Please God, somebody help me.

Logfile of HijackThis v1.97.7
Scan saved at 16:38:13, on 16/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\pro91d\bin\AdmSrvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\pro91d\bin\ProSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\WINDOWS\System32\NDrv.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Matt Jackson\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O5 "LPT3:" /M "Stylus C42"
O4 - HKLM\..\Run: [EPSON C42] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P9 "EPSON C42" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [Stylus] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P6 "Stylus" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.3512615741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

I'm pretty new to the whole security thing, although having said that this is my works PC and whilst I haven't been surfing stuff I shouldn't have, I'd like to get it fixed myself.

I have the free AVG, Trojan Remover, Spybot, CWShredder and StartPage guard on here. I keep getting told I have Startpage.6.AQ and to run AVG which I do, and it cleans it but usually within another ten minutes, the bugger is there again.

I've tried cleaning when system restore is off, cause I read that somewhere once, but this unfortunately means I have no System Restore point prior to this rubbish happening.

It all started because I had some spyware jobby that brought up about:blank with SearchFor... as homepage which was incredibly annoying. Got rid of that in the end, but don't actually know how.

Please help me, I feel like I've been anally intruded.

 

HI mattsterrr

Well, let's see if we can get it "clean".

First of all - you should go to Windows Update and get ALL critical Updates !

Pls. save your Hijackthis into its own folder - like C:\Hijackthis

Press Ctrl+Alt+Del and 'end task' on any of the follow that are present:
ms32.exe
NDrv.exe

Check the following items in HijackThis.
Close all windows except HijackThis and click "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O4 - HKLM\..\Run: [System Backup] ms32.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <--------optional

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:

C:\WINDOWS\System32\NDrv.exe

Then reboot and use AdAware as described :
HERE

Spybot S&D
The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Run Hijackthis again and pls. post a FRESH log.

 

Many, many thanks for trying to help cleanse me.

I'll give it a bash on Monday morning, and post a fresh log.

Only problem I can see, at this stage, is that oour IT department (in there infinite wisdom) have asked us NOT to download windows updates anymore as apparently, it was causing havoc.

I suppose I'll have to try without, and post on Monday.

Here's hoping.

Cheers again,

Mattsterrr

 

You're Welcome

Thanks for your feedback and till Monday

 

Right, I followed your instructions implicitly (apart for the critical updates bit, as mentioned in my last post) and this is the latest log. If you can fix this you are truly a a master of cleansing wizardry.

Logfile of HijackThis v1.97.7
Scan saved at 09:44:26, on 19/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\pro91d\bin\AdmSrvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\pro91d\bin\ProSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\RealPopup\RealPopup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Matt Jackson\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O5 "LPT3:" /M "Stylus C42"
O4 - HKLM\..\Run: [EPSON C42] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P9 "EPSON C42" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [Stylus] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P6 "Stylus" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.3512615741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi mattsterrr

Any idea what this is?
c:\pro91d\bin\AdmSrvc.exe

Hmmm........ look at this:

O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com

Your Startpage shows: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/

What is correct?

 

Hi, Marianna

I don't have a clue what AdmSrvc is.

And bbc is the correct homepage.

Just to let you know, the bugger was there again this morning despite being conspicuos in it's absence yesterday.

 

Both clueless about this one: AdmSrvc ? Maybe you RIGHTclick on it and look under Properties??

Check O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
in HJT and click "Fix checked"

Reboot

Better now?