I am 'Hotkiss hijacked' - Hijack This log - please help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zarafein, May 30, 2004.

  1. Zarafein

    Zarafein Private E-2

    I have run Adaware. Spyware Guard is preventing the Hotkiss hijacker from being able to change my homepage but I cannot seem to get rid of the virus. Can anyone help me please?
    Thanks for all the downloads & protection that your site has given me in the past, I hope that you can help me with this too. Keep up the good work.
    Here is my Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 02:01:05, on 31/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\browse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\DOCUME~1\ALEXBR~1\LOCALS~1\Temp\nwiz.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Alex Briggs-Davies\Desktop\Protection\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\browse.exe /i
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Startup: Run Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol013.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{009BDE0D-BEB3-43E4-9A2A-5204AE7E7BEE}: NameServer = 194.72.9.44 194.74.65.86
    O17 - HKLM\System\CS2\Services\Tcpip\..\{009BDE0D-BEB3-43E4-9A2A-5204AE7E7BEE}: NameServer = 213.120.62.99 213.120.62.100
    O17 - HKLM\System\CS6\Services\Tcpip\..\{009BDE0D-BEB3-43E4-9A2A-5204AE7E7BEE}: NameServer = 194.72.9.44 194.74.65.86
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In Windows NT/2000/XP/2003 you will need to edit the following registry entry. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Hot_Kiss= <Windows> Hot_Kiss.exe -n.

    and delete it if it exists. Close the registry editor.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, the line with powerreg scheduler v3.exe is part of 3COM modem software. It is a registration reminder. It is not required and can be removed using HiJaak This.

    O4 - Startup: PowerReg Scheduler V3.exe
     
  4. Zarafein

    Zarafein Private E-2

    Thanks for getting back to me so quickly :)

    I did as you suggested, closed the registry editor and then restarted. The 'Hot_kiss' hijacker then attempted to hijack my browser again as it usually does on start-up.

    What should I do next?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bring up Task Manager (CTRL-ALT-DEL) and see if you can find any of the following running; if so, shut them down:
    browse.exe
    fpuk.exe
    hot_kiss.exe (or anything that looks like it is hot kiss)

    Now shutdown ALL applications and run HiJaak This again and have it fix the following:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O4 - HKLM\..\Run: [httpd] C:\WINDOWS\browse.exe /i
    O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe

    Reboot in safe mode and delete (if they exist):
    c:\windows\browse.exe
    c:\Program Files\Free-Popup-Killer\fpuk.exe (in fact delete the whole Free-Popup-Killer directory)
    c:\windows\hot_kiss.exe (if you do not find it here, use file search to see if you can locate it and delete it.)

    Reboot in normal mode and see how things look. If you still have a problem, repost another HiJaak This log.
     
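The triage in the two replies above (check the Run keys for the hijacker's value, find its processes and Run entries in the log, then remove the files) can be scripted for the log itself. The following is an added example, not code from the thread or from HijackThis: a small parser for three HijackThis line types (running-process paths, O4 Run entries, R0/R1 browser page settings) that flags the filenames the thread names (browse.exe, fpuk.exe, hot_kiss.exe) and, as a heuristic that is my assumption rather than anything the thread states, any startup program living in a Temp directory or directly in the Windows directory, or a browser page that points at a local file. A heuristic hit is a prompt to verify, not a verdict: the hpfsched entry in the sample trips the Windows-directory rule even though the thread does not call it out. The sample log is adapted from the posted one with the user path genericised.

```python
import re
from typing import List, Optional, Tuple

# Filenames the thread identifies as the hijacker and the helper it installed.
KNOWN_BAD_NAMES = {"browse.exe", "fpuk.exe", "hot_kiss.exe"}

# HijackThis line shapes handled here: a running-process path, an O4 Run
# entry, and an R0/R1 browser page setting.
PROC_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
R_RE = re.compile(r"^R[01] - .*,(Local Page|Start Page|Default_Page_URL|Search Page) = (.*)$")

# Constructed sample, adapted from the log posted above (user path genericised).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\browse.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\nwiz.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [httpd] C:\WINDOWS\browse.exe /i
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
"""


def exe_from_command(cmd: str) -> str:
    """Return the program path from a Run value's command line.

    Handles quoted paths, unquoted paths containing spaces (HijackThis prints
    them as-is), and host programs such as RUNDLL32.EXE followed by arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def location_reason(path: str) -> Optional[str]:
    """Heuristic (assumption): where a startup program lives hints at how it got there."""
    p = path.lower()
    if "\\temp\\" in p or "\\locals~1\\" in p:
        return "runs from a temporary directory"
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", p):
        return "sits directly in the Windows directory (review; some legitimate installers do this)"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs that deserve a human's attention."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROC_RE.match(line):
            kind, path = "running process", line
        elif (m := O4_RE.match(line)):
            kind, path = f"{m.group(1)} Run entry [{m.group(2)}]", exe_from_command(m.group(3))
        elif (m := R_RE.match(line)):
            target = m.group(2).strip()
            if re.match(r"^[A-Za-z]:\\", target):
                findings.append((line, f"{m.group(1)} points at a local file instead of a URL or about:blank"))
            continue
        else:
            continue  # other line types (O2, O3, O16, O17, ...) are not handled here
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_BAD_NAMES:
            findings.append((line, f"{kind}: {name} is named in the thread as part of the hijacker"))
            continue
        reason = location_reason(path)
        if reason:
            findings.append((line, f"{kind}: {reason}"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the reasons map directly onto the reply's three steps (end the process, fix the Run entry, delete the file), and anything flagged only by the location heuristic should be checked against the vendor before it is touched.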
  6. Zarafein

    Zarafein Private E-2

    Thank you so much ... it seems to have worked.

    I deleted the hot_kiss.exe file in safe mode and it hasn't come back since.
    Is there any way that I can close the hole that this virus exploits to stop it from coming back on to my system?

    Once again, thanks for all your help :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Try using SpywareBlaster 3.1 to block spyware from getting installed, along with a firewall. WinXP has a built-in firewall that you can use, but you may be better off using one of the ones I mention below. I also don't remember seeing a virusscan application. If you do not have one, you should. See recommendations below (they are free). By the download counts AntiVir would appear to be the most downloaded, but among the experts here Avast appears to be preferred. See this thread:
    http://www.majorgeeks.com/vb/showthread.php?t=29263&highlight=virus+scan

    One additional thing, run weekly scans with Ad-aware, SpyBot S&D, and SpyGuard (I think you indicated you already use SpyGuard). Also, make use of SpyBot S&D's immunize feature to block out certain websites. Keep all spyware checker and virusscan programs up to date and perform full system scans periodically to catch things that sneak in before the software is updated to check for them.

    One last item, go to http://v4.windowsupdate.microsoft.com/en/default.asp and make sure your WinXP system is up to date with all security and other recommended patches.

    Spyware Tools:

    SpywareBlaster: http://www.majorgeeks.com/download2859.html
    SpywareGuard: http://www.majorgeeks.com/download3045.html

    Firewalls:
    Sygate Personal Firewall Free 5.5.2525: http://www.majorgeeks.com/download3356.html
    ZoneAlarm Free 5.0.590.015: http://www.majorgeeks.com/download388.html

    Virusscan:
    Avast! Home Edition 4.1.396 : http://www.majorgeeks.com/download1968.html
    AVG Free Edition 6.0 Build 688 : http://www.majorgeeks.com/download886.html
    AntiVir Personal Edition 6.25.00.03 (Updated): http://www.majorgeeks.com/download955.html
     
