
With friends like these...

So I built my friend a computer after which he proceeded to download massive amounts of porn and get every spyware/malware/virus known to humankind. He now can't get on the internet and as the builder it's somehow up to me to fix it. I know it's not the NIC because when I disconnect from the cable modem it comes up in Windows and tells me a connection is unplugged. Anywho, here's the HJT log, hopefully someone can help because I'm at a bit of an impasse.
Before I post the log I'd also like to mention that upon startup it gives an error that says "CCAPP.exe has generated errors and will be closed by Windows. An error log is being created." When I shut down it says "Rundll32.exe is not responding"
Any help would be greatly appreciated because I'm sick of working on this thing pro bono.

Logfile of HijackThis v1.97.7
Scan saved at 9:38:06 PM, on 5/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Popup Blockade\PopupBlockade.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ABOUTM~1\Safe Log.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iglide.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: vconce - {DEA8CF19-E9EB-9CED-4C33-0999A28B32C2} - C:\PROGRA~1\LinkMapi\Win cast.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Popup Blockade] C:\Program Files\Popup Blockade\PopupBlockade.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [saSyncMgr] rundll32.exe sasync.dll,SyncWait app=SearchAnt wait=10
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Play lies] C:\PROGRA~1\ABOUTM~1\Safe Log.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.8130671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Wow, it's time to smacketh thy friend upside his head. Okay, there's a lot of crap that needs to be removed from his machine. Besides daily beatings, I suggest you install Ad-Aware, Spybot and SpywareBlaster on his machine. All can be found here. Now onto the fun part.

    Before running HiJackThis, download LSP-Fix from our downloads area. You're going to need this later. Some spyware apps hijack the actual Winsock DLLs needed for internet access, so there's a possibility internet might not work afterwards.

    Reboot the machine in safe mode, rerun HiJackThis, and delete the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iglide.net
    This appears legit, but let's delete it for now anyway. He could always redo his start page.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL
    O3 - Toolbar: vconce - {DEA8CF19-E9EB-9CED-4C33-0999A28B32C2} - C:\PROGRA~1\LinkMapi\Win cast.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Popup Blockade] C:\Program Files\Popup Blockade\PopupBlockade.exe
    O4 - HKLM\..\Run: [Play lies] C:\PROGRA~1\ABOUTM~1\Safe Log.exe
    O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    A spyware adware blocker. Geez, what scumbags.

    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab

    Reboot and run the LSP-Fix. Reboot and run Ad-Aware and/or Spybot to see if you caught everything. Repost the latest HiJackThis log so we can check it again. Once everything is clean, administer another beating to your friend, then install SpywareBlaster to immunize his machine against further infections. I also recommend a hosts file that blocks access to known spyware sites. You can read about and download a hosts file here.
  • edited May 2004
    Cool, thanks for the help. I'm going to go work on his machine again tomorrow so hopefully I'll be able to get it alone again. He's jonesing for his Star Wars fix. I'll repost in the next couple days.
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited May 2004
    When your friend gets his computer back again, demonstrate to him how clean it is. Show him how to run Ad-Aware and Spybot. Then you should tell him that any new sludge on his computer is on him. Wouldn't recommend you let him fool with HijackThis. :eek2:
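
Added example, not part of the thread and not HijackThis's own code: a small Python parser for the log format posted above that pulls out the entries Kwitko's reply singles out, the repeated O10 Winsock LSP DLLs and the non-empty R0/R1 browser settings. The function names are hypothetical and the sample is a constructed excerpt of the log in this thread.

```python
import re
from collections import Counter

# Constructed sample: a few result lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iglide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab
"""

# A result line is "<section code> - <detail>", e.g. "O10 - Unknown file ...".
# Header lines and the running-process list do not match this shape.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse_entries(text):
    """Return (code, detail) for every HijackThis result line in the log text."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def lsp_files(entries):
    """Count O10 entries per DLL. The same DLL is listed once per Winsock
    catalog entry it is hooked into, so the count shows how deeply it sits
    in the chain that LSP-Fix has to repair after removal."""
    counts = Counter()
    for code, detail in entries:
        if code == "O10" and ": " in detail:
            counts[detail.split(": ", 1)[1].strip().lower()] += 1
    return counts

def browser_redirects(entries):
    """Map each IE registry value (R0/R1) to the URL it is set to,
    skipping values that are present but empty."""
    redirects = {}
    for code, detail in entries:
        if code in ("R0", "R1") and " = " in detail:
            key, url = detail.rsplit(" = ", 1)
            if url.strip():
                redirects[key] = url.strip()
    return redirects

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for dll, n in lsp_files(entries).items():
        print(f"LSP  {dll} x{n}")
    for key, url in browser_redirects(entries).items():
        print(f"IE   {key} -> {url}")
```
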