Hi,

I've run an up-to-date version of AdAware V6 and now have SpywareBlaster installed. I've been able to get rid of the netsearchsoft toolbar (BLUESTOPCITY) but still get the passthrough via netsearchsoft when opening IE to the start page (which is Google.co.uk, by the way).

Any ideas how I can stop this? My HijackThis log is below.
Cheers,
GR

Logfile of HijackThis v1.97.7
Scan saved at 09:12:42, on 29/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\NuCam Corp\CamCheck\CamCheck.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\TransModePure\ANTEWMA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\CharlesJMLawson\Application Data\Mini\MiniControlPanel.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...ww.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam Corp.\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TEAM LOAD] C:\PROGRA~1\TransModePure\ANTEWMA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\CharlesJMLawson\Application Data\Mini\MiniControlPanel.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21be18c6ae599a...ip/RdxIE601.cab

Hi Grooverider,

You'll need to do the following in SAFE MODE

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Scan with HijackThis and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...ww.google.co.uk

O4 - HKLM\..\Run: [TEAM LOAD] C:\PROGRA~1\TransModePure\ANTEWMA.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21be18c6ae599a...ip/RdxIE601.cab

While still in SAFE MODE, delete the following folder and it's entire contents:

C:\PROGRAM FILES\TransModePure <--delete folder
.............................................
Reboot back into normal mode and scan once more with HijackThis - post a new log to make sure it is gone

Do you know what this program is? Mini is the folder and the file is MiniControlPanel.exe. If not, please navigate to the file and rightclick (only, do NOT lLeftclick) to see the tabs at the top of the file and write down all the information (Properties, Version, etc.) If you do know what it is, it's ok. I just want to make sure it's legit as I could not find any information about it.

??O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\CharlesJMLawson\Application Data\Mini\MiniControlPanel.exe

Hi again.

First, thanks very much for your help! I was running out of ideas!

I've followed your instructions. The R0 (main start page) line referring to netsearchsoft didn't appear when I ran HijackThis in safe mode, but I deleted the other two lines and the TransModePure folder + contents.

So far, everything is looking pretty good. No passthrough when starting IE (yet). The MiniControlPanel you asked about is a bit of software from Iomega for a USB MiniDrive, so I've left it where it is.

One other thing - Windows asked me to reset System Config settings on start-up and delete the changes I'd just made. I ignored this, but is there a way of stopping System Config on start-up but NOT deleting the changes?

I am very grateful for your help - thanks again.
GR (CJML)

My HijackThis log now looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 18:32:00, on 29/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\NuCam Corp\CamCheck\CamCheck.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\CharlesJMLawson\Application Data\Mini\MiniControlPanel.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam Corp.\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\CharlesJMLawson\Application Data\Mini\MiniControlPanel.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab

Actually, please ignore the question about System Config - I've worked out what was going on.

Many thanks,
All the best,
GR

Great! Your log looks clean :thumb:

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

http://v4.windowsupdate.microsoft.com/en/default.asp