LOTS OF PROBLEMS! Aurora...

#1 hiyamoose (New Member, 3 posts)

Having seen the other posts, I will simply post the log file from my latest Ad-Aware scan. Seems like VX2 is everywhere with AURORA. Tried the VX2 cleaner, which always says clean. Tried the killbox with nails.exe. What else can I do?

Logfile removed: Incorrect Logfile type posted

Edited by Andy_veal, 31 May 2005 - 03:22 AM.


#2 hiyamoose (Topic Starter)

Greyknight

Do I have ewido make corrections or no? I set it to no to get a complete log. Do I need to do this differently?

thanks for the help

#3 hiyamoose (Topic Starter)

Okay Greyknight - here's everything you asked for:

Ewido Scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:42:35 PM, 5/30/2005
+ Report-Checksum: BBF01D58

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 112 min
+ Scanned Files: 202546
+ Speed: 30.10 Files/Second
+ Infected files: 67
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\

+ Scan result:
C:\Documents and Settings\Jason\Cookies\jason@14254446[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@20262100[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@45813911[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@86859256[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@burstnet[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@com[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcs0sapavqljwp9m8brr0j29b_1l1j[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcs375hcwoifwzzshyym5x58f_1i9u[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcskqeg2voifwznnd6alhtnei_8f3u[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@gostats[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@indiads[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@link[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@LPplayersonly[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@LPquadratec[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@p[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S113855[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S115270[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S123831[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S124248[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S130376[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S148884[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S149247[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S151261[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\fen0eGA.exe -> TrojanDownloader.IstBar.hp -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\QGE\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\RarSFX0\rinst.exe -> TrojanSpy.Perfloger.h -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\temp.fr3C4B -> Trojan.Agent.db -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\temp.fr4E38 -> TrojanDownloader.Intexp.c -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@45813911[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@47780556[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@60960915[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@cj[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@html[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@link[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S130376[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S139314[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S151568[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\0T2RW12V\Poller[1].exe -> Trojan.Agent.cp -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\WH2V0PMJ\Nail[2].exe -> Trojan.Nail -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\ZUOBZTS5\svcproc[2].exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\system32\bpk.exe -> TrojanSpy.PerfectKeyLogger.ad -> Ignored
C:\WINDOWS\system32\bpkhk.dll -> TrojanSpy.PerfectKeyLogger.ac -> Ignored
C:\WINDOWS\system32\bpkr.exe -> TrojanSpy.Perfloger.h -> Ignored
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Ignored
C:\WINDOWS\system32\ltgxrdt.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\system32\rinst.exe -> TrojanSpy.Perfloger.h -> Ignored
D:\Music\Lavasoft Ad-Aware SE Professional 1.06 New Retail.rar/Lavasoft Ad-Aware SE Professional 1.06 New Retail\Lavasoft Ad-Aware SE Professional 1.06.exe -> TrojanDropper.Agent.fr -> Ignored
D:\Music\quicken 2005 (keygen only).zip/quicken 2005 (keygen only).exe -> Spyware.Hijacker.Generic -> Ignored
J:\My D Documents\Program dls\Quicken 2003\Lexware Quicken 2003 Deluxe crack .exe -> Dialer.Generic -> Ignored
J:\My D Documents\Program dls\Quicken 2005\quicken 2005 (keygen only).zip/quicken 2005 (keygen only).exe -> Spyware.Hijacker.Generic -> Ignored


::Report End

New hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:54:46 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
J:\My D Documents\Program dls\CCleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qimsvk] c:\windows\system32\ltgxrdt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102210545913
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

and the FindIt's log


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\EHBIXJ.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is DSK1_VOL1
Volume Serial Number is E6FE-6400

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is DSK1_VOL1
Volume Serial Number is E6FE-6400

Directory of C:\WINDOWS\system32

05/28/2005 07:02 PM 4,286 greenmovie2311.ico
05/28/2005 07:02 PM 3,262 kill all spyware4.ico
05/28/2005 07:02 PM 3,262 poker11212.ico
05/28/2005 07:07 PM 19,942 virushunter1231.ico
4 File(s) 30,752 bytes
0 Dir(s) 34,369,683,456 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver


what can I do now?

#4 Andy_veal (Guest)

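As an added illustration, not part of the thread and not code from HijackThis or ewido: a small Python triage script that reads lines in the HijackThis log format posted above and flags the three patterns visible in that log, the altered Winlogon Shell value (F2), Run entries launching from the Windows directory root or carrying a generated-looking executable name (O4), and a service with no vendor string whose binary sits in the Windows root (O23). The sample lines are constructed after the log above, and the heuristics are my assumptions, not HijackThis rules.

```python
import re

# Constructed sample in HijackThis v1.99 log format, shaped after the
# entries in the thread above (a subset, not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qimsvk] c:\windows\system32\ltgxrdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
WINDIR = "c:\\windows\\"

def in_windir_root(path):
    """True when the binary sits directly in C:\\WINDOWS, not in a subfolder."""
    p = path.strip().strip('"').lower()
    return p.startswith(WINDIR) and "\\" not in p[len(WINDIR):]

def flag_line(line):
    """Return a reason string if the entry looks hijacked, otherwise None."""
    if m := F2_RE.match(line):
        # Winlogon Shell should be exactly Explorer.exe; extras start at every logon.
        shell = m.group(1).strip()
        if shell.lower() != "explorer.exe":
            return "Shell value altered: " + shell
    elif m := O4_RE.match(line):
        cmd = m.group(2)
        if in_windir_root(cmd):
            return "Run entry launches from %WINDIR% root: " + cmd
        # Heuristic (assumption): a vowel-less executable name is usually generated.
        exe = cmd.strip().strip('"').lower().split("\\")[-1].split()[0]
        if not any(v in exe.split(".")[0] for v in "aeiouy"):
            return "Run entry with random-looking name: " + exe
    elif m := O23_RE.match(line):
        svc, owner, path = m.groups()
        # No vendor string plus a binary in %WINDIR% root: both rare for real services.
        if owner == "Unknown owner" and in_windir_root(path):
            return "Unattributed service in %WINDIR% root: " + svc
    return None

def triage(log_text):
    """Return (line, reason) pairs for every flagged entry, in log order."""
    hits = [(ln.strip(), flag_line(ln.strip())) for ln in log_text.splitlines()]
    return [(ln, why) for ln, why in hits if why]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```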
In order to assist you, we need to see the log from an Ad-Aware SE 1.06r1 full system scan.

Important Note! Before performing a scan, be sure that you have the most recent definitions file by using WebUpdate. (Click on the Globe icon, Click connect, Click OK, Click Finish.) At this current point * SE1R48 30.05.2005 * is the most recent definition file.

Ad-Aware SE comes preconfigured with default options so we need you to make only one change. Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile".

Please copy/paste the complete log file here using the reply button. Don't quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next.

Please post back if you have any questions or other problems.


Good luck

Andy

Edited by Andy_veal, 31 May 2005 - 03:23 AM.
