[Michelle]

Thank you

Would you mind do this for me, please?

Set your system to SHOW HIDDEN FILES

Then using Windows Explorer, please locate this file:

C:\WINDOWS\system32\RCSRSS.exe

Right-click on it and go to Send to > Compressed (zipped) folder. It will create a zipped folder called RCSRSS.zip in the system32 folder. Will you please e-mail that zipped folder to [email protected]

I appreciate it

[Advertisements]

Ok I have a couple of other questions for you

Do you or anyone who uses this system have anything to do with University of Wisconsin - Eau Claire?

And are you aware of the Remote Server on your system?

[Michelle]

Ok I have a couple of other questions for you

Do you or anyone who uses this system have anything to do with University of Wisconsin - Eau Claire?

And are you aware of the Remote Server on your system?

[mmb222]

Hello

I am unable to locate C:\WINDOWS\system32\RCSRSS.exe

I "unhid" my files, but I did not see it anywhere in the system32 folder.

In response to the questions....yes, I am a student at University of Wisconsin--Eau Claire. I no longer live on campus, but this computer was previously linked to the school's network when I lived in the dorms.

I'm not sure what you mean by remote server. Could you elaborate, please? Thanks!

[Michelle]

In response to the questions....yes, I am a student at University of Wisconsin--Eau Claire. I no longer live on campus, but this computer was previously linked to the school's network when I lived in the dorms.

Ok good, so glad to hear that!

The services from when your computer was hooked up to the school network are still present on your system. Would you like to remove them?

[mmb222]

Yes, anything I don't need I would like to get rid of. Is that the remote server?

[Michelle]

Yes that was the remote server

Let's check to make sure your firewall is working as it should.

Go to Start > Run and type firewall.cpl

Click OK.

Let me know if it's on or off and if anything is grayed out where you can't change it.

Then please download remserv.zip from here:
Unzip it to your desktop.

Reboot into Safe Mode and double-click remserv.bat (a window will just open and close for a second)

Reboot into normal mode and run HiJackThis again please a post the new log for me

[mmb222]

Hello
When I checked my firewall it was on and nothing was grayed out as far as I could see. Okay, new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:05 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Megan Bender\Desktop\Geeks to Go\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Juno\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.eed.state...sses/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

[Michelle]

Perfect! Any other problems?

[mmb222]

Everything seems to be working great!

Thank you so much!

[Michelle]

Great!

You're very welcome

Congratulations your log is clean! Great job on the clean up

If Mcafee is old or about to run out I highly recommend one of the Anti-Virus applications below - they're free and work great

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Some very good free anti-virus programs are Avast, AVG and Anti-Vir
• Firewall<= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm.

[mmb222]

Okay....I guess there is one thing I wanted to check with you on. Attached is a screen shot of my add/remove programs window. The highlighted program "The Best Offers" is what I am unsure of--I don't know what it is and I am unable to remove it.

When I click on change/remove, I get an error message telling me:
"Cannot find 'file:///C:/WINDOWS/boncpar.htm' Make sure the path or Internet address is correct"

I have not had any pop-ups recently, but I used to get some with "The Best Offers" in the title bar (I'm not sure if that's what its called or not?) Do I need to worry about it, or did we take care of this?

[Michelle]

We can take care of that. It belongs to Aurora but Aurora has been removed from your system already. When you try to use Add/Remove programs to remove it, it normally will take you to their web site to download their uninstaller - which of course is made by the same people who infected your computer, so I don't trust 'em.

Open HijackThis.
Click on None of the above, just start the program
Click Config (bottom right)
Click Misc Tools
Click Open Uninstall Manager
Click to highlight The Best Offers
Click Delete this entry
Click YES when prompted.

That's it

[mmb222]

Okay. Thank you so much for all your help!!
Take care,
megan

[Michelle]

You're very welcome! I'm happy I could help

[Michelle]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.