Urgent help please with hijack this log - rootsearch



ozegirl
07-09-2005, 10:48 PM
Hi,

This help is for my brother's computer - he cannot get onto the internet at
all other than to rootsearch at the moment. Below is his hijack this log,
which he copied to disc and sent to me. He knows nothing about computers so I
am going to his place tomorrow (3 hours away) to help. I can recognise a lot
of baddies in here - and I know the general procedure is to remove, reboot
into Safe mode and delete all the temp files, etc - but would appreciate a
considered approach from someone with more experience as I know this is a
particularly nasty trojan to get rid of - I have seen that others have not
been able to remove it with spybot or adaware. He has not updated his AV in 5
years - bad boy! Quick response appreciated as I won't have internet
connection available from his place. Thanks guys.

Logfile of HijackThis v1.99.1
Scan saved at 18:48:53, on 31/05/05
Platform: Windows 95 b (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\FPJ.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OFFICE2K\OFFICE\FINDFAST.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.rootsearch.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.rootsearch.biz/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 0;<local>
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} -
C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} -
C:\WINDOWS\SYSTEM\MSPXS32.DLL
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -
C:\WINDOWS\SASETUP.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft
Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM
FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - Startup: Microsoft Office.lnk = C:\Program
Files\Office2K\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program
Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft
Home Publishing\MHPRMIND.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SmartCapture.lnk = C:\WINDOWS\SII\SLPCAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\PLUGINS\npsmlvdo.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone (HKLM)
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} -
http://www.sexmaids.com/dialer/blue-software.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} -
http://adults.topy2k.com/Online_Gallery.cab
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} -
http://download.rocketpipe.com/bundles/1235.cab

David H. Lipman
07-09-2005, 10:48 PM
From: "ozegirl" <ozegirl@discussions.microsoft.com>

| Hi,
|
| This help is for my brother's computer - he cannot get onto the internet at
| all other than to rootsearch at the moment. Below is his hijack this log,
| which he copied to disc and sent to me. He knows nothing about computers so I
| am going to his place tomorrow (3 hours away) to help. I can recognise a lot
| of baddies in here - and I know the general procedure is to remove, reboot
| into Safe mode and delete all the temp files, etc - but would appreciate a
| considered approach from someone with more experience as I know this is a
| particularly nasty trojan to get rid of - I have seen that others have not
| been able to remove it with spybot or adaware. He has not updated his AV in 5
| years - bad boy! Quick response appreciated as I won't have internet
| connection available from his place. Thanks guys.
|
| Logfile of HijackThis v1.99.1
| Scan saved at 18:48:53, on 31/05/05
| Platform: Windows 95 b (Win9x 4.00.1111)
| MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
|

This is NOT the best place to post a HJT log.

However, a quick glance revealed several suspects....

O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

I think that you have many forms of malware.

I suggest you use the following software...

Download and have handy LSP Fix -- http://www.cexx.org/lspfix.htm
This is in case one of the adware/spyware applications you have breaks your ability to access
the Internet.
Have the software on the PC prior to scanning and removing malware with Ad-aware SE and
SpyBot S&D.

SpyBot Search and Destroy: http://security.kolla.de/
BHOdemon: http://www.definitivesolutions.com/bhodemon.htm


And I suggest you perform the following...


Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.06)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point

In conclusion I think you should upgrade IE to IE SP1 and all MS Critical Updates as well.


* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
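
Added example (not part of the original thread, and not code from HijackThis): a first-pass triage of a HijackThis log like the one posted above, which re-joins wrapped entries, then summarises the IE start/search page hosts, the Run-key autoruns (hive and whether the executable is in the running-process list), and the Trusted Zone changes. The function names are hypothetical; the sample is a few entries copied from the posted log.

```python
import ntpath
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted above, keeping the
# mid-entry line breaks that posting the log to the newsgroup introduced.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.rootsearch.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.rootsearch.biz/index.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft
Money\System\reminder.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be
Internet Zone (HKLM)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # e.g. "O4 - ..."
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
IMAGE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)       # path up to .exe


def parse_log(text):
    """Return (running_processes, entries); entries are (code, body) tuples."""
    running, entries, state = [], [], "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            state = "entries"
        elif line == "Running processes:":
            state = "processes"
        elif line and state == "processes":
            running.append(line)
        elif line and state == "entries":
            # Long entries were wrapped at a space; glue the tail back on.
            entries[-1][1] += " " + line
    return running, [tuple(e) for e in entries]


def autoruns(running, entries):
    """Map each Run-key executable to its hive(s) and whether it is running."""
    live = {ntpath.basename(p).lower() for p in running}
    grouped = {}
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if not m:
            continue  # Startup-folder shortcuts are not Run-key values
        hive, _name, command = m.groups()
        img = IMAGE_RE.match(command)
        image = ntpath.basename(img.group(1) if img else command).lower()
        grouped.setdefault(image, set()).add(hive)
    return {image: {"hives": sorted(hives), "running": image in live}
            for image, hives in grouped.items()}


def redirected_hosts(entries):
    """Count the hosts that the IE start/search page values (R0/R1) point at."""
    hosts = Counter()
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host:
                hosts[host] += 1
    return hosts


def zone_changes(entries):
    """Return (Trusted Zone sites, protocol-default warnings) from section O15."""
    sites, protocols = [], []
    for code, body in entries:
        if code == "O15" and body.startswith("Trusted Zone: "):
            sites.append(body.split(": ", 1)[1].split()[0])
        elif code == "O15" and body.startswith("ProtocolDefaults: "):
            protocols.append(body.split(": ", 1)[1])
    return sites, protocols


if __name__ == "__main__":
    running, entries = parse_log(SAMPLE_LOG)
    print("start/search page hosts:", dict(redirected_hosts(entries)))
    for image, info in sorted(autoruns(running, entries).items()):
        print(f"autorun {image}: hives={info['hives']} running={info['running']}")
    print("Trusted Zone sites / protocol defaults:", zone_changes(entries))
```

The summary only groups what the log says; deciding which entries to fix still needs the kind of review given in the reply above.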

ozegirl
07-09-2005, 10:48 PM
Hi, I followed the link for the LSP fix and read the info on that. One thing
referenced was Winsock 2, and it said the entry may have to be deleted from
the registry & reinstalled - in the event that the LSP fix doesn't work.
Where in the registry is the Winsock 2 key? Thanks

Malke
07-09-2005, 10:48 PM
ozegirl wrote:

> Hi, I followed the link for the LSP fix and read the info on that. One
> thing referenced was Winsock 2, and it said the entry may have to be
> deleted from the registry & reinstalled - in the event that the LSP
> fix doesn't work. Where in the registry is the Winsock 2 key? Thanks
>

At this point, don't worry so much about the LSPFix. The reason that
Dave Lipman (and I) suggest getting either LSPFix (if you don't have
XP) or the XP-related Winsock2 fixes is because malware can damage this
part of Windows, which will prevent you from getting online, even after
the malware is gone. The idea is to download the fixes ahead of time
Just In Case.

What you should focus on right now is cleaning up the malware. Follow
Dave's suggestions. As he said (and you know), you will need to have
all your tools/updates ready on a cd-r since you won't have Internet
access at your brother's house.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 10:48 PM
From: "ozegirl" <ozegirl@discussions.microsoft.com>

| Hi, I followed the link for the LSP fix and read the info on that. One thing
| referenced was Winsock 2, and it said the entry may have to be deleted from
| the registry & reinstalled - in the event that the LSP fix doesn't work.
| Where in the registry is the Winsock 2 key? Thanks
|

You'd have to ask that in an OS specific News Group. Are you using WinME ?

If yes, then; microsoft.public.windowsme.general

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

MAP
07-09-2005, 10:48 PM
ozegirl wrote:
> Hi, I followed the link for the LSP fix and read the info on that.
> One thing referenced was Winsock 2, and it said the entry may have to
> be deleted from the registry & reinstalled - in the event that the
> LSP fix doesn't work. Where in the registry is the Winsock 2 key?
> Thanks

"This information was provided within the WinsockxpFix.exe application" It
seems that the download link is dead now
http://members.shaw.ca/techcd/WinsockXPFix.exe



Repairing Winsock in Win9x - Me manually do this:
open Network settings

1.) Remove all protocols or everything EXCEPT leave the NIC Adapter

2.) Click Apply & Close the Properties box, but on reboot notice, hit
Cancel...
do not reboot!

3.) Open Regedit and delete these keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcpoptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Winsock2

also ..scroll down delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2

close regedit

4.) Open Network Properties again, and Click ADD - PROTOCOL -
MicroSoft/TCPIP
**should Add Client for MS Networks Automatically**

Have your Windows CD ready or the CAB files,
Reboot and Should be good.
--
Mike Pawlak

ozegirl
07-09-2005, 10:48 PM
Thanks everyone - including Malke - but the whole point of getting the info
now on what to do with lspfix if I can't get on the internet, is that if I
can't get on the internet, I can't ask then!

:-) Ozeannie

ozegirl
07-09-2005, 10:48 PM
To David Lipman:

Is the SYSCLEAN_FE fix OK to use with Win 95? I wonder if you realised it
was a Win 95 system as you kept mentioning what to do for ME or XP.

ozegirl
07-09-2005, 10:48 PM
OK – I have a confession to make. In order to have the best chance of getting
a response to my problem I posted on a couple of different forums. Needless
to say, I’ve been offered differing advice so that now I’m a little bit
confused. Some are saying to do the hijack this fix in normal mode, followed
by deleting temp files in safe mode & running CWShredder in safe mode at the
end. Alternatively, to run CWShredder first in normal mode before doing the
hijack this in safe mode. Does it make a difference what order it is done
in…and what HAS to be done in safe mode?

PLEASE NOTE THAT THIS IS A WIN 95 SYSTEM!!

My current plan is:

Boot into Safe Mode
Run Hijack this & fix “bad” entries
Delete other bad running processes identified in posts either with killbox
or manually
Unhide all hidden files
Delete all temp internet and temp files

Run Trend Micro Sysclean Front End
Run CWShredder

Boot into Normal mode & see if internet works.
If it does install & update AV, adaware, spybot, etc

If not try to fix with lsp fix

Anyone see any problems with any of that?

David H. Lipman
07-09-2005, 10:48 PM
From: "ozegirl" <ozegirl@discussions.microsoft.com>

| To David Lipman:
|
| Is the SYSCLEAN_FE fix OK to use with Win 95? I wonder if you realised it
| was a Win 95 system as you kept mentioning what to do for ME or XP.
|

Yes. For Win9x/ME, NT4, Win2K, WinXP and Win2003 Server.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
07-09-2005, 10:48 PM
From: "ozegirl" <ozegirl@discussions.microsoft.com>

| OK – I have a confession to make. In order to have the best chance of getting
| a response to my problem I posted on a couple of different forums. Needless
| to say, I’ve been offered differing advice so that now I’m a little bit
| confused. Some are saying to do the hijack this fix in normal mode, followed
| by deleting temp files in safe mode & running CWShredder in safe mode at the
| end. Alternatively, to run CWShredder first in normal mode before doing the
| hijack this in safe mode. Does it make a difference what order it is done
| in…and what HAS to be done in safe mode?
|
| PLEASE NOTE THAT THIS IS A WIN 95 SYSTEM!!
|
| My current plan is:
|
| Boot into Safe Mode
| Run Hijack this & fix “bad” entries
| Delete other bad running processes identified in posts either with killbox
| or manually
| Unhide all hidden files
| Delete all temp internet and temp files
|
| Run Trend Micro Sysclean Front End
| Run CWShredder
|
| Boot into Normal mode & see if internet works.
| If it does install & update AV, adaware, spybot, etc
|
| If not try to fix with lsp fix
|
| Anyone see any problems with any of that?
|

OK -- That's a good start. Please report back your progress ;-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

ozegirl
07-09-2005, 10:49 PM
Thanks - I'll let you know what happens. One more thing: In the event that
the only thing left to do is to reinstall Windows, are the automatic windows
updates still available to download for Win 95 on the Microsoft site? If not,
can I save any update files already downloaded and reinstall them, and how do
I identify them?

David H. Lipman
07-09-2005, 10:49 PM
From: "ozegirl" <ozegirl@discussions.microsoft.com>

| Thanks - I'll let you know what happens. One more thing: In the event that
| the only thing left to do is to reinstall Windows, are the automatic windows
| updates still available to download for Win 95 on the Microsoft site? If not,
| can I save any update files already downloaded and reinstall them, and how do
| I identify them?

I do not think so. Win95 lost its support a couple of years ago, and there are *many*
updates for Win95. The only updates are Security Updates for IE6.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

ozegirl
07-09-2005, 10:49 PM
Thanks again - I feared as much. I also knew about Microsoft withdrawing
"support" for Win 95 but wasn't sure if it extended to the windows updates,
though I guess that's one of the main support functions. Let's hope I remove
the bugs & it all just *works*

What's in a Name?
07-09-2005, 10:49 PM
ozegirl wrote:
> Thanks again - I feared as much. I also knew about Microsoft withdrawing
> "support" for Win 95 but wasn't sure if it extended to the windows updates,
> though I guess that's one of the main support functions. Let's hope I remove
> the bugs & it all just *works*
>
> "David H. Lipman" wrote:
>
>
>>From: "ozegirl" <ozegirl@discussions.microsoft.com>
>>
>>| Thanks - I'll let you know what happens. One more thing: In the event that
>>| the only thing left to do is to reinstall Windows, are the automatic windows
>>| updates still available to download for Win 95 on the Microsoft site? If not,
>>| can I save any update files already downloaded and reinstall them, and how do
>>| I identify them?
>>
>>I do not think so. Win95 lost its support a couple of years ago, and there are *many*
>>updates for Win95. The only updates are Security Updates for IE6.
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>http://www.ik-cs.com/got-a-virus.htm
>>
>>
>>
You should take a copy of win98se with you-just in case
-max

--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
This message is virus free as far as I can tell.

Code-Curious Mom
07-09-2005, 10:49 PM
*automatic updates* via Windows Update are no longer available and there are
no new updates, but you can still get old patches at
http://www.microsoft.com/windows95/downloads/
Last time I had to redo a Win95 machine I had to get an updated IE at
http://browsers.evolt.org/?/ie/32bit

C-C Mom

"What's in a Name?" <spamthis@nomail.afraid.org> wrote in message
news:429e3326$0$19273$892e7fe2@authen.white.readfreenews.net...
> ozegirl wrote:
>> Thanks again - I feared as much. I also knew about Microsoft withdrawing
>> "support" for Win 95 but wasn't sure if it extended to the windows
>> updates, though I guess that's one of the main support functions. Let's
>> hope I remove the bugs & it all just *works*
>>
>> "David H. Lipman" wrote:
>>
>>
>>>From: "ozegirl" <ozegirl@discussions.microsoft.com>
>>>
>>>| Thanks - I'll let you know what happens. One more thing: In the event that
>>>| the only thing left to do is to reinstall Windows, are the automatic windows
>>>| updates still available to download for Win 95 on the Microsoft site? If not,
>>>| can I save any update files already downloaded and reinstall them, and how do
>>>| I identify them?
>>>
>>>I do not think so. Win95 lost its support a couple of years ago, and there are *many*
>>>updates for Win95. The only updates are Security Updates for IE6.
>>>
>>>--
>>>Dave
>>>http://www.claymania.com/removal-trojan-adware.html
>>>http://www.ik-cs.com/got-a-virus.htm
>>>
>>>
>>>
> You should take a copy of win98se with you-just in case
> -max
>
> --
> Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> You can find my e-mail address on my pages.
> This message is virus free as far as I can tell.

ozegirl
07-09-2005, 10:49 PM
Well I've just returned back home from a 3 day trip to my childhood home that
was pretty disastrous.
The purpose of my trip was twofold:
1) to help my parents (both 80) set up a new laptop computer with internet &
email connection, and get them started with the basics.
2) to try and fix my brother's computer which was completely overrun with
the rootsearch virus.

First, I went through the Windows setup on the new computer, then did the
internet/email connection. I needed to go online then to complete that and to
download the windows updates (which took 2 hours on dialup).
Then found that the computer always did a restart on shutdown. Fortunately I
had not installed any other software or hardware at this stage. To cut a long
story short, after 2 hours on the phone to HP which included reformatting &
reinstalling the OS before convincing them that I had done nothing wrong, we
were given a reference number to take the machine back to the shop & exchange
for a new one.
Another 2 hours later at the shop to convince them the computer was a lemon
& to insist on checking the replacement before we took it home.
Back to square one - 24 hours lost by now, not to mention having to spend
another 2 hours doing windows updates which cost my parents going over their
internet hours limit.
In the evening we went out to dinner and my mother tripped and fell badly
hitting her head, shoulders, legs, ankles and cutting her hand, and
momentarily knocking herself out. The restaurant had very dangerous and
stupidly placed steps.

This resulted in my mum feeling rather ill the next day so that she was
unable to really take any computer lessons, but I had to spend this day
setting up the new computer anyway, as well as care for her.

This meant that I had to give her the basic instructions on the following
day, when I had planned to visit my brother. I still had time to see him in
the afternoon, but he decided in the meantime that the best resolution might
be to save his work and reformat and install Win 98 - which I also think is
the best solution in the long run, until he can afford a new computer of his
own.

No doubt he will still want help with this as he doesn't know too much about
computers, so when I next see him I might still have a go at clearing the
virus, if only to get internet connection so we can upload anything he wants
to keep to his webspace, as I don't think all his files would fit on a floppy
(and there's no burner).

I'd like to thank everyone for their generous help - sorry I haven't been
able to try it out so far, but your answers on this forum may still prove
useful to someone else who needs help - I know I have often found the help I
needed in others' posts. So thanks again.


"What's in a Name?" wrote:

> ozegirl wrote:
> > Thanks again - I feared as much. I also knew about Microsoft withdrawing
> > "support" for Win 95 but wasn't sure if it extended to the windows updates,
> > though I guess that's one of the main support functions. Let's hope I remove
> > the bugs & it all just *works*
> >
> > "David H. Lipman" wrote:
> >
> >
> >>From: "ozegirl" <ozegirl@discussions.microsoft.com>
> >>
> >>| Thanks - I'll let you know what happens. One more thing: In the event that
> >>| the only thing left to do is to reinstall Windows, are the automatic windows
> >>| updates still available to download for Win 95 on the Microsoft site? If not,
> >>| can I save any update files already downloaded and reinstall them, and how do
> >>| I identify them?
> >>
> >>I do not think so. Win95 lost its support a couple of years ago, and there are *many*
> >>updates for Win95. The only updates are Security Updates for IE6.
> >>
> >>--
> >>Dave
> >>http://www.claymania.com/removal-trojan-adware.html
> >>http://www.ik-cs.com/got-a-virus.htm
> >>
> >>
> >>
> You should take a copy of win98se with you-just in case
> -max
>
> --
> Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> You can find my e-mail address on my pages.
> This message is virus free as far as I can tell.
>

What's in a Name?
07-09-2005, 10:49 PM
ozegirl wrote:

> In the evening we went out to dinner and my mother tripped and fell badly
> hitting her head, shoulders, legs, ankles and cutting her hand, and
> momentarily knocking herself out. The restaurant had very dangerous and
> stupidly placed steps.
>

You may want to contact an attorney about those steps. It would be
helpful in your mother's later years to have a nice nest egg paid for
by the restaurant.
-max

--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
This message is virus free as far as I can tell.

ozegirl
07-09-2005, 10:49 PM
That was my initial thought too, however there was actually a sign warning
about the steps - but the sign itself was a bit difficult to see, especially
for my mother as she was carrying a floral arrangement into the restaurant as
her friend's birthday present. She said it was her fault that she slipped,
and it probably was, but the steps didn't make it any easier. I think the
restaurant would be in the clear as they did have a sign.

"What's in a Name?" wrote:

> ozegirl wrote:
>
> > In the evening we went out to dinner and my mother tripped and fell badly
> > hitting her head, shoulders, legs, ankles and cutting her hand, and
> > momentarily knocking herself out. The restaurant had very dangerous and
> > stupidly placed steps.
> >
>
> You may want to contact an attorney about those steps. It would be
> helpful in your mother's later years to have a nice nest egg paid for
> by the restaurant.
> -max
>
> --
> Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> You can find my e-mail address on my pages.
> This message is virus free as far as I can tell.
>

What's in a Name?
07-09-2005, 10:49 PM
ozegirl wrote:
> That was my initial thought too, however there was actually a sign warning
> about the steps - but the sign itself was a bit difficult to see, especially
> for my mother as she was carrying a floral arrangement into the restaurant as
> her friend's birthday present. She said it was her fault that she slipped,
> and it probably was, but the steps didn't make it any easier. I think the
> restaurant would be in the clear as they did have a sign.
>

*********Middle Posted for Maximum Confusion*************

I think that the sign issue would be up to a jury to decide.
-max

>>ozegirl wrote:
>>
>>
>>>In the evening we went out to dinner and my mother tripped and fell badly
>>>hitting her head, shoulders, legs, ankles and cutting her hand, and
>>>momentarily knocking herself out. The restaurant had very dangerous and
>>>stupidly placed steps.
>>>
>>
>>You may want to contact an attorney about those steps. It would be
>>helpful in your mother's later years to have a nice nest egg paid for
>>by the restaurant.
>>-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.

