Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help! Removal of Aurora Pop-Ups. (and Ebates) [RESOLVED]

Started by surge , Jun 25 2005 12:25 PM

  • This topic is locked This topic is locked

#1
surge
Posted 25 June 2005 - 12:25 PM

surge

    Member

  • Member
  • PipPip
  • 29 posts
Hello, everyone.

Recently, my computer has been infected with various spyware/malware/adware. I need help in removing VX2, Ebates, and the Aurora Browser pop-ups. I have ran Ad-Aware multiple times (in Safe Mode) along with Microsoft Anti-Spyware. Also, I have run the VX2 Cleaner Add-On for Ad-Aware with little success.

Here is my Hijack-This log:
Logfile of HijackThis v1.99.1
Scan saved at 2:25:12 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\harcsvc.exe
c:\winnt\system32\hglaopd.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINNT\GCZLDLL.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\harcenc.EXE
C:\WINNT\harcdll.EXE
C:\WINNT\System32\jujpkl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\paqip6.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [GCZLDLL] C:\WINNT\GCZLDLL.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [harcenc] C:\WINNT\harcenc.EXE
O4 - HKLM\..\Run: [harcdll] C:\WINNT\harcdll.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINNT\System32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\jujpkl.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitefvy32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wfsmbi] c:\winnt\system32\hglaopd.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [sfcrfm] C:\WINNT\System32\sfcrfm.exe
O4 - HKCU\..\Run: [ao4mRkJ8h] paqip6.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\harcsvc.exe
  • 0

Advertisements

#2
tampabelle
Posted 25 June 2005 - 02:13 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Reboot the PC and post a fresh Hijack This log here.
  • 0

#3
surge
Posted 26 June 2005 - 09:26 AM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hmm... I followed your instructions, and it seems that there I have more spyware on my computer than yesterday. Please help.
:tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:21 AM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
c:\winnt\system32\xcbnxx.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [GCZLDLL] C:\WINNT\GCZLDLL.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\jujpkl.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zvphuw] c:\winnt\system32\xcbnxx.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [sfcrfm] C:\WINNT\System32\sfcrfm.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: kcki.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\harcsvc.exe (file missing)

Harcsvs.exe? http://websearch.drs...esearch.cgi?id=?
Please help.
  • 0

#4
tampabelle
Posted 26 June 2005 - 11:15 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Surge,

Yes, you do have a few more infections on your PC. It usually takes a few iterations to get rid of all the infections so please be patient.

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall sosme programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Unzip the file and save the extracted files on the desktop. Dont run it yet.


Click on Start ---> Run. Type Services.msc and hit enter. In the hand pane of the new window, locate the item Windows VisFx Components. Right click on it and then click on Properties. In the STartup Type, choose the option Disable.


Reboot the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\jujpkl.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [zvphuw] c:\winnt\system32\xcbnxx.exe r
O4 - HKCU\..\Run: [sfcrfm] C:\WINNT\System32\sfcrfm.exe
O4 - Global Startup: kcki.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\harcsvc.exe (file missing)

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

C:\WINNT\harcsvc.exe
C:\WINNT\cfgmgr52.dll
C:\WINNT\VCMnet11.exe
C:\WINNT\System32\jujpkl.exe
C:\WINNT\System32\xcbnxx.exe
C:\WINNT\System32\sfcrfm.exe
kcki.exe

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!

Click on Start ---> Run and hit enter. Type Msconfig and hit enter. Choose the option Normal Startup and hit enter.

Reboot the PC in Normal Mode.


Run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

Edited by tampabelle, 26 June 2005 - 11:18 AM.

  • 0

#5
surge
Posted 26 June 2005 - 12:16 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hello, again. Thank you for putting in your time to help me.

When I ran Hijack This! in Safe Mode, I could not find these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [zvphuw] c:\winnt\system32\xcbnxx.exe r
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\harcsvc.exe (file missing)

(I think Microsoft AntiSpyware might have removed them, which I ran earlier today).

Also, I found NAIL.exe, again and Aurora is back! :tazz:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

These are the files that I could not find:
C:\WINNT\harcsvc.exe
C:\WINNT\cfgmgr52.dll (I only found cfgmgr52.ini)
C:\WINNT\System32\xcbnxx.exe
C:\WINNT\System32\sfcrfm.exe

Also, what folder would kcki.exe be in?

Next, when I restarted my computer Microsoft Anti-Spyware flashed and said IEPlugin Spyware was trying to install, this has been happening on each restart.

Also, I found a file that might be to interest in removing the Aurora malware:
C:\WINNT\urauzmuud.exe, it has the same icon as the Aurora pop-up browser.

Ok, now for the logs.
This is the Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nknxgsxs
<NO NAME> REG_SZ {a7d15ef6-751d-4896-b6b1-1f7e9b0790f7}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
<NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin


And here's a fresh Hijack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:53 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINNT\GCZLDLL.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\winnt\system32\hrntatr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [GCZLDLL] C:\WINNT\GCZLDLL.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rghdtm] c:\winnt\system32\hrntatr.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Thank you, for the help. ;)
  • 0

#6
tampabelle
Posted 26 June 2005 - 01:41 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Looks like Microsoft Anti-Spyware did fix a few of the bad files :tazz:

Lets try the aurora fix again.

You have Ewido installed. Run it and update the definitions to the newest files. Do NOT run a scan yet.

You also have the nailfix files on your PC.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [GCZLDLL] C:\WINNT\GCZLDLL.EXE
O4 - HKLM\..\Run: [rghdtm] c:\winnt\system32\hrntatr.exe r

Close all open windows except for HijackThis and click Fix Checked.

Delete the files -
C:\WINNT\urauzmuud.exe
C:\WINNT\GCZLDLL.EXE

Reboot the PC and post a fresh Hijack This log here along with Ewido scan report.
  • 0

#7
surge
Posted 26 June 2005 - 02:45 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Thank you for responding so quickly.

Ok...
I couldn't find the following line in Hijack This!:

O4 - HKLM\..\Run: [rghdtm] c:\winnt\system32\hrntatr.exe r

Also, neither of the files were to be found (I think Ewido deleted them):

C:\WINNT\urauzmuud.exe
C:\WINNT\GCZLDLL.EXE

Hmm.... I think Aurora is finally gone though!!! Also, I did not get the Microsoft Anti-Spyware notice that "IEPLUGIN" is trying to install.

But.....
When scanning with Ewido, I went away for like 5 minutes when it was at 50% and when I came back a notice said: "To Complete the Scan, Restart Your Computer". Does that mean the scan finished?

Anyway I still saved a log (Ewido log):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:34:15 PM, 6/26/2005
+ Report-Checksum: E8C5B23C

+ Date of database: 6/26/2005
+ Version of scan engine: v3.0

+ Duration: 14 min
+ Scanned Files: 45939
+ Speed: 52.07 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\USSHKJ\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\USSHKJ\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\rbcwnm.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINNT\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINNT\urauzmuud.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

And, finally a Hijack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:19 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\winnt\system32\fuszoi.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [orhozl] c:\winnt\system32\fuszoi.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe


Thank you for your help, please tell me if the logs are clean or not! :tazz:

Should I run Microsoft Anti-Spyware or Ad-Aware now?
Should I update Windows Service Pack? I think I still have Service Pack 1.

[SIZE=14]UPDATE

Microsoft Anti-Spyware just alerted me about SvcProc (I may be mistaken), and it said an application change was allowed, then it said IEPlugin is trying to install, so I clicked Block, within 5 seconds. Then, I GOT THE AURORA Pop-Ups again!!! NOOO... I was only surfing this site, to see everyone elses problems!!!

Edited by surge, 26 June 2005 - 02:52 PM.

  • 0

#8
tampabelle
Posted 26 June 2005 - 02:50 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Surge,

I had noticed from your first log that you have SP1a installed and need to get SP2.

I will tell you when the PC is completely clean. Hold your horses.

Let me study your log and revert with a fix
  • 0

#9
surge
Posted 26 June 2005 - 02:53 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
UPDATE

Microsoft Anti-Spyware just alerted me about SvcProc (I may be mistaken), and it said an application change was allowed, then it said IEPlugin is trying to install, so I clicked Block, within 5 seconds. Then, I GOT THE AURORA Pop-Ups again!!! NOOO... I was only surfing this site, to see everyone elses problems!!!

New Hijack This! Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:55:05 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\winnt\system32\fuszoi.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [orhozl] c:\winnt\system32\fuszoi.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Edited by surge, 26 June 2005 - 02:55 PM.

  • 0

#10
tampabelle
Posted 26 June 2005 - 03:03 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find the orhozl in the list of Processes.
Select the process and click Process > Suspend. Leave Process explorer running with the process suspended.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\winnt\system32\fuszoi.exe
When prompted if you want to reboot click YES


After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [orhozl] c:\winnt\system32\fuszoi.exe r

Reboot the PC and post a fresh HJT log
  • 0

Advertisements

#11
surge
Posted 26 June 2005 - 03:08 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
No "orhozl" was found in Process Explorer, but there is a fuszoi.exe in purple. Do I suspend that, instead?
  • 0

#12
tampabelle
Posted 26 June 2005 - 03:14 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
yes please
  • 0

#13
surge
Posted 26 June 2005 - 03:37 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Ok, I did it. Here's the Hijack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 5:36:25 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\userinit.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
  • 0

#14
tampabelle
Posted 26 June 2005 - 03:42 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Surge,


Lets do this one more time - to get rid of aurora again !!!!!!


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Reboot the PC and post a fresh Hijack This log here.
  • 0

#15
surge
Posted 26 June 2005 - 07:45 PM

surge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Ok, here it goes again ;)

Hijack This! Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:02 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\userinit.exe
C:\Documents and Settings\USSHKJ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://falcon1t.lasa...d502/ase510.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://usas-ny021/wf..._3_1_02-win.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://nlm417s01.ao....dbin/Spider.ocx
O17 - HKLM\Software\..\Telephony: DomainName = amcs.abnamro-net.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amcs.abnamro-net.com,treas.na.abnamro.com,net.na.abnamro.com,abnamro-net.com,lasalle.na.abnamro.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

I see no sign of IEPlugin or Aurora, hopefuly that lasts! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP