Unfrocking Believable!!!
john ranger
04-21-2005, 01:09 AM
I just spent two days off and on trying to get rid of this spyware.....
http://www.hotoffers.info/ad0179/adult/index.html
I was so pissed it just couldn't be deleted. I tried everything, four different programs.
Went through this>>>>>
*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.
***
Find and doubleclick the file cleanup312.exe.
Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'
Once it's done, do not log off.
***
Run Killbox (doubleclick Killbox.exe).
Run it, and click the radio button that says Delete a file on reboot. For each of the files in the box, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\netdde.exe
C:\WINDOWS\SYSTEM\tezw.exe
C:\WINDOWS\SYSTEM\ptoo.exe
Let the system reboot.
***
Please do an online scan, 2 would be better,
Trend Micro Housecall
Panda online scan
Make sure that you choose "fix" or "clean".
***
Reboot the system again. Post back in this topic with a fresh log using HijackThis.
Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
***
Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.
Select the Delete on reboot option.
In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
the full path to the file found by eScan. I expect it to be:
C:\WINDOWS\System32\systr.dll. Be sure to paste the one it finds.
It will prompt you to reboot, press the YES button.
***
Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
Click on Fix Checked when finished and exit HijackThis.
Press 'allow' if Spybot prompts you on a change.
***
Reboot again. Post back here with a fresh log using HijackThis.
Let me know the full path of the file found by eScan.
http://www.hotoffers.info/ad0179/
Finally got it all by using REGISTRY CRAWLER!!
I can't believe that these companies believe that anybody would buy their products after invading my computer like that.
I wish I was a good hacker; I would take my hacking skills out on these, pardon the expression, PRICKS!!!!
I hope you don't ever get this spyware on your computer because you're in for a very aggravating ride!! :mad: :mad: :mad: :mad:
Watch the language, please.
- Moderator -
john ranger
04-21-2005, 11:25 AM
Sorry, I'm just so pissed off at these idiots that make crap like that, and expect us to buy their product. Come on let's face it WHO WOULD??
Carl Price
04-21-2005, 11:39 AM
I would like to laugh but, I spent 5 hours removing this for a customer. In case you did not remove it or it comes back go to Http://www.hotoffers.info/uninstall/index.html for removal instructions. We finally found this after about 4 hours and 45 minutes. It works. Some additional instructions are necessary though. First when you run uninstall.exe, your desktop will disappear. Just reboot when this happens. Finally it tells you to run regsvr32 /u popup_bl.dll. This will tell you that this is not found. If you have followed the instructions correctly it will no longer be there.
Edit: The website no longer seems to work so I'll type what it says here.
HOW TO UNINSTALL?
1. you need to save file Uninstall.exe from our server. (I have this file. I will email it to infected persons only, not to ones who only want to have it to keep. Ask for it at carlpp1@hotmail.com)
2. you need to launch this file.
3. Then open regedit.exe in your windows directory. Find HKEY_CURRENT USER\SOFTWARE\MICROSOFT WINDOWS\CURRENTVERSION\EXPLORER\UNINSTALLHP.
4. NOW PLEASE DELETE UNINSTALLHP FOLDER
5. Now please write in command field (run): regsvr32 /u popup_bl.dll
6 Press ok. You're free of this trojan!
This is a verbatim listing (my comments are in ().)
john ranger
04-21-2005, 11:52 AM
Well the link is not working anymore. I'm hoping someone hacked them and gave them a virus from hell!! :)
This is what I went through to get rid of it and a lot more!!! :confused:
Download CleanUp!.
Don't run the program, we'll do that later.
***
Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.
***
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\WINDOWS\netdde.exe
C:\WINDOWS\SYSTEM\PTOO.EXE
press ‘back’
***
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {DE52096E-C6D5-C722-FE79-C8C9DEC06E95} - C:\WINDOWS\SYSTEM\UVIS.DLL
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\Run: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\Run: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\RunServices: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\RunServices: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19ef0f080db452...ip/RdxIE601.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
Click on Fix Checked when finished and exit HijackThis.
***
*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.
***
Find and doubleclick the file cleanup312.exe.
Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'
Once it's done, do not log off.
***
Run Killbox (doubleclick Killbox.exe).
Run it, and click the radio button that says Delete a file on reboot. For each of the files in the box, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\netdde.exe
C:\WINDOWS\SYSTEM\tezw.exe
C:\WINDOWS\SYSTEM\ptoo.exe
Let the system reboot.
***
Please do an online scan, 2 would be better,
Trend Micro Housecall
Panda online scan
Make sure that you choose "fix" or "clean".
***
Reboot the system again. Post back in this topic with a fresh log using HijackThis.
IF THAT DOES NOT WORK DO THIS!!!
Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
***
Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.
Select the Delete on reboot option.
In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
the full path to the file found by eScan. I expect it to be:
C:\WINDOWS\System32\systr.dll. Be sure to paste the one it finds.
It will prompt you to reboot, press the YES button.
***
Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
Click on Fix Checked when finished and exit HijackThis.
Press 'allow' if Spybot prompts you on a change.
***
Reboot again. Post back here with a fresh log using HijackThis.
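The HijackThis entries in the post above (R0 start page, R3 URLSearchHook, O2 BHO, O4 Run/RunServices autostarts, O16 DPF downloads) follow a regular one-line format, so a pasted log can be triaged mechanically before anything is ticked in "Fix Checked". The following Python is an added example, not code from this thread or from HijackThis itself: it parses log lines into section, name and target, and flags an entry when it points at one of the file paths or the domain named in this thread, when it references a file that no longer exists ("(no file)"), or when the same command is registered under both Run and RunServices, the pattern visible in the O4 lines above. The sample log is constructed from the entries quoted in the thread plus one hypothetical benign autostart ("[Example]") that must not be flagged; the indicator sets are the thread's own paths and domain, nothing more.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the entries quoted in this thread, plus one
# hypothetical benign autostart ("[Example]") that must NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {DE52096E-C6D5-C722-FE79-C8C9DEC06E95} - C:\WINDOWS\SYSTEM\UVIS.DLL
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\Run: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\Run: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\RunServices: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\RunServices: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19ef0f080db452...ip/RdxIE601.cab
"""

# Indicators taken from this thread. Full paths are matched (lower-cased) so a
# same-named file at a different location is not confused with these copies.
SUSPECT_PATHS = {
    r"c:\windows\netdde.exe",
    r"c:\windows\system\tezw.exe",
    r"c:\windows\system\ptoo.exe",
    r"c:\windows\system\uvis.dll",
    r"c:\windows\system32\systr.dll",
}
SUSPECT_DOMAINS = {"hotoffers.info"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    raw: str
    hive: str = ""
    key: str = ""
    name: str = ""
    target: str = ""            # file path, command line or URL the entry points at
    reasons: list = field(default_factory=list)


def parse(log_text):
    """Turn HijackThis log lines into Entry records; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        e = Entry(section=section, raw=line.strip())
        o4 = O4_RE.match(body) if section == "O4" else None
        r0 = R0_RE.match(body) if section.startswith("R") else None
        if o4:
            e.hive, e.key = o4.group("hive"), o4.group("key")
            e.name, e.target = o4.group("name"), o4.group("cmd")
        elif r0:
            e.name, e.target = r0.group("value").strip(), r0.group("data").strip()
        else:
            # R3/O2/O16 and similar: the last " - " separated field is the target
            e.target = body.rsplit(" - ", 1)[-1].strip()
        entries.append(e)
    return entries


def host_of(target):
    """Host part of a URL target, without a leading 'www.'; empty if not a URL."""
    m = URL_RE.search(target)
    if not m:
        return ""
    host = m.group(1).lower()
    return host[4:] if host.startswith("www.") else host


def flag(entries):
    """Attach reasons to suspicious entries and return only those."""
    # Which Run* keys each (hive, command) pair appears under, for the dual-registration check
    keys_by_cmd = {}
    for e in entries:
        if e.section == "O4" and e.target:
            keys_by_cmd.setdefault((e.hive, e.target.lower()), set()).add(e.key)
    for e in entries:
        target = e.target.lower()
        if "(no file)" in e.raw.lower():
            e.reasons.append("orphaned entry: points at a file that does not exist")
        if target in SUSPECT_PATHS:
            e.reasons.append("known indicator path: " + e.target)
        host = host_of(e.target)
        if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
            e.reasons.append("known indicator domain: " + host)
        if e.section == "O4" and {"Run", "RunServices"} <= keys_by_cmd.get((e.hive, target), set()):
            e.reasons.append("same command registered under both Run and RunServices")
    return [e for e in entries if e.reasons]


def suspicious_entries(log_text):
    return flag(parse(log_text))


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e.raw)
        for reason in e.reasons:
            print("    ->", reason)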
Carl Price
04-21-2005, 12:19 PM
It has been my experience that HijackThis will not get rid of this. After you have followed my instructions you must manually delete the shortcuts it has placed on your desktop and manually change your start page back to your choice.
Carl Price
04-21-2005, 12:39 PM
Sorry, I'm just so pissed off at these idiots that make crap like that, and expect us to buy their product. Come on let's face it WHO WOULD??
It has been stated that 99.9% get irate and won't buy from these creeps. BUT the 0.1% is enough for it to be profitable for them. You will never be rid of this stuff as long as it pays the bills. When it doesn't you will. The internet must shoot for 100%, but I don't know how to get there.
Perhaps an email campaign to and a boycott of their advertisers.
john ranger
04-21-2005, 01:09 PM
Perhaps an email campaign to and a boycott of their advertisers.
That's a good idea and I will help if you want to start it. I'm sure that there would be a lot of signatures!!
Carl Price
04-21-2005, 01:51 PM
Perhaps an email campaign to and a boycott of their advertisers.
That's a good idea and I will help if you want to start it. I'm sure that there would be a lot of signatures!!
The problem with this is that it requires an active participation on the part of everyone involved. If it only required signatures the problem would have been solved long ago. It also is insidiously deep and it involves legit advertisers. I noticed Google ads on some of the websites. They only went to Hotoffers.com to up their hit rates. Maybe a click campaign with a few million computers clicking advertisements and then not buying anything would do the job. Maybe! I'm just coming up with ideas here. This type of thing (click campaign) would hurt everyone that depends on ad revenue to pay the bills. I could see this type of thing hurting everyone on the internet. Do you see how deep it goes?
john ranger
04-21-2005, 06:04 PM
Well, it's always about making a buck. That is the problem: everyone wants to make a buck, and that's OK with me, but man, to invade our spaces the way they do is a bloody shame. If only we could all get together and do something about it. It makes me sick every time I get an intrusion on my space like that without my permission. It's like a dude walking in my front door and saying "Buy this right now, do you hear me?? RIGHT NOW!!!!" Not to mention the trouble it takes to get rid of them.
I'm quite willing to help in any way, to get some results however small. I'm just totally fed up with crap like that.
Carl Price
04-23-2005, 07:22 PM
My customer says she got infected when IE went to a website (Hallmark). IE came back (probably only displaying what the website told it to) and told her that her computer WAS infected and offered to download and run an uninfector. She clicked yes and icons started to litter her desktop. Nonbenign to say the least, but they did have her permission, although she did not know what she was doing.
As an aside I read the other day that people did not know they were infected until their computer slowed down. I want to tell everybody that this was not the case with hotoffers. It caused no slowdowns that I could see. The older lady just could not delete porn icons from her desktop. So, I guess it is possible to write malware that doesn't slow down the computer. She would have never known she was infected if she could have gotten rid of those icons and not had them come back. If we had not found the uninstall file she probably would still be infected and the kicker is she would not have known it.
I guess the point of this post is to tell everybody to watch what they are clicking on and to be careful when they answer questions of that nature. Malware does NOT have to hurt your computer.
rightcoast
04-23-2005, 07:44 PM
I agree Carl. IMO the most insidious malware is the kind that goes easy on the resources, doing anything from logging keystrokes or serving cmd.exe to netcat, to low key browser hijacks.
Listen to Carl, future readers of the thread. This is the reason we hammer home the point of firewalls, scanning and updating yourself, even if you think your app does it for you, and above all learning just a little bit. No one says you have to become the next Eric Howes, but you wouldn't put your car in "P" on the highway right? That's because you bothered to learn that doing so would cost you money. Most people end up paying cold hard cash to someone like me, because they never took the time to learn to drive their computer.
To future readers of this: If you can't be bothered, that is OK. I'll see you soon. Have the checkbook out, and consider it preventive maintenance. I don't know how to change a belt or flush a radiator, but I don't drive the car till it's broken...I go to the mechanic. :)
Other option: Enjoy your quarterly formatting experience.