unable to connet to internet, start bar not popping up

I think I d/led something that won't allow my computer to connect to the internet. My start bar won't pop up either when my computer starts up, and i have to cancel a process for it to do so. I tried deleting tempory internet files on IE, but it says it is restricted by the administrator. Here's my log, just tell me if you need anything else...

Logfile of HijackThis v1.97.7
Scan saved at 7:04:44 PM, on 1/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\aim\aim.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=0C3188D8-BCDE-4E69-B65E-AB1EB047801E&version_id=18
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab

 

hi darth,
first lemme welcome u here on behalf of all at wilders....
i suspect you have your computer attacked by spyware
you can go forward http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
as your first step... and if that dun work... i suggest u to get spybot search and destroy from http://www.safer-networking.org/index.php?page=mirrors
ofcourse keep urself posted
just changed the link.. its cwshredder for u

 

thanks, the first link didn't work. i do have sb:sd and it doesn't seem to fix it. it says its going to get rid of some programs after my comp restarts, but it never opens up when my comp comes back on.

 

Hi darth_coolius,

Let's get you back on the internet first. Please download LSPfix from http://www.cexx.org/lspfix.htm
Use it to remove inetadpt.dll and only that one from your winsock.

Please post a new log after doing that and cleaning out the spyware following instructions here: http://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

okay, i deleted that file. here's my new log, sir:

Logfile of HijackThis v1.97.7
Scan saved at 1:34:59 PM, on 1/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msobfl.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab

 

Good job, let's clean out the rest.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll

O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msobfl.dll

O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll

O4 - HKLM\..\Run: [winactive] \winactive.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab


Reboot after doing so, into safe mode and delete:

C:\Program Files\INCREDIFIND <= entire folder
C:\Program Files\COMMONNAME <= entire folder
C:\Program Files\AproposClient <= entire folder
C:\Program Files\Window Active <= entire folder
C:\WINDOWS\Belt.exe
C:\Program Files\Common Files\slmss <= entire folder
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\version.exe
C:\Program Files\AUTOUPDATE <= entire folder
C:\Program Files\RSNet <= entire folder
C:\WINDOWS\System32\msccof.exe
C:\Program Files\Common Files\updater\wupdater.exe

Please read http://boards.cexx.org/viewtopic.php?t=957 on how to minimize the chances of getting infected again.

Regards,

Pieter

 

i couldn't find version.exe, but i found version.dll. it wouldnt delete tho. everything else i got rid of. my start bar is fixed, but my comp still won't connect to the net. what should I do now?

 

Hi d_c,

Could you please run the latest version of CWShredder (1.42.0)
Then reboot and post a new log.
Leave version.dll alone, please.

Keep us posted,

Pieter

 

please repost ur log d_c
thx

 

okay, here it is:

CWShredder v1.41.2 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Robby G\Application Data
Username: Robby G

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

- END OF REPORT -

 

sorry, here's the updated version's log...

CWShredder v1.42.0 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Robby G\Application Data
Username: Robby G

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

- END OF REPORT -

 

d_c
run the fix in the cwshredder... make sure u have no browser window opened and then post ur updated HIJACKTHIS log

 

CWShredder v1.42.0 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Robby G\Application Data
Username: Robby G

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

- END OF REPORT -

 

Hi dc,

Sorry for being unclear. Use the Fix button in CWShredder. Then restart your computer, run HijackThis again and then post the new HijackThis log.

Regards,

Pieter

 

Logfile of HijackThis v1.97.7
Scan saved at 2:59:16 PM, on 1/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi dc,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll (file missing)

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

Then reboot and copy&paste the bold into an Internet Explorer Address Bar.
javascript:navigator.userAgent

Post the result that appears in the IE screen please.

Regards,

Pieter

 

dc,

Ignore the advise of subratam in this case.

Subratam, sorry mate, but please let me handle this one. OK?

Regards,

Pieter

 

pieter,
its all ok mate... go forward.. i step aside.. no probz.. good luck
(I have deleted my msg to keep away any confusion )

 

okay, here it is:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {59B496F4-1FA4-446A-8FBC-930354C102B0})

 

I was afraid of that. Something hijacked your explorer.

First we will need to figure out what it is and where it is.

In order to do so please do this:

Click Start > Run > type regedit > click OK
That will open the registry-editor.
Do a search for {59B496F4-1FA4-446A-8FBC-930354C102B0}
Everytime it is found rightclick the open "folder" in the left hand pane and choose export. Save the files as .txt files and post the content of those files please.

Also do a Find/Files for {59B496F4-1FA4-446A-8FBC-930354C102B0}
If my suspicion is right you will find a file called msg{59B496F4-1FA4-446A-8FBC-930354C102B0}0115.dll
But I would be interested in any other file name with that string in it.

Let me know if and where you find it. Also rightclick it and choose properties. I'd like to know the company name mentioned on the version tab.

If possible also rightclick your taskbar and choose Toolbars. Anything not listed below is suspect:
Links
Address
Desktop
Quick Launch
Language
=======
New toolbar

The following order may be different and I may have guessed wrong on some translations, but you will get my drift if you notice something unusual.

Regards,

Pieter

 

Hi Pieter,
This is how I remove L2M or one of its clones in XP.

Copy the contents of the Quote box to Notepad. Name as L2m.vbs Save as All files Save in C:\
You want to remember the path to this file as C:\L2m.vbs

Once you have it saved, open Task Manager and click the processes tab. Click Explorer.exe and then click the end Process button. this will close Explorer.exe No desktop icons and no taskbar. Click the Applications tab. Click the New Task Button. A box will appear. Type in the path to the script you created.

C:\L2m.vbs and then click ok.

Next, Click shutdown on the task manager toolbar. Scroll down and either Restart or log off. (and then you can log back on again)

 

Hi Mosaic1,

Are you positive it's another L2M clone?
I have not seen that CLSID before, but if you say so dc does not have to go through the ordeal I posted and can use your script straight away.

Regards,

Pieter

 

okay, i did that l2m thing and nothing happened. i'm trying peiter's way now, but i don't know how to do the first part. there is no search option in the registry log thing. my comp is currently searching for that string, so I'll update you once it's done.

 

That method has had 100% success. Did you use Task Manager to end the explorer process before running the script? And then restart or logoff and back on after?

 

yeah did everything u said, maybe i don't have what u said. so what should i do now guys?