Unknown virus

Dear all,
I Believe I have picked up a virus. Here's what it does. I am running XP. When I start up my computer it is very slow. I opened up task manager and noticed that my proccesser usage is at 100% 98% of this is related to system32exe. The only way I can stop this is to end the process in task manager. Obviously I want to get rid of this. I have downloaded a program called Hyjack this and below is a log of what it reported. It's a long read as unfortunatly this site will not accept the format it is saved in can anyone offer me some guidance. I am no computer wiz so asimplified explaination would be highly appreciated. I look forward to some help Thankyou.

Logfile of HijackThis v1.95.0
Scan saved at 22:58:35, on 15/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Owner.Julies.002\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searching-4u.com/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://broadband.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://uk4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program Files\Flt\Flt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem211.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.gvc.co.uk/sunsetview/level1/level2/svideo3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

 

Hi MadCatz,

In addition to the entry LWM pointed out I would recommend selecting and fixing the following (for these, you want to make sure that all other windows/programs are closed first)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.searching-4u.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program Files\Flt\Flt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem211.dll
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

Then do a reboot and delete the following

C:\WINDOWS\nem211.dll

c:\Program Files\Flt (the entire directory)

C:\Program Files\NewDotNet\newdotnet4_88.dll

Once this is done, please rescan with HijackThis and repost the log so we can be sure we got everything.

Thx,

Dan

 

KwBot worm, I'm betting...

 

Could be Mc afee running it's scan

 

system32.exe sounds too trojan'ish to be an antivirus, and if i remember correctly, kwbot uses the filename xms32.exe (not related the programmer of optix)

 

Hi All,

At minimum, the following are candidates for the system32.exe

Kitro.A

Mari

KwBot.C

There are likely more as well.

Regards,

Dan