|
| ||
| Another HotOffers Hijack (HJT log incl) I have a machine that has been invaded by the same "Hotoffers.com" hijack that has been a problem for a couple of other members. Their problems were resolved by Crunchie (thread 16204) and CaperJack (thread 18165). The only thing I can see in the HJT log that needs to be fixed is: "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/" I checked it and clicked the "Fix" button but it still remains in subsequent logs. And the problem still remains. Am I doing something wrong? Can someone help? Logfile of HijackThis v1.98.2 Scan saved at 10:35:45 PM, on 3/2/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\EXPLORER.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IrMon] IrMon.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe" O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html[/FONT] |
| ||
| Re: Another HotOffers Hijack (HJT log incl) Well first of all your HJT is very old get the newer version here. |
| ||
| Re: Another HotOffers Hijack (HJT log incl) I upgraded to version 1.99.1. The log from that is below. Still seeing "hotoffers" URL after fixing. Still being hijacked. A search of my registry shows "http://www.hotoffers.ionfo/024/" as the IE start page. I don't want to mess with the registry until I hear from one of you more experienced people. Logfile of HijackThis v1.99.1 Scan saved at 5:35:25 PM, on 3/3/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\IRMON.EXE C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/ O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IrMon] IrMon.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe" O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html Quote:
|
| ||
| Re: Another HotOffers Hijack (HJT log incl) Well one more thing HJT needs its own file not in the temps. |
| ||
| Re: Another HotOffers Hijack (HJT log incl) OK, done. Here's the new log: Logfile of HijackThis v1.99.1 Scan saved at 6:55:25 PM, on 3/3/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\IRMON.EXE C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\HIJACKTHIS\HJT 1.99\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/ O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IrMon] IrMon.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe" O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html |
| ||
| Re: Another HotOffers Hijack (HJT log incl) Follow these steps while in safe mode beacuse I found that there is a virus on your computer. EDIT: wrong dierections same virus though |
| ||
| Re: Another HotOffers Hijack (HJT log incl) 1. Copy Regedit.exe to Regedit.com: Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that. 1. Do one of the following, depending on which operating system you are running: * Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. * Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. * Windows NT/2000 users: 1. Click Start, and click Run. 2. Type the following and then press Enter: command A DOS window opens. 3. Type the following and then press Enter: cd \winnt 4. Go on to the next step. * Windows XP users 1. Click Start, and click Run. 2. Type the following and then press Enter: command A DOS window opens. 3. Type the following and then press Enter after each one: cd \ cd windows 4. Go on to the next step. 2. Type the following and then press Enter: copy regedit.exe regedit.com 3. Type the following and then press Enter: start regedit.com 1. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps. NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window. 2. To edit the registry and remove keys and changes made by the worm: CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. 1. Navigate to the following key: HKEY_CLASSES_ROOT\exefile\shell\open\command 2. In the right pane, double-click the value: (Default) The Edit string dialog box opens. 3. Modify the default entry, which was changed by the worm, so that the path and file name for the worm are removed. For example, you must change c:\windows\system\loadpe.com" "%1" %* to the following: "%1" %* (That is, delete the entire contents of the Value data box, and then type the following characters: quote-percent-one-quote-space-percent-asterisk.) Value data as changed by the worm: Value data as it should be: 4. Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices 5. In the right pane, delete the following value: ScanRegistry This value should point to the copy of the worm in the \Windows\System folder. NOTE: Make sure that you are in the key specified. Do not delete the value named ScanRegistry that is in the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 6. Exit the Registry Editor. |
| ||
| Re: Another HotOffers Hijack (HJT log incl) I found yet another virus do this 1. Click Start, and then click Run. (The Run dialog box appears.) 2. Type regedit Then click OK. (The Registry Editor opens.) 3. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 4. In the right pane, delete the values: "Internat"="%System%\SYSTEMCONFIG33\systray.exe" "SystemTray"="SysTray.Exe" "SYSTEMZ Patch"="SYSZ.exe" 5. Do on of the following: * If you have installed mIRC, continue to step f. * If you do not have mIRC installed, exit the Registry Editor. 6. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Uninstall\mIRC 7. In the right pane, change the value: "UninstallString"=""%System%\SYSTEMCONFIG33\systray.exe" -uninstall" back to: "UninstallString"=""C:\mirc\mirc.exe" -uninstall" 8. Exit the Registry Editor. |
| ||
| Re: Another HotOffers Hijack (HJT log incl) Sorry to put a rain on your parade but this is a badie too O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe To remove this you must reboot into safe mode then go to C:\WINDOWS\System then find spoolsrv32.exe and delete it after that empty your recyling bin and then rebot normally. |
| ||
| Re: Another HotOffers Hijack (HJT log incl) Quote:
*I following all of these instructions. However, none of this applied. The machine currently runs executables and none of those improper registry entries were there. I'll move on to the next one. Thanks |
| All times are GMT -4. The time now is 11:49 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC