hotoffers.info/ad0287 [CLOSED]


This topic is locked.

#1 dtremain (New Member, 3 posts)
The described behavior is the same in both Safe Mode and normal mode.

I'm running XP Pro (no SPs - I know, bad boy, plan on installing SP2 as soon as PC is clean).

Desktop has 20 new icons - all of which point to www.hotoffers.info/ad0287/go.php. If you delete the desktop shortcuts, they are reinstalled. Some names are Oral Sex, Party Poker, Pharmacy, Pornstars, Remove Spyware, Viagra.

About every 7 to 10 minutes, Internet Explorer starts and tries to access the hotoffers.info site. I immediately disconnected my dial-up connection, so I don't know what it does if it can connect to the internet.

About every 12 minutes a pop-up dialog will appear in the center of the screen with various messages about you needing to patch your system. These have the red circle with white X and are crafted to look like XP Op-Sys messages.

About every 10 minutes, a pop-up from the task bar (there is a red circle with white X icon near the time at the bottom right) appears with various messages that the network is under attack - download anti-virus software, home page has been authorized - download etc., etc....

My wife was connected to the internet when the virus infected the computer. I don't know what she did (she's not a computer geek), but she was only connected about 5 minutes. Based on the time frame she was connected, I did a hard drive scan for all files created that day, and created a ZIP file (990K) of the files that were modified during the time she was logged on (18-Apr-2005 22:49:45 - 22:56:09).

Files in the ZIP that I suspect are directly related to the problem include:
From C:\Windows\System32: popup_bl.dll, *.ico, param32.dll, vsconfig.xml, guninst.exe
From C:\Windows\Prefetch: SPIDER.EXE-@D998CA6.pf, RUNDLL32.EXE-30F355B7.pf, REGSVR32.EXE-25EEFE2F.pf, RASAUTOU.EXE-18B88A68.pf, NAVW32.EXE-24F56911.pf, DROPPER.EXE-02F2B7E3.pf, AUPDATE.EXE-2253CB60.pf

I can send the ZIP file if it would be helpful (it would not let me attach it to this post).

The system was running both Norton Anti-Virus 2005 (full scan detects no problems), and Zone Alarm (I don't think wife clicked OK to anything) at the time.

When I run Ad-Aware, it detects one problem, which I fix but it is back if I rescan.

The desktop shortcuts / home page / the Hosts IP overrides are quickly restored by something if you attempt to remove them.

Scans/Fixes with the following tools did not remove the problem:
Ad-AwareSE
SpyBot
ScanSpyware
Stinger
Mwav
SysClear
TDS-3
CCleaner
Norton AntiVirus 2005

HijackThis log (in SAFE mode) with IExplore active follows (the only difference if IExplore is not running is the absence of its entry in the Running processes list):

Logfile of HijackThis v1.99.1
Scan saved at 6:59:21 AM, on 4/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\My Documents\Downloads\AntiVirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0287/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 yahoo.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Your assistance would be greatly appreciated.

David Tremain

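The O1 lines in the log above show the pattern that is worth detecting automatically rather than eyeballing: a single address (69.50.173.4) has absorbed a dozen unrelated, well-known domains, which is a hosts-file hijack even before you know what the address serves. The following is an added example, not code from this thread or from HijackThis. It parses either raw hosts-file lines or HijackThis "O1 - Hosts:" lines and reports two things: a protected domain redirected to anything other than a loopback/null address, and one address that claims many distinct domains. The protected-domain list, the sinkhole address set and the five-domain threshold are assumptions to adjust per environment; the sample input reuses the O1 lines from the log plus two constructed benign entries so the legitimate-override path is exercised.

```python
"""Flag hosts-file hijacks of the kind seen in HijackThis O1 entries.

Added example; not part of the original thread or of HijackThis.
"""
import ipaddress
import re
from collections import defaultdict

# Sample input: the O1 lines copied from the HijackThis log in post #1, plus
# two constructed benign lines (localhost and a user-added ad blackhole).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 yahoo.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
0.0.0.0 ads.example.net   # constructed: user-added ad blackhole, benign
"""

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

# Assumption: a legitimate hosts override blackholes a name to one of these.
# Any other address for a protected domain is treated as a redirect.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Assumption: a short "must never be overridden" list; extend per environment.
PROTECTED = {"amazon.com", "ebay.com", "yahoo.com", "aol.com", "lycos.com",
             "go.com", "icq.com", "earthlink.net", "google.com", "microsoft.com"}

# Assumption: one address claiming this many distinct domains is a hijack.
MANY_DOMAINS = 5


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file lines or HJT O1 lines.

    Comments after '#' are dropped; lines whose first token is not an IP
    address (e.g. other HijackThis sections) are skipped, not errors.
    """
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: adequate for the sample;
    use a public-suffix list for real data (co.uk etc. would mis-group)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_hijacks(text):
    """Return a list of (finding_kind, ip, detail) tuples."""
    findings = []
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip in SINKHOLE:
            continue  # blackholing is what a hosts override is for
        by_ip[ip].add(host)
        if registered_domain(host) in PROTECTED:
            findings.append(("protected_domain_redirected", str(ip), host))
    for ip, hosts in by_ip.items():
        if len({registered_domain(h) for h in hosts}) >= MANY_DOMAINS:
            findings.append(("ip_absorbs_many_domains", str(ip),
                             ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:30} {ip:16} {detail}")
```

Point `find_hijacks` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` to run it on a live system; the HijackThis-prefix handling only matters when you are working from a posted log. The two findings are independent on purpose: the many-domains rule catches a hijack to an address you have never seen, and the protected-domain rule catches a single targeted redirect that the count would miss.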

#2 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)
Download and run Silent Runners.vbs from HERE

It generates a log, please post the information back in this thread

#3 dtremain (Topic Starter, 3 posts)
I will run silentrunners.vbs tonight & post results back.

SUMMARY: My system appears to be back to normal functioning, but I am concerned that there are left-overs hanging around to haunt me later.

WARNING TO ANYONE ELSE ATTEMPTING TO USE THIS PROCESS TO REMOVE THE MALWARE: I make no guarantees that this will work for you. I make no claim that I have actually fixed the problem (I may have made my situation worse). I plan to post an update next week on its longer-term success.

From what I've read about other hotoffers.info infections, each one seems to be different. Mine was hotoffers.info/ad0287. Please read the first post - I was able to identify all files modified during the time frame of the actual infection.

DETAILS:
What I've done in the meantime (it *seems* to be gone, but I'd like to be sure):

All the following was in SAFE MODE:

1) Followed the instructions for running AdAware (making sure I had the latest update). It found/fixed the browser hijack, but mostly just the cookies from my son's login.

2) Renamed c:\windows\system32\dllcache\iexplore.exe to aaa_iexplore.exe (the new name is not significant - it is enough that it is different)

3) Renamed c:\windows\system32 related offensive .ico files to .icox (not necessary - just gets them out of your face)

4) Renamed c:\windows\system32 popup_bl.dll, param32.dll, guninst.exe, and vsconfig.xml to aaa_*.* (again, just a different name, but so you can find them).

5) Restarted system in SAFE mode.

6) The popups stopped, IE did not attempt to start, the ie home page did not revert.

7) After it looked like the malware activity had stopped, I deleted the files I'd renamed (as well as the other .ico files it had dropped on the system) EXCEPT the aaa_iexplore.exe in dllcache (I left it alone). Note that was delete, not move to recycle bin.

8) Go to c:\Documents and Settings\david\Desktop and delete the internet shortcuts created by the malware.

9) I used CCleaner to check registry, and found one entry related to the malware - it complained that an uninstall program wasn't found - GUNINST.EXE. Deleted that key.

After restarting the system again in SAFE mode, it appeared that the malware was no longer active. After waiting about 1/2 hour with no signs of desktop shortcuts reappearing, etc., I restarted the system normally. It seems to be running fine.

Follow-up securing:
Zone Alarm had a couple of new programs added to it, which I set to DISABLE access to internet / server activity:
RunDLL32.exe
Dropper.exe
AUpdate.exe

I am still concerned about how this malware appeared to go right through Zone Alarm and around Norton AntiVirus without leaving a trace. The Zone Alarm log showed all access attempts blocked during the time in question.

I am also still concerned that this has left "hooks" in the system that should be removed.

David Tremain

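The procedure in post #3 (list everything changed in the infection window, rename rather than delete, confirm the behaviour stops, only then remove) generalises to a small triage script. The following is an added example, not code from this thread: it walks a directory tree for files whose modification time falls inside a window, and quarantines suspects by a reversible rename so the samples survive for analysis. The `aaa_` prefix follows the post's convention; the temporary sample tree, its file names and their timestamps are constructed for the example. One caveat the post does not mention: a dropper can set any mtime it likes, so a window scan is a lead for correlation against the firewall or dial-up log, not proof.

```python
"""Timeline triage: find files changed in a window, quarantine by rename.

Added example; not from the original thread.
"""
import os
import tempfile
from datetime import datetime
from pathlib import Path

QUARANTINE_PREFIX = "aaa_"  # assumption: post #3's convention; any unique prefix works

# The infection window reported in post #1 (local time).
INFECTION_START = datetime(2005, 4, 18, 22, 49, 45)
INFECTION_END = datetime(2005, 4, 18, 22, 56, 9)


def files_changed_between(root, start, end):
    """Return sorted paths under root whose mtime lies in [start, end].

    mtime is trivially forged; on NTFS cross-check against the file's
    creation time and MFT record before trusting a hit or a miss.
    """
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if lo <= st.st_mtime <= hi:
                hits.append(path)
    return sorted(hits)


def quarantine(path, prefix=QUARANTINE_PREFIX):
    """Neutralise a suspect file by renaming it in place.

    Reversible, keeps the sample, and anything that loads the file by its
    original name (a Run key, a BHO CLSID) now fails visibly. Refuses to
    overwrite an existing target.
    """
    path = Path(path)
    target = path.with_name(prefix + path.name)
    if target.exists():
        raise FileExistsError(f"quarantine target already exists: {target}")
    path.rename(target)
    return target


def restore(path, prefix=QUARANTINE_PREFIX):
    """Undo quarantine(); ValueError if the name does not carry the prefix."""
    path = Path(path)
    if not path.name.startswith(prefix):
        raise ValueError(f"not a quarantined file: {path}")
    original = path.with_name(path.name[len(prefix):])
    if original.exists():
        raise FileExistsError(f"restore target already exists: {original}")
    path.rename(original)
    return original


def build_sample_tree():
    """Constructed sample: two files stamped inside the infection window and
    one stamped earlier the same day, under a throwaway temp directory."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "System32").mkdir()
    inside = datetime(2005, 4, 18, 22, 52, 0).timestamp()
    before = datetime(2005, 4, 18, 9, 0, 0).timestamp()
    for rel, ts in (("System32/popup_bl.dll", inside),
                    ("System32/param32.dll", inside),
                    ("System32/kernel32.dll", before)):
        f = root / rel
        f.write_bytes(b"MZ")  # placeholder bytes, not a real PE
        os.utime(f, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in files_changed_between(root, INFECTION_START, INFECTION_END):
        print("suspect:", hit.relative_to(root))
        print("  quarantined as:", quarantine(hit).name)
```

Run it as-is to see the sample tree triaged; on a real box point `files_changed_between` at `%SystemRoot%` with the window taken from the firewall or dial-up log, and quarantine only after comparing each hit against a known-good file list so you do not rename a legitimate update that landed in the same minutes.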
#4 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)
Are you going to post or are you happy that you are clean now?

#5 dtremain (Topic Starter, 3 posts)
Sorry - I've been ill for a few days and out of it. I tried running the silentrunners.vbs script and got this error dialog:

    Script: E:\Downloads\Antivirus\silentrunners.vbs
    Line: 789
    Char: 1
    Error: Syntax error
    Code: 800A03EA
    Source: Microsoft VBScript compilation error

    [OK]

Even though my system is behaving OK, what I did was not likely to remove the hooks that were put in place. If I restore the files to their locations, my guess is that the malware behavior would immediately resume. I don't consider that a "clean" system. Something has to reference the .dll's at startup or from within a legit program.

I will try to include my copy of silentrunner.vbs as an attachment (if it will let me...)

Again, thanks for your patience and help.

Attached Files



#6 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)
OK do this. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\param32.dll

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

C:\WINDOWS\System32\systr.dll

When it prompts you to reboot this time, press the YES button.

After restarting, post a new HJT log.

#7 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)
Due to inactivity this topic will be closed.

If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.