Hijackthis log after a nightmare with XXXserver

Discussion in 'adware, spyware & hijack cleaning' started by peanuts, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Good morning,
    I recently managed to infect my pc with the 1on1/xxxserver and its been an absolute nightmare trying to get rid of it, not to mention costly.
    I stumbled across some advice on another forum and am hoping that my system is clean again.
    I really didnt know just how sneaky these people can be!
    I started out by downloading Spybot search and destroy, as well as ad-aware6.
    I then added winpatrol to my system
    I ran them both (seperately) and they found all sorts of things, cleaned/fixed them and they kept coming back.
    I then found a registry search to highlight these nasties.
    so last night was the first time in ages I was able to surf without my browser diverting to these horrid servers.
    I have since downloaded and installed Zonealarm firewall package.
    before I shut everything down last night I ran spybot again and it found 10 unknowns, mostly about:blank (??)
    it also found arcacia (??) and I keep getting a xer0x come up (on the spybot fix page)
    I have since run hijackthis and have the following log.
    ********************************************************
    Logfile of HijackThis v1.97.7
    Scan saved at 21:14:36, on 16/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\S_MENU.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SERVICES.EXE
    C:\PROGRAM FILES\ROADANGEL\ROADANGEL.EXE
    C:\WINDOWS\SYSTEM\MSHTA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Andy
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\s_menu.exe /i
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Road Angel.lnk = C:\Program Files\RoadAngel\RoadAngel.exe
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O19 - User stylesheet: C:\WINDOWS\sample.txt

    *******************************************************

    I hope you are able to help as this has been driving me mad, we only use our pc once in a blue moon and this episode has really taught us an (expensive) lesson!!
    thank you for your time

    Andy
     
    Last edited: Jun 17, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi peanuts,


    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll

    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\s_menu.exe /i

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe

    O8 - Extra context menu item: Web Search - c:\windows\ex.htm

    O19 - User stylesheet: C:\WINDOWS\sample.txt

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\WINDOWS\csrss.exe
    C:\WINDOWS\s_menu.exe
    C:\WINDOWS\System\services.exe

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Thanks Pieter,
    when I downloaded hijackthis as a zip, I unzipped it and dragged the hjt.exe to my desktop, is this what you mean?
    I will carry out your suggestions tonight when I get home and post back tomorrow.
    thanks again

    Andy
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Andy,

    The easiest is to make a separate folder for it on the desktop, so you will have something to keep the backups and hijackthis together.

    Regards,

    Pieter
     
  5. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    ok, ran CWShredder and it found an IEregistry or something although all the rest came up not present:)
    then I booted to safe mode and deleted S_menu.exe and services.exe but couldnt find csrss.exe at all.
    while in safe mode and looking in the windows folder I found 7.exe and 8.exe, I didnt delete these yet (until I get your advice) but they look remarkably like two of the registry values associated with 1on1 xxxserver dont they?
    I then booted back into normal mode and have the following log from hijackthis.
    *********************************************************
    Logfile of HijackThis v1.97.7
    Scan saved at 19:04:06, on 18/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ROADANGEL\ROADANGEL.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Andy & Martine McArthur
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Road Angel.lnk = C:\Program Files\RoadAngel\RoadAngel.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net

    *********************************************************
    when trying to dial up my pc crashed twice which is a very rare thing and its got very slow indeed.
    (maybe its because its a very basic spec?)
    thanks for looking at this and helping me, it is much appreciated.
    Regards
    Andy
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi peanuts,

    I was actually very happy with your log until I read the last lines.

    Try fixing these two as well:
    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerP\Am32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    They are not spyware but not always necessary and it might speed things up a bit.

    Regards,

    Pieter
     
  7. peanuts

    peanuts Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    6
    Thanks Pieter,
    its running a lot faster now and (fingers crossed) free of nasties.
    :)
    regards
    Andy
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
Thread Status:
Not open for further replies.