- Close all windows, open HijackThis then SCAN.
- Post a NEW HijackThis Log.
- Please tell me how your system is working now.
Rapidly changing name exe...aurora? [RESOLVED]
Started by
koniord
, Jul 12 2005 11:53 AM
#16
Posted 15 July 2005 - 06:09 PM
#17
Posted 16 July 2005 - 06:18 AM
The system appears to be working just fine. I have no problems now but is there anything I should do to check?
The floppy drive has stopped doing tricks.
The only thing is that when I open Microsoft Outlook it gives me a message that an error has occurred in the script on this page and asks me whether I want to continue running the script on this page. Choosing yes or no makes no difference and it works fine both ways.
Logfile of HijackThis v1.99.1
Scan saved at 3:08:37 μμ, on 16/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.ex
#18
Posted 16 July 2005 - 06:23 AM
Very good koniord! Great job!
Congratulations! Your system is CLEAN!
WinXP Reset & All-Clean1
We have a couple of last steps to perform and then you're all set.
First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
1. Turn off System Restore.
   - On the Desktop, right-click My Computer.
   - Click Properties.
   - Click the System Restore tab.
   - Check Turn off System Restore.
   - Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
   - On the Desktop, right-click My Computer.
   - Click Properties.
   - Click the System Restore tab.
   - UN-Check Turn off System Restore.
   - Click Apply, and then click OK.
System Restore will now be active again.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
- SpywareBlaster to help prevent spyware from installing in the first place.
- SpywareGuard to catch and block spyware before it can execute.
- IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
To keep your operating system up to date, check for Windows updates monthly. And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
#19
Posted 16 July 2005 - 06:53 AM
You have done all the work...thanks again.
I'm a psycho workaholic but don't you ever sleep?
Your answers were posted during day and night...I'm amazed!
THANK YOU!!!
Should I uninstall all the programs used to fix the problems and then install the new ones you proposed?
#20
Posted 16 July 2005 - 04:41 PM
Yeah, it's a bit tiring, but ya know, we love the job, so I guess we don't care about the time.
You have the option to keep or uninstall all the trial versions of the programs. Just one tip: when it comes to antivirus and protection programs, just keep at least one, since others conflict with each other. Let's say Symantec AV conflicts with McAfee, so you must choose only one of them.
The best protection combination is updated SpywareGuard, SpywareBlaster, IE-SpyAd, a firewall, and weekly scans with Spybot & Ad-Aware. Most of all, Windows Update. You should also do a weekly online virus scan with Panda, Trend Micro or BitDefender.
#21
Posted 17 July 2005 - 04:16 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
#22
Posted 28 July 2005 - 06:11 AM
Hi,
Thanks,
What concerns me is that there are 33 processes open.
They were fewer before, and the only thing I have installed is 1 program (e-donkey).
I will disable opening this program at startup but the rest seem a lot.
Here's the HijackThis log (I turned off AVG, SpywareGuard and Kerio firewall before scanning)
Logfile of HijackThis v1.99.1
Scan saved at 2:59:15 μμ, on 28/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Kind regards,
Kostas
#23
Posted 28 July 2005 - 04:56 PM
NOTE: E-donkey is an infected P2P networking program: http://www.spywareinfo.com/articles/p2p/
Open up your Ad-Aware 1.06r then have all the updates downloaded.
Reboot in SAFE MODE. (How to boot in Safe Mode...)
- Uninstallation
We need to uninstall the following programs:
- Go to Control Panel > Add/Remove Programs
- Please locate if they exist:
  - e-donkey 2000
- Click Uninstall
- Confirm with OK
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
Make sure to double check the items you have selected, then click Fix Checked.
Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
- C:\Program Files\eDonkey2000
Reboot back into Windows have an online scan with Panda ActiveScan, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log.
Let us know if any problems persist.
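Added example (not code from this thread, from HijackThis or from the helpers here): a small Python parser for the HijackThis v1.99.1 log format posted above, used to diff two scans of the same machine so that the new autostart entries, services and processes Kostas asks about in #22, and the O4 line #23 fixes, show up mechanically instead of by eye. The two sample logs are constructed, trimmed excerpts of the 16 July and 28 July logs in this thread.

```python
import re
from dataclasses import dataclass

# Each HijackThis finding starts with a section tag: R0/R1 IE pages, O1 hosts,
# O2 BHO, O4 autostart, O23 service, and so on.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

@dataclass(frozen=True)
class HjtEntry:
    section: str   # e.g. "O4"
    detail: str    # everything after "O4 - "

def parse_hjt(text):
    """Split HijackThis v1.99.1 log text into (running processes, findings)."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False            # first tagged line ends the process list
            entries.append(HjtEntry(m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line.lower())  # Windows paths are case-insensitive
    return processes, entries

def diff_hjt(old_text, new_text):
    """What appeared or disappeared between two scans of the same machine."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    old_set, new_set = set(old_e), set(new_e)
    return {
        "added": [e for e in new_e if e not in old_set],
        "removed": [e for e in old_e if e not in new_set],
        "new_processes": sorted(set(new_p) - set(old_p)),
        "process_count": (len(old_p), len(new_p)),
    }

# Constructed, trimmed excerpts of the 16 July and 28 July logs posted in this thread.
OLD_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""
NEW_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""
```

Running `diff_hjt(OLD_LOG, NEW_LOG)` lists the eDonkey2000 autostart, the new SpywareGuard BHO and the Kerio service as added, the Spybot SDHelper BHO as removed, and the AVG and Kerio executables as new processes, which is exactly the set of changes behind the higher process count.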
#24
Posted 28 July 2005 - 08:53 PM
Oh!
I purchased e-donkey 3 days ago.....
Do you think I should remove it... I mean, is anything else infected?
Thanks again
#25
Posted 29 July 2005 - 01:43 AM
That depends on you. If you want to keep e-donkey, then as long as you have read the notes on infected P2P networking, it is your responsibility to keep it or remove it.
Good luck to you!