Hijacked by Hotoffers

Discussion in 'Malware Help (A Specialist Will Reply)' started by jimmtman, Apr 19, 2005.

  1. jimmtman

    jimmtman Private E-2

    My Win98 first edition machine has been hijacked by hotoffers. After reading the thread from marciow I'm now not surprised that 5 different Spyware programs (Yahoo toolbar, Spy Sweeper, Spybot 1.3, Ad-Aware, and Spyware Doctor) could not get rid of this thing.

    It appears the final fix by marciow was to download an uninstaller from hotoffers itself (http://www.hotoffers.info/uninstall/uninstall.exe) - should that be tried first or as a last resort? It seems a little risky.

    Your help is very much appreciated. This is a real pain in the backside.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! We have had success using it.
     
  3. jimmtman

    jimmtman Private E-2

    Thanks chaslang. I went through the list of things major attitude suggested trying. I did everything up to before doing Hijack This. I would like to try the hotoffers uninstaller - the other alternate scans have little chance of success. I could not find the uninstaller at hotoffers - the link in your message could not be displayed. Can you help locate this file?

    I have saved all key data and program files to CD in case this machine turns into a pumpkin.

    Thanks,

    Jim
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have found that the people responsible for this junk have now removed the uninstaller. Probably because they found out that everyone in the world was using it.

    If you have completed all the steps in the READ ME, follow the steps below and let's see what we can do with this thing manually.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. jimmtman

    jimmtman Private E-2

    Thanks Chaslang. I've run HJT and here is my log file.

    Jim
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After we get your current problems fixed, you must go to Windows Update and get your updates. You are seriously out of date.

    I assume all the below Proxy settings are required by your ISP (is that AT&T):
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=12.242.19.9:8000;gopher=12.242.19.9:8000;http=12.242.19.9:8000;https=12.242.19.9:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 12.242.19.9


    I'm not sure what this msvcrtd.exe file is for. Can you get Properties info on the file?
    O4 - HKCU\..\Run: [MSVCRTD] C:\WINDOWS\SYSTEM\MSVCRTD.EXE

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip
    Unzip the files to their own folder (like C:\killbox).

    Double-click on "Killbox.exe" to run it.
    Put a checkmark in "Replace on Reboot" and the "Use Dummy" box.
    Copy/Paste the below two files (one at a time) into the top "Full Path of File to Delete" box.

    Click the "Delete File" button which looks like a stop sign.
    Also checkmark the "Replace on Reboot".
    Click "NO" at the Pending Operations prompt to restart your computer.

    C:\WINDOWS\System32\systr.dll
    C:\WINDOWS\System32\param32.dll

    After pasting in both of the files named above, look on the killbox top bar and press "Tools" > "Delete Temp Files"

    Now exit Killbox!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
    R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
    O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\counter.cab

    double check for these too and delete if found:
    C:\WINDOWS\System32\systr.dll
    C:\WINDOWS\System32\param32.dll

    Additional step to delete SBCIE026.DLL:
    - Click Start, Run, and enter command in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd "C:\WINDOWS\Downloaded Program Files"
    attrib -r -h -s SBCIE026.DLL
    del SBCIE026.DLL
    exit


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
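As an added illustration (not part of the thread, and not how HijackThis itself works): a small Python triage of the HJT entries quoted in the post above, flagging the kinds of lines chaslang picked out: a start page on hotoffers.info, "(no file)" CLSID entries, a DPF entry loading from file://, and an unfamiliar Run entry in the Windows system folder. The sample log lines and the one-entry domain watchlist are constructed from this thread; the heuristics are assumptions for the example only.

```python
import re

# Constructed sample: the HijackThis log lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [MSVCRTD] C:\WINDOWS\SYSTEM\MSVCRTD.EXE
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

# Every HJT line has the shape "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Assumption for this example: the only hijacker domain named in the thread.
SUSPECT_DOMAINS = ("hotoffers.info",)


def parse_line(line):
    """Return (section, body) for an HJT log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("section"), m.group("body"))


def triage(line):
    """List the reasons one HJT entry deserves a look (empty list = nothing noticed).
    Heuristics are this example's own, not HijackThis's; a hit is a prompt to check, not a verdict."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if section in ("R0", "R1") and any(d in body.lower() for d in SUSPECT_DOMAINS):
        reasons.append("IE start/search setting points at a known hijacker domain")
    if section in ("R3", "O2", "O9") and body.endswith("(no file)"):
        reasons.append("orphaned CLSID registration: the file it pointed at is gone")
    if section == "O16" and "file://" in body.lower():
        reasons.append("DPF/ActiveX entry loads a CAB from the local disk, not a web site")
    if section == "O4" and "\\windows\\system\\" in body.lower():
        reasons.append("Run entry starts an unfamiliar executable from the Windows system folder")
    return reasons


def triage_log(text):
    """Map each flagged HJT line (stripped) to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged
```

Running `triage_log(SAMPLE_LOG)` flags five of the seven sample lines; the SideStep BHO and its http:// DPF entry are not caught by these heuristics, which is why the thread still removes them by hand.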
     
  7. jimmtman

    jimmtman Private E-2

    Thanks for all the things to try but still have the hijacker.

    I've just learned about Windows Update so updated my new desktop to XP Home SP2. What can be updated for a first generation WIN98 machine?

    The R1 proxy settings - I don't have AT&T anymore - I now have Comcast cable internet. Should these be deleted as well?

    File C:\windows\system\msvcrtd.exe is no longer on my C drive. The Norton internet security program deleted it last week since it thought it contained a trojan. There is still a msvcrtd.dll file on my machine - should it be deleted as well?

    I ran pocket killbox on systr.dll and param32.dll. Systr went away and param32 did not.

    When I went to run HJT the hijacker opened dozens of IE sessions and I had to reboot the machine.

    Ran HJT and deleted these items. Restarted in safe mode. Did not find any file C:\counter.cab. There is a file c:\counter.zip which contains counter.exe and counter.inf. Should these be deleted?

    Systr.dll and SBCIE026.dll were deleted and not found by explorer. Param32.dll was still there and I could not delete from explorer since "windows was using that file". I tried to delete from the dos prompt and was told "access denied". That file was dated 4/18/05 - around the time this hijacker showed up and also I installed Norton Internet security around that time (that directory also has a popup blocker dll with the same date/time so I'm suspecting Norton here). Ran Ccleaner and rebooted in normal mode. Hijacker is still here. Attached is the latest HJT log file.

    Thanks,

    Jim
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows update works for Win98 too! Perhaps you should do that right now because you really need the security fixes and updates to IE. Click the below link and do step # 1.

    How to Protect yourself from malware!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!

    No!

    We must get rid of param32.dll. We will use a boot to DOS mode later.

    Yes!

    Please disable C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    I'm not sure where the param32.dll file was on your PC. So if I have the wrong folder info below substitute the correct info.

    Now we are going to reboot your PC to an MSDOS prompt.
    Click Start and select Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen) enter the below commands each followed by the enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:

    cd c:\windows\system32
    attrib -s -h -r param32.dll
    del param32.dll
    win

    Now your PC will boot into normal Windows.

    Come back and tell me the results. Fix the hotoffers line in your HJT log now if possible.
     
  10. jimmtman

    jimmtman Private E-2

    I deleted the R1 proxy settings and counter.cab. TeaTimer in Spybot is disabled. I did manage to delete param32.dll using DOS mode - it turns out it was part of Norton Internet security since it said it was disabled in the system tray on normal reboot. No big deal - it was a trial subscription anyway.

    I tried to delete the R0 line with hotoffers in it with HJT but it would not go away. Hotoffers is still here. Attached is my latest HJT logfile.

    Jim
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode (or to the command prompt) and see if you can locate and delete any of the below files:
    systr.dll <-- I know we deleted it earlier. I'm double checking
    popup_bl.dll
    INTLMAIN.DLL
     
  12. jimmtman

    jimmtman Private E-2

    The only file that was there was popup_bl.dll (which is a Norton Internet Security file) and it has been deleted.

    Jim
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! So you are saying that both param32.dll and popup_bl.dll belong to Norton?
     
  14. jimmtman

    jimmtman Private E-2

    I believe so - the reason I say that is both these files had the same creation time and when I deleted param32.dll Norton Internet Security said it was disabled.

    Hotoffers is still there but not as aggressive as before. It comes up less frequently - looks like we are making progress.

    A friend of mine suggested looking at the registry and deleting things that look out of place. What do you think of that? Does HJT do this already?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is showing you some registry entries that are frequently used by malware.

    Looking at the registry for things that are "out of place" will take you a couple of months. The registry is huge and there are thousands of places to look and you need to know what you are looking for too.

    We need to find a file that is actually the cause of this problem. That's the difficult part.

    I don't think either of those files had anything to do with Norton. Please search your PC for the below files and let me know if you find them anywhere. You have to configure search to look for hidden files first (see further down on how to do that):

    param32.dll
    guninst.exe
    popup_bl.dll

    How to use windows XP search mechanism to look for hidden files:

    Click Search and the Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  16. jimmtman

    jimmtman Private E-2

    I found guninst.exe and deleted it. Param32.dll and popup_bl.dll were not there.

    The computer is running much better. Once inside IE the hijacker does not change locations. It used to change sites every 5-15 minutes - nothing has happened in 40 minutes. Also there used to be a Windows system message that would pop up saying your computer was infected with spyware and to click a button to fix it (I suspect this was part of the spyware). That window doesn't come up anymore either. Given that the improvement happened yesterday I'm suspecting it was most likely due to deleting param32.dll or popup_bl.dll. Both of these files (and guninst.exe) were in C:\windows\system32.

    The first time IE opens it still goes to hotoffers - so it appears to have been set as my default website. What is the best way to change to another website on startup?

    Thanks,

    Jim
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    After doing the above reboot and make sure that hotoffers no longer comes back.
     
  18. jimmtman

    jimmtman Private E-2

    Hotoffers is gone!!

    Thanks very much for all your help. Hotoffers is gone entirely. I need to do a bunch of updating/protecting for my system. I've made a list of a few things - your advice on what else to do is much appreciated.

    Windows Update
    Change to Sun Java
    IE Update?

    Anti-Virus software - I've heard free ones like AVG work well, or is it worth the money to get Norton or McAfee?

    Firewall - I've heard that Zone Alarm is free and works well. Is it worth it to pay for one from Norton or McAfee? They are often bundled in something called Internet Security.

    Do I need to reset anything for the spyware tools I've downloaded (Spybot TeaTimer for instance) now that the system is clean?

    Thanks again,

    Jim
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Personally I consider McAfee and Norton to be too much of a resource hog. The free programs work very well.

    I use Spybot but do not enable the Teatimer function. I have other active blocking from MS Antispyware (on some PCs) and SpySweeper on other PCs.
     
