HELP with startnow

Status
Not open for further replies.

zacnaphobia

Alright, so I downloaded Warez p2p client, big mistake.
It loaded up a program called Startnow Navigation helper.
I got it out of my browser, but now it won't leave my Add/Remove Programs list.
It's really starting to bug me, especially since I'm kinda starting to think it's pulling in other stuff that I would otherwise be able to get rid of easily, and even block before it got on my comp.

I don't often download stuff, so I know where it came from.

But can anyone give me a clear set of directions for how to get rid of this thing: programs I'll need, places I'll need to go, something, even a link to somewhere that does?

Any help is immensely appreciated, thanks guys.
 
No problem.

Here is what you should try.
1. Reboot in safe mode.
2. Run a search on "startnow" and delete any files that have something to do with your program that you want gone.
3. Remove it from add/remove programs.
4. Run Spybot, Ad-Aware Personal, and some free online scans.
5. Reboot, post how it goes.

All the programs mentioned can be found here...
http://www.techist.com/showthread.php?threadid=53623
 
Still no dice with the Spybot, Ad-Aware, safe mode approach.
I heard something about HijackThis. Any thoughts?
I'm still lookin' for stuff.

If it helps, the message I get every time I click to uninstall it is:

fatal error during installation

If that is relevant, lemme know.
 
Have you removed the folder or files from C:\Program Files\? If you haven't, then do this now, also, it's best to do this in Safe mode. Now, once you're done with that, you can go to
http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm
and download it. This is a registry checker, that is very user-friendly and will let you edit your registry, making backup(s) if you choose. In it you should be able to find this program, and have it removed from the registry via the program, therefore it shouldn't show up in Add/Remove Programs. Hope this helps(ed).

-SkyHi
 
Logfile of HijackThis v1.99.1
Scan saved at 8:55:41 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\gwdmssp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Zac Mudd\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [twkxsn] c:\windows\system32\gwdmssp.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Lemme know if you find anything other than Startnow as well.
 
Delete this ASAP

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Process File: svcproc.exe
Process Name: Trojan.Win32.Stervis.b

Description: svcproc.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its author's sponsors. This program is usually installed through consent, however is sometimes packaged as another product. It is a registered security risk and should be removed immediately.
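
As an added example, not part of the original posts or of HijackThis itself: a small triage pass over the O4 and O23 lines of a log like the one above. It flags services reported with "Unknown owner" and Run entries under the Windows directory whose value name does not match the file name. Both rules are heuristics chosen for this example, a flag is a prompt to look the file up rather than a verdict, and the sample lines are constructed in the thread's log format.

```python
import re
from ntpath import basename, splitext

# Constructed sample in the HijackThis 1.99 line format shown in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [twkxsn] c:\windows\system32\gwdmssp.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: .+ \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"  # assumption: install path as seen in the log


def name_matches_binary(value_name, exe_path):
    """True when the Run value name and the file name share a recognisable stem."""
    stem = splitext(basename(exe_path))[0].lower()
    label = re.sub(r"[^a-z0-9]", "", value_name.lower())
    return stem in label or label in stem


def triage(log_text):
    """Return (section, name, path, reason) tuples for entries worth looking up."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        svc = O23_RE.match(line)
        if svc:
            if svc["owner"].lower() == "unknown owner":
                findings.append(("O23", svc["svc"], svc["path"], "no vendor string"))
            continue
        run = O4_RE.match(line)
        exe = EXE_RE.match(run["cmd"]) if run else None
        if exe and exe["exe"].lower().startswith(WINDOWS_DIR):
            if not name_matches_binary(run["name"], exe["exe"]):
                findings.append(("O4", run["name"], exe["exe"], "name/file mismatch"))
    return findings


if __name__ == "__main__":
    for section, name, path, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name:<10} {path}  ({reason})")
```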
 
Detection and Removal
Manual Removal

Follow these steps to remove StartNow.HyperBar from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Unregister these DLLs with Regsvr32, then reboot:

systemroot+\system\hyperbar.dll
systemroot+\system32\hyperbar.dll


Clean Registry:

HKEY_CLASSES_ROOT\clsid\{1bc1fc4b-b0d2-4d8d-9307-2e40e2a8c257}
HKEY_CLASSES_ROOT\clsid\{4b2f5308-2cb0-40e2-8030-59936ed5d22c}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{4b2f5308-2cb0-40e2-8030-59936ed5d22c}
HKEY_LOCAL_MACHINE\software\classes\clsid\{1bc1fc4b-b0d2-4d8d-9307-2e40e2a8c257}
HKEY_LOCAL_MACHINE\software\classes\clsid\{4b2f5308-2cb0-40e2-8030-59936ed5d22c}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{1bc1fc4b-b0d2-4d8d-9307-2e40e2a8c257}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{4b2f5308-2cb0-40e2-8030-59936ed5d22c}

Remove Files:

systemroot+\system\hyperbar.dll
systemroot+\system32\hyperbar.dll
 