 |  |  |  |  |  |  |  |
Help me get rid of hot offers
Thread Solved |
I also have hot offers, but i've tried all of your solutions you gave other people, but it doesnt work for me. im thinking its different for different people? anyway, can someone please help me get rid of hotoffer?!
Hi Albie, welcome to DaniWeb 
I've split your post into it's own thread per forum rules (http://www.daniweb.com/techtalkforum..._faq#faq_rules)
Please follow the recommendations and instructions in the three links from my signature below.
In the third one, follow the instructions in posts #1 and then #4.
I've split your post into it's own thread per forum rules (http://www.daniweb.com/techtalkforum..._faq#faq_rules)
Please follow the recommendations and instructions in the three links from my signature below.
In the third one, follow the instructions in posts #1 and then #4.
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
hey dlh6213, yes, i've tried those same instructions before and i tried it again today, but it just didn't work. do you think you could help me individually? pleeeeeeeease?
Sure 
Since you've already followed those instructions you should have HJT and Ewido, please post the most recent logs of each (with HJT in normal mode and Ewido in Safe Mode).
Since you've already followed those instructions you should have HJT and Ewido, please post the most recent logs of each (with HJT in normal mode and Ewido in Safe Mode).
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
i appreciate you helping me, thanks. heres the hijackthis log done in normal mode:
Logfile of HijackThis v1.99.1
Scan saved at 2:26:10 PM, on 7/28/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Logfile of HijackThis v1.99.1
Scan saved at 2:26:10 PM, on 7/28/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
In order to view some of the files and folders mentioned here, be sure your system is set to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.
If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Reboot into Safe Mode.
Do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Scan with hijackthis, and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
Be sure to close any open windows, other then HijackThis, and hit the Fix checked button.
Empty your Recycle Bin and reboot normally.
Delete any unwanted icons from your desktop and empty your Recycle Bin.
HotOffers should now be gone. If it still remains, please follow these instructions:
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily, if necessary.
Navigate to, and delete, the following subkeys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database
\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion
\Policies\System
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"
Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""
Exit the Registry Editor.
Now, close any open browser windows, scan with HijackThis, and post a new log please
If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Reboot into Safe Mode.
Do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Scan with hijackthis, and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
Be sure to close any open windows, other then HijackThis, and hit the Fix checked button.
Empty your Recycle Bin and reboot normally.
Delete any unwanted icons from your desktop and empty your Recycle Bin.
HotOffers should now be gone. If it still remains, please follow these instructions:
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily, if necessary.
Navigate to, and delete, the following subkeys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database
\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion
\Policies\System
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"
Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""
Exit the Registry Editor.
Now, close any open browser windows, scan with HijackThis, and post a new log please
holy...that worked...i am in shock dude. thanks so much. i cant believe how easy that was. thanks a lot dlh6213.
do you have any programs i can download to prevent this (or any other spyware/malware) from happening again?
•
•
•
•
Originally Posted by albie_da_great
do you have any programs i can download to prevent this (or any other spyware/malware) from happening again?
See the 'Protection' link below to help prevent inferctions (SpywareBlaster in particular).
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
 |
Similar Threads
- Hot Offers Hijack and Others (Viruses, Spyware and other Nasties)
- Help me get rid of hot offers (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Can't get rid of random pop ups
- Next Thread: problems with IE
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial conficker connect control cyber cybercrime cyberwarfare ddos domains education email europe exam exploit facebook fake fancheckvirus gaming gtaiv halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro redirect redirecting report research risk rogueantivirus samhain sans scareware search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war warning windows worm yahoo zeroday
