Tried everything and spyware still there. Reboots system

Discussion in 'Malware Help (A Specialist Will Reply)' started by smcinc, May 3, 2005.

  1. smcinc

    smcinc Private E-2

    Thanks for all of the info on your website. I have gone through the entire removal process as posted by Major Attitude. Installed all removal programs, ran all online scans, and spyware is still showing up. Now it is causing my system to reboot whenever it feels like.

    I downloaded HiJack This and read through the tutorial. Removed any suspicious items that I could find and still having problems.

    Don't know what else to do other than wiping my system.

    Please let me know if I can post my log for someone to look over.

    Thanks,
    Steve
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure you follow the steps below for installing and running HijackThis. Then post your log as an attachment.

    If, after doing ALL of the above, you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. smcinc

    smcinc Private E-2

    Thanks for responding. Closed everything and ran Hijack This. Here is the log.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to post your complete HijackThis log as saved by HijackThis. You only posted the process list.

    Your OS and IE versions are way out of date and represent a major security risk. After we resolve your current problems, you MUST get updated.
     
  5. smcinc

    smcinc Private E-2

    I posted what Hijack This saved as the log. I just ran it again and saved it.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now you have a complete log. You must remember to ALWAYS shut down browsers (C:\Program Files\Internet Explorer\IEXPLORE.EXE) before running HijackThis.

    Did you install Remote Administrator on your PC? See the file: C:\Program Files\Radmin\radmin.exe
    Remote Administrator is a legitimate remote administration software. However, some of its components can be used for malicious purposes, as it allows a hacker to control a user's computer. Therefore, Radmin may constitute a security threat.

    Did you choose to set the below to about:blank?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    I see no evidence of the Symantec and Trend Micro online scanners being run. Is there a reason you did not run them?

    We need to stop, disable and remove a couple of bad services. They show in your HijackThis log as:

    O23 - Service: rflgdabqfwdowsy - Unknown owner - C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for the below service:
    rflgdabqfwdowsy

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    System Startup Service

    If that does not work, try using the short name of the service: SvcProc

    Now repeat the HijackThis step to delete the other NT service:
    rflgdabqfwdowsy

    Now exit HijackThis.

    Let me know how all the above steps go. Then move on to my next message.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the items mentioned below (like the O23 Services) may already be gone due to my previous message.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\browselc.exe
    C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 216.40.230.4 desktop.kazaa.com
    O4 - HKLM\..\Run: [6bc7c80f5ec8] C:\WINDOWS\System32\browselc.exe
    O4 - HKLM\..\Run: [rflgdabq] C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
    O23 - Service: rflgdabqfwdowsy - Unknown owner - C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\browselc.exe
    C:\WINDOWS\System32\fwdowsy <--- the whole folder
    C:\WINDOWS\svcproc.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\WINDOWS\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
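As an added illustration of the triage done in the two posts above (not code from the thread or from HijackThis), the script below parses the O1, O4 and O23 lines quoted there and flags the ones a helper would single out: services with no registered owner or a missing binary, a hosts-file redirect to a remote address, a Run key with a hex-garbage value name, and a Run key launching the same binary as a flagged service. The sample log is constructed from the lines in the thread plus one made-up benign service for contrast.

```python
import re

# Constructed sample: the first six lines are the entries the thread asks the poster to fix;
# the last O23 line is a made-up benign service added for contrast.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [6bc7c80f5ec8] C:\WINDOWS\System32\browselc.exe
O4 - HKLM\..\Run: [rflgdabq] C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
O23 - Service: rflgdabqfwdowsy - Unknown owner - C:\WINDOWS\System32\fwdowsy\rflgdabq.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Example Backup Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\backupsvc.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # hosts entries pointing here are normal


def triage(log_text):
    """Return [(line, reason)] for HijackThis entries that deserve a closer look.

    The rules mirror the thread: services with no owner or a missing binary,
    hosts-file redirects to a remote IP, Run keys with hex-garbage names, and
    Run keys that launch the same binary as an already-flagged service."""
    findings, bad_paths = [], set()
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    for line in lines:                      # services first so Run keys can cross-reference
        m = O23_RE.match(line)
        if not m:
            continue
        if m["owner"].lower() == "unknown owner":
            findings.append((line, "service has no registered owner"))
            bad_paths.add(m["path"].lower())
        if m["missing"]:
            findings.append((line, "service points at a missing file (orphaned entry)"))
    for line in lines:
        if (m := O1_RE.match(line)) and m["ip"] not in LOOPBACK:
            findings.append((line, f"hosts file redirects {m['host']} to {m['ip']}"))
        elif m := O4_RE.match(line):
            exe = m["cmd"].split(" /")[0].lower()   # drop any switches after the path
            if re.fullmatch(r"[0-9a-f]{8,}", m["name"]):
                findings.append((line, "Run key with hex-garbage value name"))
            elif exe in bad_paths:
                findings.append((line, "Run key launches the same binary as a flagged service"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```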
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Would you please familiarize yourself with our sticky thread procedures so you don't post suggestions that are unnecessary and redundant.
     
  9. smcinc

    smcinc Private E-2

    Did everything that you told me and things are better. System is no longer rebooting itself. It wouldn't let me stop the rflgdabqfwdowsy process so I had to go into safe mode and remove it.

    I did install Remote Administrator and I need it. I use it every day for work.

    I did run the Symantec & Trend Micro online scans. I followed every step of the tutorial.

    I have MS Antispyware software installed and it did an automatic check last night. It found 5 problems: Fizzlewizzle, Windupdates, Unclassified Spyware.61, E2give, & Transponder.ABetter Internet.Ceres

    Should I let it remove them?

    I'm attaching my HJT log as of this morning.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you should let MS Antispyware fix those items. Your log is clean. You need to get your OS updated now. The steps in the below link should be followed to help keep you clean. The first step in that link is Microsoft Update:

    How to Protect yourself from malware!
     
  11. smcinc

    smcinc Private E-2

    MS Antispyware keeps finding Transponder.ABetterInternet.Ceres

    I have it remove it and the next time it does a scan it shows up again. I also noticed when I go to Add/Remove Programs in control panel there is something called Microbuddy but it won't let me remove it.

    My system seems to be working fine but I just ran the MS program again and it found 14 problems. I don't understand how I'm getting more again.

    Any help would be great.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Part of the problem is because you have not completed the steps in the How-to thread I posted. You still do not have a real firewall installed. The one in WinXP SP2 does not provide adequate protection.

    Although I'm not saying it is the cause of any of your problems, I still do not like the idea of that Remote Administrator program.

    Can you post a log from MS Antispyware? What did it find? And did you run it in safe mode and do you have the current update:
     