unable to connet to internet, start bar not popping up

Discussion in 'adware, spyware & hijack cleaning' started by darth_coolius, Jan 4, 2004.

Thread Status:
Not open for further replies.
  1. darth_coolius

    darth_coolius Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    12
    I think I d/led something that won't allow my computer to connect to the internet. My start bar won't pop up either when my computer starts up, and i have to cancel a process for it to do so. I tried deleting tempory internet files on IE, but it says it is restricted by the administrator. Here's my log, just tell me if you need anything else...

    Logfile of HijackThis v1.97.7
    Scan saved at 7:04:44 PM, on 1/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\Program Files\aim\aim.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=0C3188D8-BCDE-4E69-B65E-AB1EB047801E&version_id=18
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
    O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
    O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi darth,
    first lemme welcome u here on behalf of all at wilders....
    i suspect you have your computer attacked by spyware
    you can go forward http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
    as your first step... and if that dun work... i suggest u to get spybot search and destroy from http://www.safer-networking.org/index.php?page=mirrors
    ofcourse keep urself posted
    just changed the link.. its cwshredder for u
     
  3. darth_coolius

    darth_coolius Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    12
    thanks, the first link didn't work. i do have sb:sd and it doesn't seem to fix it. it says its going to get rid of some programs after my comp restarts, but it never opens up when my comp comes back on.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi darth_coolius,

    Let's get you back on the internet first. Please download LSPfix from http://www.cexx.org/lspfix.htm
    Use it to remove inetadpt.dll and only that one from your winsock.

    Please post a new log after doing that and cleaning out the spyware following instructions here: http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  5. d_c

    d_c Guest

    okay, i deleted that file. here's my new log, sir:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:34:59 PM, on 1/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINDOWS\mwsvm.exe
    C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
    O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msobfl.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
    O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job, let's clean out the rest.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    N2 - Netscape 6: user_pref("browser.startup.homepage", "wabu.com"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll

    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\mseclk.dll
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll

    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\mscdka.dll
    O2 - BHO: (no name) - {cdf179a1-eb33-4ff9-aeba-110bf1f4bc78} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msobfl.dll

    O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
    O3 - Toolbar: libburtoato - {dcac1edd-24e4-4439-9ec2-e56b5b29c1e8} - C:\DOCUME~1\ROBBYG~1\APPLIC~1\trllgprwoaly.dll

    O4 - HKLM\..\Run: [winactive] \winactive.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe

    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

    O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.77/webplugin.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab


    Reboot after doing so, into safe mode and delete:

    C:\Program Files\INCREDIFIND <= entire folder
    C:\Program Files\COMMONNAME <= entire folder
    C:\Program Files\AproposClient <= entire folder
    C:\Program Files\Window Active <= entire folder
    C:\WINDOWS\Belt.exe
    C:\Program Files\Common Files\slmss <= entire folder
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\stcloader.exe
    C:\WINDOWS\System32\version.exe
    C:\Program Files\AUTOUPDATE <= entire folder
    C:\Program Files\RSNet <= entire folder
    C:\WINDOWS\System32\msccof.exe
    C:\Program Files\Common Files\updater\wupdater.exe

    Please read http://boards.cexx.org/viewtopic.php?t=957 on how to minimize the chances of getting infected again.

    Regards,

    Pieter
     
  7. d_c

    d_c Guest

    i couldn't find version.exe, but i found version.dll. it wouldnt delete tho. everything else i got rid of. my start bar is fixed, but my comp still won't connect to the net. what should I do now? :(
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi d_c,

    Could you please run the latest version of CWShredder (1.42.0)
    Then reboot and post a new log.
    Leave version.dll alone, please.

    Keep us posted,

    Pieter
     
  9. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    please repost ur log d_c
    thx
     
  10. d_c

    d_c Guest

    okay, here it is:

    CWShredder v1.41.2 scan only report

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Robby G\Application Data
    Username: Robby G

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
     
  11. dc

    dc Guest

    sorry, here's the updated version's log...

    CWShredder v1.42.0 scan only report

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Robby G\Application Data
    Username: Robby G

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
     
  12. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    d_c
    run the fix in the cwshredder... make sure u have no browser window opened and then post ur updated HIJACKTHIS log
     
  13. dc

    dc Guest

    CWShredder v1.42.0 scan only report

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Robby G\Application Data
    Username: Robby G

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (850 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Found Win.ini file: C:\WINDOWS\win.ini (608 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi dc,

    Sorry for being unclear. Use the Fix button in CWShredder. Then restart your computer, run HijackThis again and then post the new HijackThis log.

    Regards,

    Pieter
     
  15. dc

    dc Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 2:59:16 PM, on 1/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Robby G\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Robby G\Application Data\Mozilla\Profiles\default\4vz8l6o6.slt\prefs.js)
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi dc,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll (file missing)

    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

    Then reboot and copy&paste the bold into an Internet Explorer Address Bar.
    javascript:navigator.userAgent

    Post the result that appears in the IE screen please.

    Regards,

    Pieter
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    dc,

    Ignore the advise of subratam in this case.

    Subratam, sorry mate, but please let me handle this one. OK?

    Regards,

    Pieter
     
  18. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    pieter,
    its all ok mate... go forward.. i step aside.. :) no probz.. good luck
    (I have deleted my msg to keep away any confusion :) )
     
  19. dc

    dc Guest

    okay, here it is:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {59B496F4-1FA4-446A-8FBC-930354C102B0})
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I was afraid of that. Something hijacked your explorer.

    First we will need to figure out what it is and where it is.

    In order to do so please do this:

    Click Start > Run > type regedit > click OK
    That will open the registry-editor.
    Do a search for {59B496F4-1FA4-446A-8FBC-930354C102B0}
    Everytime it is found rightclick the open "folder" in the left hand pane and choose export. Save the files as .txt files and post the content of those files please.

    Also do a Find/Files for {59B496F4-1FA4-446A-8FBC-930354C102B0}
    If my suspicion is right you will find a file called msg{59B496F4-1FA4-446A-8FBC-930354C102B0}0115.dll
    But I would be interested in any other file name with that string in it.

    Let me know if and where you find it. Also rightclick it and choose properties. I'd like to know the company name mentioned on the version tab.

    If possible also rightclick your taskbar and choose Toolbars. Anything not listed below is suspect:
    Links
    Address
    Desktop
    Quick Launch
    Language
    =======
    New toolbar

    The following order may be different and I may have guessed wrong on some translations, but you will get my drift if you notice something unusual.

    Regards,

    Pieter
     
  21. Mosaic1

    Mosaic1 Guest

    Hi Pieter,
    This is how I remove L2M or one of its clones in XP.

    Copy the contents of the Quote box to Notepad. Name as L2m.vbs Save as All files Save in C:\
    You want to remember the path to this file as C:\L2m.vbs
    Once you have it saved, open Task Manager and click the processes tab. Click Explorer.exe and then click the end Process button. this will close Explorer.exe No desktop icons and no taskbar. Click the Applications tab. Click the New Task Button. A box will appear. Type in the path to the script you created.

    C:\L2m.vbs and then click ok.

    Next, Click shutdown on the task manager toolbar. Scroll down and either Restart or log off. (and then you can log back on again)
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Mosaic1, :)

    Are you positive it's another L2M clone?
    I have not seen that CLSID before, but if you say so dc does not have to go through the ordeal I posted and can use your script straight away.

    Regards,

    Pieter
     
  23. darth_coolius

    darth_coolius Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    12
    okay, i did that l2m thing and nothing happened. i'm trying peiter's way now, but i don't know how to do the first part. there is no search option in the registry log thing. my comp is currently searching for that string, so I'll update you once it's done.
     
  24. Mosaic1

    Mosaic1 Guest

    That method has had 100% success. Did you use Task Manager to end the explorer process before running the script? And then restart or logoff and back on after?
     
  25. darth_coolius

    darth_coolius Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    12
    yeah did everything u said, maybe i don't have what u said. so what should i do now guys? o_O
     
Thread Status:
Not open for further replies.