Hotoffers Hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by marciow, Mar 20, 2005.

  1. marciow

    marciow Private E-2

    Guys,

    I'm in deep trouble. I tried all spyware software I know to eliminate the hotoffers from my machine. It's impossible.

    Please, help me! I already downloaded Hijack This but, following the forum instructions, I'm not putting the log here yet.

    I'm waiting for a good soul's help.

    Regards,

    Márcio - Brazil.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).
     
  3. marciow

    marciow Private E-2

    Ok.

    As asked, here goes the Hijack This log file.

    Thanks for your help!

    Márcio - Brazil
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/180/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br

    R3 - URLSearchHook: (no name) - {04D52EAD-46DD-3D1F-A7D6-235C3621E544} - (no file)

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) -http://www.correios.com.br/CFIDE/classes/CFJava.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
    O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.oifotos.com/jsp/ImageUploader2.cab

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot your computer!


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    NOW:
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
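
An added example, not part of the original thread and not MajorGeeks or HijackThis code: a small Python triage of the kinds of HijackThis entries selected in the fix list above (components marked "(no file)" or "(file missing)", O16 controls installed from a local file:// path, repeated lines, and R0/R1 browser pages). The heuristics and the `expected_hosts` allowlist are assumptions for illustration; the sample lines are copied from the post.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Lines copied from the fix list in the post above; not a complete log.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/180/
R3 - URLSearchHook: (no name) - {04D52EAD-46DD-3D1F-A7D6-235C3621E544} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
"""

# A HijackThis entry is "<section code> - <details>", e.g. "O16 - DPF: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")

def triage(log_text, expected_hosts=()):
    """Return [(section, body, [reasons])] for entries that deserve a manual look.

    expected_hosts is a hypothetical allowlist of home/search page hosts.
    """
    entries = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    counts = Counter(entries)
    findings = []
    for section, body in counts:  # Counter preserves first-seen order
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned: registered component has no file on disk")
        if section == "O16" and "file://" in body.lower():
            reasons.append("ActiveX control installed from a local path")
        if counts[(section, body)] > 1:
            reasons.append(f"listed {counts[(section, body)]} times")
        if section in ("R0", "R1"):
            url = re.search(r"=\s*&?(https?://\S+)", body)
            host = urlparse(url.group(1)).hostname if url else None
            if host and host not in expected_hosts:
                reasons.append(f"browser page points at {host}")
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> " + "; ".join(reasons))
```

The output is a review list, not a verdict: each flagged line still needs the kind of manual judgement applied in the thread before anything is fixed.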
     
  5. marciow

    marciow Private E-2

    Dear Friend,

    Unhappily, it didn't work. I did everything you posted, but the hotoffers hijacker is still here.

    It's driving me crazy! It's porno stuff and my wife often uses the computer to find material for her post graduation course. Suddenly, it appears and makes me and her very mad.

    I'm attaching the hijack this log file.

    Thanks for your help !!! God bless you.

    Márcio - Brazil
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/180/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Reboot, Scan with HijackThis and attach the new log.
     
  7. wrequed

    wrequed Corporal

    This is the same thing I had..
    Follow this link and directions, it's the only way I could get rid of it..



    http://www.hotoffers.info/uninstall/index.html

    Just an FYI, I tried a search on the forum before posting this..

    -=wrequed=-
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I appreciate your help but I think I got it under control. Usually we don't have users run uninstallers due to them not being trusted.
     
  9. marciow

    marciow Private E-2

    Unfortunately it didn't work.

    Just for the record, I didn't test the executable file suggested by the other guy. Maybe I'll do it in the future if we don't have success here.

    I noticed two interesting things:

    1) When I try to reset my web settings I get a message that says it's impossible to reset them.

    2) There's an executable file (39.exe) that AVG gets every scan it does saying it's a virus and I always ask AVG to Heal or delete or to move it to virus vault and it never goes away. Is there any possibility of this file being related to hotoffers?

    Here goes the hijackThis log file. What I noticed is that even asking hijackThis to fix that line after checking it, the hotoffers hijack doesn't go away.

    Thanks and I'm waiting for our next try.

    See ya,

    Márcio - Brazil.
     


  10. marciow

    marciow Private E-2

    ...and my computer becomes locked sometimes. Some application is consuming processing too much.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you logged in with Administrator privileges? If not you need to do so as this will have an effect on our fixes.

    Let me know before we proceed.
     
  12. marciow

    marciow Private E-2

    Dear Friend,

    I have administrator privilege. This never happened before this hijacker infested my computer.

    Thanks.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this then:
    • Download the Uninstaller

    • Double click to run the uninstaller!

    • Click Start > Run > type in regedit and click OK.

    • Navigate to the following key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UninstallHP

    • Delete UninstallHP folder and exit Registry Editor.

    • Click Start > Run > type in regsvr32 /u popup_bl.dll and hit OK.
      Note: Do a search for the file popup_bl.dll and delete if found!

    • Reboot and post a current HJT log.
     
  14. wrequed

    wrequed Corporal

    Seems to me I suggested this at the beginning.. :rolleyes:

    -=wrequed=-
     
  15. marciow

    marciow Private E-2

    It seems that I finally got rid of that piece of s...

    I'm attaching the Hijack This log file.

    Anyway, thank you very much for your help.

    Márcio - Brazil :)
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    wrequed,

    We do things one at a time and our way. This was a last resort, uninstallers are not trusted and that's why I waited on this.



    Everything looks ok in the log, are you still having any further problems?
     
  17. wrequed

    wrequed Corporal

    Understood.. Didn't mean to step on any toes..
    You guys do an outstanding job..
     
  18. marciow

    marciow Private E-2

    BJ,

    it seems to be ok. I'm very happy.

    Thank you very much.

    I am telling everybody about MAJORGEEKS.

    See ya,

    Márcio - Brazil.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  20. marciow

    marciow Private E-2

    Thanks BJ,

    I will certainly read the article!

    God bless you all!!!

    regards,

    Márcio - Brazil.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    Same to you!
     
  22. persio

    persio Private E-2

    Please, tell me how you've made. I'm with the same problem.

    Thanks.

    Pérsio
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please post in your own thread from now on to avoid confusion. I have posted in your thread, please start the READ ME.
     
  24. marciow

    marciow Private E-2

    BJ,

    Unfortunately I was hijacked again...

    But now it seems to be a variation of hotoffers:

    http://www.newgenlook.info/ad/ad0278/

    Please, help me because the uninstaller.exe file is no longer available in the homepage you indicated before and the one I downloaded was deleted from my computer, probably by this new hijacker.

    Thanks for your help.

    Márcio - Brazil.
     
  25. marciow

    marciow Private E-2

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad you got it fixed up!
     
