Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Remove Aurora [RESOLVED]


  • This topic is locked This topic is locked

#1
sebbel

sebbel

    New Member

  • Member
  • Pip
  • 4 posts
i will post a new one thx

Edited by sebbel, 13 June 2005 - 04:18 AM.

  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_04da.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_04da.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [WINDOWStriods] C:\WINDOWS\triods.exe

O4 - HKLM\..\Run: [twrkcb] c:\windows\system32\khhykkf.exe r
O4 - HKLM\..\RunServices: [MP Services] mpsvc.exe
O4 - HKLM\..\RunServices: [MS Manager32c Startup] manager32c.exe
O4 - HKLM\..\RunServices: [scvhost] spoolsv32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] krxeml.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe

O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_04da.dll"

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,
  • 0

#3
sebbel

sebbel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I've now done everything you said, and it feels very good :tazz: Here is my new logfile from HijackThis. Tell me if there is anything bad left on my computer please.

Logfile of HijackThis v1.99.1
Scan saved at 11:52:49, on 2005-06-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Creative\ShareDLL\CtNotify.exe
C:\Program\NORTON~1\navapw32.exe
C:\Program\Creative\ShareDLL\MediaDet.Exe
C:\Program\Telia\Supportassistent\bin\tgcmd.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\Winamp\winampa.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Sebastian\Mina dokument\Allt\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.humanclock.com/clock.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TeliaTGCMD] "C:\Program\Telia\Supportassistent\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9881F2-98CC-4F15-BC5C-CEBCDA478910}: NameServer = 10.0.0.1
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: dlite (dllmanager.exe) - Unknown owner - C:\WINDOWS\System32\dllmanager.exe" -netsvcs (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Thx a lot!!
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Looks good to me. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0

#5
sebbel

sebbel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks a lot, it's very good thing you are doing here!! :tazz: ;)
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP