Taken over by Aurora [RESOLVED]



#1 kepayne228 (Member, 79 posts)

Hello good people of Geeks to Go. Any help is greatly appreciated.

I am having a problem with constant Aurora pop-ups and I cannot access many of the websites I usually go to.

I have followed your instructions from the "Posting a HijackThis Log" section

The following is my HijackThis log and Ewido Log

Logfile of HijackThis v1.99.1
Scan saved at 1:08:49 PM, on 6/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118249633983
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BROTHERHOODCRUSADE.ORG
O17 - HKLM\Software\..\Telephony: DomainName = BROTHERHOODCRUSADE.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{1523ECD0-B4BE-4E7C-890B-365F053CFCE2}: NameServer = 192.168.1.2,206.13.29.12,216.219.253.211,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BROTHERHOODCRUSADE.ORG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido Log


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:24:13 PM, 6/8/2005
+ Report-Checksum: FF98C6A9

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 31 min
+ Scanned Files: 55834
+ Speed: 29.89 Files/Second
+ Infected files: 47
+ Removed files: 47
+ Files put in quarantine: 47
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Local Settings\Temp\temp.frB46A -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Local Settings\Temp\VTU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP702\A0060849.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP719\A0061451.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP719\A0061473.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP719\A0061477.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP720\A0061530.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP721\A0061537.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061543.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061546.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061551.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061576.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061577.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061579.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP722\A0061586.dll -> Spyware.Winsta -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061629.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061635.dll -> Spyware.Winsta -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061654.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061655.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061666.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061667.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP723\A0061668.dll -> Spyware.Winsta -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061686.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061688.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061706.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061716.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061718.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0061998.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062003.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062012.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062013.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062017.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062020.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062021.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062022.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062026.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062027.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\ahwzrqx.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\NDNuninstall4_50.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_20.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup


::Report End

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Update to Service Pack 1a at your earliest convenience. Hold off on SP2 until we are all clear.

Let's try this again:

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net...wnload/updates/ Do NOT run the Ewido scan yet.

Please download Nailfix at http://www.noidea.us...050515010747824 Unzip it to the desktop but do NOT run it yet.

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Save the log from the Ewido scan so that you can post it later.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Close all open windows except for HijackThis and click Fix Checked.

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the results here along with the new HijackThis log. Also post the Ewido scan results here.

Then do this:
Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here
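A small triage helper for the HijackThis entry types the post above asks the user to fix, added here as an example (it is not Geeks to Go's, greyknight17's or HijackThis's own code). It encodes the four fix rules as checks over log lines copied from the first post; the Trusted Zone allow-list is an assumption.

```python
"""Triage a HijackThis v1.99 log for the entry types flagged in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted at the top of
# the thread, copied verbatim so the rules can be checked against the
# helper's fix list.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118249633983
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Hosts whose Trusted Zone entries are expected on a patched XP box (assumption).
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")

# "O16 - DPF: ..." -> section "O16", body "DPF: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(section, body, raw_line)] for every HijackThis entry line."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body"), raw.strip()))
    return out


def host_of(value):
    """Normalise a URL or bare host from an O15/O16 entry to a comparable host."""
    host = urlparse(value).hostname if "://" in value else value.split("/")[0]
    host = (host or "").lower()
    for prefix in ("*.", "www."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host


def zone_host(body):
    """Host named by an 'O15 - Trusted Zone: ...' body, or None for other O15 kinds."""
    if not body.startswith("Trusted Zone:"):
        return None
    return host_of(body.split(":", 1)[1].strip())


def under(host, domains):
    """True if host equals or is a subdomain of any domain in the collection."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text, allow=TRUSTED_ZONE_ALLOW):
    """Flag the entry types this thread's helper asked to be fixed.

    R3  default URLSearchHook missing
    O15 Trusted Zone host not in the allow-list
    O16 ActiveX (DPF) download served from a host that also appears in a
        flagged O15 entry: the installer granted itself Trusted Zone status
    O23 service whose binary HijackThis reports as '(file missing)'
    Returns a list of (raw_line, reason).
    """
    entries = parse_hjt(text)
    # First pass: collect Trusted Zone hosts outside the allow-list so the
    # O16 rule can correlate ActiveX downloads with them.
    bad_zone = {zone_host(b) for s, b, _ in entries if s == "O15"}
    bad_zone = {h for h in bad_zone if h and not under(h, allow)}
    findings = []
    for sec, body, raw in entries:
        if sec == "R3" and "URLSearchHook is missing" in body:
            findings.append((raw, "default URLSearchHook missing"))
        elif sec == "O15" and zone_host(body) in bad_zone:
            findings.append((raw, "Trusted Zone host outside allow-list"))
        elif sec == "O16" and under(host_of(body.rsplit(" - ", 1)[-1]), bad_zone):
            findings.append((raw, "ActiveX download from a flagged Trusted Zone host"))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append((raw, "service points at a missing binary"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```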

#3 kepayne228 (Topic Starter, Member, 79 posts)

Help! I cannot get to the Sp1a download page. My computer has been taken over!

Any suggestions?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

OK, try doing the other things I mentioned first then. Restart and try again. Post the new logs I asked for also.

#5 kepayne228 (Topic Starter, Member, 79 posts)

Sorry it has taken me so long to reply again. I probably have to start all over, don't I?

I think I loaded the Windows SP 1a pack.

The point where I am having trouble is where I was to reboot in Safe Mode and double-click on nailfix.cmd. When I reboot in Safe Mode there is no nailfix.cmd on my desktop. There is one folder with no label, but when I click on it nothing at all happens. Is this normal?

Please help, I will make sure to do everything you tell me TODAY.

Thanks again.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

OK, I guess you never went into Safe Mode before, right? Safe Mode usually has a separate administrator account. So if you saved the nailfix.cmd to a folder on your desktop (or just on your desktop), you will have to navigate to that user account's desktop to get it. This happens to all users, so it's normal.

To do that, go into My Computer->Documents and Settings->your_username_folder->Desktop and look for that nailfix.cmd file. For the your_username_folder part, look for the folder that has the account name you login to in Normal Mode. That should be where the nailfix.cmd file is located.

Follow the rest of the instructions and post back those new logs I asked for when you are done.

#7 kepayne228 (Topic Starter, Member, 79 posts)

Okay, I ran HijackThis while in Safe Mode, but I did not save it. Should I run one now?


These are the Ewido scan and FindIt's results


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:15:49 AM, 6/16/2005
+ Report-Checksum: 7BB1F800

+ Date of database: 6/16/2005
+ Version of scan engine: v3.0

+ Duration: 42 min
+ Scanned Files: 54537
+ Speed: 21.48 Files/Second
+ Infected files: 26
+ Removed files: 26
+ Files put in quarantine: 26
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@247realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@adrevolver[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@html[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@LPneimanmarcus[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Cookies\tfoster@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062037.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062038.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062039.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP725\A0062040.dll -> Spyware.Winsta -> Cleaned with backup

Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 06/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2C3D-C939

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2C3D-C939

Directory of C:\WINDOWS\system32

06/08/2005 09:37 AM 2,238 partypoker.ico
1 File(s) 2,238 bytes
0 Dir(s) 30,673,063,936 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst
HKEY_CURRENT_USER\Software\aurora\AUL3a5stMotsSDay
HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin
HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSDist

Going to do the Active Scan now, will post results shortly

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Run HijackThis in Normal Mode and save the log. Post the new log here along with your Panda log (after it's done).

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete aurora

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\system32\partypoker.ico

Awaiting the HijackThis and Panda logs now...

#9 kepayne228 (Topic Starter, Member, 79 posts)

HijackThis log and ActiveScan results


Logfile of HijackThis v1.99.1
Scan saved at 11:49:59 AM, on 6/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TFoster.BROTHERHOODCRUS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118249633983
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BROTHERHOODCRUSADE.ORG
O17 - HKLM\Software\..\Telephony: DomainName = BROTHERHOODCRUSADE.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{1523ECD0-B4BE-4E7C-890B-365F053CFCE2}: NameServer = 192.168.1.2,206.13.29.12,216.219.253.211,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BROTHERHOODCRUSADE.ORG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Active Scan

Incident  Status  Location

Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/ScBar No disinfected C:\Program Files\Winex
Adware:Adware/DownloadWare No disinfected C:\Program Files\mlh
Adware:Adware/PortalScan No disinfected C:\Program Files\Common Files\slmss
Adware:Adware/DelFinMedia No disinfected C:\Program Files\DelFin
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_80.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_94.exe

#10
kepayne228

    Member

  • Topic Starter
  • 79 posts
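A small parser for entries in the HijackThis log format shown above, added here as an example (it is not part of the thread and not HijackThis code). The sample lines are constructed from the entries quoted above, and the set of trusted resolver addresses is an assumption the caller supplies.

```python
import ipaddress
import re

# Constructed sample in the shape of a HijackThis v1.99 log (values mirror the thread above).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1523ECD0-B4BE-4E7C-890B-365F053CFCE2}: NameServer = 192.168.1.2,206.13.29.12
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = BROTHERHOODCRUSADE.ORG
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\DefWatch.exe
"""

# HijackThis entries start with a section tag (R0-R3, F0-F3, N1-N4, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Split a log into (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def orphan_entries(entries):
    """Entries whose target binary no longer exists: HijackThis marks them '(no file)'."""
    return [f"{s} - {b}" for s, b in entries if b.endswith("(no file)")]


def name_servers(entries):
    """Resolver addresses from O17 NameServer lines, in the order they appear."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer = " in body:
            servers.extend(ip.strip() for ip in body.split("NameServer = ", 1)[1].split(","))
    return servers


def unexpected_name_servers(entries, trusted):
    """Resolvers that are neither on the LAN (RFC 1918) nor in the caller's trusted set."""
    return [ip for ip in name_servers(entries)
            if ip not in trusted and not ipaddress.ip_address(ip).is_private]
```

Orphaned O9 buttons and O17 resolvers not on the trusted list are the two things this check surfaces for review; everything else stays in the parsed list untouched.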
Two things,

First, at the end of your last post it says something about the party poker icon. Should I just wait for that later?

Second, you say I need to "save the registry somewhere as a backup".

How do I make that backup?


Thanks

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you install the Party Poker program on June 8? If not, remove that ico file.

The instructions were given for the backup there. All you have to do is go to File->Export Registry and save it somewhere. That's the backup.

C:\Program Files\Winex
C:\Program Files\mlh
C:\Program Files\Common Files\slmss
C:\Program Files\DelFin
C:\GatorPatch.log
C:\WINDOWS\NDNuninstall4_80.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_94.exe

See if you can find any other NDNuninstall exe files there and delete them.

Check and fix this in HijackThis:

R3 - Default URLSearchHook is missing

No need for a new log.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Update to XP SP2 as soon as possible.
Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#12
kepayne228

    Member

  • Topic Starter
  • 79 posts
Everything looks good so far. Might need you for my laptop next.

Thank you!

Check your PayPal account, I did what I could...


:tazz:

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.