[KatW]

Hi Everyone,

I can not get on the Internet at home so I came to work so I can download the W2fix. So can you tell me what I need to do when I get at home? Can I just copy it to a floppy and then take it home and run it on my home computer? I have Windows 98 at home and Windows XP here at work.

I had a Trojan Horse Virus and cleaned that up and a lot of the popups or so I thought. I was still getting some popups so I came to your site and was doing all the steps in the Malware Removel. I had used Ad-Ware and it found 186 pieces of Malware and I put them in quarintine but I somehow deleted all of them. So when I restarted my computer I could longer get on the Internet.

This grandma needs your help. I use my home computer all the time at home to do website so any help will be appreciated.

Thanks,

KatW.

[Advertisements]

Welcome to GTG.

I suggest giving us a HijackThis log afterwards also. There might be other things lurking in there.

Download WinsockFix and put it on a floppy. Take it home and copy that file to your computer. Now double click on it and unzip the exe file that's in there. Next double click on WinsockFix.exe to run it.

[greyknight17]

Welcome to GTG.

I suggest giving us a HijackThis log afterwards also. There might be other things lurking in there.

Download WinsockFix and put it on a floppy. Take it home and copy that file to your computer. Now double click on it and unzip the exe file that's in there. Next double click on WinsockFix.exe to run it.

[KatW]

Hello,

Wow, I can not believe you have replied so fast. Thank you, Thank you, Thank you!!!!! I will go home now and try this. I will send you a log as soon as I can.

Thanks again,

KatW.

[KatW]

Hello,

Well, I copied the W2fx to a floppy (I hope I did this correct) but when I went home and put the floppy in and tried to open it I kept getting this message.

"This program has preformed an illegal operation and will shut down. Quit all programs, and then restart your computer. If the problem persists, contact the program vendor."

Then once I click off that another message came up.

"Restrictions"

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

I am not very good at copying things so maybe if you can tell me how to do this maybe I did something wrong.

Thank you so much,

KatW.

[greyknight17]

Hi KatW, let me take a look at your HijackThis log.

Can you try unzipping that WinsockFix zip file at work and then burn the winsockfix.exe on a CD? Try that at home.

But give me a HijackThis log anyway. I want to see if anything else might be lurking in there.

[KatW]

Hello,

Well, I did get it to work after I clicked on the link you gave me in the email instead of the one on the site. I will send in the report tonight or tomorrow when I get home.

Now, I am not able to get online yet there might be some issues (they were having line problems and put me on a temperary line. Long story.) with my ISP so I am going to talk to him today. Would this affect my ISP login in anyway?

I appreciate you being so patient with me.

I can not thank you enough.

KatW.

[greyknight17]

So it did work? If you run that on your home computer, you should be able to go online.

Now I'm thinking that it might not be a problem with your computer but your ISP since you said they were having some line problems.

It shouldn't affect your login. Once everything is back up, you should be able to login as usual.

[KatW]

Hello again,

I called my ISP and he did changed my log on info so I will be able to get back on line as soon as he resends me the info.

I was getting an error message when I tried to get on a few days ago so I think it must of been when I accidently deleted the things that were in the Quaratined part of Ad-Ware because I think the ISP had me on a temporary account some how while he was getting the lines fixed.

Do you still want me to send you the log information?

Thanks,

KatW.

[greyknight17]

Yes, post the log here. I'll take a quick look.

[KatW]

Ok, Thanks.

[KatW]

Hello,

Well, the weekend is over and I have just finished using all the things you told me to do and have also used HiJackthis and saved a copy of the log. Hope you can open the attachment.

Thanks again,

KatW.

Attached Files

•  hijackthis.log.doc   21KB   15 downloads
•  hijackthis.log.doc   21KB   10 downloads

[KatW]

Hello,

I just wanted you to know what my ISP and I have been dealing with today just in case it might be related to my malware problem. It has to do with my email. I use Outlook Express and it was working fine (could be just an ISP problem) now I can not send out email. I can receive it but not send it. So when you are looking at my log maybe it will tell us if there is a problem there that would cause this problem.

Just thought you should know about this.

Thanks,

KatW

[greyknight17]

OK, we definitely have something here.

Before I forget to ask again, did you read the read me topic yet? If not, see the first link below in my signature (at the very bottom) and follow the steps there. No need to run another HijackThis scan since you gave me one here already. But run Ad-aware and Spybot and the virus scans. Then do the below and give me a new HijackThis log:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [OyjuF] C:\VCSYOOX.EXE
O4 - HKLM\..\Run: [AutoLoadert2sN1ITTNNNI] "C:\WINDOWS\SYSTEM\VFWDLG32.EXE"
O4 - HKLM\..\Run: [t93j36O] VFWDLG32.EXE
O4 - HKCU\..\Run: [cystRWi7W] VDOOOL32.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lls/install.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion...gins/ImmWeb.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\VDOOOL32.EXE
C:\VCSYOOX.EXE
C:\WINDOWS\SYSTEM\VFWDLG32.EXE
VFWDLG32.EXE

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[KatW]

Thanks so much.

I have run Ad Ware, Spybot and my virus protection but I didn't do it the way you just told me so I will do that tonight or tomorrow.

I can not thank you enough for all your help.

KatW.

[KatW]

Hello,

Well, I did everything you said and I did read and do the read me topic. Some of the things you told me to check and fix in the log I sent you were not there but I checked and fixed the ones that were there.

Thanks,

KatW.

Attached Files

•  hijackthisnormalmode.log.txt   7.82KB   152 downloads