eliminate xxxserver

Discussion in 'adware, spyware & hijack cleaning' started by pathen77, Jun 1, 2004.

Thread Status:
Not open for further replies.
  1. pathen77

    pathen77 Registered Member

    Joined: Jun 1, 2004
    Posts: 1
    I've been captured by xxxserver and would be grateful for any assistance.
    I downloaded and ran Spybot S&D.
    I have tried many methods to restore my modem sound but have failed every time. I am running Windows 98.
    I downloaded HijackThis. A copy of my log follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:41:12, on 01/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPZTSB08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DEAMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\C7HKC0QR\HIJACKTHIS[2].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vuifza.t.muxa.cc/h.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: (no name) - {A42F6A2E-5A69-26BC-A893-6E3740A6E407} - C:\PROGRAM FILES\INTRAMEALHTM\COALFREE.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Balm Math - {882A5476-4642-C594-52FF-ED75520ED1D0} - C:\PROGRAM FILES\INTRAMEALHTM\COALFREE.DLL (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SUCATREF] C:\WIN98\SUCATREF.EXE
    O4 - HKLM\..\Run: [FONTREF] C:\WINDOWS\SYSTEM\FONTREF.EXE
    O4 - HKLM\..\Run: [RUNONCD] C:\WINDOWS\SYSTEM\RUNONCD.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
    O19 - User stylesheet: c:\windows\my.css
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,330
    Location: Netherlands
    Hi pathen77,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vuifza.t.muxa.cc/h.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: (no name) - {A42F6A2E-5A69-26BC-A893-6E3740A6E407} - C:\PROGRAM FILES\INTRAMEALHTM\COALFREE.DLL (file missing)

    O3 - Toolbar: Balm Math - {882A5476-4642-C594-52FF-ED75520ED1D0} - C:\PROGRAM FILES\INTRAMEALHTM\COALFREE.DLL (file missing)

    O4 - HKLM\..\Run: [SUCATREF] C:\WIN98\SUCATREF.EXE
    O4 - HKLM\..\Run: [FONTREF] C:\WINDOWS\SYSTEM\FONTREF.EXE
    O4 - HKLM\..\Run: [RUNONCD] C:\WINDOWS\SYSTEM\RUNONCD.EXE

    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i

    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE

    O19 - User stylesheet: c:\windows\my.css

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot and send the files below to the address in my profile; they may be new malware. Please include a link to this thread: https://www.wilderssecurity.com/showthread.php?t=34542
    C:\WIN98\SUCATREF.EXE
    C:\WINDOWS\SYSTEM\FONTREF.EXE
    C:\WINDOWS\SYSTEM\RUNONCD.EXE
    C:\WINDOWS\deamon.exe

    Regards,

    Pieter
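
An added example, not part of the original posts and not HijackThis's own logic: a small Python triage pass over the `CODE - detail` log format shown in this thread, run on an excerpt of the posted log. The heuristics in `reasons_for` are assumptions chosen for illustration; they surface entries for human review and do not reproduce the helper's judgement, which for the O4 Run entries depends on knowing the specific filenames.

```python
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vuifza.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: (no name) - {A42F6A2E-5A69-26BC-A893-6E3740A6E407} - C:\PROGRAM FILES\INTRAMEALHTM\COALFREE.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O19 - User stylesheet: c:\windows\my.css
"""

# Section code (R0-R3, O1-O99), a dash, then the entry detail.
ENTRY = re.compile(r"^\s*(R[0-3]|O\d{1,2})\s+-\s+(.*\S)\s*$")
# A registry value that is a local drive path ending in .htm/.html.
LOCAL_HTML = re.compile(r"=\s*[A-Za-z]:\\.*\.html?$", re.IGNORECASE)

def reasons_for(code, detail):
    """Return review reasons for one entry (heuristics assumed for this example)."""
    reasons = []
    if detail.endswith("(obfuscated)"):
        reasons.append("URL marked obfuscated")
    if detail.endswith("(file missing)"):
        reasons.append("registered file is missing")
    if code == "O1":
        reasons.append("Hosts file entry overrides DNS")
    if code == "O19":
        reasons.append("user stylesheet override")
    if code in ("R0", "R1") and LOCAL_HTML.search(detail):
        reasons.append("IE page setting points at a local HTML file")
    return reasons

def triage(log_text):
    """Parse 'CODE - detail' lines; return (code, detail, reasons) for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        code, detail = m.groups()
        reasons = reasons_for(code, detail)
        if reasons:
            flagged.append((code, detail, reasons))
    return flagged

if __name__ == "__main__":
    for code, detail, reasons in triage(SAMPLE_LOG):
        print(f"{code:>3}  {'; '.join(reasons)}\n     {detail}")
```

Entries that pass these checks are not cleared by them: the startup items the reply selects look like ordinary Run entries to this script.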
     