Browser hijack - please help

Question

Hi ! My name is sergio and a friend of mine unfamiliar with windows ( mac user ) had his daughter's PC kidnapped . Windows 98 SE . hotoffers.com/info/2048 is the website forced upon his system at 5 minutes intervals offline and online is out of reach altogether . The HJT scan is as follows : Logfile of HighjackThis v1.99.1 Internet Explorer v.5 Running processes : C:\WINDOWS|SYSTEM\KERNEL32.DLL C:\WINDOWS|SYSTEM\MSGSRV32.EXE C:\WINDOWS|SYSTEM\MPREXE.EXE C:\WINDOWS|SYSTEM\mmtask.tsk C:\WINDOWS|SYSTEM\MSTASK.EXE C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS|SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\ELDOS\TRAYDAYS\TRAYDAYS.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\SPYWAREGUARD\SGBHP.EXE C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE RO - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://WWW.hotoffers.info/ad0278/ 02 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SPYWAREGUARD\DLPROTECT.DLL 04 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun 04 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS	askmon.exe 04 - HKLM\..\Run: [SystemTray] SysTray.Exe 04 - HKLM\..\Run: [LoadPowerProfile] Rundll.32.exe powrprof.dll,LoadCurrentPwrScheme 04 - HKLM\..\Run: [SMCService C:\PROGRA~1\SYGATE\SPC\SMC.EXE -startgui 04 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme 04 - HKLM..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe 04 - HKLM..\Runservices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE 04 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o 04 - Startup: Shortcut to Traydays.exe.Ink = C:\Program Files\Eldos\Traydays\Traydays.exe 04 - Startup: SpywareGuard.Ink = C:\Program Files\SpywareGuard\sgmain.exe I would appreciate any help as I have tried all I could to no avail . Thank you very much for your attention . sergio

RKinner · Answer

Sergio,

One version of hotoffers can be killed as follows.

Get Pocket Killbox from:

http://www.bleepingcomputer.com/files/killbox.php

Unpack killbox.exe to your desktop and run it.

type or copy and paste:

c:\windows\system\systr.dll

into the killbox where it says Full Path of file to Delete. Check the button Delete on Reboot then press the Red button and let it reboot.

Then remove the

RO - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = etc

line using HijackThis (check its box and then Fix Checked)

Do you know what this is?

04 - Startup: Shortcut to Traydays.exe.Ink = C:\Program Files\Eldos\Traydays\Traydays.exe

I'd be inclined to get rid of it too since I can't find a reference to it on the internet.

Ron

sergio eduardo · Answer

Thanks for your prompt reply Ron , much appreciated . I will get the killbox to my friend's and try it . Eldo's Tray is a taskbar pop-up calendar that I have been using it myself for the last 3 years and it is safe . I put it there for the girls only yesterday.
I will be in touch as soon as possible with the results . I do have a question though... I believe that screen savers are good carriers and I found a rather suspect one through "Display Propeties" . It was called "Popular Screensavers" and it had no preview and nothing showed in its settings . I am just worried that if a format is the last option a possible carrier is not saved for the fresh start !! Careful saving , I guess...
Thank you again for your help .
sergio

RKinner · Answer

For your screensaver question look here:   http://www.pchell.com/support/popularscreensavers.shtml   Ron

Virus & Spyware

Was this post helpful?