0

I have a PC on a LAN which has become infected with the Hotoffer.info trojan as well as the "Your Windows is corrupted with spyware virus" Popup. I have read through the info on your site for thread 16204 and gather this is not uncommon - but that you recommend starting your own thread - so hence this post. A temporary proxy override has been set up on the PC to prevent the awful pornographic popups!

I have run HijackThis and got the following log file was saved:

Logfile of HijackThis v1.99.1
Scan saved at 13:09:58, on 3/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PCCWIN97.EXE
C:\WINDOWS\TEMP\HI38.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGAZIP\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.10:80
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\IomegaZip\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\IomegaZip\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\IomegaZip\imgicon.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .nz/wap/ReportServlet?p_access_no=335c119e7e83d2c94758ffb79d148e45: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.compaq.com/
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.168.2.8/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://192.168.2.8/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.168.2.8/officescan/clientinstall/setup.cab

Have also run Silent Runners and the result is as follows:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"cAg0u" = "C:\WINDOWS\SYSTEM\0B8C0040.hta" [file not found]
"mdac_runonce" = "C:\WINDOWS\SYSTEM\runonce.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"OfficeScan95" = ""C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow" ["Trend Micro Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"OfficeScan95" = ""C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"" ["Trend Micro Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Clouds.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLYING~2.SCR" (Flying Through Space.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Iomega Watch" -> shortcut to: "C:\Program Files\IomegaZip\IOWATCH.EXE" [null data]
"Iomega Startup Options" -> shortcut to: "C:\Program Files\IomegaZip\IMGSTART.EXE" [null data]
"Iomega Disk Icons" -> shortcut to: "C:\Program Files\IomegaZip\imgicon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1069357579" -> launches: "C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1069357579"" ["0"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Can you help me rid this PC of the trojan?

Thanks in anticipation!
Chris

2
Contributors
5
Replies
6
Views
12 Years
Discussion Span
Last Post by dlh6213
0

Hi Kiwi Chris, welcome to DaniWeb :D

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta

Be sure to close all open windows, other then hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\SYSTEM and delete 0B8C0040.hta

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Check this site for additional worm removal steps:
http://www.pchell.com/internet/kakworm.shtml

Go to Windows Update and get the Critical Updates for your system.

Scan with hijackthis and post a new log please.

0

Hi Kiwi Chris, welcome to DaniWeb :D

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta

Be sure to close all open windows, other then hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\SYSTEM and delete 0B8C0040.hta

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Check this site for additional worm removal steps:
http://www.pchell.com/internet/kakworm.shtml

Go to Windows Update and get the Critical Updates for your system.

Scan with hijackthis and post a new log please.

REPLY.....

Heartfelt thanks for your help - all seems to be clear now. Scan log below:

Logfile of HijackThis v1.99.1
Scan saved at 09:06:39, on 8/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PCCWIN97.EXE
C:\WINDOWS\TEMP\OWDD9E.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PATCH.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.10:80
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .nz/wap/ReportServlet?p_access_no=335c119e7e83d2c94758ffb79d148e45: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.compaq.com/
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.168.2.8/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://192.168.2.8/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.168.2.8/officescan/clientinstall/setup.cab

0

You still need to get the Critical Updates for Win98 and IE.

Have hijackthis fix this entry:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Other then that, I think you're good to go :)

0

I have run hijackthis fix on the file you specified and done the critical updates - it's great to have a "clean" machine. Thanks again.
Chris

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.