
May 3rd, 2005 02:00

Browser hijack - please help

Hi! My name is sergio and a friend of mine unfamiliar with Windows (Mac user) had his daughter's PC kidnapped. Windows 98 SE. hotoffers.com/info/2048 is the website forced upon his system at 5-minute intervals offline, and online is out of reach altogether. The HJT scan is as follows:

Logfile of HijackThis v1.99.1
Internet Explorer v.5

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ELDOS\TRAYDAYS\TRAYDAYS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://WWW.hotoffers.info/ad0278/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SMCService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Startup: Shortcut to Traydays.exe.lnk = C:\Program Files\Eldos\Traydays\Traydays.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

I would appreciate any help as I have tried all I could to no avail. Thank you very much for your attention.
sergio

2 Intern


5.9K Posts

May 3rd, 2005 20:00

Sergio,
 
One version of hotoffers can be killed as follows. 
 
Get Pocket Killbox from:
 
 
Unpack killbox.exe to your desktop and run it.
 
Type or copy and paste:
 
c:\windows\system\systr.dll
 
into the killbox where it says Full Path of file to Delete. Check the button Delete on Reboot, then press the Red button and let it reboot.
 
Then remove the
 
RO - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = etc
 
line using HijackThis (check its box and then Fix Checked)
 
Do you know what this is?
 
O4 - Startup: Shortcut to Traydays.exe.lnk = C:\Program Files\Eldos\Traydays\Traydays.exe
 
I'd be inclined to get rid of it too since I can't find a reference to it on the internet.
 
Ron
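For anyone working through a HijackThis log like the one above, here is a small parser for that log format together with the two checks Ron's reply walks through by hand: flag an R0/R1 Start Page entry whose host is not on an allow-list (the hijack symptom), and list every O4 autostart entry for review. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the log posted above and the allow-list host is an assumption.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry is a section code (R0, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# R0/R1 body: "<registry key>,<value name> = <data>"
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4 body: "<Run key>: [<entry name>] <command>" or "Startup: <shortcut> = <command>"
RUN_RE = re.compile(r"^(?P<where>.+?): (?:\[(?P<name>[^\]]+)\]|(?P<lnk>.+?) =) (?P<cmd>.*)$")

def parse_hjt(text):
    """Return one dict per recognised entry; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        rec = {"code": code, "raw": body}
        if code in ("R0", "R1"):
            r = REG_RE.match(body)
            if r:
                rec.update(key=r.group("key"), value=r.group("value").strip(), data=r.group("data").strip())
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                rec.update(where=r.group("where"), name=r.group("name") or r.group("lnk"), cmd=r.group("cmd"))
        entries.append(rec)
    return entries

def flag_start_page(entries, allowed_hosts):
    """R0/R1 Start Page entries whose host is not on the allow-list: the hijack symptom."""
    flagged = []
    for e in entries:
        if e["code"] in ("R0", "R1") and e.get("value", "").lower() == "start page":
            host = (urlparse(e["data"]).hostname or "").lower()
            if host not in allowed_hosts:
                flagged.append((e["code"], host, e["data"]))
    return flagged

def autostart_commands(entries):
    """(entry name, command) for every O4 autostart, the list to go through item by item."""
    return [(e["name"], e["cmd"]) for e in entries if e["code"] == "O4" and "cmd" in e]

# Constructed sample, copied from the log posted in this thread (not a live scan).
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://WWW.hotoffers.info/ad0278/",
    r"O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe",
    r"O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe",
])
```

Anything returned by flag_start_page is the line to tick and "Fix Checked" in HijackThis; the autostart list is what to compare against programs you know are installed.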

May 3rd, 2005 21:00

Thanks for your prompt reply Ron, much appreciated. I will get the killbox to my friend's and try it. Eldos Traydays is a taskbar pop-up calendar that I have been using myself for the last 3 years and it is safe. I put it there for the girls only yesterday.
I will be in touch as soon as possible with the results. I do have a question though... I believe that screen savers are good carriers and I found a rather suspect one through "Display Properties". It was called "Popular Screensavers" and it had no preview and nothing showed in its settings. I am just worried that if a format is the last option, a possible carrier is not saved for the fresh start!! Careful saving, I guess...
Thank you again for your help.
sergio

2 Intern


5.9K Posts

May 3rd, 2005 22:00

For your screensaver question look here:
 
 
Ron