Web Browser Homepage Problem (HiJackThis Log Supplied)

Hey dudes, some how I got spyware onto my pc.. I've cleaned it out with Ad-Aware 6 and SpyBot, but it's taken over my browsers (IE & MYIE2) and sets the homepage to http://jetsearch.org and if I change it just changes it back.. I've cleaned out Temporary Internet Files heaps of times and still it won't go away.. here's my HiJackThis log, hopefully someone can help me.

Logfile of HijackThis v1.97.7
Scan saved at 4:49:40 PM, on 28/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\SYSTEM32\runsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\runsvc32.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Kareem\mIRC\mirc.exe
E:\Kareem\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ESFTP] E:\Kareem\ESftp\esftp.exe /STARTUP
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37359.7897337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C344F572-2563-4D41-9CFA-941962AAB922}: NameServer = 203.2.75.132,198.142.0.51

Thanks in advance

 

Hi kinetx,

Update Windows and IE at earliest convenience please.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org

O4 - HKLM\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe

O4 - HKCU\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe

Then reboot and let me know if it was permanent this time.

Could you please mail me a (preferably zipped) copy of:
C:\WINDOWS\SYSTEM32\runsvc32.exe
Use the address in my profile please.

Regards,

Pieter

 

Hi kinetx,

Thanks for the file.
It was recognized by my scanner as Trojan.Startpage.jp

So you can safely assume it was responsible for your hijack and delete it.

Regards,

Pieter