Urgent help please with hijack this log - rootsearch

 
 
ozegirl
01-06-2005, 12:20 AM
Hi,

This help is for my brother's computer - he cannot get onto the internet at
all other than to rootsearch at the moment. Below is his hijack this log,
which he copied to disc and sent to me. He knows nothing about computers so I
am going to his place tomorrow (3 hours away) to help. I can recognise a lot
of baddies in here - and I know the general procedure is to remove, reboot
into Safe mode and delete all the temp files, etc - but would appreciate a
considered approach from someone with more experience as I know this is a
particularly nasty trojan to get rid of - I have seen that others have not
been able to remove it with spybot or adaware. He has not updated his AV in 5
years - bad boy! Quick response appreciated as I won't have internet
connection available from his place. Thanks guys.

Logfile of HijackThis v1.99.1
Scan saved at 18:48:53, on 31/05/05
Platform: Windows 95 b (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\FPJ.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OFFICE2K\OFFICE\FINDFAST.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.rootsearch.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.rootsearch.biz/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 0;<local>
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} -
C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} -
C:\WINDOWS\SYSTEM\MSPXS32.DLL
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -
C:\WINDOWS\SASETUP.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft
Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM
FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - Startup: Microsoft Office.lnk = C:\Program
Files\Office2K\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program
Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft
Home Publishing\MHPRMIND.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SmartCapture.lnk = C:\WINDOWS\SII\SLPCAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\PLUGINS\npsmlvdo.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone (HKLM)
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} -
http://www.sexmaids.com/dialer/blue-software.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} -
http://adults.topy2k.com/Online_Gallery.cab
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} -
http://download.rocketpipe.com/bundles/1235.cab



 
David H. Lipman
01-06-2005, 01:42 AM
From: "ozegirl" <(E-Mail Removed)>

| Hi,
|
| This help is for my brother's computer - he cannot get onto the internet at
| all other than to rootsearch at the moment. Below is his hijack this log,
| which he copied to disc and sent to me. He knows nothing about computers so I
| am going to his place tomorrow (3 hours away) to help. I can recognise a lot
| of baddies in here - and I know the general procedure is to remove, reboot
| into Safe mode and delete all the temp files, etc - but would appreciate a
| considered approach from someone with more experience as I know this is a
| particularly nasty trojan to get rid of - I have seen that others have not
| been able to remove it with spybot or adaware. He has not updated his AV in 5
| years - bad boy! Quick response appreciated as I won't have internet
| connection available from his place. Thanks guys.
|
| Logfile of HijackThis v1.99.1
| Scan saved at 18:48:53, on 31/05/05
| Platform: Windows 95 b (Win9x 4.00.1111)
| MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
|

This is NOT the best place to post a HJT log.

However, a quick glance revealed several suspects....

O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

I think that you have many forms of malware.

I suggest you use the following software...

Download and have handy LSP Fix -- http://www.cexx.org/lspfix.htm
This is in case one of the adware/spyware applications you have breaks your ability to access
the Internet.
Have the software on the PC prior to scanning and removing malware with Ad-aware SE and
SpyBot S&D.

SpyBot Search and Destroy: http://security.kolla.de/
BHOdemon: http://www.definitivesolutions.com/bhodemon.htm


And I suggest you perform the following...


Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.06)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm

5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point

In conclusion I think you should upgrade IE to IE SP1 and all MS Critical Updates as well.


* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
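
Added example (not part of any post in this thread): a small Python parser that rejoins HijackThis entries the forum wrapped across two lines, then lists registry autostarts, Trusted Zone additions, and any entry containing a file name the analyst supplies. The sample is built from entries in the log above, the watch list holds the three file names from the reply above, and joining wrapped lines with a single space is an assumption about where the wrap fell.

```python
import re

# Constructed sample: entries copied from the log posted in this thread,
# keeping the forum's hard line wraps.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 95 b (Win9x 4.00.1111)

Running processes:
C:\WINDOWS\SYSTEM\FPJ.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} -
C:\WINDOWS\QUESTMOD.DLL
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft
Money\System\reminder.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone (HKLM)
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} -
http://download.rocketpipe.com/bundles/1235.cab
"""

# File names singled out in the reply above (analyst-supplied, not a signature set).
WATCH = ["explorer32.exe", "Fpj.exe", "tibs3.exe"]

# A logical entry starts with a section code (R0-R3, F0-F3, N1-N4, O1...) and " - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
TRUSTED = re.compile(r"^Trusted (?:Zone|IP range): (\S+)")


def unwrap(text):
    """Rejoin hard-wrapped entries; return a list of (code, body) tuples."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_START.match(line)
        if m:                       # a new entry begins
            if current:
                entries.append(tuple(current))
            current = [m.group(1), m.group(2)]
        elif line and current:      # continuation of a wrapped entry
            current[1] += " " + line   # assumption: the wrap replaced a space
        elif not line and current:  # blank line ends the entry
            entries.append(tuple(current))
            current = None
        # header and "Running processes" lines fall through untouched
    if current:
        entries.append(tuple(current))
    return entries


def autostarts(entries):
    """Return (hive, key, value name, command) for O4 registry Run entries."""
    found = []
    for code, body in entries:
        m = RUN_ENTRY.match(body) if code == "O4" else None
        if m:
            found.append(m.groups())
    return found


def trusted_sites(entries):
    """Return the site or IP patterns added to the Trusted Zone (O15)."""
    found = []
    for code, body in entries:
        m = TRUSTED.match(body) if code == "O15" else None
        if m:
            found.append(m.group(1))
    return found


def flag(entries, watch):
    """Return entries whose text contains any watched name, ignoring case."""
    lowered = [w.lower() for w in watch]
    return [(c, b) for c, b in entries if any(w in b.lower() for w in lowered)]


if __name__ == "__main__":
    parsed = unwrap(SAMPLE_LOG)
    for code, body in flag(parsed, WATCH):
        print("review:", code, body)
    for hive, key, name, cmd in autostarts(parsed):
        print("autostart:", hive, key, name, "->", cmd)
    print("trusted zone additions:", trusted_sites(parsed))
```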


 
ozegirl
01-06-2005, 02:44 AM
Hi, I followed the link for the LSP fix and read the info on that. One thing
referenced was Winsock 2, and it said the entry may have to be deleted from
the registry & reinstalled - in the event that the LSP fix doesn't work.
Where in the registry is the Winsock 2 key? Thanks


 
Malke
01-06-2005, 03:02 AM
ozegirl wrote:

> Hi, I followed the link for the LSP fix and read the info on that. One
> thing referenced was Winsock 2, and it said the entry may have to be
> deleted from the registry & reinstalled - in the event that the LSP
> fix doesn't work. Where in the registry is the Winsock 2 key? Thanks
>


At this point, don't worry so much about the LSPFix. The reason that
Dave Lipman (and I) suggest getting either LSPFix (if you don't have
XP) or the XP-related Winsock2 fixes is because malware can damage this
part of Windows, which will prevent you from getting online, even after
the malware is gone. The idea is to download the fixes ahead of time
Just In Case.

What you should focus on right now is cleaning up the malware. Follow
Dave's suggestions. As he said (and you know), you will need to have
all your tools/updates ready on a cd-r since you won't have Internet
access at your brother's house.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
David H. Lipman
01-06-2005, 03:03 AM
From: "ozegirl" <(E-Mail Removed)>

| Hi, I followed the link for the LSP fix and read the info on that. One thing
| referenced was Winsock 2, and it said the entry may have to be deleted from
| the registry & reinstalled - in the event that the LSP fix doesn't work.
| Where in the registry is the Winsock 2 key? Thanks
|

You'd have to ask that in an OS specific News Group. Are you using WinME ?

If yes, then; microsoft.public.windowsme.general

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
MAP
01-06-2005, 04:30 AM
ozegirl wrote:
> Hi, I followed the link for the LSP fix and read the info on that.
> One thing referenced was Winsock 2, and it said the entry may have to
> be deleted from the registry & reinstalled - in the event that the
> LSP fix doesn't work. Where in the registry is the Winsock 2 key?
> Thanks


"This information was provided within the WinsockxpFix.exe application" It
seems that the download link is dead now
http://members.shaw.ca/techcd/WinsockXPFix.exe



Repairing Winsock in Win9x - Me manually do this:
open Network settings

1.) Remove all protocols or everything EXCEPT leave the NIC Adapter

2.) Click Apply & Close the Properties box, but on reboot notice, hit
Cancel...
do not reboot!

3.) Open Regedit and delete these keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcpoptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Winsock2

also ..scroll down delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2

close regedit

4.) Open Network Properties again, and Click ADD - PROTOCOL -
MicroSoft/TCPIP
**should Add Client for MS Networks Automatically**

Have your Windows CD ready or the CAB files,
Reboot and Should be good.
--
Mike Pawlak


 
ozegirl
01-06-2005, 06:12 AM
Thanks everyone - including Malke - but the whole point of getting the info
now on what to do with lspfix if I can't get on the internet, is that if I
can't get on the internet, I can't ask then!

:-) Ozeannie


 
ozegirl
01-06-2005, 06:28 AM
To David Lipman:

Is the SYSCLEAN_FE fix OK to use with Win 95? I wonder if you realised it
was a Win 95 system as you kept mentioning what to do for ME or XP.


 
ozegirl
01-06-2005, 07:10 AM
OK – I have a confession to make. In order to have the best chance of getting
a response to my problem I posted on a couple of different forums. Needless
to say, I’ve been offered differing advice so that now I’m a little bit
confused. Some are saying to do the hijack this fix in normal mode, followed
by deleting temp files in safe mode & running CWShredder in safe mode at the
end. Alternatively, to run CWShredder first in normal mode before doing the
hijack this in safe mode. Does it make a difference what order it is done
in…and what HAS to be done in safe mode?

PLEASE NOTE THAT THIS IS A WIN 95 SYSTEM!!

My current plan is:

Boot into Safe Mode
Run Hijack this & fix “bad” entries
Delete other bad running processes identified in posts either with killbox
or manually
Unhide all hidden files
Delete all temp internet and temp files

Run Trend Micro Sysclean Front End
Run CWShredder

Boot into Normal mode & see if internet works.
If it does install & update AV, adaware, spybot, etc

If not try to fix with lsp fix

Anyone see any problems with any of that?




 
David H. Lipman
01-06-2005, 01:32 PM
From: "ozegirl" <(E-Mail Removed)>

| To David Lipman:
|
| Is the SYSCLEAN_FE fix OK to use with Win 95? I wonder if you realised it
| was a Win 95 system as you kept mentioning what to do for ME or XP.
|

Yes. For Win9x/ME, NT4, Win2K, WinXP and Win2003 Server.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 