Help! I know that I have a virus or worm in my system, since yesterday, my system generated an error message referring to the rpc service and nt authority system and did a spontaneous shutdown. I went to the rpc service properties, then recovery, and set all failures to "take no action" to stop the spontaneous shutdown. I had the same symptom last month 'coz my system was infected by the nachi worm. But I got rid of it using my AVG antivirus program and the stinger.exe removal tool from McAfee. But now, I can't get rid of whatever this virus/worm is 'coz I don't know what it is! I already updated my AVG, ran it, and I also ran almost all the virus removal tools from Symantec and McAfee, to no avail. I scanned for spyware using Spybot and it got rid of all the spyware and adware it detected. I also checked all the processes that were running in my system, and they seem to be valid. Finally, I ran HijackThis and here's the log. Please tell me what could have infected my system. Please, please, pleasssse!!! I don't wanna have to reformat my hard drive. Thanks in advance =)
Logfile of HijackThis v1.97.7
Scan saved at 12:22:54 PM, on 1/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.exe
C:\WINDOWS\GeniusKB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alset\HelpExpress\Roanne\HXDL.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\PROGRA~1\GetRight\GETRIGHT.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.exe /t
O4 - HKLM\..\Run: [CHotKey] GeniusKB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Roanne\Client\HelpExp.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Roanne\HXDL.exe -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: CuteShield Internet Eraser (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8510B699-9C96-49EA-9175-FB4765BEC5A6}: NameServer = 210.14.16.5 202.57.125.1
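As an added example (not code from the original post or from HijackThis itself), here is a small Python triage helper for the log format posted above. It splits the log into the running-process list and the numbered O-entries, cross-checks each O4 Run entry against the process list, flags Run entries that give only a bare file name (those are located through the search path at logon), and pulls the O17 NameServer addresses out for comparison with the resolvers you expect. The SAMPLE_LOG is a constructed subset of the lines in the log above; the regular expressions assume the layout shown here.

```python
import re
# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\GeniusKB.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] GeniusKB.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Roanne\Client\HelpExp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8510B699-9C96-49EA-9175-FB4765BEC5A6}: NameServer = 210.14.16.5 202.57.125.1
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                        # "O4 - ..." lines
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # hive, value name, command
IMAGE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)           # executable part of a command line
NS_RE = re.compile(r"NameServer = (.*)$")

def win_basename(path):
    """Last component of a Windows path, lower-cased (os.path won't split on '\\' on POSIX)."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_hijackthis(text):
    """Split a HijackThis log into the running-process list and the (kind, body) O-entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(text):
    """Cross-check O4 Run entries against the process list and collect O17 DNS servers."""
    processes, entries = parse_hijackthis(text)
    running = {win_basename(p) for p in processes}
    findings = {"not_running": [], "unqualified": [], "dns_servers": []}
    for kind, body in entries:
        if kind == "O4" and (m := RUN_RE.match(body)):
            hive, name, cmd = m.groups()
            img = IMAGE_RE.match(cmd)
            image = img.group(1) if img else cmd
            if "\\" not in image:  # bare file name: located via the search path at logon
                findings["unqualified"].append((hive, name, image))
            if win_basename(image) not in running:  # autostart with no matching live process
                findings["not_running"].append((hive, name, image))
        elif kind == "O17" and (m := NS_RE.search(body)):
            findings["dns_servers"].extend(m.group(1).split())  # compare with your expected resolvers
    return findings
```

An autostart with no live process is only a pointer for a closer look (it may simply have exited), while the O17 resolvers should be checked against the addresses your ISP or network actually assigns.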

The worm, W32.Blaster.Worm and its variants, exploits a security issue that was addressed by Microsoft Security Bulletin MS03-026. This worm also has the potential to exploit a similar issue that is addressed by Microsoft Security Bulletin MS03-039. These issues concern a vulnerability in the Remote Procedure Call (RPC) function.
Important Information
New Security Update: There is a new security issue addressed by Microsoft Security Bulletin MS03-39 that could potentially be affected by the Blaster worm. To get the update, or for "How to Tell If the Worm Is Affecting Your Computer", read the bottom of this webpage: you will see the Windows error that comes up; see if it is what you are getting:
go to http://www.microsoft.com/security/incident/blast.asp.

Patch up both Windows and IE to SP1 upgrades at the windowsupdate site and ensure you get all security-related updates onto that unprotected system, or inevitably you will have to reformat at some point.
Repost a new log afterwards.
