abetterinternet is getting the better of me

I have the abetterinternet spyware on my machine and try as i will I cannot get rid of the thing. I ran my tools alot of times and got rid of some things but abtterinternet re-occurs via ZoneAlarm warning. I checked your suggestions at generic removal and found I already had most of the tools. I downloaded the one's I didn't have and followed your instructions to the letter.

In safe mode I have run these with the following results:
CCleaner (I seem to empty the bin endlessly these days)
Trend Micro (found one that it couldn't clean - file specified is:
c:/windows/system32/vcybbiw.exe)
Symantec (nothing)
CCleaner (I can't help myself)
AdAware (nothing)
Spybot (nothing)
CWShredder, Kill2Me, about:buster (nothing)
HSRemover (8 items removed)

Once back in normal mode it wasn't long before ZoneAlarm revealed to hits. As follows:
docs and settings/local settings/temp/OWT/aurareco.exe
and c:windows/prefetch had files as well
thnall1ac.exe in prefetch and docs and settings somewhere.

I have downloaded Hijackthis and placed it in a program files folder.

I think I am ready for your treatment doctors.

 

Here is the HJT file as requested.

 

Firstly, thanks alot Chaslang for your advice.

I examined your suggestions and did most of it and everything now seems fine.

Let me explain what I did do and what I didn't do.

I killed the three R0's - i understand they are registry changes that need to be removed but not why - any suggestions as to where I can learn more.

Killed the 02 which I understand is a browser hook and I assume that since it didn't have any meaningful reference then it can only be bad - am I right at least a bit

The 03 iiBar is a useful DSL usage counter related to my ISP hence I kept it.

I kept the 015 as they referred to musicmatch which I have and it also seemed to imply that it had access to my trusted zone via zonealarm - I took the risk that they are OK - don't get cross ... pls

Now the fun part - i suspected (or hoped) that you would suggest that I kill the 04 and its related file - so I used HJT to 'fix' it and then I couldn't help myself to have a quick look to see if the file existed (via windows explorer) before I went over to safe mode and found that it was gone.

I suspected that it had regenerated itself. So since I had already broken the rules I started to play around with this. I got another HJT log and noted that it had in fact regenerated itself in the system32 folder under another name. I noted that the file in both cases was 75k in size and that the random name was always 6 chars in length. I repeated the HJT fix and look process and found that when i perform the HJT fix the file regenerates and hence I could not delete the file as it did not exist. Therefore i decided to reverse your instructions (sort of). I renamed the file first (in safe mode) and then in normal mode used HJT to fix the 04 record. Generated a new HJT log and noted that the little buggar had not regenerated. Decided then to delete the renamed file and do a CCleaner. Restore is now back on and I have played with the machine for a number of hours and all seems quite OK.

Here's the latest HJT log. How does it look to you Chas?

By the way this has been a most illuminating experience and I'd say even fun. I have learnt a few new things and got a good result. Tempted to get infected again with something to see if I can fix it myself - on second thoughts I don't think I'll push it.

Anyway I am interested in learning more - any suggestions?

Thanks again.http://forums.majorgeeks.com/newreply.php?do=newreply&noquote=1&p=559407#
Big Grin