Ran cleans with Spybot, MS Antispyware, some Symantec stuff... did the safe mode clean with ewido following instructions posted on this site. Ran CCleaner and restarted in normal mode.
Here's the ewido report and my latest HJT log. What about it? When I checked my registry, Aurora was still there. Any suggestions?
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:20:32 PM, 7/24/2005
+ Report-Checksum: C567EE9A
+ Scan result:
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.o7b\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.o7b\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.o7b\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.o7b\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Temp\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\odbyjoyemip.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\atiupdate5.exe -> Spyware.Adtomi : Cleaned with backup
C:\WINDOWS\system32\bamrnco.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\biH.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\WINDOWS\system32\biH.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\dshjgfl.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\hclean32.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\WINDOWS\system32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\pop.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\rdsndin.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\zpjyhee.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 5:19:14 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com
/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1
\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:
\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3
\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [SystemNetwork] "C:\windows\system\SYSNET30.EXE" kernel32.
dll,LoadUserSetting
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zddarb] c:\windows\system32\wixslr.exe r
O4 - HKLM\..\Run: [dmqnf.exe] C:\WINDOWS\System32\dmqnf.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft
Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money
Express.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:
\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C
608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0
AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:
\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt0_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.game...nts/y/bt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...games/clients/y
/cct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...lients/y/dot2_x.
cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt0_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt0_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...lients/y/grt1_x.
cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...clients/y/tt0_x.
cab
O16 - DPF: Yahoo! Pinochle - http://download.game...clients/y/ut2_x.
cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.game...ames/clients/y/
vtj_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game.../clients/y/ywt0
_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...clients/y/wt0_x
.cab
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://
www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540
/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://
update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?
1122083416609
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://
gamesoduser.comcast.net/classes/ExentCtl.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/
GoogleActivate.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.
dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) -
http://ccon.madonion.../global/msc.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kzdcr.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\kzdcr.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:
\WINDOWS\System32\nvsvc32.exe