Thread Solved

Join Date: Jun 2005
Posts: 3
Reputation: Kiwi Chris is an unknown quantity at this point 
Solved Threads: 0
Kiwi Chris Kiwi Chris is offline Offline
Newbie Poster

Hotoffers.info Trojan

 
0
  #1
Jun 2nd, 2005
I have a PC on a LAN which has become infected with the Hotoffer.info trojan as well as the "Your Windows is corrupted with spyware virus" Popup. I have read through the info on your site for thread 16204 and gather this is not uncommon - but that you recommend starting your own thread - so hence this post. A temporary proxy override has been set up on the PC to prevent the awful pornographic popups!

I have run HijackThis and got the following log file was saved:

Logfile of HijackThis v1.99.1
Scan saved at 13:09:58, on 3/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PCCWIN97.EXE
C:\WINDOWS\TEMP\HI38.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGAZIP\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.10:80
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\IomegaZip\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\IomegaZip\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\IomegaZip\imgicon.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .nz/wap/ReportServlet?p_access_no=335c119e7e83d2c94758ffb79d148e45: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.compaq.com/
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.168.2.8/officescan/client...RemoveCtrl.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://192.168.2.8/officescan/client...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.168.2.8/officescan/clientinstall/setup.cab

Have also run Silent Runners and the result is as follows:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"cAg0u" = "C:\WINDOWS\SYSTEM\0B8C0040.hta" [file not found]
"mdac_runonce" = "C:\WINDOWS\SYSTEM\runonce.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"OfficeScan95" = ""C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow" ["Trend Micro Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"OfficeScan95" = ""C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"" ["Trend Micro Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Clouds.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLYING~2.SCR" (Flying Through Space.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Iomega Watch" -> shortcut to: "C:\Program Files\IomegaZip\IOWATCH.EXE" [null data]
"Iomega Startup Options" -> shortcut to: "C:\Program Files\IomegaZip\IMGSTART.EXE" [null data]
"Iomega Disk Icons" -> shortcut to: "C:\Program Files\IomegaZip\imgicon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1069357579" -> launches: "C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1069357579"" ["0"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Can you help me rid this PC of the trojan?

Thanks in anticipation!
Chris
Reply With Quote Quick reply to this message  
Join Date: Jul 2004
Posts: 2,964
Reputation: dlh6213 is on a distinguished road 
Solved Threads: 210
Team Colleague
dlh6213 dlh6213 is offline Offline
Posting Maven

Re: Hotoffers.info Trojan

 
0
  #2
Jun 3rd, 2005
Hi Kiwi Chris, welcome to DaniWeb

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta

Be sure to close all open windows, other then hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\SYSTEM and delete 0B8C0040.hta

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Check this site for additional worm removal steps:
http://www.pchell.com/internet/kakworm.shtml

Go to Windows Update and get the Critical Updates for your system.

Scan with hijackthis and post a new log please.
Links to help you help yourself :

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Reply With Quote Quick reply to this message  
Join Date: Jun 2005
Posts: 3
Reputation: Kiwi Chris is an unknown quantity at this point 
Solved Threads: 0
Kiwi Chris Kiwi Chris is offline Offline
Newbie Poster

Re: Hotoffers.info Trojan

 
0
  #3
Jun 7th, 2005
Originally Posted by dlh6213
Hi Kiwi Chris, welcome to DaniWeb

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta

Be sure to close all open windows, other then hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\SYSTEM and delete 0B8C0040.hta

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Check this site for additional worm removal steps:
http://www.pchell.com/internet/kakworm.shtml

Go to Windows Update and get the Critical Updates for your system.

Scan with hijackthis and post a new log please.
REPLY.....

Heartfelt thanks for your help - all seems to be clear now. Scan log below:

Logfile of HijackThis v1.99.1
Scan saved at 09:06:39, on 8/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PCCWIN97.EXE
C:\WINDOWS\TEMP\OWDD9E.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PATCH.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.10:80
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .nz/wap/ReportServlet?p_access_no=335c119e7e83d2c94758ffb79d148e45: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.compaq.com/
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.168.2.8/officescan/client...RemoveCtrl.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://192.168.2.8/officescan/client...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.168.2.8/officescan/clientinstall/setup.cab
Reply With Quote Quick reply to this message  
Join Date: Jul 2004
Posts: 2,964
Reputation: dlh6213 is on a distinguished road 
Solved Threads: 210
Team Colleague
dlh6213 dlh6213 is offline Offline
Posting Maven

Re: Hotoffers.info Trojan

 
0
  #4
Jun 7th, 2005
You still need to get the Critical Updates for Win98 and IE.

Have hijackthis fix this entry:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Other then that, I think you're good to go
Reply With Quote Quick reply to this message  
Join Date: Jun 2005
Posts: 3
Reputation: Kiwi Chris is an unknown quantity at this point 
Solved Threads: 0
Kiwi Chris Kiwi Chris is offline Offline
Newbie Poster

Re: Hotoffers.info Trojan

 
0
  #5
Jun 8th, 2005
I have run hijackthis fix on the file you specified and done the critical updates - it's great to have a "clean" machine. Thanks again.
Chris
Reply With Quote Quick reply to this message  
Join Date: Jul 2004
Posts: 2,964
Reputation: dlh6213 is on a distinguished road 
Solved Threads: 210
Team Colleague
dlh6213 dlh6213 is offline Offline
Posting Maven

Re: Hotoffers.info Trojan

 
0
  #6
Jun 9th, 2005
You're welcome
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread has been marked solved.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple audio avg bar blackhat botnet botnets censorship commercial commercials conficker connect crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirecting reliability report research risk samhain sans scareware school search security sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted usa virus viruses vista war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC