hijack this log - xxxserver

Discussion in 'adware, spyware & hijack cleaning' started by littlebobble, May 21, 2004.

Thread Status:
Not open for further replies.
  1. littlebobble

    littlebobble Registered Member

    Joined:
    May 21, 2004
    Posts:
    1
    Hello,

    I'm having recurrent problems with the xxxserver/1on1/hotkiss bug. I've run spybot, adware and hijackthis (aswell as having norton antivirus on board).
    This is my Hijackthis log. Please could someone help me and tell me what to do with all this. I've also enclosed some other suspicious lsass.exe and svchost.exe files (a forum on modemhelp.net suggested I run them by you guys before deleting something crucial). I'd be grateful for any advice you can give - I'm about to chuck my laptop in the bin!
    (I posted this as a guest on 6th May, but got no replies, so I hope I'm doing this the right way).

    Logfile of HijackThis v1.97.7
    Scan saved at 19:28:43, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Norton Speed Disk\nopdb.exe
    C:\WINDOWS\System32\S3hotkey.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\ESB.exe
    C:\WINDOWS\csrss.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Documents and Settings\robin smith\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
    O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7993.5451736111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...321/mcfscan.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com...ex/HMAtchmt.ocx

    The additional suspicious lsass.exe/svchost.exe files:
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\system32\dllcache\svchost.exe
    C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER2.tmp.dir00
    C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER13.tmp.dir00
    C:\WINDOWS\DocumentsandSettings\Administrator\localsettings\temp\WER4.tmp.dir00
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hi littlebobble,

    Those files you mention are suspect.


    First, can you find this file and copy and then zip it.
    C:\WINDOWS\csrss.exe
    Then send it to Gavin at submit@diamondcs.com.au
    Note that it is not the valid csrss.exe, which is in the Windows\system32 folder.


    If you can't find it, try enabling hidden files http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5


    Then fix this line in hijackthis, make sure all other windows are closed.

    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i

    Then reboot into safe mode and find

    C:\WINDOWS\csrss.exe <--- delete file, rememeber the good one is in the system32 folder, so don't touch that one.

    Safe mode instructions http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Then you want to run an A/V online scan
    http://www.pandasoftware.com/activescan/com/
    http://housecall.trendmicro.com/
    http://www.bitdefender.com/bd/site/downloads.php?menu_id=21
    http://us.mcafee.com/root/catalog.asp?catid=free
    http://security.symantec.com/sscv6/default...id=ie&venid=sym



    I see Norton products, but I don't see Norton Antivirus in your start up or running processes. You need to get at least an anti virus to run resident to prevent any future infections.


    After cleaning up the virus/trojan, you should delete all temporary files as described here : http://www.techtv.com/callforhelp/stepone/jump/0,24331,10827,00.html


    Then post a new hijackthis log to ake sure you are clean.
     
    Last edited: May 22, 2004
Thread Status:
Not open for further replies.