I also have hot offers, but i've tried all of your solutions you gave other people, but it doesnt work for me. im thinking its different for different people? anyway, can someone please help me get rid of hotoffer?!

Recommended Answers

All 9 Replies

hey dlh6213, yes, i've tried those same instructions before and i tried it again today, but it just didn't work. do you think you could help me individually? pleeeeeeeease?

Sure :)

Since you've already followed those instructions you should have HJT and Ewido, please post the most recent logs of each (with HJT in normal mode and Ewido in Safe Mode).

i appreciate you helping me, thanks. heres the hijackthis log done in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:26:10 PM, on 7/28/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

In order to view some of the files and folders mentioned here, be sure your system is set to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/

Be sure to close any open windows, other then HijackThis, and hit the Fix checked button.

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

HotOffers should now be gone. If it still remains, please follow these instructions:

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily, if necessary.

Navigate to, and delete, the following subkeys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{081669BA-EFC4-48C2-A8F4-874052D02553}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{145E6FB1-1256-44ED-A336-8BBA43373BE6}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{B599C57E-113A-4488-A5E9-BC552C4F1152}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{D56A1203-1452-EBA1-7294-EE3377770000}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}

HKEY_LOCAL_MACHINE\Software\Classes\Interface
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}

HKEY_LOCAL_MACHINE\Software\Classes\Typelib
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}

HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL

HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database
\Distribution Units\{11120607-1001-1111-1000-110199901123}

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Uninstall\Internet Connection Update and HomeP KB234087

HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions
\{081669BA-EFC4-48C2-A8F4-874052D02553}

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion
\Policies\System

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"

Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

Exit the Registry Editor.

Now, close any open browser windows, scan with HijackThis, and post a new log please

holy...that worked...i am in shock dude. thanks so much. i cant believe how easy that was. thanks a lot dlh6213.

do you have any programs i can download to prevent this (or any other spyware/malware) from happening again?

do you have any programs i can download to prevent this (or any other spyware/malware) from happening again?

Glad to hear all is well again :)

See the 'Protection' link below to help prevent inferctions (SpywareBlaster in particular).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.