[procbp]

I have a laptop that was infected with alot of adware/spyware/etc. I have run Spybot and TZ Spyware, which found and fixed many items. Also, Symantec and AVG free have reported no viruses. There is still some wierd browser behavior. I get some strange pop-ups. Sometimes IE launches while I am browsers Windows Explorer. See my hijack log below and startup log. Thanks for any advice


Logfile of HijackThis v1.97.7
Scan saved at 12:46:21 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SYSTEM32\Rpcnet.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Starfish\TrueSync\tstool.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WLANCfgA.exe] C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/F...n/RSFormsTV.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://eformrs.com/RSLoginModule.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/F...n/RSFormsDP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7711.4206828704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE0FA400-8EF7-11D3-8795-00A0C9EF9624} (RSFPageSave Class) - http://eformrs.com/F...pen/RSFSave.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com...ormControl2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aga.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aga.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aga.com


StartupList report, 6/16/2004, 12:44:49 PM
StartupList version: 1.52
Started from : C:\unzipped\hijackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SYSTEM32\Rpcnet.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Starfish\TrueSync\tstool.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\unzipped\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\rdobie\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
WLANCfgA.exe = C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
pdfFactory Dispatcher v2 = C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.Exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

WebReg 20030313190909.job

--------------------------------------------------

Enumerating Download Program Files:

[RSFTreeView Class]
InProcServer32 = C:\WINNT\System32\RSFormsTV.dll
CODEBASE = http://eformrs.com/F...n/RSFormsTV.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\SYSTEM32\MACROMED\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[CLRMachineInfoCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\CLRMachineInfo.dll
CODEBASE = http://eformrs.com/RSLoginModule.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0309.cab

[WebIQ Technology Client]
InProcServer32 = C:\Program Files\WebIQ\WebIQClientLib.dll
CODEBASE = http://webiq001.webi...Q/bin/WebIQ.cab

[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[ParallelGraphics Cortona Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\cortona_control.dll
CODEBASE = http://www.parallelg...in/cortvrml.cab

[RSFDisplay Class]
InProcServer32 = C:\WINNT\System32\RSFormsDP.dll
CODEBASE = http://eformrs.com/F...n/RSFormsDP.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7711.4206828704

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[RSFPageSave Class]
InProcServer32 = C:\WINNT\System32\RSFSave.dll
CODEBASE = http://eformrs.com/F...pen/RSFSave.cab

[WebForm Launch Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\WebForm.dll
CODEBASE = http://files.stf.com...ormControl2.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,553 bytes
Report generated in 0.280 seconds

[Advertisements]

Hi procbp, welcome to Geeks to Go!

You've done a good job. Your log is clear.

However it's not a good idea to run two antivirus programs on the same system. You should choose either NAV or AVG.

Since your log is clear, but your still getting pop-ups (especially the ones when you're not in Internet Explorer) you probably have a Look2Me infection.

First let's try this removal software: http://www.geekstogo...n=download&id=9

It would also be a good idea to reset your hosts file, try this program:
http://www.geekstogo...tion=show&id=22

[admin]

Hi procbp, welcome to Geeks to Go!

You've done a good job. Your log is clear.

However it's not a good idea to run two antivirus programs on the same system. You should choose either NAV or AVG.

Since your log is clear, but your still getting pop-ups (especially the ones when you're not in Internet Explorer) you probably have a Look2Me infection.

First let's try this removal software: http://www.geekstogo...n=download&id=9

It would also be a good idea to reset your hosts file, try this program:
http://www.geekstogo...tion=show&id=22

[procbp]

Thanks for your help. I will try the removal tool as suggested. I was running only Symantec, but added AVG to help solve this problem. I will remove one. One curious thing is that I actually deleted the hosts file because of some strange entries and the hosts file receated instantly. I cannot change or delete the hosts file.

[procbp]

I ran the removal tool. i'm not sure it did anything. The first message said it could not find any LOP in uninstall and asked me to force remove. I said yes and then nothing appeared to happen. I reset the hosts file with tool suggested. After reboot, the hosts file was changed with some redirection entries and web pages keep popping. The pop-ups initially have c-azjmp or azoogle before they redirect to another site. Any further thoughts would be appreciated. I am about to give-up and reinstall windows.

Brian

[admin]

Hi Brian,

Can you paste the contents of your hosts file? It may help identify what we're dealing with here.

Also, wouldn't hurt to run CWShredder:
http://www.geekstogo...tion=show&id=17

[procbp]

Thanks for your continued help. I have run CWS shredder. first time it appeared it fixed on the of the variants and fixed hosts file. If I run it again everything appears clean.

Below see new entries that keep being added to Hijack log. They return after after being fixed:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


This is my hosts file. All these entries return after being deleted:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host


127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch

[admin]

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

Vx2Finder: http://www.geekstogo...=download&id=19

[procbp]

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\ApLEDIT.DLL


Guardian Key--- is called: GuardianSQNSA
Asynchronous 000
DllName C:\WINNT\system32\ApLEDIT.DLL
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {54BD1A8D-3680-4105-99A1-3105F30455C1}
IDex DS4

User Agent String---
{54BD1A8D-3680-4105-99A1-3105F30455C1}

[admin]

Looks like we've found it.

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder again, and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (go ahead and Reboot).

----------
Once back in Windows

Open VX2Finder once more, and click on these buttons in the right pane:

"user agent", "Guardian.reg" & "restore policy"

Exit and reboot.

Run Vx2Finder for the last time, and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here along with a fresh HijackThis log please.

[procbp]

Ding Dong the witch is dead (I hope). Thanks for all the help.


Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---


Logfile of HijackThis v1.97.7
Scan saved at 2:42:58 PM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SYSTEM32\Rpcnet.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WLANCfgA.exe] C:\Program Files\Instant 802.11a Wireless\WLANCfgA.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/F...n/RSFormsTV.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://eformrs.com/RSLoginModule.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/F...n/RSFormsDP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7711.4206828704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE0FA400-8EF7-11D3-8795-00A0C9EF9624} (RSFPageSave Class) - http://eformrs.com/F...pen/RSFSave.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com...ormControl2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aga.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aga.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aga.com

[admin]

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.geekstogo...tion=show&id=12

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.

[Kat]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.