Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora again[RESOLVED]


  • This topic is locked This topic is locked

#1
Morti

Morti

    New Member

  • Member
  • Pip
  • 4 posts
Hi i had a nasty infection with all sorts of Trojans, Nail.exe, spyware and the works.The complete retirement package.I removed it at the same evening using Antivir, adaware, hyjackthis, and spybot.But i still geht aurora popups from time to time.

Here my log if u dont believe me.I am a purist concerning programs running in the background so the list is very small :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 19:22:28, on 09.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\ctfmon.exe
d:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Programme\hyjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Programme\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Programme\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - d:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - d:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

So where the heck is that Aurora popup coming from ?

P.s: I had an old version of hyjackthis.When i tried to post my message the forum informed me of that *g* In the new version i see that last entry O23 seems suspicious.But i already tried to delete that file with killbox and it seems to have gone already.But the entry cant be deleted with hyjackthis nevertheless.

Any thoughts ?


Mfg
Morti
  • 0

Advertisements


#2
Morti

Morti

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Never mind i got rid of it.must have been something in the temp folders because i got reinfected fullscale again when one of that popups fully loaded.I then disconnected from the net restartet in safe mode, cleared out all the temp folders and did a deep scan with adaware, spybot and tds-3.That last programm is really recommended it found some nasty files which the other ones missed !


Now its really gone, thank god

Morti
  • 0

#3
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You still have the Aurora 'Service' on your system. Did you set anything to about:blank?
  • 0

#4
Morti

Morti

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Which service ? The only thing left suspicous is that last line (file missing svcproc)and i dont know how to remove that since the file is no longer there and hijackthis cant fix it.It shows up erverytime i try to fix it.

Or did you mean something else ? Anyway that aurora popups are gone.For the time beeing it seems like all is well and quiet.I hope it stays that way.

Morti
  • 0

#5
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Yes, that's the one I'm talking about. That belongs to Aurora.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

System Startup Service (or SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

SvcProc

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES.
  • 0

#6
Morti

Morti

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
thanks a lot it worked nicely ! The service was already stopped i just had to switch startup type to disabled and remove it with hijackthis.

Thank you :tazz:
  • 0

#7
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome! :tazz:
  • 0

#8
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP