Hijack This Log

Discussion in 'Malware Help (A Specialist Will Reply)' started by Carl S., Nov 20, 2005.

  1. Carl S.

    Carl S. Private E-2

    I've run all of the steps in the sticky three times and am still having a couple of problems. I'm still getting popups from "the best offers", and am also getting something along the lines of dnsrch trying to install. I've posted the log... any help would be appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read and follow the instructions in step 7 of the READ & RUN ME sticky. But before posting a new HJT log, perform the steps below.


    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

- Now boot into safe mode and run abiremover.exe, but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click Install and wait (the Explorer window will disappear).

- When abiremover finishes, just reboot into normal mode and continue with the steps below.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now run the steps in this link and post the SpySweeper log too: Running Spy Sweeper...

    Now post a new HJT log (make sure you have it properly installed this time by following step 7 of the sticky).
     
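The Hoster step above works by overwriting the hosts file with the stock one-line Windows version, because adware of this era often redirected or blackholed domains there. The script below is an added example for this thread, not Hoster's or MajorGeeks' code: it parses a hosts file, flags the two hijack patterns a clean XP machine would never have (a real hostname pinned to loopback, or any hostname pinned to a routable address), and shows what a "restore original hosts" step writes back. The sample hosts content is constructed; the 203.0.113.x address is from the documentation range and is not a real redirect target.

```python
"""Check a Windows hosts file for hijack-style entries and produce the
default file that a "restore original hosts" step would write back.

Added example for this thread; not Hoster's own code. The sample hosts
content below is constructed for illustration."""
import ipaddress
import re

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Stock Windows XP hosts file body (comments omitted); assumed here to be
# what a "Restore Original Hosts" step writes back.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: one legitimate line, two typical hijack patterns.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com      # security site blackholed
203.0.113.5     www.google.com        # search engine redirected
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, name, reason) for entries a clean XP machine would not have.

    Two patterns: a real hostname pinned to loopback (blocks the site, a
    common trick against AV/update domains) and any hostname pinned to a
    routable address (silent redirect)."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback:
            findings.append((ip, name, "blackholed to loopback"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


def restored_hosts():
    """Content written back when restoring the original hosts file."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print("%-15s %-25s %s" % (ip, name, why))
    print("restored file:", repr(restored_hosts()))
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` by reading that file into `suspicious_entries`; an empty result means the file is already equivalent to what Hoster would restore.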
  3. Carl S.

    Carl S. Private E-2

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are going to wait this long in between working on problems, there is no sense working on them. In 3 months problems can totally change. You should have really just started the READ ME over again.

    You need to go back to step 7 right now and follow it properly as I stated in my last message. We will not continue until you install HJT properly. You are running it like this:
    C:\Documents and Settings\Carl Svendsen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    That means you are running it directly from the ZIP file which we specifically indicate is not acceptable.

    After installing HJT properly, attach a new HJT log and indicate what your current problems are.
     
  5. Carl S.

    Carl S. Private E-2

Ok. Thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay before doing the below, shut SpySweeper down because it may block the fixes.

Go to Add/Remove Programs and uninstall Party Poker and BestOffers if found.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O4 - HKLM\..\Run: [fsgwfvt] C:\WINDOWS\System32\ywngtt.exe r
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\PartyPoker <-- the whole folder
    C:\Program Files\TBONAS <-- the whole folder
    C:\WINDOWS\System32\ywngtt.exe

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
Now run CCleaner (installed while running the READ ME FIRST).

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
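Each HijackThis "O" line above encodes a registry location plus the file it loads, and clicking Fix only removes the registry entry, which is why the post follows up with a safe-mode delete list. The script below is an added example for this thread, not HijackThis's own code: it parses the five lines quoted in the post into the registry key Fix would touch (the standard locations each section type reports on: Browser Helper Objects for O2, the Internet Explorer Toolbar key for O3, the Run key for O4, Internet Explorer Extensions for O9) and the file left on disk, then derives the distinct-file delete list. The exact value-name formatting in the output is this example's own convention.

```python
"""Parse HijackThis 'O' lines and say what clicking Fix would remove.

Added example for this thread, not HijackThis's own code. The registry
locations are the standard ones each section type reports on; the
sample lines are the log entries quoted in the post above."""
import re

# Lines chaslang told the poster to fix (from the post above).
SAMPLE_LINES = [
    r"O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll",
    r"O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll",
    r"O4 - HKLM\..\Run: [fsgwfvt] C:\WINDOWS\System32\ywngtt.exe r",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe",
    r"O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe",
]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 - HKLM\..\Run: [valuename] command line   (also HKCU, RunOnce, RunServices)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# First token of a Run command line that ends in an executable extension.
EXE_RE = re.compile(r'"?(.+?\.(?:exe|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)

# Registry keys each HJT section reports on (keyed by CLSID or value name).
KEY_FOR = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s",
    "O3": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar  (value %s)",
    "O9": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\%s",
}
RUN_KEY = r"%s\SOFTWARE\Microsoft\Windows\CurrentVersion\%s  (value %s)"


def parse_hjt_line(line):
    """Return section, registry location and on-disk file for one HJT line."""
    section = line[:2]
    if section == "O4":
        m = O4_RE.match(line)
        if not m:
            raise ValueError("unrecognised O4 line: %r" % line)
        hive, key, name, cmd = m.groups()
        # The Run value may carry arguments ("... ywngtt.exe r"); keep the exe.
        exe = EXE_RE.match(cmd)
        return {"section": "O4",
                "registry": RUN_KEY % (hive, key, name),
                "file": exe.group(1) if exe else cmd}
    if section in KEY_FOR:
        m = CLSID_RE.search(line)
        if not m:
            raise ValueError("no CLSID in %r" % line)
        clsid = m.group(0).upper()
        path = line.rsplit(" - ", 1)[1]
        return {"section": section, "registry": KEY_FOR[section] % clsid, "file": path}
    raise ValueError("unsupported section %r" % section)


def files_to_delete(lines):
    """Distinct files still on disk after Fix removes the registry entries."""
    seen = []
    for line in lines:
        f = parse_hjt_line(line)["file"]
        if f not in seen:
            seen.append(f)
    return seen


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_hjt_line(line)
        print(e["section"], e["registry"], "->", e["file"])
    print("delete in safe mode:", files_to_delete(SAMPLE_LINES))
```

The two O9 lines share one CLSID and one executable, so they collapse to a single file in the delete list; the folder-level deletes in the post (the whole TBONAS and PartyPoker directories) go further than this list because they also catch companion files the log never names.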
