Need help with Aurora plz. Steps completed...

Discussion in 'Malware Help (A Specialist Will Reply)' started by CaptFred, May 25, 2005.

  1. CaptFred

    CaptFred Private E-2

    Hi,

    First of all, thank you for all the help you're providing.

    I was stuck with Aurora, IEPlugin and ABetterInternet and ran all the steps in the sticky up to the Optional steps. I downloaded HJT but have not posted.

    During the cleanup process (safe mode), Houseclean found two trojans. Deleted them. Symantec found Adware.BetterInternet in four files and Bloodhound.Exploit in one. App wouldn't let me delete/heal. Stinger np. AdAware found a lot of stuff, mainly VX2 and reg entries that included BetterInternet and Aurora. Fixed problems. Spybot then came with clean scan. Kill2Me np. CW Shredder np. about:Buster np. HSRemove deleted 8 items.

    Rebooted in normal mode and Aurora still pops up. Ran AdAware again and it still found stuff with BetterInternet and Aurora entries. Cleanup process seems to have removed IEPlugin.

    Not sure where to go from here. Can anyone help...? Thx, Fred
     
  2. jeff6303j

    jeff6303j Private E-2

    Please follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. CaptFred

    CaptFred Private E-2

    Update:

    Never mind the removal of IEPlugin. MS Antispyware just announced the arrival (again). :mad:
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    CaptFred,

    Do as jeff6303j requested and we will go from there.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  5. CaptFred

    CaptFred Private E-2

    Thanks for your quick reply...
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_9425.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move xfire_lsp_9425.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file xfire_lsp_9425.dll is already in the remove section, then just click FINISH.)


    Next, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    After you completed the above, REBOOT and post a fresh HJT log.
     
  7. CaptFred

    CaptFred Private E-2

    Done!
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Next, Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Once in Safe Mode, scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [gfxiisa] c:\windows\system32\igcoqz.exe

    O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\igcoqz.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
     
  9. CaptFred

    CaptFred Private E-2

    Seems to be a tough cookie...

    I did what you instructed.

    O3 went away. The O4 was not in the scan, neither was the .exe that I looked for (good?). O23 (Norton) is still there even after I mark it for removal.

    After, when scanning in safe, Spybot detected IEPlugin, ABetterInternet and HotSearchBar. Fixed them.

    However, when I restart normal, Aurora still pops up and I get warning from MS Antispyware that Transponder.BetterInternet as well as IEPlugin are trying to install. Don't know if block works...
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure you have System Restore disabled!

    Locate ABIremover you downloaded earlier:

    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot into normal mode and attach a fresh HJT log.
     
  11. CaptFred

    CaptFred Private E-2

    Did it again. Restore is off - checked both in normal and safe. All browsers off as well when I run abiremover (safe mode).

    This time however, I logged in as Admin. Hope it makes a difference...
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This may not appear in the HJT scan, let me know if it doesn't!

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [pzkjnyf] c:\windows\system32\meovkwu.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    c:\windows\system32\meovkwu.exe

    NEXT:
    Run CCleaner

    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, if you no longer have Norton installed, which it doesn't seem you do: this is about the O23 entry that says file missing.

    Click Start > Run > type services.msc and Click OK

    Locate Norton Unerase Protection (NProtectService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply
     
  14. CaptFred

    CaptFred Private E-2

    I don't know what's going on!

    I followed your instructions exactly as far as the ABIremove goes. Also ran CCleaner and Spybot before normal boot.

    At 2 o'clock, the MS Spyware kicks in with an automated scan and detects 4 problems:

    Transponder.ABetterInternet.DrPMon in windows\system32\dpmon.dll
    Transponder.ABetterInternet.Aurora in windows\svcproc.exe
    ShopAtHome in windows\redir.txt
    IEPlugin in windows\tdtb.exe

    I don't know what I'm doing wrong!?

    I will run the HJT and remove the new O4 stuff.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let's put a stop to everything we are doing at the moment. I want to try a program that should remove this.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you have done this, check MSAS and be sure you're running Spyware Definitions 5719.
     
  16. CaptFred

    CaptFred Private E-2

    Running TH right now. Got to go to bed though...

    TH Guard continuously finds Agent.167 while scanning and when I tell it to clean, a new .exe file with a different 7 letter code is the bad boy every time. Seems like it "reinvents" itself somehow.

    Anyway, I really appreciate your time and effort. I need to go to bed now and will post the outcome of TH as soon as possible.

    The service disable worked btw.(Norton)

    Thanks again, Fred
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Disable the TH Guard, it gets annoying. Just run the scan and remove all found infections. Afterwards REBOOT and post a fresh HJT log.
     
  18. CaptFred

    CaptFred Private E-2

    Done! Found 8 items. Cleaned.
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now, run the ABIremover once more while in Safe Mode. After you run the tool reboot and again boot back into Safe Mode. Proceed with the following steps below.

    Now scan with HijackThis and Check the Boxes for the following:

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [ygpgff] c:\windows\system32\rtbbxcx.exe

    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.webpcfos.com/webpcfos/Citrix/wficat.cab

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner

    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  20. CaptFred

    CaptFred Private E-2

    Done!

    I think I missed something before: When I boot normal there's no option as to what account I use. User is Fredrik. However, when I boot safe, I can choose between Administrator and Fredrik. I have used Fredrik acct when working in safe. During your last instruction, I did the steps booting safe with both accts respectively and noticed HJT gave me different logs. Also, hidden F&F were marked in Admin acct (but not Fredrik acct). I unchecked and did steps in both accts.

    Maybe that's the reason it hasn't worked before?

    Anyway, here's new log...
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's normal for that to happen with user accounts. Each user account will have a different log and needs to be cleaned individually. If you do not use the Admin account it's ok.

    Your HJT log is now clean, are you having any further problems?
     
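    The three HJT-fix posts above (8, 12 and 19) all apply the same triage pattern: entries ending in "(no file)" or "(file missing)" are orphans that can be fixed, O23 services with a missing binary get stopped and set to Disabled in services.msc, and O4 Run values whose name and target are both random lowercase strings under system32 are the self-reinventing loader the TH Guard kept catching. Post 21 adds that HKCU entries belong to one account and must be fixed from that account. The following Python script is an added example, not a MajorGeeks tool or anything posted in the thread; it applies that triage to HijackThis-style log lines. The sample excerpt is constructed (it repeats entries quoted in the thread plus one made-up benign SoundMAX entry), and the "random name" test is a heuristic assumption of mine, not a rule from the thread, so every hit still needs a human look before clicking FIX.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample log: the O3/O4/O16/O23 lines repeat entries quoted in the thread;
# the SoundMAX line is a made-up benign entry so the heuristic has something to leave alone.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ygpgff] c:\windows\system32\rtbbxcx.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe /tray
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.webpcfos.com/webpcfos/Citrix/wficat.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^()]+)\) - ")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Heuristic (my assumption): the gibberish names in the thread are 5-8 lowercase letters.
RANDOM_TOKEN = re.compile(r"^[a-z]{5,8}$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _executable_path(command: str) -> PureWindowsPath:
    """Split the executable off a Run command line (quoted or not, arguments dropped)."""
    m = EXE_RE.match(command.strip())
    return PureWindowsPath(m.group("exe") if m else command.strip())


def looks_random_system32_exe(value_name: str, command: str) -> bool:
    """True when the Run value name and the file stem both look like random lowercase
    letters and the file sits in the Windows system32 folder, the pattern of the
    igcoqz/meovkwu/rtbbxcx entries in the thread. Heuristic: confirm hits by hand."""
    path = _executable_path(command)
    parent = [p.lower() for p in path.parts[:-1]]
    in_system32 = len(parent) >= 2 and parent[-2:] == ["windows", "system32"]
    return (in_system32
            and path.suffix.lower() == ".exe"
            and RANDOM_TOKEN.match(path.stem) is not None
            and RANDOM_TOKEN.match(value_name) is not None)


def analyze_hjt_log(text: str) -> list[Finding]:
    """Return the entries a helper would ask the user to tick in HijackThis."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(section, "orphaned entry: the referenced file is absent", line))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and looks_random_system32_exe(run["name"], run["cmd"]):
                # HKCU lives in one user's hive, so it only shows (and can only be fixed)
                # while logged in as that account, which is the point made in post 21.
                scope = ("per-user hive, fix while logged in as that account"
                         if run["hive"] == "HKCU" else "machine-wide hive")
                findings.append(Finding(section, f"random-looking Run entry in system32 ({scope})", line))
    return findings


def missing_file_services(findings: list[Finding]) -> list[str]:
    """Short names of O23 services whose binary is gone: the ones to Stop and set to
    Disabled in services.msc, as done for NProtectService and SvcProc in the thread."""
    names = []
    for f in findings:
        if f.section == "O23":
            m = SERVICE_RE.match(f.line.split(" - ", 1)[1])
            if m:
                names.append(m["short"])
    return names


if __name__ == "__main__":
    found = analyze_hjt_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("services to stop and disable:", missing_file_services(found))
```

    Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents. The O16 Citrix entry from post 19 is deliberately not flagged: whether a signed download control belongs on the machine is a judgement call the expert made from context, not something a string rule can decide.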
  22. CaptFred

    CaptFred Private E-2

    bjgarrick

    Everything seems to be working fine. Scans come back clean too...

    Thanks again for time and effort you put in to solve my problem. I really appreciate it.

    Take care, CaptFred :)
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

