
1on1 hot_kiss trojan HELP!!!

Discussion in 'Virus & Other Malware Removal' started by nogura, Apr 11, 2004.

Thread Status:
Not open for further replies.
  1. nogura

    nogura Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    1
    Hi; I'm SO glad that there are people like you guys around who are A) Able to help computer thickos such as myself and B) willing to!

    Basically I'm on the net when Norton AntiVirus says that it has intercepted and killed the Trojan.ByteVerify bug. I'm pleased and carry on surfing. But then an icon appears on my taskbar for the 1on1 chat service at £1.50 a minute and pops up. At the same time my start page is set to 123found.com and the virus switches off the sound on my modem and tries to redial an XXXSERVER which has been added to my dialups. The number is listed as 5551212 (how can this be premium rate when it's not a 09000 number? [in fact when I dial it from my phone the number is said not to exist]). I'm not tech savvy enough to understand these things, unfortunately.
    I deleted the hot_kiss (came back as 1on1 when deleted) file from C:\Windows and reset my homepage (and checked that my critical updates had all been installed). Then I checked files which had been created / modified within the last few minutes. As well as the chat dialer thing it said that csrss.exe had been created in C:\Windows (I turned off archive and hidden settings etc. and tried to delete it, but it wouldn't let me; maybe for the best, as I wasn't 100% sure it was involved, but I think it is).

    I downloaded and ran Ad-aware 6, Spybot and XoftSpy, but they never found anything apart from a couple of minor vulnerabilities which I corrected. The online trojan scan and CWShredder never found anything (which is worrying as I know it detects similar trojans).

    So, I'm sorry for going on, but I'm trying to be as thorough as possible.

    On TaskManager it says that the processes running are -

    Image Name User Name
    1on1.exe Andrew
    ApntEx.exe Andrew
    Apoint.exe Andrew
    CARPSERV.EXE Andrew
    ccApp.exe Andrew
    ccEvtMgr.exe SYSTEM
    Client Interface.exe SYSTEM
    CPDNSE~1.EXE SYSTEM
    CSRSS.EXE Andrew
    CSRSS.EXE SYSTEM
    EXPLORER.EXE Andrew
    HijackThis.exe Andrew
    iexplore.exe Andrew
    LSASS.EXE SYSTEM
    Model.exe SYSTEM
    MSMSGS.EXE Andrew
    MSNMSGER.EXE Andrew
    MSOFFICE.EXE Andrew
    Navapsvc.exe SYSTEM
    NOTEPAD.EXE Andrew
    QtaET2S.EXE Andrew
    QTTASK.EXE Andrew
    SERVICES.EXE SYSTEM
    SMSS.EXE SYSTEM (I've heard this can be affected by trojans?)
    SPOOLSV.EXE SYSTEM
    SVCHOST.EXE SYSTEM
    SVCHOST.EXE SYSTEM
    SVCHOST.EXE NETWORK SERVICE
    SVCHOST.EXE LOCAL SERVICE
    System SYSTEM
    System Idle Processes SYSTEM
    taskmgr.exe Andrew
    WINLOGON.EXE SYSTEM
    wordpad.exe Andrew

    Start>Run>MSconfig then the startup tab gives
    carpserv
    Apoint
    QtET2S
    ccApp
    ccRegVfy
    qttask
    csrss
    1on1
    MsnMsgr
    Microsoft Office
    Symantec Fax Edition Port
    (My instincts would be to untick the 1on1 and csrss boxes, but I'll leave all those sorts of decisions to you people who know about these things.)

    I ran HijackThis and saved the log file shown below (but Norton AntiVirus said this file was infected with the Bloodhound.Exploit.6 virus: is this normal?)

    Logfile of HijackThis v1.97.7
    Scan saved at 18:39:22, on 11/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\csrss.exe
    C:\WINDOWS\1on1.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\CLIMAT~1\execs\Model.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andrew\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.5031365741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Now, please tell me what I have to do to get all this stuff right. The less technical the better, as I'm worried about either deleting the wrong thing or missing something important. My instinct would be to click fix on these entries:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n

    If it involves things like editing the registry, then I'd be grateful if I could have step by step instructions! Thanks very much.

    Andrew
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Not a bad instinct, Andrew (y)

    Run HijackThis again and put a checkmark against these entries (double check in case you miss anything), then close all browser and Outlook windows, including this one, and click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe

    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete:
    C:\WINDOWS\csrss.exe [MAKE SURE IT'S THE ONE IN THAT EXACT LOCATION]
    C:\WINDOWS\1on1.exe
    C:\bla.MHT


    Let us know if it's OK after.
    ;)
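Reading the two posts together, every entry $teve asked Andrew to fix is visible in the HijackThis log itself: a file named csrss.exe running from C:\WINDOWS rather than C:\WINDOWS\System32 (Task Manager showed CSRSS.EXE twice, once under Andrew and once under SYSTEM), two Run-key entries launching programs dropped in the Windows root, a Start Page that no longer matches the OEM default recorded in the O14 IERESET.INF entry, and a DPF object fetched through an ms-its:/mhtml: CHM chain. The Python below is an added example written for this page, not code from the thread, from HijackThis or from Symantec. It parses a log in the v1.97 text format quoted above and lists those indicators. The set of System32-only binary names, the allowlist of programs that legitimately live in C:\WINDOWS, the "dropped in the Windows root" heuristic and the sample log (a constructed subset of the one Andrew posted) are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption of this example: on Windows XP these names run only from
# %SystemRoot%\System32; a same-named file anywhere else is a masquerade.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"
# Programs that legitimately sit in the Windows root (partial, assumed list).
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}

# Constructed sample: a subset of the HijackThis 1.97 log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\csrss.exe
C:\WINDOWS\1on1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [1on1] C:\WINDOWS\1on1.exe -n
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//7ble.chm::/wincfgid.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
START_PAGE = re.compile(r"^R[01] - .*(?:Start Page|Default_Page_URL) = (?P<url>\S+)$")
IERESET = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(?P<url>\S+)$")
O16_DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.* - (?P<url>\S+)$")


def exe_of(cmd):
    """Program path from a Run-key command line: quoted path, else first .exe token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(\S+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def dir_and_name(path):
    """Lower-cased (directory, basename) of a Windows path; a bare name gives '.'."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def location_finding(path):
    """Reason string if a program's location is suspicious, else None."""
    d, name = dir_and_name(path)
    if name in SYSTEM32_ONLY and d != SYSTEM32_DIR:
        return "system-binary name running outside System32"
    if d == WINDOWS_ROOT and name not in WINDOWS_ROOT_OK:
        return "program dropped in the Windows root"
    return None


def triage(log):
    """Return (reason, line) pairs for each indicator found in HijackThis log text."""
    findings, lines, in_procs = [], log.splitlines(), False
    # Baseline for the start-page check: the OEM default recorded in IERESET.INF.
    oem_default = next((m.group("url") for line in lines if (m := IERESET.match(line))), None)
    for line in lines:
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:                        # section ends at the first blank line
            if not line.strip():
                in_procs = False
                continue
            if reason := location_finding(line.strip()):
                findings.append(("process: " + reason, line))
        elif m := START_PAGE.match(line):
            if oem_default and m.group("url") != oem_default:
                findings.append(("start page differs from OEM default", line))
        elif m := O4_RUN.match(line):
            if reason := location_finding(exe_of(m.group("cmd"))):
                findings.append(("Run key: " + reason, line))
        elif m := O16_DPF.match(line):
            url = m.group("url").lower()
            if url.startswith(("ms-its:", "mhtml:")) or ".chm::" in url:
                findings.append(("DPF object fetched through ms-its/mhtml CHM chain", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
</```

Run as a script it prints the six flagged lines and nothing for the legitimate System32 copies, Explorer.EXE, the Acer default page or the Flash DPF entry. The path check is exactly the distinction behind "MAKE SURE IT'S THE ONE IN THAT EXACT LOCATION": a HijackThis log shows full paths but not the owning account or parent process, so the C:\WINDOWS copy is identified by location alone, and the System32 one is left untouched.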
     
Short URL to this thread: https://techguy.org/219356