Aurora on my wife's computer

Ccleaner is the only spyware related program I left installed, except Norton System Works, which I have disabled, at least I think I have --- I unchecked the boxes under Auto Protect, and the Script Blocking option too. I noticed that I left the Internet Worm Protection on. I will uncheck that and run Ewido again.
Ccleaner isn't a problem though is it?
I'll uninstall that too.

 

okay -- here are log files from QooologicFinder and RKFiles. Still there.
Not only did I remove Ccleaner and disable everything I could find in Norton Antivirus, but I also went back to Add/Remove Programs and discovered that Instant Access was still there - which I removed.
When I ran Ewido again, it found only one instance of msclock32.dll - but apparently it did not remove it entirely because RKFiles shows it's still there.


I'm just about at the end of my rope, unless you can see light at the end of this dark dark tunnel, I'm going to reinstall the system software (and everything else).
What do you think?

 

Because we havnt tried this, lets do the below just to see if they catch it with there new updates.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.


Generate a StartupList log using HijackThis.
Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". CLick Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

 

okay, scans run and here's the file from HijackThis.

 

First, uninstall Ewido and disable Norton or any other antivirus programs.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\SXZXDLL.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\VIBDENC.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\cbomrca.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot to normal windows and attach 2 new logs from the tools.

 

the only file that actually showed up in blue was the first one, but anyway --- here are the 2 log files.

hmmmmmmmmmmmm.

 

Hi Bob,

I don't want to get in BJ's way here, but a couple ideas:

-- Is there an msplock.exe on your machine? (Exact Spelling)

-- Can you run a search of machine for Instant Access, EGDACCESS and just EGD as search criteria and post the results?

-- Try running a scan with Microworld Antivirus Toolkit Utility and post the results. You don't have to install it and you will not be able to fix anything with it unless you purchase it (I think), but it may give BJ a lead or two.

Best Luck
PP

 

none of the files (msplock.exe, Instant Access, EDGACESS, EDG) showed up in searches of the computer --- attached is the log file from the escan you suggested.
No, I guess not -- the file is too big.

I messed with trying to reduce the size (it's nearly 300 Kb which is 3X the size you'll allow to be uploaded) and I'm having too much trouble.

Frankly, I'm having too much trouble still and I'd like to thank you for all your help, but I feel I'll be better off just reinstalling the system software and all the programs we've got.
Thanks for trying. I really do appreciate your on-going efforts to solve our problem.

 

Hate to hear that, Bob! I'm sorry our collective brainpower couldn't crank out a solution . . . But, we wish you the best of luck!

If you could, though, please copy and paste the MWAV log into this thread - I'd like to see if there is anything there . . .

Frankly, I've never seen this particular baddie put up such a fight! It looked to me like BJ was pretty thorough . . . .

When you reformat, be sure to have all of your protection tools, AV and Firewall up and running before reconnecting to the Internet - I'd hate to see you get reinfected!

Best
PP