Another HotOffers Hijack (HJT log incl)

#11, firehouse, Mar 4th, 2005

Originally Posted by OurNation
I found yet another virus. Do this:
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the values:

"Internat"="%System%\SYSTEMCONFIG33\systray.exe"
"SystemTray"="SysTray.Exe"
"SYSTEMZ Patch"="SYSZ.exe"


5. Do one of the following:
* If you have installed mIRC, continue to step 6.
* If you do not have mIRC installed, exit the Registry Editor.

6. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC

7. In the right pane, change the value:

"UninstallString"=""%System%\SYSTEMCONFIG33\systray.exe" -uninstall"

back to:

"UninstallString"=""C:\mirc\mirc.exe" -uninstall"

8. Exit the Registry Editor.



* Once again, I did not find these problems. The only entry in the registry that I found among your list was "SystemTray"="SysTray.Exe".

Thanks, though.
#12, firehouse, Mar 4th, 2005

Originally Posted by OurNation
Sorry to rain on your parade, but this is a baddie too:
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe

To remove this you must reboot into Safe Mode, then go to C:\WINDOWS\System, find spoolsrv32.exe and delete it; after that, empty your recycling bin and then reboot normally.


* I did find spoolsrv32.exe. Deleted as instructed.

I discovered that a file called systr.dll had been added to my c:\windows\system32 directory. Evidently this is the bad boy. I had to go into Safe Mode Command Prompt to get rid of it. It seems to have fixed the hijack problem. Unless of course there is more to it than that. Below is the latest HJT log. Please let me know if there is any more you think I should do.


Logfile of HijackThis v1.99.1
Scan saved at 11:36:39 AM, on 3/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HJT 1.99\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
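The triage the helpers do by hand above (checking each O4 autostart entry by its location, entry name and image path, including the Run values from the removal steps quoted in #11) as an added Python example; this is not code from the thread or from HijackThis. The sample lines are constructed after the posted log, the second ScanRegistry line is a made-up decoy, and the known-good table for two stock Windows 98 entries is an assumption (dlh6213 confirms ScanRegistry below).

```python
import re
# Sample lines constructed after the HijackThis 1.99.1 log posted in the thread; the
# second ScanRegistry line is a made-up decoy: a genuine entry name pointing at another image.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\TEMP\scanregw32.exe
"""
O4_REG = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (.+?) = (.*)$")
KNOWN_BAD = {"spoolsrv32.exe", "sysz.exe"}     # images the thread identifies as malicious
# Assumed genuine images of two stock Windows 98 entries (ScanRegistry is confirmed in the thread).
KNOWN_GOOD = {"ScanRegistry": "scanregw.exe", "TaskMonitor": "taskmon.exe"}
TEMP_MARKERS = ("temporary internet files", "content.ie5", "\\temp\\")

def image_path(command: str) -> str:
    # Executable part of a Run value: the quoted path, or the text up to the first space.
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def flags_for(name: str, location: str, image: str) -> tuple:
    low, base = image.lower(), image.rsplit("\\", 1)[-1].lower()
    found = []
    if base in KNOWN_BAD or "systemconfig33" in low:   # directory named in the quoted removal steps
        found.append("known-bad")
    if name in KNOWN_GOOD and base != KNOWN_GOOD[name]:
        found.append("lookalike-name")     # right name, wrong program
    if any(m in low for m in TEMP_MARKERS):
        found.append("temp-location")      # nothing legitimate autostarts from a cache directory
    if "\\" not in image:
        found.append("bare-filename")      # found via the search path, so it can be shadowed
    if location.endswith("RunServices"):
        found.append("runservices")        # Win9x starts these before logon; review them
    return tuple(found)

def parse_o4(log: str) -> list:
    # (location, name, image, flags) for every O4 line; lines from other sections are skipped.
    entries = []
    for line in log.splitlines():
        if m := O4_REG.match(line):
            hive, key, name, cmd = m.groups()
            loc, img = f"{hive}\\..\\{key}", image_path(cmd)
            entries.append((loc, name, img, flags_for(name, loc, img)))
        elif m := O4_STARTUP.match(line):
            name, target = m.groups()      # a Startup-folder .lnk target is already a bare path
            entries.append(("Startup", name, target, flags_for(name, "Startup", target)))
    return entries
```

Entries with an empty flags tuple are the ones the thread waves through; everything else is a line to look up before deleting anything.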
#13, OurNation, Mar 4th, 2005

Looks good except for this

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

It's either good or bad; it's hard to tell, as the good one has the same name as the bad one (how convenient), so maybe someone else can make the call.
#14, dlh6213, Mar 4th, 2005

Originally Posted by OurNation
Looks good except for this

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

It's either good or bad; it's hard to tell, as the good one has the same name as the bad one (how convenient), so maybe someone else can make the call.
This is the Registry Checker tool; more info here:
http://support.microsoft.com/kb/183887/EN-US/
#15, OurNation, Mar 4th, 2005

I think his is legit.
#16, ceomoses, Mar 10th, 2005

I just encountered this problem, and after a couple of hours of being frustrated and stumped and downloading new progs, I finally fixed it! *WARNING: Big smack on head ahead...* On the bottom of one of the start pages that came up (it looked like the main hotoffers.info home page with some tabs like adult, etc.) was a link labelled "uninstall". I clicked on the link and it led me to a site with a bunch of instructions, including adding registry values, etc. It said to download this file I attached, uninstall.exe. I ran that and my Windows went blank and I had to reboot. When I rebooted, it was gone without having to add any registry values or anything. I hope this works for others. I'm not too terribly interested in finding out if I can get rid of it again to see if it works every time...
Attached file: hotoffers info uninstall.zip (1.7 KB)