spyware messed my home page and other stuff
Hi,
I got some bad case of spyware, I guess. From reading similar postings, it looks like I'm not alone. I tried a lot of what's out there, but all the spyware programs could not help me. The thing is, something messed up my IE and now my home page is set to res://prawy.dll/index.html#96676, and I have all sorts of pop-ups (most of them sell anti-pop-up software!)
I downloaded HijackThis and here is the log:
Logfile of HijackThis v1.97.7
Scan saved at 1:52:37 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\mfckw32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Windows\system32\mfcym32.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\xavier\My Documents\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\prawy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prawy.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prawy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\prawy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prawy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\prawy.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.bloomberg.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {74EE13F3-4F7F-9428-EAE7-54C71206013B} - C:\Windows\winsb32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mfcym32.exe] C:\Windows\system32\mfcym32.exe
O4 - HKLM\..\RunOnce: [mfckw32.exe] C:\Windows\mfckw32.exe
O4 - HKLM\..\RunOnce: [apibb.exe] C:\Windows\system32\apibb.exe
O4 - HKLM\..\RunOnce: [appgg.exe] C:\Windows\system32\appgg.exe
O4 - HKLM\..\RunOnce: [crsx32.exe] C:\Windows\crsx32.exe
O4 - HKLM\..\RunOnce: [sdkej32.exe] C:\Windows\system32\sdkej32.exe
O4 - HKLM\..\RunOnce: [d3cr.exe] C:\Windows\system32\d3cr.exe
O4 - HKLM\..\RunOnce: [atlfv.exe] C:\Windows\atlfv.exe
O4 - HKLM\..\RunOnce: [netpa.exe] C:\Windows\netpa.exe
O4 - HKLM\..\RunOnce: [crxv.exe] C:\Windows\system32\crxv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.advisorinsight.com
O15 - Trusted Zone: http://www.gunnallen.net
O16 - DPF: Pristine RTR Client - http://chat.pristine.com/rtr/PristineRTR.CAB
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STJNILoader.cab
O16 - DPF: Sametime Meeting Toolkit ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STMeeting.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37741.8030671296
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
In addition, one of the spyware programs found "Alexa"; no clue what it is, but I would like to get rid of it as well.
Your help is most appreciated.
X
Comments
CW shredder did most of it:
CWShredder direct download: http://209.133.47.12/~merijn/files/CWShredder.exe
Then I ran 3 spyware programs like Ad-aware and S&D.
I had it come up one more time on a reboot, and the first thing I did was run HijackThis and fix everything related to sp.html and about:blank, which would be all of the R0 and R1s you're showing. It's also showing a prawy.dll in your Windows dir that you probably want to delete, but wait till someone seconds that, because I'm not an expert on this.
Hope it helps man, I had an annoying time researching that thing.
Make sure it is version 1.59.0 (It will show the version in the first open screen)
Next, move HiJack This (HJT) to its own folder. HJT makes a backup when items are fixed and the backups are easier to find when in their own folder, rather than in the "Downloads" folder, where other programs probably reside.
Close all windows and run CWShredder.
Then, reboot into safe mode and run CWShredder again.
Run HJT and remove the following entries if they still exist (I suspect most will be gone):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\prawy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prawy.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about_:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prawy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\prawy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prawy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\prawy.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about_:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about_:blank
O2 - BHO: (no name) - {74EE13F3-4F7F-9428-EAE7-54C71206013B} - C:\Windows\winsb32.dll
O4 - HKLM\..\Run: [mfcym32.exe] C:\Windows\system32\mfcym32.exe
O4 - HKLM\..\RunOnce: [mfckw32.exe] C:\Windows\mfckw32.exe
O4 - HKLM\..\RunOnce: [apibb.exe] C:\Windows\system32\apibb.exe
O4 - HKLM\..\RunOnce: [appgg.exe] C:\Windows\system32\appgg.exe
O4 - HKLM\..\RunOnce: [crsx32.exe] C:\Windows\crsx32.exe
O4 - HKLM\..\RunOnce: [sdkej32.exe] C:\Windows\system32\sdkej32.exe
O4 - HKLM\..\RunOnce: [d3cr.exe] C:\Windows\system32\d3cr.exe
O4 - HKLM\..\RunOnce: [atlfv.exe] C:\Windows\atlfv.exe
O4 - HKLM\..\RunOnce: [netpa.exe] C:\Windows\netpa.exe
O4 - HKLM\..\RunOnce: [crxv.exe] C:\Windows\system32\crxv.exe
Then, while still in safe mode, check to see if any of these files still exist, and if so, delete them:
C:\Windows\mfckw32.exe
C:\Windows\system32\mfcym32.exe
Run CWShredder again (while still in safe mode).
Reboot normally.
Run HJT again and post a new log (there are some questionable entries e.g., trusted zones and restrictions that can be discussed).
Also, I assume that you installed XOFTSPY.
This may or may not completely cure the about:blank problem. If about:blank comes back, we'll have to work on removing the hidden reloader.
Logfile of HijackThis v1.97.7
Scan saved at 5:49:07 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.bloomberg.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.advisorinsight.com
O15 - Trusted Zone: http://www.gunnallen.net
O16 - DPF: Pristine RTR Client - http://chat.pristine.com/rtr/PristineRTR.CAB
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STJNILoader.cab
O16 - DPF: Sametime Meeting Toolkit ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STMeeting.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37741.8030671296
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I must tell you, so far so good.
There are, however, two items in the Control Panel Add/Remove software list that I assumed were part of this. One is "Home Search Assistant" and the other one is "Shopping wizard".
I am eternally thankful for your help!
PS: how do I know if I'm really cured?
I guess you'll know that you're really cured when after a couple of days you are still not getting the pop-ups and redirects.
I would say "Home Search Assistant" and "Shopping wizard" could be removed.
I will now pass this for review to one of the other moderators with more experience than me.
Anyone else see something I missed?
The other one sends me the same error, just the last part changes. I don't know if this an issue or not.
X
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
and I'm not sure about:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.advisorinsight.com
O15 - Trusted Zone: http://www.gunnallen.net
O16 - DPF: Pristine RTR Client - http://chat.pristine.com/rtr/PristineRTR.CAB
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packag...STJNILoader.cab
O16 - DPF: Sametime Meeting Toolkit ST30SP1 - http://chat.pristine.com/RTR/Packag...0/STMeeting.cab
I would leave those there, because I'm almost positive that it's for your touchpad controls.
Nothing there looks questionable. I would definitely advise leaving the touchpad entry though.
Entries O6 to O9 I'm deleting.
Thanks again for helping me out!
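Added example, not part of the original thread and not HijackThis's own logic: a Python triage of HijackThis entries that applies the pattern behind the fix list above (R0/R1 values set to res:// or about:blank, BHO and Run/RunOnce binaries sitting directly in C:\Windows or system32) and checks whether any flagged entry survives into the follow-up scan. The function names and the choice of sample lines are assumptions, and the rules are heuristics for this log only, since legitimate files also live in those directories.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples: a few entries copied from the two logs in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prawy.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.bloomberg.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {74EE13F3-4F7F-9428-EAE7-54C71206013B} - C:\Windows\winsb32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mfcym32.exe] C:\Windows\system32\mfcym32.exe
O4 - HKLM\..\RunOnce: [mfckw32.exe] C:\Windows\mfckw32.exe
O15 - Trusted Zone: http://www.gunnallen.net
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.bloomberg.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O15 - Trusted Zone: http://www.gunnallen.net
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}  # heuristic, see lead-in

def parse(log):
    """Return (code, body) for every R*/O* entry; headers and process paths are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"].strip()))
    return entries

def reason(code, body):
    """Return why an entry matches the thread's fix-list pattern, or None."""
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].lower()
        if value.startswith("res://"):
            return "IE page loaded from a local DLL resource"
        if value == "about:blank":
            return "IE search setting forced to about:blank"
    elif code in ("O2", "O4"):
        m = re.search(r"[A-Za-z]:\\.+?\.(?:exe|dll)", body, re.I)
        if m and str(PureWindowsPath(m[0]).parent).lower() in SYSTEM_DIRS:
            return "BHO/autostart binary directly in a Windows system directory"
    return None

def triage(log):
    """Flagged entries as (code, body, reason), in log order."""
    return [(c, b, r) for c, b in parse(log) if (r := reason(c, b))]

def still_present(before, after):
    """Entries flagged in the first scan that also appear in the follow-up scan."""
    remaining = set(parse(after))
    return [e for e in triage(before) if e[:2] in remaining]

if __name__ == "__main__":
    for code, body, why in triage(BEFORE):
        print(f"{code}: {why}\n    {body}")
    print("still present after cleanup:", still_present(BEFORE, AFTER))
```

An empty result from `still_present` only shows that the registry entries are gone from the second scan; as the reply above says, a hidden reloader can bring them back, so the comparison is worth repeating after a few reboots.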