Need Help Removing Aurora popups! [RESOLVED]

  • This topic is locked

#16
LLTean

    Member

  • Topic Starter
  • 43 posts
The Windows Service Pack 1 was FINALLY able to download to the computer. I again went through the process from scratch of running The Removal Tool, Nailfix, Ewido and finally HijackThis. Please find below the Ewido and HijackThis Logs:

Kristine

=====================================================

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:39:55 AM, 5/20/2005
+ Report-Checksum: AAB3E9EA

+ Date of database: 5/20/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 37344
+ Speed: 27.04 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\31R4034T\uninst[1].exe -> TrojanDownloader.VB.ge -> Cleaned with backup
C:\WINDOWS\system32\down.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\system32\efvefefe.exe -> TrojanDownloader.IstBar.it -> Cleaned with backup
C:\WINDOWS\system32\kntylv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\pd33.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\sefer.exe -> Spyware.Small.ga -> Cleaned with backup


::Report End

=====================================================

Logfile of HijackThis v1.99.1
Scan saved at 3:40:24 AM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OtyLNB] C:\WINDOWS\beidcwu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Epson printer Registration.lnk = E:\titles\ereg\EPSONREG.EXE
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {3571D15E-8C69-759D-C536-51C145FAFD30} - http://67.19.178.86/1/rdgUS1742.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
  • 0


#17
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Kristine, Much better !!!

Please disable Microsoft AntiSpyware for the moment,
  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [OtyLNB] C:\WINDOWS\beidcwu.exe
    O16 - DPF: {3571D15E-8C69-759D-C536-51C145FAFD30} - http://67.19.178.86/1/rdgUS1742.exe

    Click on Fix Checked when finished and exit HijackThis.

  • Please open Notepad and save these instructions. Name it something you will remember.
  • Click Here to download Killbox by Option^Explicit.
  • Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
  • In the Killbox program, select the Delete on Reboot option.
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\beidcwu.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

  • After the computer restarts, download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
  • Unzip/extract the files inside to a folder on your desktop.
  • Open the folder and run FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
  • Then post the results here please, along with the new HijackThis log.
  • 0

#18
LLTean

    Member

  • Topic Starter
  • 43 posts
Here are the 2 logs. However I did have a "problem" with Killbox. I was able to copy and paste them separately, since the 'Paste from Clipboard' menu didn't seem to work, but when I went to delete them, after the reboot prompts, it said "PendingFileRenameOperations Registry Data has been Removed by an External Process!" and only had a button for "OK" not Yes or No. So, I clicked OK. I went ahead and manually rebooted because it did not do so from Killbox, so I'm hoping that deleted the Nail and beidcwu programs. Lastly, my desktop still has an Internet Explorer desktop screen as my desktop. It no longer has the warning sign, just a blue screen that I cannot change from the properties/Display/desktop menu. All other pictures and the browse button are locked. ;) Haha, sorry. :tazz:

Kristine

=====================================================

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 05/20/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\system32

05/09/2005 11:23 PM 3,262 creditcard32123123123asdsa.ico
05/20/2005 02:41 AM 3,262 creditcard32123123123asdsa1.ico
05/20/2005 02:41 AM 2,238 red_kas21.ico
3 File(s) 8,762 bytes
0 Dir(s) 57,750,175,744 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\mfiltis


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\System Updater


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} REG_SZ 1

=====================================================

Logfile of HijackThis v1.99.1
Scan saved at 4:23:32 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Epson printer Registration.lnk = E:\titles\ereg\EPSONREG.EXE
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
  • 0
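
A way to check the Fix Checked step from post #17 against the two HijackThis logs in posts #16 and #18, as an added example that is not part of the original thread: it parses the entry lines of both logs and reports which flagged entries are gone, which survived, and whether anything else changed. The function names are hypothetical and the log excerpts are shortened from the posts above.

```python
import re

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")


def parse_entries(log_text):
    """Map a case-insensitive (section, body) key to the original log line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and "Running processes" lines do not match
            entries[(m.group(1), m.group(2).casefold())] = line.strip()
    return entries


def check_fix(before_log, after_log, flagged_lines):
    """Classify flagged entries and spot changes nobody asked for."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    flagged = parse_entries("\n".join(flagged_lines))
    return {
        # flagged, seen before the fix, absent afterwards
        "fixed": sorted(flagged[k] for k in flagged
                        if k in before and k not in after),
        # flagged but survived the fix (or was re-created on reboot)
        "still_present": sorted(after[k] for k in flagged if k in after),
        # flagged line that never matched the first log (copy/paste slip)
        "not_in_before": sorted(flagged[k] for k in flagged if k not in before),
        # removed although the helper did not list it
        "unexpected_removed": sorted(
            before[k] for k in before if k not in after and k not in flagged),
        # appeared only after the fix: worth a second look
        "new_entries": sorted(after[k] for k in after if k not in before),
    }


# Excerpt of the log in post #16 (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [OtyLNB] C:\WINDOWS\beidcwu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {3571D15E-8C69-759D-C536-51C145FAFD30} - http://67.19.178.86/1/rdgUS1742.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
# Excerpt of the log in post #18 (after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
# The three lines don77 asked to check in post #17.
FLAGGED = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [OtyLNB] C:\WINDOWS\beidcwu.exe",
    r"O16 - DPF: {3571D15E-8C69-759D-C536-51C145FAFD30} - http://67.19.178.86/1/rdgUS1742.exe",
]

if __name__ == "__main__":
    for label, lines in check_fix(BEFORE, AFTER, FLAGGED).items():
        print(f"{label}: {len(lines)}")
        for line in lines:
            print("   ", line)
```
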

#19
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK, we are gaining on it,
Let's do this first to see if you can get control of your desktop. Then we will have a few more minor issues to clean up.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

Reboot and let me know if the desktop is working properly again
  • 0

#20
LLTean

    Member

  • Topic Starter
  • 43 posts
Yup! Desktop is back to normal! Thank you! Now what, boss?
  • 0

#21
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Good deal !!!!

Let's see if we can do a bit of cleaning with some tools,

Please download and install AD-Aware.
Check Here on how to set up and use it - please make sure you update it first.

Run a scan with Ad-aware and have it fix all it finds please. Reboot your computer.

Next:

Reboot into SAFE MODE. Make sure you can view all Hidden Files/Folders, then search for and delete the files highlighted in BOLD


C:\WINDOWS\system32
Search for the following item in the folder and nothing else,


creditcard32123123123asdsa.ico

Restart your computer,

Run Findit again please and post back a findits log please
  • 0

#22
LLTean

    Member

  • Topic Starter
  • 43 posts
I want to make sure I'm understanding. I rebooted into safe mode. I made all hidden files appear, but where was I supposed to search for bold files? I assumed you meant bold files in the Windows/system32 folder which were only 2 files, and they were highlighted in blue. :tazz: The 2 files I deleted were dllcasch and red_cas21. I have not officially emptied the recycle bin yet, in case they were incorrect. I then searched in the same folder for the creditcard file. There were 2; creditcard.....asdsa and creditcard.....asdsa1. I deleted those also. That correct? Eek. And here is my findIts log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 05/20/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\mfiltis


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\System Updater


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} REG_SZ 1
  • 0

#23
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That's fine, you can clean out your recycle bin.
My bad, I forgot to Bold it :tazz:

Go to Start->Run and type in regedit and hit OK. Go to Registry (make sure My Computer is highlighted)->Export and save the registry somewhere on your desktop as a backup. While in the Registry Editor, navigate to:



HKEY_CLASSES_ROOT\mfiltis

HKEY_LOCAL_MACHINE\SOFTWARE\System Updater

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} REG_SZ 1


Delete if found. If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


Post back a fresh findits when done please
  • 0

#24
LLTean

    Member

  • Topic Starter
  • 43 posts
OK, keys deleted. All except the (Default) key, but all of them had that so no worries, I'm assuming. OK, now on with the log . . :tazz:

Kristine

*Oh yea, can I now delete the backup from my desktop, since all was successful?
=====================================================

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 05/20/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 1C8B-82CD

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».
  • 0

#25
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Well Kristine
Your system is clean !!!!!!!!

Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep AD-Aware and Spybot 1.3 handy. Check them for updates prior to running and run them weekly.
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remember to check Windows for updates

Probably a good time to create a new restore point. See Here. Name it clean or something like that,
  • 0


#26
LLTean

    Member

  • Topic Starter
  • 43 posts
Wonderful! So Aurora is gone? Awesome! So are you single?! :tazz: j/k Thank you again, and I'll definitely hunt ya down if I ever come across any other problems..

Thank You!

Kristine
  • 0

#27
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Yes Aurora is gone !!
You're very welcome, glad I could help

So are you single?! j/k Thank you again, and I'll definitely hunt ya down if I ever come across any other problems..


You can find me here !!! :tazz:
  • 0

#28
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





