help! no internet connection due to reckless deletion

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by awsg13, Nov 4, 2004.

  1. awsg13

    awsg13 Private E-2

    Hi,
    As a newbie, it was folly of me to delete all the items detected by HijackThis and LSPFix without saving a backup. Now I have lost the internet connection due to the reckless deletion. Please help me to address the problem.

    More information: the OS is Win2000. Pinging any website gets no response. The network card seems not to be able to catch the IP (it's showing IP 169... instead of 192...).

    Thanks for your help.

    Max
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you had one of the newer versions of HJT, it makes backups automatically as long as it is installed in a place where it can do that. So, run it, click Config and then Backups, and restore what you deleted.
     
  3. jarcher

    jarcher I can't handle a title

    The read-me .txt for lspfix states:

    I too made that mistake,
    would that be a possibility in your case?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    jarcher,

    That's most likely part of his problem, but there are many files that could have been in the LSP chain. You're right, we do need to get Winsock back on the PC, but the other files that were deleted will have to be reinstalled via the applications they came from. We don't know what that list is.

    Also, using HJT to fix ALL lines it displays is a big problem unless HJT with backup ability was used.
     
  5. awsg13

    awsg13 Private E-2

    Hi,
    Thanks to all you guys for the help. I followed the fix Winsock2 corruption guide at this link: http://support.microsoft.com/default.aspx?scid=KB;[LN];811259
    Now the internet is BACK!

    However, there is another problem: while opening a Word file, it keeps asking me to install Microsoft Office. However, I can neither uninstall Office (from Add/Remove Programs) nor install Office from the CD-ROM.
    Please help me out, thanks!

    Max
     
  6. awsg13

    awsg13 Private E-2

    Help! Can't open Microsoft Word files after killing spyware.

    Hi,
    After running Spybot, Ad-Aware, HijackThis, and LSPFix, I can't open Word files. It keeps asking me to install Microsoft Office, even though it's already installed. But I can neither uninstall Office (from Add/Remove Software) nor install Office from the CD-ROM. Please help me out.
    Thanks,
    Max
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See message # 2 & 4 and provide some feedback. Your problem is due to what you had Hijackthis do.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Help! Can't open Microsoft Word files after killing spyware.

    You already have a thread started for these problems; stay in that thread. I'm merging you back.
     
  9. awsg13

    awsg13 Private E-2

    Hi Chaslang,

    Following your guidance, I have reinstalled all the backups from HijackThis. Still, I can't open MS Word files. Please help!

    The following is the latest HijackThis log. Please point out the suspicious entries. Thanks a lot!

    Max

    Logfile of HijackThis v1.98.2
    Scan saved at 4:53:09 PM, on 11/10/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\oracle\ora81\bin\dbsnmp.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\CSBB\CSV7P070.exe
    C:\documents and settings\administrator\local settings\temp\i2OjG.exe
    C:\documents and settings\administrator\local settings\temp\jiK4P.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Documents and Settings\Administrator\Application Data\stso.exe
    C:\WINNT\System32\?hkdsk.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\documents and settings\administrator\local settings\temp\0aaJQeR.exe
    C:\WINNT\System32\cmd.exe
    C:\spyware removal\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\hsvlt.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {A4A58A2C-B039-432B-8BC1-DCA7AC0757DC} - (no file)
    O2 - BHO: (no name) - {45FD672D-B73F-0BBF-D50B-62550CF57D49} - C:\WINNT\System32\fbvlu.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\hy9Xx.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [i2OjG.exe] C:\documents and settings\administrator\local settings\temp\i2OjG.exe
    O4 - HKLM\..\Run: [jiK4P.exe] C:\documents and settings\administrator\local settings\temp\jiK4P.exe
    O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [0aaJQeR.exe] c:\documents and settings\administrator\local settings\temp\0aaJQeR.exe
    O4 - HKCU\..\Run: [Caaa] C:\Documents and Settings\Administrator\Application Data\bsie.exe
    O4 - HKCU\..\Run: [Yrmahd] C:\WINNT\System32\??oolsv.exe
    O4 - HKCU\..\Run: [awr6RijsQ] br5almon.exe
    O4 - HKCU\..\Run: [Naca] C:\Documents and Settings\Administrator\Application Data\stso.exe
    O4 - HKCU\..\Run: [Cnzdmh] C:\WINNT\System32\?hkdsk.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149024 (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.sinago.com/download/OroCheck.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
     
  10. jarcher

    jarcher I can't handle a title

    For next time, you need to attach your log as a .txt file,
    and when running HJT, close all browsers (including this one) and all tray and unneeded background programs.


    Now, have you run through the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal here:
    http://forums.majorgeeks.com/showthread.php?t=35407

    If not, please do so.
    I apologize for not bringing that up earlier.

    run through that then run HJT again



    end process tree using ctrl>alt>del remove them manually and check them
    check these
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\hsvlt.dll/sp.html#29126

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {A4A58A2C-B039-432B-8BC1-DCA7AC0757DC} - (no file)

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

    O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run

    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

    O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149024 (file missing)


    also check these possible trojans:

    C:\documents and settings\administrator\local settings\temp\i2OjG.exe
    C:\documents and settings\administrator\local settings\temp\jiK4P.exe
    C:\Documents and Settings\Administrator\Application Data\stso.exe
    c:\documents and settings\administrator\local settings\temp\0aaJQeR.exe
    O4 - HKLM\..\Run: [i2OjG.exe] C:\documents and settings\administrator\local settings\temp\i2OjG.exe
    O4 - HKLM\..\Run: [0aaJQeR.exe] c:\documents and settings\administrator\local settings\temp\0aaJQeR.exe
    O4 - HKCU\..\Run: [Caaa] C:\Documents and Settings\Administrator\Application Data\bsie.exe
    O4 - HKCU\..\Run: [Naca] C:\Documents and Settings\Administrator\Application Data\stso.exe

    Now close everything (including Internet Explorer) and click Fix.
    If there are things here that are not in your new HJT scan, that's OK, just fix what is above.
    Run HJT again and post a new log.
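
Added example, not part of the thread and not a HijackThis or MajorGeeks tool: a small Python triage over a few lines taken from the log posted above. It flags the kind of entries singled out in the previous post (executables started from Temp or Application Data) plus file names containing `?`. The three heuristics and all function names are assumptions of this example.

```python
import re

# A small subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\services.exe
C:\documents and settings\administrator\local settings\temp\i2OjG.exe
C:\WINNT\System32\?hkdsk.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [i2OjG.exe] C:\documents and settings\administrator\local settings\temp\i2OjG.exe
O4 - HKCU\..\Run: [Naca] C:\Documents and Settings\Administrator\Application Data\stso.exe
O4 - HKCU\..\Run: [Yrmahd] C:\WINNT\System32\??oolsv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.+)$")  # registry Run entries
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', re.I)  # executable part of a command line
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)  # a line from "Running processes"

def reasons_for(path):
    """Heuristic flags for one executable path (this example's heuristics, not HijackThis output)."""
    p = path.lower()
    checks = [("\\local settings\\temp\\" in p, "runs from Temp"),
              ("\\application data\\" in p, "runs from Application Data"),
              # '?' is illegal in Windows file names: the log could not render a character
              ("?" in p.rsplit("\\", 1)[-1], "unrenderable character in file name")]
    return [label for hit, label in checks if hit]

def triage(log):
    """Return (source, path, flags) for every flagged process or Run entry."""
    hits = []
    for line in (l.strip() for l in log.splitlines()):
        run = RUN_RE.match(line)
        if run:
            exe = EXE_RE.match(run.group(3))
            path = (exe.group(1) or exe.group(2)) if exe else run.group(3)
            source = f"{run.group(1)} Run [{run.group(2)}]"
        elif PROC_RE.match(line):
            path, source = line, "process"
        else:
            continue  # other HijackThis sections are out of scope here
        flags = reasons_for(path)
        if flags:
            hits.append((source, path, flags))
    return hits

if __name__ == "__main__":
    for source, path, flags in triage(SAMPLE_LOG):
        print(f"{source}: {path} -> {', '.join(flags)}")
```

A flag marks an entry for a closer look before it is fixed; it says nothing about entries under Program Files or System32 with ordinary names.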
     
  11. awsg13

    awsg13 Private E-2

    Hi,

    Thanks for your help! I apologize for posting the HijackThis log to the mail directly the last time.

    After following the steps in the READ ME FIRST at http://forums.majorgeeks.com/showthread.php?t=35407, I fixed the entries as you have suggested in the HijackThis scan. Running HijackThis again, I got the new HijackThis log file, which is attached to the mail.

    Here are three questions,

    1. Some of the entries which were fixed by running HijackThis the first time are coming back again. Is there a way to permanently remove them?

    2. You asked me to manually remove NaviSearch, CashBack and BullsEye using ctrl>alt>del. But the process tree does not show these background programs. When I tried to remove their related subfolders under the Program Files folder, it would not allow me to do so, because the processes are running. How do I show the background processes in the process tree?

    3. Microsoft Word is still not working. It sounds like it has nothing to do with HijackThis. Could it be the result of running LSPFix? I can neither re-install nor uninstall MS Office 2000. Should I try installing a later version of MS Office? Does it work?

    Your help is appreciated!

    Max
     


  12. jarcher

    jarcher I can't handle a title

    so you have run:

    Ad-Aware SE
    CCleaner
    Spybot
    SpywareBlaster
    McAfee AVERT Stinger
    CWShredder
    Kill2me
    about:Buster
    HSRemove

    and all the online scans?
    disabled System Restore?

    when you were here http://forums.majorgeeks.com/showthread.php?t=35407
    did you follow it to the HJT link here
    http://forums.majorgeeks.com/showthread.php?t=38752

    sorry, I am still pretty new at this (I was thinking you were running XP)
    check add/remove programs and see below
    open the task manager and find
    hkdsk.exe
    nls.exe
    cashback.exe
    bargains.exe



    if they are not here, I don't know what to tell you. .right now
    that I cannot quite answer


    and where did this come from I wonder. . . ?
    C:\Program Files\CSBB\CSV7P070.exe

    let me get back to you. . . .its late. . .
     
    Last edited: Nov 13, 2004
