Aurora pop-ups [RESOLVED]


  • This topic is locked

#16
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Thank you :tazz:

Would you mind doing this for me, please?

Set your system to SHOW HIDDEN FILES

Then using Windows Explorer, please locate this file:

C:\WINDOWS\system32\RCSRSS.exe

Right-click on it and go to Send to > Compressed (zipped) folder. It will create a zipped folder called RCSRSS.zip in the system32 folder. Will you please e-mail that zipped folder to submit@atribune.org?

I appreciate it :)
  • 0

#17
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok I have a couple of other questions for you :tazz:

Do you or anyone who uses this system have anything to do with University of Wisconsin - Eau Claire?

And are you aware of the Remote Server on your system?
  • 0

#18
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hello :tazz:

I am unable to locate C:\WINDOWS\system32\RCSRSS.exe

I "unhid" my files, but I did not see it anywhere in the system32 folder.

In response to the questions....yes, I am a student at University of Wisconsin--Eau Claire. I no longer live on campus, but this computer was previously linked to the school's network when I lived in the dorms.

I'm not sure what you mean by remote server. Could you elaborate, please? Thanks!
  • 0

#19
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts

In response to the questions....yes, I am a student at University of Wisconsin--Eau Claire. I no longer live on campus, but this computer was previously linked to the school's network when I lived in the dorms.


Ok good, so glad to hear that! :tazz:

The services from when your computer was hooked up to the school network are still present on your system. Would you like to remove them?
  • 0

#20
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Yes, anything I don't need I would like to get rid of. Is that the remote server?
  • 0

#21
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Yes that was the remote server :tazz:

Let's check to make sure your firewall is working as it should.

Go to Start > Run and type firewall.cpl

Click OK.

Let me know if it's on or off and if anything is grayed out where you can't change it.

Then please download remserv.zip from here:
Unzip it to your desktop.

Reboot into Safe Mode and double-click remserv.bat (a window will just open and close for a second)

Reboot into normal mode and run HijackThis again, please, and post the new log for me :)
  • 0

#22
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hello :tazz:
When I checked my firewall it was on and nothing was grayed out as far as I could see. Okay, new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 11:44:05 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Megan Bender\Desktop\Geeks to Go\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Juno\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.eed.state...sses/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  • 0
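
Added example (not part of the original thread, and not HijackThis's own code): a small Python parser for the log format posted above. It separates the running-process list from the numbered entries and lists the entries that carry HijackThis's own annotations; the sample is constructed from a few lines of that log, the reason strings are this example's wording, and a listed entry is a prompt for manual review rather than a verdict (the "(no name)" BHO here is Spybot's SDHelper.dll).

```python
import re

# HijackThis entry lines start with a section code such as O4 or O23.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Annotations HijackThis prints itself; the descriptions are this example's wording.
MARKERS = {
    "(file missing)": "target file is not on disk (orphaned entry)",
    "Unknown owner": "no company name read from the service binary",
    "(no name)": "entry registered without a display name",
}

# Constructed sample: a few lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Juno\toolbar.dll (file missing)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

def parse_log(text):
    """Split a HijackThis log into running processes and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Running processes:":
            in_procs = bool(line)  # header opens the process list, a blank line closes it
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(entries):
    """Return (code, reason, body) for each entry carrying a known annotation."""
    return [(code, reason, body) for code, body in entries
            for marker, reason in MARKERS.items() if marker in body]

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for code, reason, body in triage(ents):
        print(f"{code}: {reason}\n    {body}")
```
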

#23
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Perfect! :tazz: Any other problems?
  • 0

#24
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Everything seems to be working great!

Thank you so much! :tazz:
  • 0

#25
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Great! :tazz:

You're very welcome :)

Congratulations, your log is clean! Great job on the clean up :)

If McAfee is old or about to run out, I highly recommend one of the Anti-Virus applications below - they're free and work great :)

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Some very good free anti-virus programs are Avast, AVG and AntiVir.
  • Firewall <= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm.

  • 0

#26
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay....I guess there is one thing I wanted to check with you on. Attached is a screen shot of my add/remove programs window. screen_shot.JPG The highlighted program "The Best Offers" is what I am unsure of--I don't know what it is and I am unable to remove it.

When I click on change/remove, I get an error message telling me:
"Cannot find 'file:///C:/WINDOWS/boncpar.htm' Make sure the path or Internet address is correct"

I have not had any pop-ups recently, but I used to get some with "The Best Offers" in the title bar (I'm not sure if that's what it's called or not?) Do I need to worry about it, or did we take care of this?
  • 0

#27
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
We can take care of that. It belongs to Aurora but Aurora has been removed from your system already. When you try to use Add/Remove programs to remove it, it normally will take you to their web site to download their uninstaller - which of course is made by the same people who infected your computer, so I don't trust 'em. :tazz:

Open HijackThis.
Click on None of the above, just start the program
Click Config (bottom right)
Click Misc Tools
Click Open Uninstall Manager
Click to highlight The Best Offers
Click Delete this entry
Click YES when prompted.

That's it :)
  • 0

#28
mmb222

mmb222

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay. Thank you so much for all your help!!
Take care,
megan
:tazz:
  • 0

#29
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome! I'm happy I could help :tazz:
  • 0

#30
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





