.7
Scan saved at 19:28:43, on 06/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Documents and Settings\robin smith\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7993.5451736111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...321/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com...ex/HMAtchmt.ocx

The additional suspicious lsass.exe/svchost.exe files:
C:\WINDOWS\ServicePackFiles\i386\lsass.exe
C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER2.tmp.dir00
C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER13.tmp.dir00
C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER4.tmp.dir00

 

Hi littlebobble,

Those files you mention are suspect.


First, can you find this file and copy and then zip it.
C:\WINDOWS\csrss.exe
Then send it to Gavin at submit@diamondcs.com.au
Note that it is not the valid csrss.exe, which is in the Windows\system32 folder.


If you can't find it, try enabling hidden files http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5


Then fix this line in hijackthis, make sure all other windows are closed.

O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i

Then reboot into safe mode and find

C:\WINDOWS\csrss.exe <--- delete file, rememeber the good one is in the system32 folder, so don't touch that one.

Safe mode instructions http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Then you want to run an A/V online scan
http://www.pandasoftware.com/activescan/com/
http://housecall.trendmicro.com/
http://www.bitdefender.com/bd/site/downloads.php?menu_id=21
http://us.mcafee.com/root/catalog.asp?catid=free
http://security.symantec.com/sscv6/default...id=ie&venid=sym



I see Norton products, but I don't see Norton Antivirus in your start up or running processes. You need to get at least an anti virus to run resident to prevent any future infections.


After cleaning up the virus/trojan, you should delete all temporary files as described here : http://www.techtv.com/callforhelp/stepone/jump/0,24331,10827,00.html


Then post a new hijackthis log to ake sure you are clean.