Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Timith - Aurora removal

Started by timith , Nov 23 2005 01:57 AM

  • Please log in to reply

#1
timith
Posted 23 November 2005 - 01:57 AM

timith

    New Member

  • Member
  • Pip
  • 3 posts
I have a program called Aurora installed that I can't seem to get rid of.

I've scanned for viruses, run Ad-Aware and checked for windows updates.
  • 0

Advertisements

#2
timith
Posted 23 November 2005 - 01:59 AM

timith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:04:18 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\itfvlww.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\OFFICE11\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tim\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatherof...2_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ftbtkjj] C:\WINDOWS\system32\itfvlww.exe r
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: http://www.comedycentral.com
O15 - Trusted Zone: http://www.imdb.com
O15 - Trusted Zone: http://by103fd.bay103.hotmail.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125352719718
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#3
jwbirdsong
Posted 23 November 2005 - 05:16 AM

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You will need to print out these instructions or save a copy in Notepad for easier reference.

First, download Ewido Security Suite.

In your opening post you say you have run Ad-Aware so please make sure you have the latest updates and are using the settings below EXACTLY

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
  • 0

#4
timith
Posted 24 November 2005 - 11:02 AM

timith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thank-you,

Here are the log files:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:21 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tim\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatherof...2_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: http://www.comedycentral.com
O15 - Trusted Zone: http://www.imdb.com
O15 - Trusted Zone: http://by103fd.bay103.hotmail.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125352719718
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE





---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:21:10 AM, 11/24/2005
+ Report-Checksum: 2ECB1473

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-21-3433403899-4274017757-2296396051-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-3433403899-4274017757-2296396051-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-3433403899-4274017757-2296396051-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\hs5sjgbu.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temp\D3228\aurora.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temp\FTF\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temp\nsrB.tmp -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\ODM7S527\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\UP3K5S7Q\abiuninst[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONAS\TBONlchr.dll -> Spyware.ActivShopper : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\gltdwif.exe -> TrojanDownloader.IstBar.er : Cleaned with backup
C:\WINDOWS\hsuacbrhrq.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\kwynhku.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\wfo.exe -> Trojan.Pakes : Cleaned with backup


::Report End
  • 0

#5
jwbirdsong
Posted 27 November 2005 - 11:17 AM

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Sorry for the late response..Is everything running Ok now??

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Please run HijackThis and click "Scan." Place checks next to the following entries:
  • O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
  • O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
  • O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Delete the following files (if they exist):

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested. But you will have to manually log on to all internet sites the first time you visit them again.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"
There are always a couple of files that you will not be able to delete..this is normal and expected

Restart your computer and rerun HijackThis. Please post a new HijackThis log in a reply to this thread.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP