[TheClamps]

Okay, I tried getting this malware off of my computer with all of the other addware programs on this site (even though I read that the normal addware programs didn't work on this spyware in the lavasoft forum), and none of them seem like they want to get Aurora off of my computer.

I followed all of the instructions on this site and this is the last option I was left with.


So here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:59:02 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ryan\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mxqjzm] c:\windows\system32\tppscqf.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Sorry if I forgot to do something before I posted here. I just really want my computer to get fixed, and I'm sick of always having to deal with spyware.


I'd be very very very greatful if someone could help me with this.

[Advertisements]

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log

Regards,

[Metallica]

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log

Regards,

[TheClamps]

Okay, I tried everything you said in the order you said it and when I get to the part where I need to open the RKFILES.BAT file while in safe mode, I think it's having a problem. I don't know if it's normal for it to just repeat "1 object found" 3 or so times and then it displays a line telling you to wait for the dos window to close and then look at some specific text file.


And it just sits like that and doesn't move. Maybe I didn't wait long enough or something; but I'm going to go try again.


Just checkin in, ya know, keepin ya updated =)


And I really really really really really appreciate you taking your time to help me out.

[Metallica]

You didn't wait long enough.

Go take a shower, walk the dogs, sip some coffee.
Then take a looksee if it's done.
Sitting in front of the screen waiting will seem to take ages.

Regards,

[TheClamps]

You didn't wait long enough.

Go take a shower, walk the dogs, sip some coffee.
Then take a looksee if it's done.
Sitting in front of the screen waiting will seem to take ages.

Regards,

yessir you were right


I brought my younger brother to school and I came back and it was there waiting for me.


Anyway, this is what the log says:

C:\Antispyware\RKFiles folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dtndsrx.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\dhdjmgfjvs.exe: UPX!
C:\WINDOWS\Nail.exe: UPX!
Finished
bye


I hope this tells you something because aurora is a real pain in the you know what, if you know what I mean

and again, I really really appreciate this. I know how boring and tedious looking at code and stuff can be especially if you're not getting anything out of it.

[Metallica]

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://users.pandora...chy/nailfix.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [mxqjzm] c:\windows\system32\tppscqf.exe

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,

[TheClamps]

I gotta go to my graduation practice right now, but I'll do it when I get back and post the results!


Thanks!

[Metallica]

OK, later

[TheClamps]

Okay, I did all of that stuff you told me to do like you told me to do it



and now when my computer boots up it's makes weird noises and says some windows nail file is missing O_o..



I'm confused now.

[Metallica]

No problem. It's actually a good sign that Nail.exe is missing.

Post a HijackThis log and we will get rid of that error.

Regards,