With friends like these...
So I built my friend a computer after which he proceeded to download massive amounts of porn and get every spyware/malware/virus known to humankind. He now can't get on the internet and as the builder it's somehow up to me to fix it. I know it's not the NIC because when I disconnect from the cable modem it comes up in Windows and tells me a connection is unplugged. Anywho, here's the HJT log, hopefully someone can help because I'm at a bit of an impasse.
Before I post the log I'd also like to mention that upon startup it gives an error that says "CCAPP.exe has generated errors and will be closed by Windows. An error log is being created." When I shut down it says "Rundll32.exe is not responding."
Any help would be greatly appreciated because I'm sick of working on this thing pro bono.
Logfile of HijackThis v1.97.7
Scan saved at 9:38:06 PM, on 5/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Popup Blockade\PopupBlockade.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ABOUTM~1\Safe Log.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iglide.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: vconce - {DEA8CF19-E9EB-9CED-4C33-0999A28B32C2} - C:\PROGRA~1\LinkMapi\Win cast.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Popup Blockade] C:\Program Files\Popup Blockade\PopupBlockade.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [saSyncMgr] rundll32.exe sasync.dll,SyncWait app=SearchAnt wait=10
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Play lies] C:\PROGRA~1\ABOUTM~1\Safe Log.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.8130671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab
Comments
Before running HiJackThis, download LSP-Fix from our downloads area. You're going to need this later. Some spyware apps hijack the actual Winsock DLLs needed for internet access, so there's a possibility internet might not work afterwards.
Reboot the machine in safe mode, rerun HiJackThis, and delete the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iglide.net
This appears legit, but let's delete it for now anyway. He could always redo his start page.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL
O3 - Toolbar: vconce - {DEA8CF19-E9EB-9CED-4C33-0999A28B32C2} - C:\PROGRA~1\LinkMapi\Win cast.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Popup Blockade] C:\Program Files\Popup Blockade\PopupBlockade.exe
O4 - HKLM\..\Run: [Play lies] C:\PROGRA~1\ABOUTM~1\Safe Log.exe
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
A spyware adware blocker. Geez, what scumbags.
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab
Reboot and run the LSP-Fix. Reboot and run Ad-Aware and/or Spybot to see if you caught everything. Repost the latest HiJackThis log so we can check it again. Once everything is clean, administer another beating to your friend, then install SpywareBlaster to immunize his machine against further infections. I also recommend a hosts file that blocks access to known spyware sites. You can read about and download a hosts file here.
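One way to do the recheck the reply asks for, as an added example that is not part of the original thread: it parses HijackThis entry lines, tallies the DLLs reported in the Winsock LSP chain (O10), and lists which flagged entries reappear in a follow-up scan. The function names are hypothetical and the `RESCAN` text is constructed for illustration.

```python
import re
from collections import Counter

# A HijackThis entry is "<section code> - <detail>", e.g. "O10 - Unknown file ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
LSP_PREFIX = "Unknown file in Winsock LSP: "

def parse_entries(log_text):
    """Count each (section, detail) entry; header and process lines are skipped."""
    entries = Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).strip())] += 1
    return entries

def lsp_files(entries):
    """Distinct DLLs listed under O10 (Winsock LSP chain) and how often each appears."""
    found = Counter()
    for (section, detail), count in entries.items():
        if section == "O10" and detail.startswith(LSP_PREFIX):
            found[detail[len(LSP_PREFIX):].lower()] += count
    return found

def still_present(flagged_text, rescan_text):
    """Flagged entries that show up again in the follow-up scan."""
    rescan = parse_entries(rescan_text)
    return sorted(e for e in parse_entries(flagged_text) if e in rescan)

# Subset of the entries in the reply's deletion list, copied from the thread.
FLAGGED = r"""
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
"""

# Constructed follow-up scan for illustration; not from the thread.
RESCAN = r"""
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Artr] C:\Documents and Settings\Administrator\Application Data\urur.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
"""

if __name__ == "__main__":
    print("LSP DLLs flagged:", dict(lsp_files(parse_entries(FLAGGED))))
    for section, detail in still_present(FLAGGED, RESCAN):
        print("still present:", section, "-", detail)
```

Any entry this reports after the safe-mode cleanup and LSP-Fix run is one that came back and needs another look in the reposted log.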