Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

aurora


  • This topic is locked This topic is locked

#1
AMSorbet

AMSorbet

    New Member

  • Member
  • Pip
  • 3 posts
I have been fighting this Aurora issue all day. I found a post on your site and I have...

Booted into safe mode
Ran nailfix
Ran Edwido Security Suite
Ran Hijack this

I am going to attach the log file from Edwido and Hijack. I will leave that pc in safe mode until I hear back.

Can anyone give me a clue on the next step??!?!?!


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:36:26 PM, 5/16/2005
+ Report-Checksum: 3450B468

+ Date of database: 5/16/2005
+ Version of scan engine: v3.0

+ Duration: 66 min
+ Scanned Files: 69833
+ Speed: 17.37 Files/Second
+ Infected files: 50
+ Removed files: 50
+ Files put in quarantine: 50
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\rphillips\Cookies\rphillips@5560198[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@62968629[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@88244075[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@ads.vnuemedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@asp[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@dcsp4kqizoifwzba77gm9fqc9_3w1v[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S130376[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S139288[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S148884[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S149247[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S151261[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\protector[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\version[1].exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\8X69QZY7\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\GVKNAD8N\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\MJ83IZ6H\downloaddll[1].htm -> Spyware.DealHelper.ab -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\O12741YB\download[1].htm -> Trojan.Popmon.a -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\O12741YB\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0499DA92-D976-46F8-8544-1FC1E8\1D3C792F-A402-47B5-AB19-E3B39C -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0499DA92-D976-46F8-8544-1FC1E8\F8151747-48E6-4ACF-99BC-220F4D -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\2CD09C46-1FCE-4DEA-A911-107850 -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\A4C20011-6D4B-4B18-B340-892B94 -> Spyware.BargainBuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\B029CFEC-699E-453B-A6A3-42E968 -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5F3F8AC9-8DFA-4441-8D16-A7F574\FD2C0251-EE3B-4777-8459-975C96 -> Spyware.CashBack.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\62D43DE2-B6BB-4323-842C-476948\57D72C68-E5E0-4BCD-8EEC-AA0443 -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\00F3923E-755E-4479-85E3-910983 -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\125CED53-B1B2-4BFC-AD96-D0CB5F -> Spyware.VirtualBouncer.j -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\8A5F0AE6-6560-4A01-A621-0A37F2 -> Spyware.VirtualBouncer -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\F479B9BE-1EFD-451F-B546-725182 -> Spyware.VirtualBouncer.j -> Cleaned with backup
C:\WINDOWS\delcvwmongt.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ieatgpc.dll -> Spyware.WebEx -> Cleaned with backup
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll -> Spyware.EliteBar.z -> Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWS\system32\bngkox.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\eliteslj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitewgf32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitexie32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack.b -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack.d -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:37:43 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\rphillips\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [InterBase Server] C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vp6O33T] dpchlp32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spsi.webex.c...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://64.251.13.37/...tivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conco.lan
O17 - HKLM\Software\..\Telephony: DomainName = conco.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conco.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conco.lan
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
  • 0

Advertisements


#2
pomp

pomp

    the man

  • Member
  • PipPipPipPip
  • 1,366 posts
Hello, are you still having problems?? If so, please post a new hijackthis log.
  • 0

#3
AMSorbet

AMSorbet

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks for the reply. I was able to remove aurora only to reboot into a different profile to get back some other spyware I thought I had already removed. I was under the gun to get him up and running before some vacation I had planned so I just burned him down. Do you have any advice for spyware with multiple profiles??

This was my first time in one of these forums. Is there a procedure to close this topic when we are done?
  • 0

#4
pomp

pomp

    the man

  • Member
  • PipPipPipPip
  • 1,366 posts
Hello, do you mean to help prevent spyware? If so, here....

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot.  Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system.  It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc.  Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must!  Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have.  Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser.  There are safer and better alternatives available.  I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.




Also, just reply back when you get this, then I will close this topic.
  • 0

#5
AMSorbet

AMSorbet

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I currently use adaware se. I also use Microsoft's version. A lot of times these programs will find the spyware and say it is removing and it doesn't completely remove. It also seems like when you log on with another profile, the computer reinfects itself.

Anyway, thanks for your time. I appreciate the links you sent. I will read through it all. Spyware seems like it is becoming more and more a part of my job lately.
  • 0

#6
pomp

pomp

    the man

  • Member
  • PipPipPipPip
  • 1,366 posts
This topic is now closed, if you need it reopened, PM a staff member with a link to this topic
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP