Hijackthis log - aurora


  • This topic is locked

#1
Drege

Member, 12 posts

Hi!

I have had some problems with Aurora (and maybe other things?). I have gone through your guide and also read other Aurora topics and followed all steps.

Here is my fresh log taken after cleaning out what I found.


Logfile of HijackThis v1.99.1
Scan saved at 05:09:58, on 2005-06-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
c:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Saitek\Software\Profiler.exe
C:\Program\Saitek\Software\SaiMfd.exe
C:\Program\Delade filer\ACD Systems\EN\DevDetect.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ägaren\Skrivbord\cleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bredband.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Device Detector] "C:\Program\Delade filer\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe


It would be nice to know if I have been able to clean it out or if there is still something left =).
  • 0



#2
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

Welcome Drege to Geeks to Go!

Copy and paste the text from the box to an empty file in Notepad.
dir %SystemDrive%\*ndw*lib.dll /a h /s >> look.txt
Save this as look.bat
Choose to save as all files and place it on your desktop.
Now double-click on look.bat and it will scan.
Notepad will open afterwards with some text in it, so copy and paste this in your next reply.
  • 0

#3
Drege

Member, Topic Starter, 12 posts

Ok here it is!

Volymen i enhet C har etiketten PRESARIO
Volymens serienummer är 8079-5B4C


I'm kinda curious what you can get out of that =). The text was in Swedish, which is my language. Don't know if that matters, since I guess you know what you are looking for in those two lines, but I'll translate the Swedish anyway =P.

The volume in unit C has the label PRESARIO
The volume's serial number is 8079-5B4C
  • 0

#4
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

Looks as if this is all that was left behind then:


Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.
Reboot the computer.

***

Do this:

Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan! Post them here in your reply please.
  • 0
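
The O15 and O16 entries picked out in the post above share one domain: a site that is both in the Trusted Zone and the download source of an ActiveX (DPF) component. The following is an added example, not part of the thread and not HijackThis code, that finds such pairs automatically; the function names are hypothetical and the sample lines are copied from the log posted earlier.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Entry lines look like "<section code> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<code>[ROF]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (section_code, body, full_line) for every R/O/F entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match["code"], match["body"], line))
    return entries


def norm_host(value):
    """Reduce a URL or bare/wildcard domain to a comparable lowercase host."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlparse treat a bare domain as a host
    host = (urlparse(value).hostname or "").lower()
    for prefix in ("*.", "www."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host


def correlate_trusted_zone_downloads(log_text):
    """Pair each O16 (DPF) entry with an O15 Trusted Zone entry on the same domain."""
    entries = parse_entries(log_text)
    trusted = {}
    for code, body, line in entries:
        if code == "O15" and body.startswith("Trusted Zone:"):
            trusted[norm_host(body.split(":", 1)[1])] = line
    hits = []
    for code, body, line in entries:
        if code != "O16":
            continue
        # The codebase URL is the last " - " separated field of a DPF entry.
        host = norm_host(body.rsplit(" - ", 1)[-1])
        for zone, zone_line in trusted.items():
            if zone and (host == zone or host.endswith("." + zone)):
                hits.append((zone, zone_line, line))
    return hits


if __name__ == "__main__":
    for zone, zone_line, dpf_line in correlate_trusted_zone_downloads(SAMPLE_LOG):
        print(f"[{zone}]\n  {zone_line}\n  {dpf_line}")
```
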

#5
Drege

Member, Topic Starter, 12 posts

Are you sure I should remove the expekt.com one? I use their poker software tbh ;P

NM, I deleted it anyway =).

Edited by Drege, 16 June 2005 - 11:32 AM.

  • 0

#6
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

I'm just having you remove a button, the poker game files are still there. If you know and trust this poker game, leave it.
  • 0

#7
Drege

Member, Topic Starter, 12 posts

OK. Here is the activescan report:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\iE.tmp
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\0HGNO3SZ\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\0HGNO3SZ\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\25KBMDY5\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\25KBMDY5\webservice[4].htm
Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\QXXMB6X4\ADL[1].CHM[adl.htm]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\YV2JYDEZ\webservice[4].htm
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Ssk.log
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\system32\c.bat
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\ii
Adware:Adware/Transponder No disinfected C:\WINDOWS\xzbwfw.exe
  • 0

#8
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

Open HijackThis.
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
SurfSideKick
Press ‘delete this entry’.
Close HijackThis.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Find and double-click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Use Windows Explorer to remove this folder:
c:\program files\surfsidekick\

***

Reboot back to normal mode.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.

***

Run ActiveScan again. Post me that log to check.
  • 0

#9
Drege

Member, Topic Starter, 12 posts

Hmm, I couldn't find any SurfSideKick items to delete, I don't even have a program files folder =P.

Anyway, here are the logs

uninstall list:

ACDSee 6.0 PowerPack
Ad-Aware SE Personal
Adobe Acrobat 5.0
ArcSoft ShowBiz 2
ATI - Hjälp för avinstallation av program
ATI Control Panel
ATI Display Driver
Bazooka Scanner
CleanUp!
Creative Driver
Creative MediaSource
DAEMON Tools
DC++ 0.674
DiamondCS TDS-3
DivX
DivX Player
ewido security suite
Expekt.com Poker
HijackThis 1.99.1
Intel® Extreme Graphics Driver
InterVideo WinDVD Player
InterVideo WinDVRX
Java 2 Runtime Environment SE v1.4.1_02
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft Word 2002
Microsoft Works 7.0
MSN Messenger 7.0
Norton AntiVirus 2003
Norton WMI Update
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
Pacific Fighters
PlayGATE Setup
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
RecordNow!
S3Display
S3Gamma2
S3Info2
S3Overlay
Secret Weapons Over Normandy
Snabbkorrigering för Windows Media Player 9 [Mer information finns i KB885492]
Sonic Update Manager
Sound Blaster Audigy 2
Spybot - Search & Destroy 1.3.1 TX
SST Programming Software
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458)
Säkerhetsuppdatering för Windows XP (KB883939)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896428)
TeamSpeak 2 RC2
The ABI Network- A Division of Direct Revenue
Ventrilo
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR
World War II Online version 1.18.4




And the activescan:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Ägaren\Application Data\Sskknwrd.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\xzbwfw.exe
  • 0

#10
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

Open HijackThis.
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:

The ABI Network- A Division of Direct Revenue

Press ‘delete this entry’.
Close HijackThis.

***

Download the Killbox.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:
C:\Documents and Settings\Ägaren\Application Data\Sskcwrd.dll
C:\Documents and Settings\Ägaren\Application Data\Sskknwrd.dll
C:\WINDOWS\xzbwfw.exe
For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

Let the system reboot.

***

Download and install Registrar Lite.

Let's go search the Registry for WhenU.
Please be very careful what you do. A corrupt Registry is a broken down machine.

Double-click the file you just downloaded.
An Installshield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' type
WhenU
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) until all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

I don't have to see a new log using HijackThis.
  • 0



#11
Drege

Member, Topic Starter, 12 posts

Sorry for my delayed reply. Registrar Lite did not find anything when I searched for WhenU!
  • 0

#12
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

Would you mind rescanning? Maybe it's already gone.

Also, let me know how things are now.
  • 0

#13
Drege

Member, Topic Starter, 12 posts

Ok. I used ActiveScan again and this time I clicked on the description link of WhenU.
Then I saw its different aliases: WhenU.SaveNow, WhenUSave, Adware-SaveNow. When I tried those different aliases in Registrar Lite I got 5 hits when searching for Adware-SaveNow. Want me to get rid of those?
  • 0

#14
g2i2r4

retired HiJack Helper, Retired Staff, 5,080 posts

;) That's the one I didn't try to look for :tazz:

In Registrar Lite you do it like this:

In the results (right hand side) select a row. At the left hand bottom you see a red X. Press the X and select 'delete key and value'. Do this for all 5 results.
Then close Registrar Lite.

After a reboot the ActiveScan should be clean.

Let me know?
  • 0

#15
Drege

Member, Topic Starter, 12 posts

Hmm, I think I was looking in the wrong window earlier ;P. I didn't find anything when searching for adware-savenow tbh, guess it's because I'm not used to RegLite yet =P. ActiveScan still finds that Adware/SaveNow in the registry ;/. Do you know any other aliases for it that I can search for in RegLite?
  • 0





