ok, so i have never posted before...but i'm by no means a newbie, just always had enough techies around me to get help first hand. I got about 9 years hard core computer use to draw from. Anyway.
So about an hour ago i got hit with HOTOFFERS.INFO the malware. tried everything everyone said, (but im not using hijackthis, though i got it) and had alot of experience with CWS...so i know about browsers needing to be closed and such. fought with it for a while. Some things i noticed...does this program learn on the fly? their malware that is. It seems like if i found a way to almost subvert it it would come back more tenacious, and was like many fearing a total re install. here's what i did.

tried using Alt-Tab to select the HTML page as active so i could Alt F4 it out. it worked. Then it came right back and i was unable to bring that page to the front the same way again. Then i deleted it from the running processes. the page went...and came right back but was now not listed in the running processes as if it was hiding! (mine was acting like a background image with my desktop icons appearing over it). i though, thats wierd. then i tried to view source on the window and delete the code and save the file, then went a step further and tried to delete the file itself. restarted and the page came up white, but it was still in control and i was still getting the error window (about the open port bit). Tried my anti virus (PC Cillan) and even tried their online scan, which found it and and said it couldnt remove it, im guessing becuse the browser window. tried ad-aware, spy subtract, CWS and good old fashion regedit. no luck. i may add here that all my proggies are updated daily and i scan every 6 hours or so (crazy i know, but it seems like i have somehow ended up in the digital equivalent of the old west, and I'm fightin like Doc Holiday). eventually plugged my net back in and ventured infected online looking for a cure. hit alot of sites with no resolution. then i hit here and saw the thread between crunchie and johnny mitchell. used 'killbox' (available here on the site, there is a link in Johnny Mitchels thread to get the file from crunchie i think) but did things a little different with same result.
i used killbox the way you said crunchie (did you write that proggie?) and after restart was able to remove the problem files (2 IE hijacks) with plain old ad-aware. just wanted to drop in my info to add to any knowledge data base existing. if anyone has any questions post em, but i got the average rig right now for the most part, runnin XP Home. Thanks again to Crunchie and Johnny Mitchell (more thanks naturally to Crunchie).

12 Years
Discussion Span
Last Post by ElextacyTheBnd

i used killbox the way you said crunchie (did you write that proggie?)

I wish :D. I am but a humble heavy duty fitter who works on crushing equipment for a mining company :D. Pretty far removed from program writing, but thanks anyway's.


well, in case you ain't noticed, in my book you are the man on the scene right now :!: Any word from anyone else on this bugs ability to circumvent efforts to be removed? It felt like this thing was fighting with me. Perhaps this explains the need for the KillBox, which i'm guessing must be some sort of quarentine process. By the way, what we do to get paid almost never reflects what we are cbale of doing, although mechanics is nothing to be shy about, especially big commercial grade equipment running in the thousands if not hundreds of thousands of dollars to replace. I myself am a sheetrock contractor and find that alot of people underestimate me due to my profession being more hands labor than anything else. Anyway, your suggestion is the only one that worked. and I must admit that log deciphering bit you do is a neat trick for a guy who claims not to program at all. You ability to read the registry for these entires shows at least a good amount of experience. I'm rambling though. I'll continue to drop in and see how the fight goes, as well as adding any additional information I discover about the enemy. Thanks again for all your help from all of us who have been hit by this new malware! This site seems to have the only non-proprietary removal of this troj.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.