Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora popups and vx2 files [RESOLVED]


  • This topic is locked This topic is locked

#1
lc.chris

lc.chris

    Member

  • Member
  • PipPip
  • 21 posts
Hey guys i got "big" problem! with none of my programms i normally remove spy or adware i am able remove this aurora and abetterinternet or vx2 [bleep] ....

I use adaware and spyware S&D (also hijackthis! )



here is my hijackthis logfile maybe you guys can help me .....

(sorry for my bad english i am a german ^^ )


Logfile of HijackThis v1.99.1
Scan saved at 19:57:02, on 29.07.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
c:\windows\system32\zppgkz.exe
E:\Programme\oOffice\program\soffice.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Programme\ICQ\Icq.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\chris\LOKALE~1\Temp\Rar$EX00.125\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKLM\..\Run: [hhfpnme] c:\windows\system32\zppgkz.exe r
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O4 - Startup: OpenOffice.org 1.0.2.lnk = E:\Programme\oOffice\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
  • 0

Advertisements


#2
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Please post a new HJT log and don't reboot/switch off from here on unless otherwise instructed.
  • 0

#3
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
here is the fresh hjt log ....

Logfile of HijackThis v1.99.1
Scan saved at 12:20:58, on 30.07.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
c:\windows\system32\skayll.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
E:\Programme\oOffice\program\soffice.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOKUME~1\chris\LOKALE~1\Temp\Rar$EX00.031\HijackThis.exe
C:\Programme\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKLM\..\Run: [edeioy] c:\windows\system32\skayll.exe r
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O4 - Startup: OpenOffice.org 1.0.2.lnk = E:\Programme\oOffice\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
  • 0

#4
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Click here to download Nailfix. Unzip it to the desktop but please do NOT run it yet.

Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find c:\windows\system32\skayll.exe in the list of Processes.

Select the process and click Process > Suspend.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select c:\windows\system32\skayll.exe
When prompted if you want to reboot click YES

Leave Process Explorer running with the process suspended through the reboot.

Have it reboot into Safe Mode by tapping F8 after the BIOS has loaded. Once in Safe Mode, click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKLM\..\Run: [edeioy] c:\windows\system32\skayll.exe r
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe[/url]

Reboot again when done. Apply Service Pack 1a for Windows XP. Without this update, you're wide open to reinfection and we're both just wasting our time.

Click here: http://www.microsoft...&DisplayLang=en

Apply the update, reboot, and post a fresh HijackThis log.
  • 0

#5
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
i`ve done what you told me but when having booted in save mode all the symbols on my desktop were gone .... i could not start nailfix or hjt because they were not on my desktop


shall i reapeat all the steps from the beginning on or shall i post a fresh hjt log ?!

Edited by lc.chris, 30 July 2005 - 04:52 AM.

  • 0

#6
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Get the windows update then post a fresh log.
  • 0

#7
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
i updated to sp1 here is the fresh log ....

but htere is an other problem appearing ..... after booting a messeges appears which says that there is a problem with the explorer.exe and it has to be closed ....

if i hit the don´t send button all the symbols on the desktop and the taskbar dissapear and re-appear and the messege pops up again .... what can i do ?!


Logfile of HijackThis v1.99.1
Scan saved at 13:27:57, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\zppgkz.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
E:\Programme\oOffice\program\soffice.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKLM\..\Run: [hhfpnme] c:\windows\system32\zppgkz.exe r
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
  • 0

#8
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, you still have the original infection.

Create a new folder called HijackThis on your C drive and copy the nailfix and HijackThis files into it so that you can access the files later.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update ewido. Do NOT run a scan yet. Exit the program.

Run Process Explorer and find zppgkz.exe in the list of Processes.

Select the process and click Process > Suspend.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select c:\windows\system32\zppgkz.exe
When prompted if you want to reboot click YES

Leave Process Explorer running with the process suspended through the reboot.

Have it reboot into Safe Mode by tapping F8 after the BIOS has loaded. Once in Safe Mode, go to the new folder you created and please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next open ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKLM\..\Run: [hhfpnme] c:\windows\system32\zppgkz.exe r
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe[/url]

Reboot again when done, rescan with HJT and post a new log here together with the ewido log.
  • 0

#9
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
done what you told me ...

here the 2 new logs ... btw the problem with the explorer.exe is gone ...

Logfile of HijackThis v1.99.1
Scan saved at 14:34:44, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe





--------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 14:31:39, 30.07.2005
+ Report-Checksumme: 54D03115

+ Scanergebnis:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Gesäubert mit Backup
[860] VM_00F90000 -> Adware.BetterInternet : Fehler beim Säubern
C:\Dokumente und Einstellungen\chris\Cookies\chris@2o7[1].txt -> Spyware.Cookie.2o7 : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@ad.adition[1].txt -> Spyware.Cookie.Adition : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@adtech[2].txt -> Spyware.Cookie.Adtech : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@axa.addcontrol[1].txt -> Spyware.Cookie.Addcontrol : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@revenue[2].txt -> Spyware.Cookie.Revenue : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@srv1.ad.adition[2].txt -> Spyware.Cookie.Adition : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@www.adtiger[2].txt -> Spyware.Cookie.Adtiger : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Cookies\chris@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Lokale Einstellungen\Temp\Cookies\chris@ad.adition[1].txt -> Spyware.Cookie.Adition : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Lokale Einstellungen\Temp\Cookies\chris@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Lokale Einstellungen\Temp\Cookies\chris@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Lokale Einstellungen\Temp\Cookies\chris@ppms.popularix[1].txt -> Spyware.Cookie.Popularix : Gesäubert mit Backup
C:\Dokumente und Einstellungen\chris\Lokale Einstellungen\Temp\Cookies\chris@srv1.ad.adition[1].txt -> Spyware.Cookie.Adition : Gesäubert mit Backup
C:\Programme\common files\wuro\wuroa.exe -> TrojanDownloader.TSUpdate.l : Gesäubert mit Backup
C:\Programme\common files\wuro\wurol.exe -> TrojanDownloader.TSUpdate.j : Gesäubert mit Backup
C:\Programme\common files\wuro\wurop.exe -> Spyware.Xupiter : Gesäubert mit Backup
C:\WINDOWS\aaonnhq.exe -> Adware.BetterInternet : Gesäubert mit Backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Gesäubert mit Backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Gesäubert mit Backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Gesäubert mit Backup


::Report Ende



sorry for german logs but i forgot to download the english version of the programms ....

*edit (first hjt log was the one from save mode ....

this is the one after rebooting

Logfile of HijackThis v1.99.1
Scan saved at 14:49:48, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
E:\Programme\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Edited by lc.chris, 30 July 2005 - 06:51 AM.

  • 0

#10
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
first i want to thank you for your great support and that you have been so patient with me .... you are really great !

but correct me if i am wrong but i guess it will still take a large amount of time to get rid of those malware things on my sys .... would it be better to just format c: and re-install win xp and then update it .... ?!

*i gotto to an important meeting now .. i am back tonight or tomorrow ...

Edited by lc.chris, 30 July 2005 - 07:54 AM.

  • 0

Advertisements


#11
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
No, we can fix it. Please repeat my last post (skip the ewido part) as aurora is still there.
  • 0

#12
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
okay i am back and haven`t rebooted the pc yet i gonna repeat the steps without edwin ...

*work in progress*

Edited by lc.chris, 30 July 2005 - 09:55 AM.

  • 0

#13
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
hjt log in safe mode ...


ogfile of HijackThis v1.99.1
Scan saved at 17:35:01, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



hjt log after reebot to normal mode ..

Logfile of HijackThis v1.99.1
Scan saved at 17:38:17, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
E:\Programme\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#14
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, we seem to be getting on top of it.

Download this file to your desktop. Click HERE.

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Click here to download fixme.zip. Extract fixme.reg from the zip file and save it to the desktop. Double-click the fixme.reg, when asked to merge say yes.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O4 - HKCU\..\Run: [wuro] C:\PROGRA~1\COMMON~1\wuro\wurom.exe


Close HiJackThis.

Please download the Killbox by Option^Explicit. Save it to your desktop and doubleclick Killbox.exe.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\ehe.exe

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

C:\PROGRAM FILES\COMMON FILES\wuro\wurom.exe

When it prompts you to reboot this time, press the YES button.

After restarting, post a new HiJackThis log.
  • 0

#15
lc.chris

lc.chris

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
fresh log:

Logfile of HijackThis v1.99.1
Scan saved at 18:16:19, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Programme\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\devldr32.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehe] C:\WINDOWS\System32\ehe.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP