Bullguard Antivirus Forum

Aurora removal

albar
New Member
Posted 4-17-2005 12:19 (GMT +2)
Upon opening certain pages, a new window opens with Aurora as the title. Also, within the text of some pages are links to unwanted sites in the form of highlighted keywords.
Here's my HJT log:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:22:08, on 17/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\WINDOWS\system32\nvsvc32.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.exe
f:\windows\system32\qhetwt.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
f:\program files\mcafee.com\agent\mcagent.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\system32\8758.exe
F:\Program Files\WinZip\WZQKPICK.EXE
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\hjt files\HijackThis.exe
F:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - F:\WINDOWS\system32\nsn8F.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [cnywnc] f:\windows\system32\cnywnc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ap9h4qmo] F:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [pgqeeik] f:\windows\system32\qhetwt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Apwheel] F:\WINDOWS\system32\8758.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = F:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Autodesk Licensing Service - Unknown owner - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe
 
Emilio (SVK)
Forum Moderator
Posted 4-17-2005 12:58 (GMT +2)
Hi Albar

Download Ad-AwareSE

Download SpyBot

Download ScanSpyware
(Serial: 5426-7451-2543)

Download Mwav

Download SysClean (sysclean.com file)
Download pattern file
(unpack and copy with sysclean.com to the same folder)

Download TDS-3
Download TDS-3 update
(just re-copy radius.td3 file to the folder TDS-3)

Download latest Stinger version

Download CCleaner

http://www.docsdownloads.com/Tier1/dr-delete.htm

Download Advanced process termination
www.diamondcs.com.au/index.php?page=apt
(you don't have to install it... it's only an executable utility)

Install and check for updates...

PROCEDURE:
1. Turn off System Restore

2. Reboot to "Safe mode"

3. Show hidden files

4. Run HijackThis:
Check:

F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - F:\WINDOWS\system32\nsn8F.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cnywnc] f:\windows\system32\cnywnc.exe
O4 - HKLM\..\Run: [ap9h4qmo] F:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [pgqeeik] f:\windows\system32\qhetwt.exe
O4 - HKCU\..\Run: [Apwheel] F:\WINDOWS\system32\8758.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe
Fix checked.

5. Run Advanced Process Termination:

F:\windows\system32\cnywnc.exe
F:\WINDOWS\system32\ap9h4qmo.exe
F:\windows\system32\qhetwt.exe
F:\WINDOWS\system32\8758.exe
F:\WINDOWS\svcproc.exe
F:\WINDOWS\Nail.exe
Select them and then press the "ALL" button in PROCESS CONTROL OPTIONS

6. Find and delete these files (use Dr.Delete):
F:\windows\system32\cnywnc.exe
F:\WINDOWS\system32\ap9h4qmo.exe
F:\windows\system32\qhetwt.exe
F:\WINDOWS\system32\8758.exe
F:\WINDOWS\svcproc.exe
F:\WINDOWS\Nail.exe
F:\WINDOWS\system32\nsn8F.dll (I forgot this file)

7. Scans:
Run a scan with Ad-AwareSE (full system scan, scan volume for ADS)
Run a scan with SpyBot
Run a scan with ScanSpyware (do a complete scan)
Run a scan with Stinger
Run a scan with Mwav (all scan options)
Run a scan with SysClean
Run a scan with TDS-3 (choose all options to scan in SCAN CONTROL)

8. Cleaning
Run CCleaner (Analyze, then Run Cleaner)

9. Enable System Restore (reverse the process of disabling)

10. Reboot


Post a new log for checking... thx


Emilio24

Post Edited (Emilio (SVK)) : 4/17/2005 11:15:32 AM GMT
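The moderator's list of entries to fix follows a pattern worth making explicit: a system.ini Shell= value that chains a second program after Explorer.exe, unknown files loaded from %WINDIR% or system32 by BHO (O2) and Run-key (O4) entries, and a vendor-less service (O23) living in the Windows root. The script below is an added example for this thread, not a HijackThis feature or anything posted by the forum members; it applies those rules to log lines copied from the logs posted here, and adds "review" flags (not verdicts) for O1 hosts overrides, R0/R1 search URLs it does not recognise, O23 services without vendor information and O10 Winsock hijacks. The allowlists KNOWN_SYSTEM_FILES and KNOWN_SEARCH_DOMAINS are assumed baselines constructed for the example.

```python
"""Triage HijackThis v1.99 log lines using the moderator's reasoning above.

Added example for this thread; not a HijackThis feature or a forum tool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the logs posted in this thread (albar's first log plus
# an O1, R1 and O10 line from the later logs).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=2139421293&id=5.0
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - F:\WINDOWS\system32\nsn8F.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cnywnc] f:\windows\system32\cnywnc.exe
O4 - HKLM\..\Run: [ap9h4qmo] F:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Apwheel] F:\WINDOWS\system32\8758.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O10 - Hijacked Internet access by New.Net
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe
"""

# Constructed baselines (assumptions for this example): Windows components that
# legitimately load from %WINDIR%\system32 via Run keys or as BHOs, and search
# providers not worth flagging.
KNOWN_SYSTEM_FILES = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe",
                      "rundll32.exe", "msjava.dll"}
KNOWN_SEARCH_DOMAINS = ("google.", "msn.com", "microsoft.com", "yahoo.com")

PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s",]+)')
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


@dataclass
class Finding:
    severity: str          # "suspicious" or "review"
    section: str           # HijackThis section tag, e.g. "O4"
    reason: str
    line: str
    path: Optional[str] = None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def target_path(sec: str, line: str) -> Optional[str]:
    """Pull the file a HijackThis line points at, per section layout."""
    if sec in ("O2", "O23"):               # file is the last " - " field
        return line.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()
    if sec == "F2" and "Shell=" in line:   # anything after Explorer.exe is the extra program
        m = PATH_RE.search(line.split("Shell=", 1)[1])
        return (m.group(1) or m.group(2)) if m else None
    if sec == "O4":
        if "] " in line:                   # Run-key entry: command line follows [name]
            m = PATH_RE.search(line.split("] ", 1)[1])
            return (m.group(1) or m.group(2)) if m else None
        if " = " in line:                  # Startup-folder .lnk entry: target follows " = "
            return line.split(" = ", 1)[1].strip()
    return None


def triage_line(line: str) -> Optional[Finding]:
    sec = line.split(" - ", 1)[0].strip()
    path = target_path(sec, line)
    if sec == "F2" and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":    # only Explorer.exe belongs here
            return Finding("suspicious", sec, "extra program chained onto Shell=", line, path)
    elif sec == "O1":
        return Finding("review", sec, "hosts-file override of a public host name", line)
    elif sec == "O10":
        return Finding("suspicious", sec, "Winsock LSP hijack reported by HijackThis", line)
    elif sec in ("R0", "R1") and "http" in line:
        if not any(d in line.lower() for d in KNOWN_SEARCH_DOMAINS):
            return Finding("review", sec, "search/start page not on the known list", line)
    elif sec in ("O2", "O4") and path:
        if SYSTEM_DIR_RE.match(path) and basename(path) not in KNOWN_SYSTEM_FILES:
            return Finding("suspicious", sec, "unknown file loaded from %WINDIR% or system32", line, path)
    elif sec == "O23" and "Unknown owner" in line and path:
        if WINDIR_ROOT_RE.match(path):
            return Finding("suspicious", sec, "vendor-less service running from %WINDIR% root", line, path)
        return Finding("review", sec, "service without vendor information", line, path)
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


def flagged_files(findings: List[Finding], severity: str = "suspicious") -> List[str]:
    """Sorted file names behind findings of the given severity (the delete list)."""
    return sorted({basename(f.path) for f in findings if f.severity == severity and f.path})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.section:4} {f.reason}: {f.line}")
    print("delete list:", flagged_files(triage(SAMPLE_LOG)))
```

On the sample the "suspicious" delete list comes out as exactly the six files the moderator told albar to kill and delete (Nail.exe, nsn8F.dll, cnywnc.exe, ap9h4qmo.exe, 8758.exe, svcproc.exe). A "review" finding is a prompt to check the file's publisher and signature rather than a verdict: the same O23 rule also flags McShield, which is McAfee's own scanning engine, so the allowlists have to be maintained per environment.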

albar
New Member
Posted 4-18-2005 6:04 (GMT +2)
#3: how do you show hidden files?

I have downloaded everything you said except Dr.Delete, which wouldn't work.
albar
albar
New Member
Posted 4-23-2005 11:41 (GMT +2)
Here's my new log:
 
Logfile of HijackThis v1.99.1
Scan saved at 10:40:17, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\WinZip\WZQKPICK.EXE
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\WINDOWS\system32\rundll32.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\wuauclt.exe
F:\hjt files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - F:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = F:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Autodesk Licensing Service - Unknown owner - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)
 
Cheers, albar
 
Mooky
New Member
Posted 4-29-2005 3:09 (GMT +2)
I've been fighting off spyware/adware for a number of years and have relied on the tried and true top 4... Ad-Aware, Spybot S&D, SpywareBlaster and WinPatrol.

Your list of remedial actions is impressive, and I had a system that was infected with "ABetterInternet" stuff, as well as VX2 and Nail.exe variants. Nasty stuff.

I'm curious what the "Fix" option in HijackThis does. It didn't seem to do anything in our case... also, in our case there was a task running HIDDEN from the Task Manager, as well as from the APT tool. How do we identify and kill hidden tasks? This Aurora thing keeps coming back! (eek)
fs_xecutioner
New Member
Posted 4-29-2005 3:59 (GMT +2)
Dude, I still have that Aurora thing also.
 
If I knew the name of the .exe (which I think it may be) I would...!!!
 
 
I even keep deleting it in the registry, but it keeps coming back.

Post Edited (fs_xecutioner) : 4/29/2005 2:05:40 AM GMT

Spytheweb
New Member
Posted 4-29-2005 4:39 (GMT +2)
Try RegRun. For the past 3 days I have had no Aurora popups.


http://www.greatis.com/appdata/d/_/_windir__nail.exe_Removal.htm
Mooky
New Member
Posted 4-29-2005 6:41 (GMT +2)
fs_xecutioner said...
Dude I still have that Aurora thing also.
Yeah, every time I killed the running task (it had TODO in the company line) two more would try to add themselves to the startup list and load in memory. I'm going to try the delete-on-boot method to nuke the files before they have a chance to load.
albar
New Member
Posted 4-29-2005 9:34 (GMT +2)
I don't have Aurora popping up anymore, however, so I think all those scans have worked. Internet's running fast and computer's healthy [or so I believe]. Thanks for the help.
Emilio (SVK)
Forum Moderator
Posted 4-29-2005 9:41 (GMT +2)
(for Albar)

Please post a new log. I am afraid that you are still infected.


Emilio24

albar
New Member
Posted 4-29-2005 10:17 (GMT +2)
Oh dear...


Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\WINDOWS\system32\nvsvc32.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\WinZip\WZQKPICK.EXE
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\WINDOWS\system32\rundll32.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Winamp\winamp.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\hjt files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - F:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = F:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Autodesk Licensing Service - Unknown owner - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)
 
 
cheers,
albar
 
Emilio (SVK)
Forum Moderator
Posted 4-29-2005 10:21 (GMT +2)
Try this process on this page:

forum.hijackthis.de/showthread.php?p=16128#post16128

Post a new log after that.


Emilio24

kranthi
New Member
Posted 4-29-2005 8:58 (GMT +2)
I have the same problem with Aurora...
 
The following is my log. Can you help me identify which ones to fix?
Thanks a lot,
Kranthi.
 
Logfile of HijackThis v1.99.1
Scan saved at 2:39:47 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\kravi\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=2139421293&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=2139421293&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=2139421293&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=2139421293&id=5.0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Machers Toolbar - {24783341-3411-418C-B6AE-A0775E852A6C} - C:\Program Files\Machers Toolbar\MachersToolbar_dyn.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zkyczc] c:\windows\system32\qfyhqod.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int121.com
O17 - HKLM\Software\..\Telephony: DomainName = int121.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int121.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = int121.com,intdom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int121.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = int121.com,intdom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = int121.com,intdom.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Emilio (SVK)
Forum Moderator
Posted 4-30-2005 12:50 (GMT +2)
Hi Kranthi

Try ABIremover.zip, which is placed on the previous page in my previous post.

Download ABIremover and follow the instructions on the mentioned page (unpack).

Also download the NewNet uninstaller >click here< (unpack).

Download Ad-Aware SE
www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot Search & Destroy
www.safer-networking.org/en/download/index.html

After installing these two programs, check for updates.

1. Reboot to Safe mode
2. Run ABIremover
3. Run NewNet uninstaller
4. Run a scan with Ad-AwareSE (full system scan and then scan volume for ADS)
5. Run a scan with SpyBot (press Immunize and then scan)
6. Reboot

Post a new log after that.

--------------------------------
Safe mode
service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam


Emilio24

fs_xecutioner
New Member
Posted 4-30-2005 9:07 (GMT +2)
Yeah that all worked. No more Aurora.
 
yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah yeah burger
atlantien
New Member
Posted 6-4-2005 6:01 (GMT +2)
Sorry, but I'm new to the logfile thing. Is it just Alt/Ctrl/Delete and what programs are running, or how do I get to it?