Urgent help please with HT log - Rootsearch

Hi,

This help is for my brother's computer - he cannot get onto the internet at all other than to rootsearch at the moment. Below is his hijack this log, which he copied to disc and sent to me. He knows nothing about computers so I am going to his place tomorrow (3 hours away) to help. I can recognise a lot of baddies in here - and I know the general procedure is to remove, reboot into Safe mode and delete all the temp files, etc - but would appreciate a considered approach from someone with more experience as I know this is a particularly nasty trojan to get rid of - I have seen that others have not been able to remove it with spybot or adaware. He has not updated his AV in 5 years - bad boy! Quick response appreciated as I won't have internet connection available from his place. Thanks guys.

Logfile of HijackThis v1.99.1
Scan saved at 18:48:53, on 31/05/05
Platform: Windows 95 b (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\FPJ.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OFFICE2K\OFFICE\FINDFAST.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rootsearch.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rootsearch.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rootsearch.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rootsearch.biz/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rootsearch.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;<local>
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\SYSTEM\MSPXS32.DLL
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\SASETUP.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SmartCapture.lnk = C:\WINDOWS\SII\SLPCAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\PLUGINS\npsmlvdo.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.sexmaids.com/dialer/blue-software.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://adults.topy2k.com/Online_Gallery.cab
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/1235.cab

Comments

  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    You have a nasty CWS infection. It's going to be difficult to remove without internet access, but here is the procedure.

    Step 1
    Download CWShredder but don't run it yet.


    Step 2
    Download Ad-aware SE 1.05
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Step 3
    Make sure that you can VIEW ALL HIDDEN FILES.


    Step 4
    Run HijackThis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rootsearch.biz/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rootsearch.biz/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rootsearch.biz/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rootsearch.biz/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rootsearch.biz/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rootsearch.biz/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rootsearch.biz/index.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rootsearch.biz/index.html
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\SYSTEM\MSPXS32.DLL
    O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\SASETUP.DLL
    O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
    O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
    O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O13 - WWW. Prefix: http://
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.sexmaids.com/dialer/blue-software.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://adults.topy2k.com/Online_Gallery.cab
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/1235.cab


    Step 5
    Reboot your computer into SAFE MODE


    Step 6
    Now run CWShredder, making sure to click "Fix".


    Step 7
    Then delete these files or directories (Do not be concerned if they do not exist).

    C:\WINDOWS\QUESTMOD.DLL
    C:\WINDOWS\SYSTEM\MSPXS32.DLL
    C:\WINDOWS\SASETUP.DLL
    C:\WINDOWS\SYSTEM\explorer32.exe
    C:\WINDOWS\SYSTEM\Fpj.exe
    C:\WINDOWS\SYSTEM\tibs3.exe



    Step 8
    Run a full scan with Adaware.


    Reboot your computer to go back to normal mode and post a new hijackthis log.
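
Added example, not part of the original thread or of any poster's advice: a small Python triage helper that takes the entries selected in Step 4, derives the files they point at (the Step 7 delete list), and marks which of those files appear under "Running processes" in the log. The function names and the `FULL_LOG` / `FIX_LINES` excerpts are constructed for illustration from lines quoted above.

```python
import re

ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# First drive-letter path ending in an executable extension; quotes/args ignored.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)

# Constructed excerpts of the log and of the Step 4 list quoted in this thread.
FULL_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\FPJ.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
"""
FIX_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rootsearch.biz/index.html
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\SYSTEM\Fpj.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
"""

def parse_entries(text):
    """Return (section, body) for every HijackThis result line in text."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def running_processes(text):
    """Return the upper-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # the process list ends at the first blank line
        elif in_block:
            procs.add(line.upper())
    return procs

def referenced_file(section, body):
    """Full path an O2 (BHO) or O4 (autostart) entry points at, else None."""
    if section not in ("O2", "O4"):
        return None
    m = PATH_RE.search(body)
    return m.group(1) if m else None

def removal_plan(full_log, fix_lines):
    """Files referenced by the entries chosen for fixing, de-duplicated."""
    running = running_processes(full_log)
    files = {}
    for section, body in parse_entries(fix_lines):
        path = referenced_file(section, body)
        if path:
            key = path.upper()  # compare case-insensitively, as the log mixes case
            files.setdefault(key, {"path": path, "refs": 0, "running": key in running})
            files[key]["refs"] += 1
    return list(files.values())

if __name__ == "__main__":
    for f in removal_plan(FULL_LOG, FIX_LINES):
        state = "running when logged" if f["running"] else "not running"
        print(f'{f["path"]}  ({f["refs"]} BHO/autostart refs, {state})')
```

Entries without a full path (such as `SysTray.Exe`) yield no file, and DLLs registered as BHOs never show up in the process list even when loaded, so `running` is only meaningful for the `.exe` entries.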
  • edited June 2005
    OK – I have a confession to make. In order to have the best chance of getting a response to my problem I posted on a couple of different forums. Needless to say, I’ve been offered differing advice so that now I’m a little bit confused. Some are saying to do the hijack this fix in normal mode, followed by deleting temp files in safe mode & running CWShredder in safe mode at the end. Alternatively, to run CWShredder first in normal mode before doing the hijack this in safe mode. Does it make a difference what order it is done in…and what HAS to be done in safe mode?

    PLEASE NOTE THAT THIS IS A WIN 95 SYSTEM!!

    My current plan is:

    Boot into Safe Mode
    Run Hijack this & fix “bad” entries
    Delete other bad running processes identified in posts either with killbox or manually
    Unhide all hidden files
    Delete all temp internet and temp files

    Run Trend Micro Sysclean Front End
    Run CWShredder

    Boot into Normal mode & see if internet works.
    If it does install & update AV, adaware, spybot, etc

    If not try to fix with lsp fix

    Anyone see any problems with any of that?
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Your plan is sound so I would go with it. Different people have different styles and methods that they use. There are so many variables in your log, both known and unknown, that it's impossible to say one fix is better than the other.

    However you need to decide which advice from which forum you are going to take and stick with that one.
  • edited June 2005
    Thanks for that. Sorry to sound like I'm playing the field - it's not that at all, it's just that I have to leave in a couple of hours & once at my brother's place I won't be able to access internet for help, so I wanted to ensure I got a reply from somewhere - sometimes it can take a day or more to get a reply. Your help is very much appreciated, thanks again. I'll let you know how I get on.
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    I understand. It's just very difficult to analyze results if I don't know that you're following directions other than mine.

    Honestly, it's been a very long time since I've had to deal with a Win95 machine (some programs may not run on it), but just keep me in the loop and I'll help you out if I can.
  • edited June 2005
    Well I've just returned back home from a 3 day trip to my childhood home that was pretty disastrous.
    The purpose of my trip was twofold:
    1) to help my parents (both 80) set up a new laptop computer with internet & email connection, and get them started with the basics.
    2) to try and fix my brother's computer which was completely overrun with the rootsearch virus.

    First, I went through the Windows setup on the new computer, then did the internet/email connection. I needed to go online then to complete that and to download the windows updates (which took 2 hours on dialup).
    Then found that the computer always did a restart on shutdown. Fortunately I had not installed any other software or hardware at this stage. To cut a long story short, after 2 hours on the phone to HP which included reformatting & reinstalling the OS before convincing them that I had done nothing wrong, we were given a reference number to take the machine back to the shop & exchange for a new one.
    Another 2 hours later at the shop to convince them the computer was a lemon & to insist on checking the replacement before we took it home.
    Back to square one - 24 hours lost by now, not to mention having to spend another 2 hours doing windows updates which cost my parents going over their internet hours limit.
    In the evening we went out to dinner and my mother tripped and fell badly hitting her head, shoulders, legs, ankles and cutting her hand, and momentarily knocking herself out. The restaurant had very dangerous and stupidly placed steps.

    This resulted in my mum feeling rather ill the next day so that she was unable to really take any computer lessons, but I had to spend this day setting up the new computer anyway, as well as care for her.

    This meant that I had to give her the basic instructions on the following day, when I had planned to visit my brother. I still had time to see him in the afternoon, but he decided in the meantime that the best resolution might be to save his work and reformat and install Win 98 - which I also think is the best solution in the long run, until he can afford a new computer of his own.

    No doubt he will still want help with this as he doesn't know too much about computers, so when I next see him I might still have a go at clearing the virus, if only to get internet connection so we can upload anything he wants to keep to his webspace, as I don't think all his files would fit on a floppy (and there's no burner).

    I'd like to thank everyone for their generous help - sorry I haven't been able to try it out so far, but your answers on this forum may still prove useful to someone else who needs help - I know I have often found the help I needed in others' posts. So thanks again.
This discussion has been closed.