Dec 29th, 2004

"Your Windows is corrupted with spyware virus" Popup

This popup appears every 5 minutes:

_________________________________
Microsoft Windows Security Warning
_________________________________

Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect yourself.
Private info is accessed by ports :
-8080
-3128

You can patch your PC for free only now and delete all spyware viruses.
Click OK to choose and download free spyware removal using antiSPY.
(OK) (Cancel)

____________________________________________________________

See this post for the same problem:
http://www.daniweb.com/techtalkforum...ed=1#post79432

____________________________________________________________

Tried everything but a reinstall to get rid of this. I've got all my Windows Updates, I'm running Ad-aware and PC-cillin, and I've run every other anti-spam/worm/trojan/virus/spyware app I could find.

I cleaned out my registry start-up entries manually, tried all of this in safe mode too.

Logfile of HijackThis v1.99.0
Scan saved at 7:41:32 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Thanks in Advance
JohnnyMitchell
Dec 29th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Reboot and post another log.

Download Shoot The Messenger, then double-click on it once you have it. It will disable Windows Messenger.
crunchie (Moderator)
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Thanks for your help, bro.

Unfortunately, the redirect to hotoffers.com persists, even after following your suggestion. I rebooted immediately after removing the entry using HijackThis. Here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 10:52:38 AM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Any suggestions would be greatly appreciated.
JohnnyMitchell
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

It is very important that all instances of Internet Explorer and any Windows Explorer windows are closed before fixing with HijackThis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.
crunchie (Moderator)
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Quote originally posted by crunchie:
It is very important that all instances of Internet Explorer and any Windows explorer windows are closed before fixing with hijackthis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.

Yo, I feel you on that. I read MANY posts across DaniWeb, and took all of their advice before posting, I assure you.

Even after closing ALL Explorer and Internet Explorer windows, then removing the entry, the registry entry (or whatever it is) continues to reappear after a few minutes. I've been working on this for a week now....

It all started when my roommate opened an attachment in an email (price.scr). Such a knucklehead, that one.

Anyhow, I'm starting to think there's an application somewhere, or a process that's not apparent. I've tried running HijackThis in safe mode, with all windows closed.... I've even run HijackThis with explorer.exe closed. Upon opening explorer.exe again, it reappears.

I'm about out of ideas, and ready to reinstall, I think....

Thanks crunchie.
j
JohnnyMitchell
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Go here and download and run Silent Runners.vbs. It generates a log; please post the information back in this thread.
crunchie (Moderator)
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Thanks again for getting back to me, I really appreciate this.
Here's the log content:

"Silent Runners.vbs", revision 28, launched at: 21:20
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
JohnnyMitchell
Dec 30th, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Got the little sucker. Can you go to C:\WINDOWS\System32\systr.dll and zip the systr.dll file up and email it to me at number1dad2000atyahoo.com.au (substitute at for @)?


Download the Pocket KillBox
Unzip the file to your desktop.
Open TheKillbox.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\systr.dll

When given the option to reboot select yes.

Once back in, scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Let me know how you get on. Please post both logs, from Silent Runners and HJT.
crunchie (Moderator)
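A triage script for the two log formats traded in this thread, added here as an example (it is not part of the thread, nor code from HijackThis or Silent Runners). It flags the R0 Start Page entry and any SharedTaskScheduler CLSID with its DLL status, which is the pairing crunchie used to find systr.dll; the allow list of start-page hosts and the sample lines are constructed assumptions.

```python
"""Triage the two log formats posted in this thread (added example; not code
from the thread, HijackThis or Silent Runners).  It flags an R0 Start Page
whose host is not on an allow list, and any CLSID under SharedTaskScheduler,
since those DLLs load into explorer.exe and can rewrite the page after a fix."""
import re

# Hosts a start page may legitimately point at (assumption for this example).
EXPECTED_START_PAGE_HOSTS = {"www.msn.com", "www.google.com", "about:blank"}

# R0 - HKCU\Software\...\Main,Start Page = http://...
R0_RE = re.compile(
    r"^R0 - (HK\w+)\\(.+?),(Start Page|Search Page|Default_Page_URL) = (\S+)$")
STS_SUFFIX = "\\Explorer\\SharedTaskScheduler\\"
# Optional "INFECTION WARNING! " prefix, then "{CLSID}" = "display name"
CLSID_RE = re.compile(r'^(?:INFECTION WARNING! )?"(\{[0-9A-Fa-f-]+\})" = "(.*)"$')
# -> resolves to: {CLSID}\InprocServer32\(Default) = <path> [<version info>]
RESOLVE_RE = re.compile(r"^-> resolves to: .*? = (.+?) \[(.+)\]$")


def host_of(url):
    """Host part of an http(s) URL, or the raw value for things like about:blank."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def triage_hjt(text):
    """Flag R0 browser-setting entries whose URL host is not on the allow list."""
    findings = []
    for line in text.splitlines():
        m = R0_RE.match(line.strip())
        if m and host_of(m.group(4)) not in EXPECTED_START_PAGE_HOSTS:
            findings.append({"kind": "browser-hijack", "hive": m.group(1),
                             "setting": m.group(3), "url": m.group(4)})
    return findings


def triage_silent_runners(text):
    """Flag every CLSID listed under SharedTaskScheduler with its DLL status."""
    findings, in_sts, pending = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends a registry section
            in_sts, pending = False, None
        elif line.startswith(("HKLM\\", "HKCU\\")):
            in_sts = line.endswith(STS_SUFFIX)
        elif in_sts:
            m = CLSID_RE.match(line)
            if m:
                pending = {"kind": "shared-task-scheduler",
                           "clsid": m.group(1), "name": m.group(2)}
                continue
            m = RESOLVE_RE.match(line)
            if m and pending:
                # A present DLL with no version info is the live hijacker; a
                # missing file is a leftover key to clean up after deletion.
                severity = "orphan" if m.group(2) == "file not found" else "high"
                pending.update(path=m.group(1), version_info=m.group(2),
                               severity=severity)
                findings.append(pending)
                pending = None
    return findings


# Constructed sample lines, modelled on the logs quoted in this thread.
SAMPLE_HJT = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
"""
SAMPLE_SR = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]
"""
```

Run `triage_hjt(SAMPLE_HJT)` and `triage_silent_runners(SAMPLE_SR)` to see the hijack and the loaded DLL reported together; after the DLL is deleted the same entry comes back as "orphan", which is the registry leftover that still needs cleaning.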
Dec 31st, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

AWESOME, you're the man, crunchie. I knew I wasn't losing my mind, and the thought of admitting defeat and reinstalling my OS because of some spyware BS was really just unthinkable.

I believe it's taken care of. Here are the logs:

Silent Runners:
"Silent Runners.vbs", revision 28, launched at: 14:27
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
-> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [file not found]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

_____________________________________________________________
_____________________________________________________________


Hijack This Log:
Logfile of HijackThis v1.99.0
Scan saved at 2:22:12 PM, on 12/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
JohnnyMitchell
Dec 31st, 2004

Re: "Your Windows is corrupted with spyware virus" Popup

Have uploaded a regfile for you. Unzip it, then double-click the regfile to run it. When asked if you wish to merge, click yes.

Please post your whole HijackThis log and another Silent Runners log.
crunchie (Moderator)

This thread is solved