1on1 hot_kiss trojan HELP!!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nogura

Thread Starter
Joined
Apr 11, 2004
Messages
1
Hi; I'm SO glad that there are people like you guys around who are A) Able to help computer thickos such as myself and B) willing to!

Basically I'm on the net when Norton AntiVirus says that it has intercepted and killed the Trojan.ByteVerify bug. I'm pleased and carry on surfing. But then an icon appears on my taskbar for the 1on1 chat service at £1.50 a minute and pops up. At the same time my start page is set to 123found.com and the virus switches off the sound on my modem and tries to redial an XXXSERVER which has been added to my dial-ups. The number is listed as 5551212 (how can this be premium rate when it's not a 09000 number? [in fact when I dial it from my phone the number is said not to exist]). I'm not tech savvy enough to understand these things, unfortunately.
I deleted the hot_kiss file (it came back as 1on1 when deleted) from C:\Windows and reset my homepage (and checked that my critical updates had all been installed). Then I checked files which had been created / modified within the last few minutes. As well as the chat dialer thing it said that csrss.exe had been created in C:\Windows (I turned off archive and hidden settings etc. and tried to delete it, but it wouldn't let me; maybe for the best, as I wasn't 100% sure it was involved, but I think it is).

I downloaded and ran Ad-aware 6, Spy-bot and Xoft spy, but they never found anything apart from a couple of minor vulnerabilities which I corrected. The online trojan scan and CWShredder never found anything (which is worrying, as I know it detects similar trojans).

So, I'm sorry for going on, but I'm trying to be as thorough as possible.

On Task Manager it says that the processes running are:

Image Name               User Name
1on1.exe                 Andrew
ApntEx.exe               Andrew
Apoint.exe               Andrew
CARPSERV.EXE             Andrew
ccApp.exe                Andrew
ccEvtMgr.exe             SYSTEM
Client Interface.exe     SYSTEM
CPDNSE~1.EXE             SYSTEM
CSRSS.EXE                Andrew
CSRSS.EXE                SYSTEM
EXPLORER.EXE             Andrew
HijackThis.exe           Andrew
iexplore.exe             Andrew
LSASS.EXE                SYSTEM
Model.exe                SYSTEM
MSMSGS.EXE               Andrew
MSNMSGER.EXE             Andrew
MSOFFICE.EXE             Andrew
Navapsvc.exe             SYSTEM
NOTEPAD.EXE              Andrew
QtaET2S.EXE              Andrew
QTTASK.EXE               Andrew
SERVICES.EXE             SYSTEM
SMSS.EXE                 SYSTEM  (I've heard this can be affected by trojans?)
SPOOLSV.EXE              SYSTEM
SVCHOST.EXE              SYSTEM
SVCHOST.EXE              SYSTEM
SVCHOST.EXE              NETWORK SERVICE
SVCHOST.EXE              LOCAL SERVICE
System                   SYSTEM
System Idle Processes    SYSTEM
taskmgr.exe              Andrew
WINLOGON.EXE             SYSTEM
wordpad.exe              Andrew

Start > Run > msconfig, then the Startup tab, gives:
carpserv
Apoint
QtET2S
ccApp
ccRegVfy
qttask
csrss
1on1
MsnMsgr
Microsoft Office
Symantec Fax Edition Port
(My instinct would be to untick the 1on1 and csrss boxes, but I'll leave all those sorts of decisions to you people who know about these things.)

I ran HijackThis and saved the log file shown below (but Norton AntiVirus said this file was infected with the Bloodhound.Exploit.6 virus; is this normal?).

Logfile of HijackThis v1.97.7
Scan saved at 18:39:22, on 11/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\1on1.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\CLIMAT~1\execs\Model.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.5031365741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Now, please tell me what I have to do to get all this stuff right. The less technical the better, as I'm worried about either deleting the wrong thing or missing something important. My instinct would be to click Fix on these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n

If it involves things like editing the registry, then I'd be grateful if I could have step-by-step instructions! Thanks very much.

Andrew
 
Joined
Oct 9, 2001
Messages
9,396
Not a bad instinct, Andrew (y)

Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows, including this one, and click "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe

Reboot into Safe Mode by following the instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Delete:
C:\WINDOWS\csrss.exe [MAKE SURE IT'S THE ONE IN THAT EXACT LOCATION]
C:\WINDOWS\1on1.exe
C:\bla.MHT


Let us know if it's OK after.
;)
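A defender-side way to triage a log like the one posted above, written as an added example for this thread and not taken from either post or from HijackThis itself. It parses a constructed sample built from lines of the posted log and reports the four patterns the reply's fix list rests on: a core system process name (csrss.exe) running from anywhere other than System32, which is why the reply says to delete only the copy at that exact path; an executable dropped straight into the Windows folder (1on1.exe); an O16 download target that uses the ms-its:/mhtml: handler instead of a normal .cab; and an IE start page whose host differs from the OEM default page. The function names, category labels, the System32-only process list and the list of programs that legitimately live in the Windows root are my assumptions about the XP-era layout, not anything HijackThis defines.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format: lines copied from the log
# posted above, plus Explorer.EXE, carpserv.exe and ccApp as clean controls.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\csrss.exe
C:\WINDOWS\1on1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed XP layout: these core processes run only from %SystemRoot%\System32, so
# the same name anywhere else (C:\WINDOWS\csrss.exe above) is a look-alike.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"
# Assumed list of programs that genuinely live directly in %SystemRoot%.
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - .+,(?P<key>Start Page|Default_Page_URL) = (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \([^)]*\))? - (?P<url>.+)$")
Finding = Tuple[str, str]


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, filename); directory is '' for a bare program name."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def masquerading_system_process(path: str) -> bool:
    """True when a core system-process name runs from outside System32."""
    directory, name = split_path(path)
    return name in SYSTEM32_ONLY and directory != SYSTEM32_DIR


def unexpected_in_windows_root(path: str) -> bool:
    """True for an executable sitting straight in %SystemRoot% (not System32)."""
    directory, name = split_path(path)
    return directory == WINDOWS_ROOT and name not in WINDOWS_ROOT_OK


def executable_from_command(cmd: str) -> str:
    """Program path from a Run-key command line, quoted or bare, minus its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def analyze(log_text: str) -> List[Finding]:
    """Return (category, detail) pairs for log lines that deserve a second look."""
    findings: List[Finding] = []
    pages: Dict[str, str] = {}
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
            elif masquerading_system_process(line):
                findings.append(("process-masquerade", line))
            elif unexpected_in_windows_root(line):
                findings.append(("process-windows-root", line))
            continue
        if m := O4_RE.match(line):
            exe = executable_from_command(m.group("cmd"))
            label = f"[{m.group('name')}] {exe}"
            if masquerading_system_process(exe):
                findings.append(("run-key-masquerade", label))
            elif unexpected_in_windows_root(exe):
                findings.append(("run-key-windows-root", label))
        elif m := R_RE.match(line):
            pages[m.group("key")] = m.group("url")
        elif m := O16_RE.match(line):
            # A normal O16 points at an http(s) .cab; an ms-its:/mhtml: target is not.
            if re.match(r"(ms-its|mhtml):", m.group("url"), re.IGNORECASE):
                findings.append(("dpf-mhtml-protocol", m.group("clsid")))
    start, default = pages.get("Start Page"), pages.get("Default_Page_URL")
    if start and default and urlparse(start).netloc.lower() != urlparse(default).netloc.lower():
        findings.append(("start-page-changed", start))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

The path checks deliberately compare the directory, not just the file name, because the posted log shows the real csrss.exe (System32) and the impostor (C:\WINDOWS) side by side; a name-only rule would flag both or neither. The windows-root rule is a heuristic with an allowlist, so Explorer.EXE is not reported while 1on1.exe is.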