Hotoffers has taken over

Discussion in 'Malware Help (A Specialist Will Reply)' started by compnewbie, Oct 5, 2005.

  1. compnewbie

    compnewbie Private E-2

    Hi, I have run all the tests that you do before posting anything. I also ran the online computer scans but could not do it in Safe Mode with Networking. Whenever I'm on the computer, whether logged on to the internet or not, the IE window will open up and http://www.hotoffers.info/cgi-bin/187/c.pl appears in the address line. I am running Windows XP with an AMD Athlon XP 2100 and I have 767 MB RAM. On top of the hotoffers problem, I also get a window popup with error #317: my system may be infected with spyware. Any help would be appreciated. Thanks!
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  3. compnewbie

    compnewbie Private E-2

    Here is the HJT Log. Thanks
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your version of HijackThis is seriously out of date, please follow the directions in my previous post.
     
  5. compnewbie

    compnewbie Private E-2

    Sorry about that. Here is the new log with the updated HJT. Thanks again for the help.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. compnewbie

    compnewbie Private E-2

    Hi, here is the new HJT Log and the Ewido Log.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    You will want to print these instructions so you can operate with all browsers closed.

    Enable view hidden and system files on XP per this tutorial
    How to view hidden, system files & folders! and searching for hidden files per this tutorial Searching for Hidden Files on WinXP

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Network Security Service or NSS or 11Fßä#·ºÄÖ`I
    (It will be one of the three) then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'.

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Click on the back button and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Network Security Service or NSS or 11Fßä#·ºÄÖ`I (Whichever you found when you ran services.msc)

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following:

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    REBOOT to Normal Mode.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments and a fresh HJT log, you will need to do 2 posts to attach all 4 logs.
     
  9. compnewbie

    compnewbie Private E-2

    Sorry this took me so long to reply. I was out of town.
     

    Attached Files:

  10. compnewbie

    compnewbie Private E-2

    Here are the other 2 logs
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Make sure you have done the following before proceeding:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Copy the contents of the quote box below, into notepad and save as regfix.reg to your desktop:
    Double-click on regfix.reg and answer YES when asked if you want to merge with the registry.

    REBOOT to Normal Mode.
     
  12. compnewbie

    compnewbie Private E-2

    I went ahead and did that all. Everything seems to be going ok so far. Thanks for the help!
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, run another PandaScan just to make sure we got the registry entry.
     
  14. compnewbie

    compnewbie Private E-2

    Here is the newest PandaScan log
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - ExplorerXP

    Install ExplorerXP

    Boot into Safe Mode, open Windows Explorer, Navigate to and delete the following:
    Run the regfix.reg from earlier again.

    Run RKFiles tool again.

    Boot into normal mode and open ExplorerXP, Navigate to and delete the following:
    Now post the RKFiles log and a fresh HijackThis log.
     
  16. compnewbie

    compnewbie Private E-2

    Here are the two logs
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean. How is your system running?
     
  18. compnewbie

    compnewbie Private E-2

    The best it has run in a long time. Thanks for all the work you helped me with. Now if we can see some sun here in NY I'll be happy
     
