I have a machine that has been invaded by the same "Hotoffers.com" hijack that has been a problem for a couple of other members. Their problems were resolved by Crunchie (thread 16204) and CaperJack (thread 18165).

The only thing I can see in the HJT log that needs to be fixed is:

"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/"

I checked it and clicked the "Fix" button but it still remains in subsequent logs. And the problem still remains. Am I doing something wrong? Can someone help?

Logfile of HijackThis v1.98.2
Scan saved at 10:35:45 PM, on 3/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [IrMon] IrMon.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html


Well, first of all, your HJT is very old; get the newer version here.

I upgraded to version 1.99.1. The log from that is below. Still seeing the "hotoffers" URL after fixing. Still being hijacked. A search of my registry shows "http://www.hotoffers.info/024/" as the IE start page. I don't want to mess with the registry until I hear from one of you more experienced people.

Logfile of HijackThis v1.99.1
Scan saved at 5:35:25 PM, on 3/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

Well, first of all, your HJT is very old; get the newer version here.

Well, one more thing: HJT needs its own file, not in the temps.

OK, done. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:25 PM, on 3/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIJACKTHIS\HJT 1.99\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/024/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

Follow these steps while in safe mode because I found that there is a virus on your computer.

EDIT: wrong directions, same virus though

1. Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that.

1. Do one of the following, depending on which operating system you are running:
* Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
* Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
* Windows NT/2000 users:
1. Click Start, and click Run.
2. Type the following and then press Enter:

command

A DOS window opens.
3. Type the following and then press Enter:

cd \winnt
4. Go on to the next step.
* Windows XP users
1. Click Start, and click Run.
2. Type the following and then press Enter:

command

A DOS window opens.
3. Type the following and then press Enter after each one:

cd \
cd windows
4. Go on to the next step.
2. Type the following and then press Enter:

copy regedit.exe regedit.com
3. Type the following and then press Enter:

start regedit.com

1. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

2. To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

1. Navigate to the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command
2. In the right pane, double-click the value:

(Default)

The Edit string dialog box opens.
3. Modify the default entry, which was changed by the worm, so that the path and file name for the worm are removed. For example, you must change

c:\windows\system\loadpe.com" "%1" %*

to the following:

"%1" %*

(That is, delete the entire contents of the Value data box, and then type the following characters: quote-percent-one-quote-space-percent-asterisk.)

4. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
5. In the right pane, delete the following value:

ScanRegistry

This value should point to the copy of the worm in the \Windows\System folder.

NOTE: Make sure that you are in the key specified. Do not delete the value named ScanRegistry that is in the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. Exit the Registry Editor.

I found yet another virus; do this:
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the values:

"Internat"="%System%\SYSTEMCONFIG33\systray.exe"
"SystemTray"="SysTray.Exe"
"SYSTEMZ Patch"="SYSZ.exe"

5. Do one of the following:
* If you have installed mIRC, continue to step f.
* If you do not have mIRC installed, exit the Registry Editor.

6. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Uninstall\mIRC

7. In the right pane, change the value:

"UninstallString"=""%System%\SYSTEMCONFIG33\systray.exe" -uninstall"

back to:

"UninstallString"=""C:\mirc\mirc.exe" -uninstall"

8. Exit the Registry Editor.

Sorry to rain on your parade, but this is a baddie too:
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe

To remove this you must reboot into safe mode, then go to C:\WINDOWS\System, find spoolsrv32.exe and delete it; after that, empty your recycling bin and then reboot normally.

1. Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that.

1. Do one of the following, depending on which operating system you are running:
* Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
* Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
* Windows NT/2000 users:
1. Click Start, and click Run.
2. Type the following and then press Enter:

command

A DOS window opens.
3. Type the following and then press Enter:

cd \winnt
4. Go on to the next step.
* Windows XP users
1. Click Start, and click Run.
2. Type the following and then press Enter:

command

A DOS window opens.
3. Type the following and then press Enter after each one:

cd \
cd windows
4. Go on to the next step.
2. Type the following and then press Enter:

copy regedit.exe regedit.com
3. Type the following and then press Enter:

start regedit.com

1. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

2. To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

1. Navigate to the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command
2. In the right pane, double-click the value:

(Default)

The Edit string dialog box opens.
3. Modify the default entry, which was changed by the worm, so that the path and file name for the worm are removed. For example, you must change

c:\windows\system\loadpe.com" "%1" %*

to the following:

"%1" %*

(That is, delete the entire contents of the Value data box, and then type the following characters: quote-percent-one-quote-space-percent-asterisk.)

4. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
5. In the right pane, delete the following value:

ScanRegistry

This value should point to the copy of the worm in the \Windows\System folder.

NOTE: Make sure that you are in the key specified. Do not delete the value named ScanRegistry that is in the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. Exit the Registry Editor.

* I followed all of these instructions. However, none of this applied. The machine currently runs executables and none of those improper registry entries were there.

I'll move on to the next one.

Thanks

I found yet another virus; do this:
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the values:

"Internat"="%System%\SYSTEMCONFIG33\systray.exe"
"SystemTray"="SysTray.Exe"
"SYSTEMZ Patch"="SYSZ.exe"

5. Do one of the following:
* If you have installed mIRC, continue to step f.
* If you do not have mIRC installed, exit the Registry Editor.

6. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Uninstall\mIRC

7. In the right pane, change the value:

"UninstallString"=""%System%\SYSTEMCONFIG33\systray.exe" -uninstall"

back to:

"UninstallString"=""C:\mirc\mirc.exe" -uninstall"

8. Exit the Registry Editor.

* Once again I did not find these problems. The only entry in the registry that I found among your list was "SystemTray"="SysTray.Exe".

Thanks, though.

Sorry to rain on your parade, but this is a baddie too:
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe

To remove this you must reboot into safe mode, then go to C:\WINDOWS\System, find spoolsrv32.exe and delete it; after that, empty your recycling bin and then reboot normally.

* I did find spoolsrv32.exe. Deleted as instructed.

I discovered that a file called systr.dll had been added to my c:\windows\system32 directory. Evidently this is the bad boy. I had to go into Safe Mode Command Prompt to get rid of it. It seems to have fixed the hijack problem, unless of course there is more to it than that. Below is the latest HJT log. Please let me know if there is any more you think I should do.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:39 AM, on 3/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
C:\PROGRAM FILES\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HJT 1.99\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\IPREG32.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Get Connected Install] "C:\WINDOWS\Temporary Internet Files\Content.IE5\OXIBOPM7\ispsetup4[1].exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

Looks good except for this

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

It's either good or bad; it's hard to tell, since the good one has the same name as the bad one (how convenient), so maybe someone else can make the call.

Looks good except for this

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

It's either good or bad; it's hard to tell, since the good one has the same name as the bad one (how convenient), so maybe someone else can make the call.

This is the Registry Checker tool; more info here:
http://support.microsoft.com/kb/183887/EN-US/

I think this is legit.
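As an added example (not from this thread, its posters, or HijackThis), here is a small Python triage script for the log lines and registry value discussed above. It strips the forum's [url] residue from pasted logs, flags the hotoffers start page and the spoolsrv32.exe RunServices entry, applies the ScanRegistry rule from the last few replies (the Run entry for c:\windows\scanregw.exe is the Windows Registry Checker; a same-named value under RunServices pointing into \Windows\System is the worm's copy), and checks whether an exefile\shell\open\command value is the stock "%1" %*. The indicator lists and the sample log are constructed from entries posted in this thread; the RunServices ScanRegistry line is a constructed example of the worm entry the removal steps describe, not a line from the poster's logs.

```python
import re

# Indicators taken from this thread: the hijack start page, the RunServices entry the
# helpers called out, and the legitimate Windows 98 Registry Checker command.
HIJACK_DOMAINS = ("hotoffers.info", "hotoffers.com")
SUSPICIOUS_RUNSERVICES_FILES = {"spoolsrv32.exe"}
LEGIT_SCANREGISTRY = r"c:\windows\scanregw.exe"
CLEAN_EXEFILE_COMMAND = '"%1" %*'

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
# Accepts both "HKLM\..\Run" (HJT 1.99) and "HKLM..\Run" (as pasted from HJT 1.98).
O4_LINE = re.compile(r"^O4 - (HK\w+)\\?\.\.\\(\w+): \[(.+?)\] (.+)$")


def strip_bbcode(line):
    """Remove the forum's [url]...[/url] tags that get wrapped around pasted log URLs."""
    return re.sub(r"\[/?url\]", "", line).strip()


def exe_path(command):
    """Lower-cased executable path from an O4 command, quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ")[0].lower()


def triage_line(line):
    """Return (verdict, reason) for one HijackThis line, or None if it needs no comment."""
    line = strip_bbcode(line)
    m = R_LINE.match(line)
    if m:
        setting, url = m.group(3), m.group(4).lower()
        if any(domain in url for domain in HIJACK_DOMAINS):
            return ("fix", f"{setting} points at the hijack domain: {url}")
        return None
    m = O4_LINE.match(line)
    if not m:
        return None
    _hive, key, name, command = m.groups()
    path = exe_path(command)
    filename = path.rsplit("\\", 1)[-1]
    if key.lower() == "runservices" and filename in SUSPICIOUS_RUNSERVICES_FILES:
        return ("fix", f"RunServices loads {filename} from {path}")
    if name.lower() == "scanregistry":
        # Same value name, two meanings: only the Run entry for c:\windows\scanregw.exe
        # is the Windows Registry Checker (KB 183887); anything else is suspect.
        if key.lower() == "run" and path == LEGIT_SCANREGISTRY:
            return ("ok", "ScanRegistry in Run is the Windows Registry Checker")
        return ("fix", f"ScanRegistry under {key} pointing at {path} is not the Registry Checker")
    return None


def triage_log(text):
    """Triage every line of a pasted HJT log; returns the list of (verdict, reason)."""
    results = []
    for raw in text.splitlines():
        verdict = triage_line(raw)
        if verdict:
            results.append(verdict)
    return results


def exefile_command_is_clean(value):
    r"""True if HKCR\exefile\shell\open\command (Default) is the stock "%1" %*."""
    return value.strip() == CLEAN_EXEFILE_COMMAND


# Constructed sample: lines copied from the logs posted in this thread, plus one
# constructed RunServices ScanRegistry entry of the kind the worm removal steps describe.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://home.peoplepc.com/search/[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.hotoffers.info/024/[/url]
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [ScanRegistry] C:\WINDOWS\SYSTEM\SCANREGW.EXE
"""

if __name__ == "__main__":
    for verdict, reason in triage_log(SAMPLE_LOG):
        print(f"[{verdict}] {reason}")
    print("exefile command clean:", exefile_command_is_clean(r'c:\windows\system\loadpe.com" "%1" %*'))
```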

I just encountered this problem, and after a couple of hours of being frustrated and stumped and downloading new progs, I finally fixed it! *WARNING: Big smack on head ahead...* On the bottom of one of the start pages that came up (it looked like the main hotoffers.info home page with some tabs like adult, etc.), was a link labelled "uninstall". I clicked on the link and it led me to a site with a bunch of instructions including adding registry values, etc. It said to download this file I attached, uninstall.exe. I ran that and my Windows went blank and I had to reboot. When I rebooted, it was gone without having to add any registry values or anything. I hope this works for others. I'm not too terribly interested in finding out if I can get rid of it again to see if it works every time... ;).
