cannot get rid of shopnav

After checking out what Star gave you, if you still have a problem then proceed with the below.

I don't believe that C:Windows\System32\??rss.exe is related to ShopNav. And note that filename is not csrss.exe which is valid. There will be a hidden/system file actually named ??rss.exe in your system32 folder.

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Well as I said, if you still have a problem after the clean up procedure, post your log.

 

Have you disabled the built-in firewall of WinXP SP2? If not, you need to do that. You must not use more than one software firewall and you have ZoneAlarm running already. And it is better than the WinXP firewall.

Do you use this Wanadoo Toolbar stuff? Did you install it? I'm not saying it's bad, I just asking if you require it.
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

Is this a Dell PC? I wondering what the below service is:
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

 

Download this LSP - Fix Don't run it! We may or may not need it.

You have traces of an HSA/about:blank hijacker in your log. It's possible after fixing some of the problems below that this may show its ugly head.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.

Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\??rss.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yofwh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [HPZEZLEW] c:\windows\system32\hpzezlew.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [Qpx] C:\WINDOWS\System32\??rss.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)


After clicking Fix, exit HJT.


Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\yofwh.dll
C:\Program Files\NewDotNet <--- the whole folder



Now reboot in normal mode and post a new HJT log. And tell us how things are working.



What do you know about this ErrorNuker program?
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

 

What version of Spybot are you using? What is the detections list version?

You can get this by running Spybot and the click Help and select About!

Then with Spybot open and want you to do the below to fix a few problems with certain malware (include new.net) being ignore by default.

Fixing SpyBot's Ignore Products Bug:
I want you to run SpyBot and get into the Advanced mode by selecting Mode and then
Advanced mode. Then select Settings and the in the left column select Ignore Products.
In the right window pane make sure the All products tab is selected. Then in that
window, right click your mouse and choose "Deselect all". Now in the left pane click
at the top on SpyBot S&D and then choose Search for Updates. Download any updates
required. Now click Check for Problems. Fix any that are found.

If that does not fix the new.net problem, try it again after booting to safe mode. Let me know what happens.

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixnew.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fixnew.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

Let me know if that finishes it off or not.

 

These HSA hijackers sometimes delete certain files on your PC. Tell me where you are finding notepad.exe and also tell me the filesize and dates.

 

You should rename the file in c:\windows\system32 from notepad.exe.bak to notepad.exe
See if everything works now.

If not, you should look at your Accessories shortcut and see where it is pointing to.

 

Okay! So fix them so that the Target and Start in: info are correct.

Target: %SystemRoot%\system32\notepad.exe

Start in: %HOMEDRIVE%%HOMEPATH%


I would be worried that you may have more problems like this.

 

You need to click Start, All Programs, Accessories and right click the notepad icon and then select the Shortcut tab and enter the info I already gave you in the fields as labeled"

Target: %SystemRoot%\system32\notepad.exe

Start in: %HOMEDRIVE%%HOMEPATH%

I cannot tell where this came from. Yes some piece of malware could have done it to prevent you from using notepad. This happens sometimes with HSA hijackers and some other CWS infections.

 

You're HJT log is clean! Are you having any problems?

 

Do you mean when you REBOOT?

Do you have this file on your computer:

Zerocfgsvc.exe which is pert of Intel ProSet.

See info about it here: http://www.answersthatwork.com/Tasklist_pages/tasklist_z.htm

 

You're welcome! You could try checking for new drivers for your hardware. Perhaps that would help.