Hijackthis log after a nightmare with XXXserver

Discussion in 'adware, spyware & hijack cleaning' started by peanuts, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Good morning,
    I recently managed to infect my pc with the 1on1/xxxserver and its been an absolute nightmare trying to get rid of it, not to mention costly.
    I stumbled across some advice on another forum and am hoping that my system is clean again.
    I really didnt know just how sneaky these people can be!
    I started out by downloading Spybot search and destroy, as well as ad-aware6.
    I then added winpatrol to my system
    I ran them both (seperately) and they found all sorts of things, cleaned/fixed them and they kept coming back.
    I then found a registry search to highlight these nasties.
    so last night was the first time in ages I was able to surf without my browser diverting to these horrid servers.
    I have since downloaded and installed Zonealarm firewall package.
    before I shut everything down last night I ran spybot again and it found 10 unknowns, mostly about:blank (??)
    it also found arcacia (??) and I keep getting a xer0x come up (on the spybot fix page)
    I have since run hijackthis and have the following log.
    ********************************************************
    Logfile of HijackThis v1.97.7
    Scan saved at 21:14:36, on 16/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\S_MENU.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SERVICES.EXE
    C:\PROGRAM FILES\ROADANGEL\ROADANGEL.EXE
    C:\WINDOWS\SYSTEM\MSHTA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Andy
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\s_menu.exe /i
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Road Angel.lnk = C:\Program Files\RoadAngel\RoadAngel.exe
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O19 - User stylesheet: C:\WINDOWS\sample.txt

    *******************************************************

    I hope you are able to help as this has been driving me mad, we only use our pc once in a blue moon and this episode has really taught us an (expensive) lesson!!
    thank you for your time

    Andy
     
    Last edited: Jun 17, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi peanuts,


    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll

    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\s_menu.exe /i

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe

    O8 - Extra context menu item: Web Search - c:\windows\ex.htm

    O19 - User stylesheet: C:\WINDOWS\sample.txt

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\WINDOWS\csrss.exe
    C:\WINDOWS\s_menu.exe
    C:\WINDOWS\System\services.exe

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Thanks Pieter,
    when I downloaded hijackthis as a zip, I unzipped it and dragged the hjt.exe to my desktop, is this what you mean?
    I will carry out your suggestions tonight when I get home and post back tomorrow.
    thanks again

    Andy
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Andy,

    The easiest is to make a separate folder for it on the desktop, so you will have something to keep the backups and hijackthis together.

    Regards,

    Pieter
     
  5. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    ok, ran CWShredder and it found an IEregistry or something although all the rest came up not present:)
    then I booted to safe mode and deleted S_menu.exe and services.exe but couldnt find csrss.exe at all.
    while in safe mode and looking in the windows folder I found 7.exe and 8.exe, I didnt delete these yet (until I get your advice) but they look remarkably like two of the registry values associated with 1on1 xxxserver dont they?
    I then booted back into normal mode and have the following log from hijackthis.
    *********************************************************
    Logfile of HijackThis v1.97.7
    Scan saved at 19:04:06, on 18/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ROADANGEL\ROADANGEL.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Andy & Martine McArthur
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Road Angel.lnk = C:\Program Files\RoadAngel\RoadAngel.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net

    *********************************************************
    when trying to dial up my pc crashed twice which is a very rare thing and its got very slow indeed.
    (maybe its because its a very basic spec?)
    thanks for looking at this and helping me, it is much appreciated.
    Regards
    Andy
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi peanuts,

    I was actually very happy with your log until I read the last lines.

    Try fixing these two as well:
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    They are not spyware but not always necessary and it might speed things up a bit.

    Regards,

    Pieter
     
  7. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Thanks Pieter,
    its running a lot faster now and (fingers crossed) free of nasties.
    :)
    regards
    Andy
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.