Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

aurora again

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
Hi All

New to all this, but got this pain in the proverbial aurora thing the other day, and its bugging the [bleep] out of me.

I've scanned a few of the forums, and followed some of the advice there, getting me to this point. I've downloaded and run nailfix, done a ewido scan, and a hijack this log.

Question is, am I now clean!

Ewido lo here

ewido security suite - Scan report

+ Created on: 13:35:26, 18/05/2005
+ Report-Checksum: 80B3B520

+ Date of database: 18/05/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 113634
+ Speed: 63.63 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:

+ Scan result:
C:\Documents and Settings\fatboy\Local Settings\Temporary Internet Files\Content.IE5\4XURGH2Z\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\019F8EDC-1BD4-4AC9-9CF4-D0423F\083DE058-20F7-4B68-9966-1D1F8C -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F6F24D2-A0F5-44F0-A4F5-F0F728\E0E04A0B-948C-4F3C-8C3C-FAD5DA -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\264ED6A9-0DA1-4841-A49F-4279E6 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\577B8D2A-4A9C-4B86-B926-BBC7A8 -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\BDAD9432-4754-4B91-B3C4-B716DD -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DE98650B-9FA5-4978-B630-735200\E4955903-0D17-4908-95C1-2A5263 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E176A4C6-4263-4A9B-AD78-D18D40\10E24F4E-1E7B-47B3-BC27-712B11 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E176A4C6-4263-4A9B-AD78-D18D40\1D460E50-2663-4F53-B348-F0A4D3 -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\ravbogzgyy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\drivers\etc\HOSTS.bak -> Trojan.Qhost.av -> Cleaned with backup
E:\program files and downloads\WinXP CDKey Changer [sUprass]\xp_cd_key_changer\update_xp_cd_key.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup
E:\program files and downloads\WinXP CDKey Changer [sUprass].zip/xp_cd_key_changer/update_xp_cd_key.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup
E:\program files and downloads\xpkeykit.zip/changekey.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup

::Report End

And my hijack this log is as follows

Logfile of HijackThis v1.99.1
Scan saved at 13:36:17, on 18/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\fatboy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.cha...57&f=5796002921
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.cha...57&f=5796002921
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=150 T=4 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [DeleteDAE] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\dae.dll"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe " -silent
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide\client.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Autorun Killer.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://H:\Resources\IntraLaunch.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48148DBB-6FA8-4794-A60D-659F0FDD21D7}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B249D21-FAAD-42AF-B96C-1F3465AE56F0}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{D08737A7-B35B-439F-9D33-93201AE4317A}: NameServer =,
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Thanks in advance for your help, you guys rule!

  • 0




    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome tomcierzo to Geeks to Go!

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.


Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

O4 - HKLM\..\RunOnce: [DeleteDAE] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\dae.dll"

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close HiJackThis.
Reboot the computer.


Download CleanUp!.
If that doesn’t work, use this link.

Find and doubleclick the file cleanup.

Go to option
Select ‘custom’
Put a check to:* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.


Please download the trial version of Ewido Security Suite here:
Install it, and update the definitions to the newest files.
Then please run Ewido, and run a full scan. Save the logfile from the scan.


Post back here in this topic with a fres log using HijackThis and the scanlog from Ewido.

As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 09 June 2005 - 03:24 PM.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP