IE non connect problem


Bob

I have a connection problem with IE. The computer has the Windows 2000 OS and was
full of viruses. I got rid of all but one, which appears to be a hijacker.
When I click on IE my dial-up connection comes up, with IE in the background
containing the correct home page. As soon as the dial-up makes a connection
the home page changes to http://a-search.biz/?wind=1010. (If anyone
recognizes the hijacker by this signature please let me know.) I get a "the
page cannot be displayed" at the top and a "cannot find server or DNS error
Internet Explorer". If I manually change the address to my home page I get
the same errors. If I click on "Detect Network Settings" I get an additional
message in the lower task bar (rather than just Done)
"javascript:doNotDetect()"?

The unit had AOL on it so I uninstalled it in case that was causing a
conflict. I have downloaded all the virus programs (Sysclean, Ad-aware,
HijackThis, CWShredder, AVG, Spybot, spyblaster) and have not been able to
identify the hijack culprit. I have examined the registry and the host files
as well. I need to connect to the Internet to do some updates of the various
programs and do some scans from external sources.

If anyone recognizes the hijacker by the above signature please let me
know.

Thanks for any suggestions

Bob
 
Hi Bob :-)

You may have a hijacker, malware, spyware or parasites on your system
causing this problem. Thus, in addition to running your updated anti-virus
program, you should do the following to be sure none of these are present on
your system. Although you may have already run one or more of the programs,
please do so again according to the instructions below. Some variants of
malware can replicate themselves over and over if not removed properly.
Please follow all instructions carefully to be sure your system is
thoroughly cleaned:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
Be sure to run CWShredder, Ad-aware and Spybot.
If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.
(or Spybot - Search and Destroy DSO Exploit Fix 1.3.1 TX)
http://www.majorgeeks.com/download4392.html
Also be sure to use the HijackThis. Please do not post your log to this
newsgroup, but to the HiJackThis Support Forum
http://www.hijackthis.de/forum/forumdisplay.php?f=10&guestlanguageid=4
or the Aumha HiJackThis forums
http://forum.aumha.org/viewforum.php?f=30
to allow the experts there to evaluate your log and advise you of the
necessary steps to clean your system.

Also this program searches for hidden .dlls that recreate the malware.
About Buster:
http://www.majorgeeks.com/download4289.html

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

Also, get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also
From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
also ....
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)

or ........

Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

Also.........

Courtesy of Jim Byrd -

Download Sysclean.com, from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp
Be sure to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
You might also want to get Art's updater, SYS-UP.Zip, here for future
updating of these: http://home.epix.net/~artnpeg/.
(If you download and use the updater from the beginning, it will
automatically handle downloading the other files. Place them in a dedicated
folder after appropriate unzipping, and then run. This scan may take a long
time, as Sysclean is VERY extensive and thorough.)

and......

NOTE: If you can not download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again in Safe Mode to be
sure there are no lingering items on the system.

also...........

Additional information on how to protect your PC:
The Parasite Fight http://www.aumha.org/a/quickfix.htm
More security tips at http://www.aumha.org/a/parasite.htm
Bugs, Glitches & Stuffups: http://www.mvps.org/inetexplorer/Darnit.htm

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Jan,
No luck. Worked each and every one. Mainly I was encouraged by the winsock
fix. It didn't work either. The dial-up connection works to the IP, but
nothing seems to be connecting thereafter. Outlook Express, that usually
connects, does not. The AVG virus program does not. Spybot does not. I don't
think any of these would be affected by the hijacker. IE comes up, along
with the connection screen, with the correct start page. Once you click
"connect" the start page changes to the hijacker web address. Normally the
hijacker would activate IE and take you to that web address. Note that
even the hijacker does not connect! (I tried the hijacker on my other
computer and it loads (opens) the web page.)

I tried to download IE 6 but all I could retrieve was the "setup files". Is
there a way to get IE 6 operating files downloaded? I can burn them to a
disc and copy them to the troubled computer. But the question remains, will
that help?

Could there be a "service" disabled (admin tools) that could be causing the
problem?

I'm at home on my house computer....the reason for the FM rather than Bob

Thanks,

Bob
 
Hi Bob :-)

Yes, you can burn all the files to the hard drive of another PC and then
burn them to a CD, load them to your computer and then install them from
there. However, I'm not sure I understand the questions regarding IE. You
should be able to repair your IE from the computer, the files should be on
the hard drive, or on the Original Windows install CD. Give me a bit more
information on what you want to do in this regard and I'll try to be more
specific for you. Also, be aware that with XP the IE is a core part of the
XP system, and can not be uninstalled, but it can be repaired. However,
this will not help until the hijacker is totally removed.

In that regard, the hijacker is obviously a nastier variant, thus, I am
providing a more aggressive cleaner for you to run, which should help remove
the hijacker from your system. Once that is done, we can do the necessary
to get you hooked back up. But, we need to get rid of the scumware first.
Some variants can replicate themselves repeatedly, and some even morph, if
not fully removed properly.

Follow the instructions below very carefully:

Courtesy of Jim Byrd -

Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.

YOU USE THIS PROCEDURE AT YOUR OWN RISK!

Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml

Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.

Write down the name of the DLL file that's displayed!

(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)

Exit Registrar Lite.

Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS Shield Dropper.vbs

Download Silent Runners here:
http://www.silentrunners.org/Silent Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the file name (including the full path)!

(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)

Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS File Cleaner.vbs

Reset your Internet Explorer home page. Your PC should now run normally.


If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
 
Jan,

To fully illustrate the problem, I have four programs besides IE that
normally connect to the internet and appear to use their own screen. As far
as I can ascertain they do not use IE. Outlook Express checks the mail, AVG
updates itself, mailwasherpro advance checks the mail, Spybot checks for
updates. None of these will now connect to the internet.
I looked up the registry file; it's winde.dll. I will proceed with your
instructions carefully and get back to you.
Thanks
Bob
 
Jan,
Cannot find steps 8-10 when booting into Safe Mode? I have Windows 2000 on the
computer.
I don't know which one is the bad guy. Here's a copy of the text file
created.
By the way, the original install CD is in storage in Tahoe (we think) and is
currently not available.
Thanks for your continuing help

Bob

"Silent Runners.vbs", revision 27, launched at: 11:57

Operating System: Windows 2000

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Host" = "" [(file not found)]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player 7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\WINNT\System32\winde.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
Indexing Service, cisvc, "C:\WINNT\System32\cisvc.exe" [MS]
Internet Connection Sharing, SharedAccess, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\ipnathlp.dll" [MS]}
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
NT LM Security Support Provider, NtLmSsp, "C:\WINNT\System32\lsass.exe" [MS]
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Plug and Play svc service, pnpsvc, "C:\WINNT\system32\svchost.exe -k netsvcs" {"c:\winnt\system32\bsirdrel.dll" [null data]}
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Auto Connection Manager, RasAuto, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasauto.dll" [MS]}
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Procedure Call (RPC) Locator, RpcLocator, "C:\WINNT\System32\locator.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]
Still Image Service, StiSvc, "C:\WINNT\system32\stisvc.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Telnet, TlntSvr, "C:\WINNT\system32\tlntsvr.exe" [MS]
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINNT\System32\mspmspsv.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]
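
A log pasted through a news client like the one above is hard to read by eye because records are split across lines. The following is an added example, not part of the original thread and not code from the Silent Runners project: it rejoins wrapped records and lists the entries worth a second look. Which tags count as worth a second look ("file not found", "null data", and the tool's own INFECTION WARNING marker) is this example's assumption, and the function names are hypothetical.

```python
import re

# Excerpt of the Silent Runners output posted in this thread, with the hard
# line wraps a news client introduces (records split across physical lines).
SAMPLE_LOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Host" = "" [(file not found)]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT,
s.r.o."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\WINNT\System32\winde.dll" [file not
found]

DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Plug and Play svc service, pnpsvc, "C:\WINNT\system32\svchost.exe -k
netsvcs" {"c:\winnt\system32\bsirdrel.dll" [null data]}
'''

# A bracketed tag at the end of an entry, e.g. [MS] or [null data].
TAG_RE = re.compile(r'\[([^\[\]]*)\]')


def _is_open(buf):
    """True while a wrapped record is still waiting for its next line."""
    return (buf.count('"') % 2 == 1
            or buf.count('[') != buf.count(']')
            or buf.count('{') != buf.count('}')
            or buf.endswith((',', '=')))


def join_records(text):
    """Undo hard line wrapping: return one string per logical log record."""
    records, buf = [], ''
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # A line continues the previous record if that record is unfinished,
        # or if the line starts with a tag or a service-DLL group.
        if buf and (_is_open(buf) or line[0] in '[{'):
            buf += ' ' + line
        else:
            if buf:
                records.append(buf)
            buf = line
    if buf:
        records.append(buf)
    return records


def triage(text):
    """Return (record, reasons) for every entry that deserves a second look."""
    findings = []
    for rec in join_records(text):
        tags = [t.strip('() ').lower() for t in TAG_RE.findall(rec)]
        reasons = []
        if 'INFECTION WARNING' in rec:
            reasons.append('flagged by Silent Runners')
        if 'file not found' in tags:
            reasons.append('target file missing')
        if 'null data' in tags:
            reasons.append('null data tag')
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == '__main__':
    for record, reasons in triage(SAMPLE_LOG):
        print('; '.join(reasons))
        print('   ', record)
```

On the excerpt this lists three entries: the empty "Host" Run value, the AppInit_DLLs value pointing at winde.dll, and the pnpsvc service backed by bsirdrel.dll.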
 
Hi Bob :-)

I am afraid that I'm not that familiar with Registry files to make a
qualified decision on the validity of the results. Here is what I would
like for you to do.

Go to the AumHa forum and open a thread there. You will have to register,
but, it's ok, no one will send you a bazillion pounds of spam. Just give a
brief rundown of your problem, that you've posted here, and been referred to
the HiJackThis forum to have your log read.
http://forum.aumha.org/viewforum.php?f=30
Allow the experts there to evaluate your log and advise you of the necessary
steps to clean your system, if necessary. Also, post the findings you have
posted here, and let them know that you have run these programs, that way
they will know how you came to get the files.

Here is where you can get the HiJackThis program. It is simple and easy to
run. Scroll down to the section on HiJackThis and follow the instructions:
Then post the log to the AumHa forum.
Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm


Please post back here and let me know when you have posted the log and I'll
check with AumHa as well, as I am very curious to see what they will find
and suggest.

Thank you for your patience. :-)

Jan :)
 
Jan,
Followed your advice and did a long dissertation detailing the problem and
got rebuked. It seems that the only "relevant" item is the HijackThis log.
I ran the program and after a bit of a hassle I posted it. The moderator
didn't bother reading any of the facts. Said the program was out of date and
the report was too abbreviated. (The report was a complete copy of what was
logged; it is what it is.) It might be prudent to limit their help to items
directly related to the HijackThis program. The log didn't show any
problems.

With all the other programs not connecting I think that my situation is not
with the hijacker but elsewhere. Can you suggest any Windows 2000 glitches
that might be causing the problem or direct me to other sources?

I want to expressly thank you for your gracious efforts. It is appreciated.

Sincerely,

Bob
 
Try LSP-Fix - a free program to repair damaged Winsock 2 stacks
http://www.cexx.org/lspfix.htm

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
Hi Bob :-)

Hmm....did you try the LSPFIX or the Winsock Fix? Often, during the removal
of some types of spy or malware, the connection can be damaged or lost.
These two programs are to help repair the connections.

However, according to what I have found thus far on Google, and what it
appears to be is a start page hijacker, and a very nasty variant of the
Coolwebsearch, which may be replicating itself as it is not being fully
cleaned. Here are some more aggressive programs to run, and run them both in
Safe Mode for best results, with Hidden Files enabled, as this will ensure
that all files are accessible for detection and cleaning, and nothing can
interrupt the process, and you will not be in Windows, so they can't hide
from detection, and not in files that are "in use" and can't be cleaned.
Now that we know what it is, we can look for the right removal tool.
Hopefully, what I have provided will help. In the meantime, I will see
what else I can find out on this for you. Continue with the following. I
am sorry this has taken so long, but, these things are not always easy to
determine. Thank you for your patience. :-)

HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339


Download this program here, AdAware with the VX2 add-on
http://www.majorgeeks.com/download4283.html


also.....

About:Buster 4.0
http://www.majorgeeks.com/download4289.html

If the above does not work, then do the following:

Courtesy of Jim Byrd -

Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.

YOU USE THIS PROCEDURE AT YOUR OWN RISK!

Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml

Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.

Write down the name of the DLL file that's displayed!

(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)

Exit Registrar Lite.

Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS Shield Dropper.vbs

Download Silent Runners here:
http://www.silentrunners.org/Silent Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the file name (including the full path)!

(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)

Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS File Cleaner.vbs

Reset your Internet Explorer home page. Your PC should now run normally.

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
 
Jan,

Thanks ever so much but still no solution. Have decided to get some software
that will repartition the drive. Hopefully I can isolate the Windows 2000 to
a small section, install another OS on the other partition and then transfer
the needed files so that I can run on the other system. If it works I'll get
back to this group.

Again, I can't thank you enough for your generous efforts. Have a nice
holiday....


Sincerely,

Bob
 
Hi Bob :-)

You're very welcome! Hope that your strategy will work. Please post back
with a PING for me if it does, I would be very interested to find out what
the results are. Also, reference this post so that I, or others, can retrace
the original problem and steps we've taken thus far.

Thank you for your patience! :-)

Jan :)