Mutant version of Hot kiss/xxxserver

Discussion in 'adware, spyware & hijack cleaning' started by s.ahmad3, May 16, 2004.

Thread Status:
Not open for further replies.
  1. s.ahmad3

    s.ahmad3 Registered Member

    Joined:
    May 16, 2004
    Posts:
    3
    I, like many others, have been infected by xxxkiss. But it seems that all the files and reg entries that people have been saying to delete aren't there, or deleting them fails to clean it. I used Spybot initially as I was told this could clean it - it cleaned some files, but it came back. Using HijackThis, 99% of the time there are no bad reg entries, but I let the xxxserver come back on purpose to see what entries it did finally edit. The problem is that it seems to be using different files than what everyone is saying. I have DialerSpy installed, to stop it from dialling out, and it identified the following file as trying to dial out: c:\documen~1\[USER]\Locals~1\temp\4.exe. I have not yet deleted any files or entries, as my attempts at doing so have resulted in failure.


    Here is what I got from HijackThis:
    Logfile of HijackThis v1.97.3
    Scan saved at 11:23:43, on 16/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    D:\Program Files\TECSTORM\MOUSE32A.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\WINDOWS\browse.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\DialerSpy\dspy.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\ntldial\NTLDIAL.EXE
    D:\Program files\Exampro32\Exampro32.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program files\Spybot - Search & Destroy\SpybotSD.exe
    C:\DOCUME~1\Ahmad\LOCALS~1\Temp\nwiz.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Downloaded Progs\hijack this\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] D:\Program Files\TECSTORM\MOUSE32A.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [browser] C:\WINDOWS\browse.exe /i msnuj
    O4 - HKLM\..\Run: [Hot_Kiss] C:\WINDOWS\Hot_Kiss.exe -n
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [DialerSpy] D:\Program Files\DialerSpy\dspy.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: http://www.ntlworld.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100

    I'm not sure about the last O17 entries. Any help appreciated.
     
  2. s.ahmad3

    s.ahmad3 Registered Member

    Joined:
    May 16, 2004
    Posts:
    3
    Just done a search, and have come back with a few suspicious files:

    c:\windows\prefetch\UK4.EXE-27E8DCCB.pf
    c:\windows\prefetch\JAUK.EXE-2005C116.pf

    At the moment, I'm leaving them be - I want to make sure I get all the files, and not leave some behind like I have done before.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi s.ahmad3,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe

    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [browser] C:\WINDOWS\browse.exe /i msnuj
    O4 - HKLM\..\Run: [Hot_Kiss] C:\WINDOWS\Hot_Kiss.exe -n

    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe

    Then surf to
    http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html and download and use the tool offered there.

    Then reboot into safe mode and delete:
    C:\Program Files\VVSN <= entire folder
    C:\WINDOWS\Hot_Kiss.exe
    C:\WINDOWS\browse.exe

    Regards,

    Pieter
     
  4. s.ahmad3

    s.ahmad3 Registered Member

    Joined:
    May 16, 2004
    Posts:
    3
    OK, I followed your instructions to the letter (thank you for your time btw - I tried everything you said apart from the PowerReg entry - I don't think I would have ever realised it was malicious). At the moment, everything seems OK, but I guess I won't really know (as it always attacked about half an hour after I was on the internet) till later. Can I just ask, what was the purpose of the virus removal tool? (It came back saying there was no infection btw.) Luckily, it hasn't caused me as much pain as it has some people, thanks to DialerSpy blocking it (though I have probably still lost at least £10). I also deleted the 4.exe file in the temp folder (it had the same icon as the Hot Kiss dialer, and was only a temp file after all) but left the files in the c:\windows\prefetch folder, including the uk5 one and another I spotted called vvsnsomething - should I delete these too? Here's the new log file after cleaning:

    Logfile of HijackThis v1.97.3
    Scan saved at 12:23:40, on 16/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    D:\Program Files\TECSTORM\MOUSE32A.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Program files\DialerSpy\dspy.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ntldial\NTLDIAL.EXE
    D:\Downloaded Progs\hijack this\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] D:\Program Files\TECSTORM\MOUSE32A.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [DialerSpy] D:\Program files\DialerSpy\dspy.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: http://www.ntlworld.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100

    Thank you for your time again
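To see what the cleanup above actually changed, here is an added Python example (not from this thread, and not part of HijackThis) that parses the entry lines of the two logs posted, lists the entries that disappeared between the first and second scan, and flags the kinds of entries Pieter picked out: orphaned "(no file)" items and Run keys pointing at an .exe sitting directly in the Windows root or in a Temp folder. The log excerpt is constructed from the lines posted above, and the path heuristic is an assumption for illustration, not a HijackThis rule.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the two HijackThis logs posted in this thread:
# the scan before cleaning and the scan after "Fix checked" plus safe-mode deletion.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\Run: [browser] C:\WINDOWS\browse.exe /i msnuj
O4 - HKLM\..\Run: [Hot_Kiss] C:\WINDOWS\Hot_Kiss.exe -n
O4 - HKCU\..\Run: [DialerSpy] D:\Program Files\DialerSpy\dspy.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100
"""
LOG_AFTER = r"""
O4 - HKCU\..\Run: [DialerSpy] D:\Program files\DialerSpy\dspy.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2907F741-6F6D-42BC-A233-BA68BD97727A}: NameServer = 194.168.4.100 194.168.8.100
"""

# Every HijackThis entry line starts with a section tag such as R0, O4 or O17.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Heuristic (an assumption, not a HijackThis rule): an autorun whose .exe lives
# directly in the Windows root or in a Temp folder deserves a second look.
# It will not catch everything (WinServices.exe under System32 slips past it).
ODD_PATH_RE = re.compile(r"(?i)(\\windows\\[^\\]+\.exe|\\temp\\[^\\]+\.exe)")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for each entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def removed_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """Entries in the first log that are gone from the second (paths compared case-insensitively)."""
    after_keys = {(s, b.lower()) for s, b in parse_hjt(after)}
    return [(s, b) for s, b in parse_hjt(before) if (s, b.lower()) not in after_keys]

def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Entries worth checking: '(no file)' leftovers and O4 Run keys with odd paths."""
    return [(s, b) for s, b in parse_hjt(text)
            if "(no file)" in b or (s == "O4" and ODD_PATH_RE.search(b))]

if __name__ == "__main__":
    for section, body in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("removed:", section, "-", body)
    for section, body in flag_entries(LOG_BEFORE):
        print("flagged:", section, "-", body)
```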
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I made you run the Yaha removal tool because this line indicates that you were at one time infected:
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe

    The prefetch folder can be emptied out completely if you want. It's a trick that Windows XP uses to start programs faster.
    http://www.pcmag.com/article2/0,4149,600480,00.asp

    Your log is clean. The O17 entries you were worried about look legit to me.
    The servers belong to Luton Cable Online Ltd.

    Now get Windows and IE updated and read https://www.wilderssecurity.com/showthread.php?t=27971 for some more tips on how to keep your computer clean.

    Regards,

    Pieter
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The O17 entries actually belong to NTL, both dial-up & broadband, so without them you won't connect or find any web sites, so leave them alone.

    And please do this:
    Boot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then, using Windows Explorer, go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it.

    As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:

    While in the temp folder, select View and select Details.

    Then right-click a blank part and select Arrange Icons By, and select Show in Groups and Modified; that will give a list of all files in date order with today at the top of the page.

    Select all the files/folders except the today ones and delete them all.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
     