[daray]

Hi, I have become one of the many new victims of Aurora pop-ups. I have looked at many sites and forums and could use a little help. I have ran Ewido Security and HackTHis and Findit. Here are my two logs for HackThis and Findit. I do not know where to go from here. I can see the problem but not sure what are the best steps for removal??

I have also looked at the website that is recommended for removing Aurora; mypctuneup and it just looks a little bizarre. Does anyone know anything about this site. the exact link is as follows: www.mypctuneup.com/aurora

I would appreciate any and all help available.

Here are my logs.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:26 AM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Common Files\WinTools\WToolsS.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Google\ggviewer67-97.exe
E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~2\VPTray.exe
E:\WINDOWS\system32\hphmon04.exe
E:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\WINDOWS\seeve.exe
E:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
E:\WINDOWS\system32\nsvsvc\nsvsvc.exe
E:\WINDOWS\system32\picsvr\picsvr.exe
E:\WINDOWS\system32\HPHipm11.exe
E:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
E:\Program Files\Common Files\WinTools\WSup.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
e:\windows\system32\ivotwnd.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Invisage\Desktop\David's\Protection Apps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50243
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - E:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "E:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [HPHmon04] E:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] E:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] E:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [seeve] E:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [WinTools] E:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Nsv] E:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] E:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [TB_setup] E:\DOCUME~1\Invisage\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [hwllut] e:\windows\system32\ivotwnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...43/QDow_AS2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - E:\Program Files\Common Files\WinTools\WToolsS.exe



Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 05/13/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! E:\WINDOWS\System32\NCDYBQR.EXE
* UPX! E:\WINDOWS\NAIL.EXE
* UPX! E:\WINDOWS\SVCPROC.EXE

* Sniffed E:\WINDOWS\System32\DRPMON.DLL
* Sniffed E:\WINDOWS\System32\__DELE~1.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll


Thanks for any help that comes my way. It is greatly appreciated!!!

[Advertisements]

Welcome to GTG.

I see you are way ahead of all the others Since you did the preliminaries already, let's start the removal now.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

Uninstall WinTools from Add/Remove panel if listed.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

1. SKIP

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

E:\Windows\svcproc.exe
E:\Windows\Nail.exe
E:\Program Files\Common Files\WinTools\
E:\WINDOWS\seeve.exe
E:\WINDOWS\system32\nsvsvc\
E:\WINDOWS\system32\picsvr\
E:\windows\system32\ivotwnd.exe
E:\DOCUME~1\Invisage\LOCALS~1\Temp\tb_setup.exe
E:\Program Files\Common Files\WinTools\
E:\WINDOWS\System32\NCDYBQR.EXE
E:\WINDOWS\System32\DRPMON.DLL
E:\WINDOWS\System32\__DELE~1.DLL

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit

6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50243
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - E:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [seeve] E:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [WinTools] E:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Nsv] E:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] E:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [TB_setup] E:\DOCUME~1\Invisage\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [hwllut] E:\windows\system32\ivotwnd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...43/QDow_AS2.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O23 - ServicE: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
O23 - ServicE: WinTools for IE service (WinToolsSvc) - Unknown owner - E:\Program Files\Common Files\WinTools\WToolsS.exe

7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log. Again, try not to restart or shutdown during this time until you do the fixes that I will give you.

[greyknight17]

Welcome to GTG.

I see you are way ahead of all the others Since you did the preliminaries already, let's start the removal now.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

Uninstall WinTools from Add/Remove panel if listed.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

1. SKIP

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

E:\Windows\svcproc.exe
E:\Windows\Nail.exe
E:\Program Files\Common Files\WinTools\
E:\WINDOWS\seeve.exe
E:\WINDOWS\system32\nsvsvc\
E:\WINDOWS\system32\picsvr\
E:\windows\system32\ivotwnd.exe
E:\DOCUME~1\Invisage\LOCALS~1\Temp\tb_setup.exe
E:\Program Files\Common Files\WinTools\
E:\WINDOWS\System32\NCDYBQR.EXE
E:\WINDOWS\System32\DRPMON.DLL
E:\WINDOWS\System32\__DELE~1.DLL

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit

6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50243
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50243
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - E:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [seeve] E:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [WinTools] E:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Nsv] E:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] E:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [TB_setup] E:\DOCUME~1\Invisage\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [hwllut] E:\windows\system32\ivotwnd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...43/QDow_AS2.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O23 - ServicE: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
O23 - ServicE: WinTools for IE service (WinToolsSvc) - Unknown owner - E:\Program Files\Common Files\WinTools\WToolsS.exe

7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log. Again, try not to restart or shutdown during this time until you do the fixes that I will give you.

[daray]

Thank you for all your help. I went ahead and followed your instructions. Below are my new HackThis log and Findit's log.

When i rebooted the computer I did receive a windows prompt that said the nail.exe file could not be located. Is this all according to plan so far?

Logfile of HijackThis v1.99.1
Scan saved at 10:01:47 AM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Google\ggviewer67-97.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
e:\windows\system32\gsavqwc.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Documents and Settings\Invisage\Desktop\David's\Protection Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Uninstall_WinTools] E:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [onfsmta] e:\windows\system32\gsavqwc.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe



Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 05/14/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! E:\WINDOWS\System32\GSAVQWC.EXE
* UPX! E:\WINDOWS\EXE~1

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy E:\WINDOWS\EXE~1

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


This is all I've got right now. But so far I have not received a single pop up while reconnecting to the internet and surfing back to this site right now. (cross my fingers). I am hoping we are looking good right now...thanks you your awesome and most intelligent guidance. Let me know how this all looks I greatly appreciate it. Hopefully alll the problems are gone but i will let you be the judge of that. Also, if it is fixed...do i need to change any settings back that i have changed for this process? Thanks.

[daray]

Just an FYI....I just got an Aurora pop up right after I typed that reply.
I really hate this Aurora!!!!

[greyknight17]

Still have a little more to go, but we had made a lot of progress for that first try, so things are looking good.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. SKIP

2. SKIP

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

E:\Windows\svcproc.exe
E:\Windows\Nail.exe
E:\WINDOWS\System32\GSAVQWC.EXE
E:\WINDOWS\EXE~1

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit

6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe c:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] c:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [onfsmta] c:\windows\system32\gsavqwc.exe

7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log. Again, try not to restart or shutdown during this time until you do the fixes that I will give you.

[daray]

Okay. I have just followed the new directions. Here are my new logs. Again, thank you for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 3:13:58 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Google\ggviewer67-97.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
e:\windows\system32\uynefm.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Invisage\Desktop\David's\Protection Apps\HijackThis.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [qxvsunk] e:\windows\system32\uynefm.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - e:\windows\SvcProc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe



Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/15/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! E:\WINDOWS\System32\UYNEFM.EXE

* Sniffed E:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive E is Mordac E
Volume Serial Number is B8A2-CD4E

Directory of E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll



Thank you for taking your time to look at this.

[greyknight17]

OK, let's try something else.

Please download Nailfix from here:
http://users.pandora...chy/nailfix.zip
Unzip it to the desktop but please do NOT run it yet.

Boot into Safe Mode. Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Restart and post a new HijackThis log also.

[daray]

Sorry it took me so long to reply but the office has been busy lately. I hope you are still there to help me because I still need it. I am about to the point of reformatting. I am still getting these Aurora pop ups. Do I have any shot at getting rid of them still? I did find that during one of these steps my driver for our scanner was lost. Any way to get that back? Here are my new logs but I know Aurora is still with me because I have gotten two pop-ups since I have been back online.


Logfile of HijackThis v1.99.1
Scan saved at 12:50:08 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Google\ggviewer67-97.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
e:\windows\system32\hlflsq.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Documents and Settings\Invisage\Desktop\David's\Protection Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lyhmlp] e:\windows\system32\hlflsq.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:44:58 PM, 5/17/2005
+ Report-Checksum: A9FF6FD7

+ Date of database: 5/13/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 161822
+ Speed: 25.72 Files/Second
+ Infected files: 23
+ Removed files: 23
+ Files put in quarantine: 23
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
E:\
F:\

+ Scan result:
E:\Documents and Settings\Invisage\Cookies\envisage@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@list[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\K9QRCPM7\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\K9QRCPM7\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\MNYZWRIT\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
E:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
E:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
E:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
E:\WINDOWS\system32\nsvsvc\__delete_on_reboot__nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
E:\WINDOWS\system32\ojkeigq.exe -> Trojan.Agent.cp -> Cleaned with backup
E:\WINDOWS\system32\qswtcj.exe -> Trojan.Agent.cp -> Cleaned with backup
E:\WINDOWS\system32\ucrwtrg.exe -> Trojan.Agent.cp -> Cleaned with backup


::Report End

[greyknight17]

Do you want to format? I have worked with many users on this aurora problem and have had many successes. This infection will usually take more than a few tries to fix and I know some users here need their computers working soon and just don't have time to do this. So if you want to format, tell me now so that we can close this topic. Otherwise, I will continue helping you and hopefully get it resolved soon.

I'm using a new method here and not sure how successful this is. So I want you to do this again (see below) and if that fails, I will revert back to how I did it before using this method. So do the following (ignore the download part if you got them already, just go straight to the fixes/scans):

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.bat (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [lyhmlp] e:\windows\system32\hlflsq.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

e:\windows\system32\hlflsq.exe
E:\WINDOWS\Nail.exe
E:\WINDOWS\svcproc.exe

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

[daray]

Let's go ahead and try and get this bad boy. I can hold off the boss for another week.

I am in the process of running Ewido right now on the other computer. I will have the log ready in about an hour but I just wanted to let you know that the nailfix.bat wasn't available after I unzipped it. It does have a process.exe file that I ran (and another .cmd file) and it popped up a screen real quick. Was this the right file to run?

Thanks for sticking it out with me on this.

[daray]

Okay. Followed the directions. I didn't have the nailfix.bat The only files that were in the zipped folder were a .cmd file and Process.exe file. I ran the Process.exe file and followed the rest of the instructions. Here are my new logs.


Logfile of HijackThis v1.99.1
Scan saved at 11:39:11 AM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Google\ggviewer67-97.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Documents and Settings\Invisage\Desktop\Protection Apps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.envisageconsulting.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - E:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:18:47 AM, 5/18/2005
+ Report-Checksum: 668505BE

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 101 min
+ Scanned Files: 163581
+ Speed: 26.96 Files/Second
+ Infected files: 29
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
E:\
F:\

+ Scan result:
E:\Documents and Settings\Invisage\Cookies\envisage@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temp\DrTemp\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\K9QRCPM7\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\K9QRCPM7\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
E:\Documents and Settings\Invisage\Local Settings\Temporary Internet Files\Content.IE5\MNYZWRIT\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
E:\WINDOWS\.exe -> Spyware.BetterInternet -> Cleaned with backup
E:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
E:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
E:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
E:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
E:\WINDOWS\system32\fgccotq.exe -> Trojan.Agent.cp -> Cleaned with backup
E:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
E:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End


I ran the Ewido scan report in Safe Mode. I also ran hijackthis in safe mode and then clicked the 'fix' like directed. This hijack log is after i restarted. I hope that is what you wanted me to do. I didn't make a report for the hijack log, i just ran the scanner and fix on hijack. This log is after i rebooted.

It is now personal with this thing. I will do whatever to get this thing fixed. So I am ready for the next game plan.

[greyknight17]

It was an error on my part. It's nailfix.cmd (see below).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.envisageconsulting.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - E:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - ServicE: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

[daray]

Okay. Things worked a lot better using the .cmd file
Here are my new logs. I hope they are starting to look better. I can't find the nail.exe file anywhere.


Logfile of HijackThis v1.99.1
Scan saved at 9:20:53 AM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe
E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Google\ggviewer67-97.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Invisage\Desktop\Protection Apps\HijackThis.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crystal Query Server - Unknown owner - E:\Program Files\Seagate Software\Query Server\querysrv.exe" -service (file missing)
O23 - Service: Crystal Web Image Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crimgsvr.exe" -service (file missing)
O23 - Service: Crystal Web Page Server - Unknown owner - E:\Program Files\Seagate Software\Crystal Reports\crpgsvr.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:13:20 AM, 5/19/2005
+ Report-Checksum: B804F6B0

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 96 min
+ Scanned Files: 163998
+ Speed: 28.29 Files/Second
+ Infected files: 3
+ Removed files: 3
+ Files put in quarantine: 3
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
E:\
F:\

+ Scan result:
E:\Documents and Settings\Invisage\Cookies\envisage@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\envisage@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Invisage\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

[greyknight17]

Perfect

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[daray]

Everything seems to be running great now. NO MORE AURORA POP UPS!!!!!!
Thank you so much for helping me out. You will be well known here in Kansas. Everyone I know will hear the story of the GreyKnight

Thanks for all your time and effort. I appreciate it a lot.
-David


P.S. To anyone reading these logs....this guy's one smart cookie.