i need help!! (hijack this???)

recently i have been botherd by 'hot_kiss' xxxserver.

i have read the comments of other members all of whos problems have been fixed with 'hijack this'

what is hijack this an where can i find it??

many thanks
Griogair

 

Hi Griogair,

Please follow the instructions posted here:
https://www.wilderssecurity.com/showthread.php?t=15913
Post the log as a reply in this topic.

Regards,

Pieter

 

thanks for your help.

if i copy paste the hijack this log....would someone be able to rid me of hot_kiss?

cheers
griogair

 

We have had some sucesses sofar.

Regards,

Pieter

 

haha...cheers!!

Logfile of HijackThis v1.97.7
Scan saved at 16:00:16, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\deamon.exe
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\EzButton System V2.1\EzButton.exe
C:\DOCUME~1\GRIOGA~1\LOCALS~1\Temp\nwiz.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Griogair Stewart\Desktop\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [DC1300 Monitor] C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qgggdeii.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38130.1332060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{497E577E-FEB0-467E-AD9D-8BBBA999745C}: NameServer = 195.92.195.94 195.92.195.95


hope this means more to you than me!

griogair

 

Hi Griogair,

Cool. You have a new version.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\deamon.exe /i

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qgggdeii.exe

Then reboot into safe mode and delete:
C:\Program Files\Internet Explorer\qgggdeii.exe

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folder.

In Add/Remove Software uninstall P2P Networking

Could you please mail me a (preferably zipped) copy of:
C:\WINDOWS\deamon.exe
Use the address in my profile please.

Regards,

Pieter

 

haha!! im starting to think i dont want the deamon.exe file....i made a copy on my desctop so i could zip it (winrar) was stoppin it...i sent you a coppy which i presume you have now...it wont delete!!!!!

any advice?
griogair

 

Delete the critter, Griogair.

Do it in safe mode. That works.

deamon.exe - packed with PE-Pack
deamon.exe - infected by TrojanDownloader.Win32.Delf.br

Regards,

Pieter

 

cheers mate!

got rid of it in safe mode.

realy impressed with your forum, and your quickness to reply.
this site will be the first i point friends in similar situations to.
nice one!

cheers!
Griogair,scotland

 

Glad we could help

Please read: Why did I get infected in the first place

Regards,

Pieter