Another Aurora Victim



#1 mixmastamusic (Member, 22 posts)
I HATE AURORA - PART OF THE ABI NETWORK. I can't get rid of it. I've cleaned it from the registry, I've used Spy Sweeper, Spyware Doctor, Ad-Aware, Norton AntiVirus and HijackThis; nothing has worked, I can't get rid of it totally. I just got another popup for Aurora - Part of the ABI network. I can't get rid of it.



#2 mixmastamusic (Topic Starter, Member, 22 posts)
Oh yeah, here is my HijackThis logfile, if you can help me:

Logfile of HijackThis v1.99.1
Scan saved at 2:53:21 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\UT2004\Applications\Spyware Doctor\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Norton AntiVirus\navapsvc.exe
F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\aosoub.exe
F:\NORTON~1\navapw32.exe
F:\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Quicktime\qttask.exe
C:\WINDOWS\SM1BG.EXE
F:\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Nostromo\nost_LM.exe
F:\UT2004\Applications\Spyware Doctor\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\UT2004\Applications\Spyware Doctor\sweeper\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blink182.com/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] F:\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "f:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sysregx] C:\WINDOWS\System32\sysregx.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AnyDVD] F:\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [r53P36U] dmu_qic.exe
O4 - HKLM\..\Run: [ciivvda] C:\WINDOWS\System32\aosoub.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a2sFRWYnh] devidc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = F:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = F:\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: sysregx - sysregx.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\UT2004\Applications\Spyware Doctor\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\UT2004\Applications\Spyware Doctor\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Norton AntiVirus\navapsvc.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - F:\UT2004\Applications\Vip\PXAgent.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe

#3 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Hi Mixmastamusic, and welcome to GeeksToGo!
I'm working on your log; as soon as another staff member reviews it I'll post a reply.
Thank you for your patience.
Skate_Punk_21

#4 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Downloads
Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net...wnload/updates/ DO NOT RUN IT YET.

Download Nailfix at http://www.noidea.us...050711214630636 Save it to the desktop but DO NOT RUN IT YET.

Download CWShredder from http://www.greyknigh...hredder.sfx.exe and run it. The file will ask where to install to; navigate to your desktop and click Install. Now double-click the new desktop file CWShredder.exe and at the bottom click "Check for updates". DO NOT RUN IT YET.

Download Process Explorer from http://www.sysintern...ssExplorer.html


To begin: Please open HijackThis and click on Scan.
Look for any entry in the O4 section that has a lonely " r" at the end. LEAVE HIJACKTHIS OPEN, and note the path to that file.

Run Process Explorer and find the file we just found in HijackThis in the list of processes.
Select the process and click Process > Suspend.
DO NOT CLOSE THIS PROGRAM.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the Explorer window, navigate to the file we just found and click Open.
When prompted if you want to reboot, click YES.
Leave Process Explorer running with the process suspended.


Boot Into Safe Mode
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Run Downloaded Programs
Once in Safe Mode, please double-click on nailfix.exe. Your desktop and icons may disappear and reappear, and a window should open and close very quickly --- this is normal.

Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
  • Click on Start Scan
  • Let the program scan the machine
    While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch Ewido) and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop.
Run CWShredder and Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Start HijackThis Fix
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blink182.com/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [sysregx] C:\WINDOWS\System32\sysregx.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [r53P36U] dmu_qic.exe
O4 - HKLM\..\Run: [ciivvda] C:\WINDOWS\System32\aosoub.exe r <<--or any other entry that ends with "r"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [a2sFRWYnh] devidc32.exe
O20 - Winlogon Notify: sysregx - sysregx.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe <<--if it appears

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions

C:\WINDOWS\Nail.exe <<--Should be gone but double check
C:\WINDOWS\System32\sysregx.exe
C:\WINDOWS\msresearch.exe
dmu_qic.exe <<--Search for via "Start | Search"
C:\WINDOWS\dinst.exe
devidc32.exe <<--Search for via "Start | Search"
C:\WINDOWS\svcproc.exe <<-- If the O23 entry appears



Only Complete the following if "O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe" appears in your HijackThis Scan

Stop NT Service
Part1

  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the "System Startup Service (SvcProc)" service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the command Prompt window and press the Enter key:
  • sc delete SvcProc
  • Close the Command Prompt window



Reboot your system in Normal Mode.


Downloads again...
Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat. Save That file and post it here


Please post a fresh Hijack This log, FindIt log, and the Log from the Ewido Scan so that we can check if your system is clean.

Edited by skate_punk_21, 04 August 2005 - 04:40 PM.

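The tells used in the instructions above (the "lonely r" argument, a Run value that is a bare filename with no path, random-looking value names, components marked "(file missing)", an extra executable chained onto Shell= in system.ini, a no-owner service living directly in C:\WINDOWS, and the same search host set in several R0/R1 keys) can be written down as rules and run over a log. The script below is an added example written for this page; it is not a GeeksToGo or HijackThis tool, and its sample input is a constructed subset of lines copied from the log in post #2. The severity labels, the allow-list of Windows-directory executables and the "two or more keys" threshold are the example's own choices, not a published signature set.

```python
"""Rule-based triage of HijackThis v1.99 log lines (added example, not a GeeksToGo tool)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blink182.com/home.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NAV Agent] F:\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sysregx] C:\WINDOWS\System32\sysregx.exe
O4 - HKLM\..\Run: [r53P36U] dmu_qic.exe
O4 - HKLM\..\Run: [ciivvda] C:\WINDOWS\System32\aosoub.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [a2sFRWYnh] devidc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: sysregx - sysregx.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Norton AntiVirus\navapsvc.exe
"""

RUN_LINE = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]+$")  # digits + mixed case, e.g. r53P36U
WINDIR_EXE = re.compile(r"^[A-Z]:\\WINDOWS(\\System32)?\\[^\\]+$", re.I)
KNOWN_WINDIR = {"ctfmon.exe", "explorer.exe"}  # hypothetical allow-list; extend per machine


def split_cmd(cmd):
    """Split a Run value into (executable, arguments); tolerates quoted and unquoted paths."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(.*?\.(?:exe|com|scr))\s*(.*)$", cmd, re.I)
    return (m.group(1), m.group(2).strip()) if m else (cmd.strip(), "")


def triage(log_text):
    """Return a list of (severity, line, reason) for every rule a line trips."""
    findings, hosts, r_lines = [], Counter(), []
    for line in log_text.splitlines():
        line = line.strip()
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "=" in line:
            url = line.rsplit("=", 1)[1].strip()
            host = (urlparse(url).hostname or url).lower()
            hosts[host] += 1
            r_lines.append((host, line))
        elif kind == "F2" and "Shell=" in line:
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("high", line, "extra executable chained onto the Winlogon shell"))
        elif kind == "O4":
            m = RUN_LINE.match(line)
            if not m:
                continue
            exe, args = split_cmd(m["cmd"])
            base = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:
                findings.append(("high", line, "bare filename resolved via the search path, not a fixed location"))
            if re.fullmatch(r"[A-Za-z]", args):
                findings.append(("high", line, "single-letter argument (the 'lonely r' tell)"))
            if RANDOM_NAME.match(m["name"]):
                findings.append(("medium", line, "random-looking value name"))
            if WINDIR_EXE.match(exe) and base not in KNOWN_WINDIR:
                findings.append(("medium", line, "unlisted executable sitting directly in the Windows directory"))
        elif kind in ("O2", "O20", "O23"):
            if "(file missing)" in line:
                findings.append(("medium", line, "registered component whose file is absent (stale or hidden)"))
            target = line.rsplit(" - ", 1)[-1]
            if kind == "O23" and "Unknown owner" in line and WINDIR_EXE.match(target):
                findings.append(("medium", line, "service with no vendor name running from the Windows directory"))
    # A search host that shows up in two or more R0/R1 keys is a hijack, not a user preference.
    for host, line in r_lines:
        if hosts[host] >= 2:
            findings.append(("high", line, f"search settings redirected to {host} in {hosts[host]} keys"))
    return findings


def high_severity(findings):
    return [f for f in findings if f[0] == "high"]


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run it on a full log by replacing SAMPLE_LOG with the file contents. Note that the medium rules deliberately over-report: a legitimate installer that drops its loader into C:\WINDOWS or a driver service with no version resource will trip them, which is why the helper above asks for a fresh log rather than fixing every flagged line blind.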

#5 mixmastamusic (Topic Starter, Member, 22 posts)
Thanks, I'll do that and send you the logs and results. Hope it all goes well. Thanks a lot.

#6 mixmastamusic (Topic Starter, Member, 22 posts)
Well, I just got out of Safe Mode and did everything you told me to do. I didn't have to do a FindIt log because I didn't end up using FindIt. The only problem was, Ewido didn't come up with anything at all, but I've had Ewido and used it, and I used it before I carried out the instructions you told me to do and it came up with a lot, but this time nothing. And I had some trouble with Safe Mode but I finally got in. Other than that, nothing went wrong and no more Aurora popups, so here are my log files.

Logfile of HijackThis v1.99.1
Scan saved at 2:06:19 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
F:\UT2004\Applications\Spyware Doctor\sweeper\hijackthis\HijackThis.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] F:\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "f:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AnyDVD] F:\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = F:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = F:\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\UT2004\Applications\Spyware Doctor\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Norton AntiVirus\navapsvc.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - F:\UT2004\Applications\Vip\PXAgent.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe



And here is my Ewido log, not that you'll need it:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:28:08 PM, 8/8/2005
+ Report-Checksum: F6B221D

+ Scan result:

No infected objects found.


::Report End

#7 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
If it's all the same with you, I'd like to get a log from FindIt anyway, just in case. You've had some sort of root infection and they are usually well hidden; I'd like to double-check and see that there is nothing there. That last log, and then I'll give you your last set of instructions.

#8 mixmastamusic (Topic Starter, Member, 22 posts)
Alright, thanks, I'm getting FindIt now.

#9 mixmastamusic (Topic Starter, Member, 22 posts)
Well, you were correct. I just got the FindIt log and it seems that FindIt has found some sort of Todo files? And worst of all it has found Aurora files. Well, here's the log.



Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 08/08/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TWVXGO~1.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is WINXP
Volume Serial Number is 2658-12DE

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is WINXP
Volume Serial Number is 2658-12DE

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

#10 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
And We're Back!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads
Download Killbox. DO NOT RUN IT YET.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file; choose NO when it asks if you want to reboot). Click Yes at the 'Pending Operations' prompt, if you see it:

C:\WINDOWS\TWVXGO~1.EXE
C:\windows\sp2update.exe

* If you receive a message such as "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.



Reboot now please


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe

Please remember to close all other windows, including browsers then click Fix checked.

Please post a fresh hijackthis log so we can check to see if your computer is clean.
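The "Delete on Reboot" step above, and the Killbox warning about PendingFileRenameOperations being "removed by external process", both refer to the same Windows mechanism: a locked or protected file is not deleted now but queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the Session Manager processes early in the next boot, before the malware has a chance to run. Each queued operation is a pair of strings; an empty second string means delete. If anything clears that value before the reboot, nothing is deleted, which is what the warning is about. The script below is an added example written for this page, not part of Killbox, HijackThis or the original posts; it builds, encodes and decodes copies of the queue (string lists, raw REG_MULTI_SZ bytes, or the hex(7): line from a .reg export) and never touches the live registry. The function names are the example's own.

```python
"""Build, encode and decode Windows' PendingFileRenameOperations queue.
Added example for this page; works on copies of the value, never on the live registry."""
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"   # type REG_MULTI_SZ
NT_PREFIX = "\\??\\"                     # paths are stored in NT object-manager form


def _nt(path):
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _win(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def queue_delete(entries, path):
    """Queue a delete: the source path followed by an EMPTY destination string."""
    entries.extend([_nt(path), ""])
    return entries


def queue_replace(entries, src, dst):
    """Queue a move that overwrites dst; the '!' prefix requests replace-existing."""
    entries.extend([_nt(src), "!" + _nt(dst)])
    return entries


def decode_ops(entries):
    """Flat string list -> [(source, destination or None, action)]."""
    if len(entries) % 2:
        raise ValueError("odd string count: queue is corrupt or truncated")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append((_win(src), None, "delete"))
        elif dst.startswith("!"):
            ops.append((_win(src), _win(dst[1:]), "replace"))
        else:
            ops.append((_win(src), _win(dst), "move"))
    return ops


def is_queued_for_delete(entries, path):
    """Check, case-insensitively as NTFS does, that a delete for path is still pending."""
    return any(a == "delete" and s.lower() == path.lower() for s, _, a in decode_ops(entries))


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ: UTF-16LE, every string NUL-terminated, then a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz. Empty strings are meaningful here (they mark deletes),
    so the usual 'split on NUL and drop empties' shortcut would misalign every
    source/destination pair; keep them."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing list terminator")
    return text[:-1].split("\x00")[:-1]


def to_reg_export(strings):
    """Render the value the way regedit writes it into a .reg file (one unwrapped line)."""
    return f'"{VALUE}"=hex(7):' + ",".join(f"{b:02x}" for b in encode_multi_sz(strings))


def from_reg_export(text):
    """Parse a hex(7): value from a .reg export, undoing regedit's backslash line wraps."""
    joined = re.sub(r"\\\s*\r?\n\s*", "", text)
    m = re.search(r"hex\(7\):([0-9a-fA-F,]+)", joined)
    if not m:
        raise ValueError("no REG_MULTI_SZ (hex(7)) value found")
    return decode_multi_sz(bytes.fromhex(m.group(1).replace(",", "")))


if __name__ == "__main__":
    # The two files Killbox was asked to remove above, queued as delete-on-reboot operations.
    queue = queue_delete([], r"C:\WINDOWS\TWVXGO~1.EXE")
    queue_delete(queue, r"C:\windows\sp2update.exe")
    for src, dst, action in decode_ops(queue):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
    print(to_reg_export(queue))
```

Before rebooting, export the key (for example with reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg) and feed the PendingFileRenameOperations line to from_reg_export; is_queued_for_delete then tells you whether the file is still scheduled, or whether a resident scanner has already wiped the queue and the delete will silently not happen.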

#11 mixmastamusic (Topic Starter, Member, 22 posts)
Alright, I did what you said; everything went smoothly. I just was a bit confused when I opened HijackThis: I could not find

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

in my scan, so I assume I may have gotten rid of it, because I scanned my computer after sending you my last log with Spy Sweeper and it found 1 or 2 things which I got rid of; I think that may be one of them. Here is my new logfile.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:53 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\NORTON~1\navapw32.exe
F:\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Quicktime\qttask.exe
C:\WINDOWS\SM1BG.EXE
F:\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Nostromo\nost_LM.exe
F:\UT2004\Applications\Spyware Doctor\sweeper\hijackthis\HijackThis.exe
F:\UT2004\Applications\Spyware Doctor\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blink182.com/home.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] F:\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "f:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AnyDVD] F:\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = F:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = F:\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\UT2004\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\UT2004\Applications\Spyware Doctor\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Norton AntiVirus\navapsvc.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - F:\UT2004\Applications\Vip\PXAgent.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\UT2004\Applications\Spyware Doctor\sweeper\Spy Sweeper\WRSSSDK.exe

#12 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Congratulations, your log is clean!!


System Restore

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.


Windows Updates

I highly recommend making the upgrade to Windows XP Service Pack 2. Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It is chock full of security patches and such, and it comes with a free popup blocker!


Preventative Measures

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?.

Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, good work, and Happy Computing!

Please reply once more so we know you have read these measures.

#13 mixmastamusic (Topic Starter, Member, 22 posts)
Thank you, Skate_Punk_21!! Thank you and all of Geeks to Go for helping me with my computer problems. You really helped me and I am very grateful. It's been fun and thanks again. I'll do what you told me to help keep my system clean and I will see you later! ;)