I caught my first malware infection two days ago, a nasty little bugger called Aurora or "ABetterInternet". From the looks of the forum, I see you're familiar with it.
I've done the following to attempt to remove the program:
1. Ran Microsoft Anti-Spyware
2. Installed Ewido Security Suite, Nailfix.exe, and Cleanup
3. Rebooted in Safe Mode
4. Ran the above programs
5. Ran HijackThis and removed some programs that other people were told to remove.
Unfortunately, the cat came back the very next day. Aurora seems to have reinstalled itself.
Here's my HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:21 AM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ndejdqt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Microsoft Shared\8C-B880-\dllhost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ruyvnzp.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\windows\SvcProc.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://wwws.wfu.edu/WIN/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://wwws.wfu.edu/WIN/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 152.17.2.151 codesrv1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} -
C:\WINDOWS\System32\pkshxabu.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890}
- C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-
0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0
\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program
Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1
\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32
\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32
\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mstask32] "C:\Program Files\Common Files\Microsoft
Shared\8C-B880-\dllhost.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32
\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1
\EzEjMnAp.Exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program
Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1
\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI
CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ruyvnzp] C:\WINDOWS\ruyvnzp.EXE
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [clpsrep] C:\WINDOWS\system32\ndejdqt.exe r
O4 - HKCU\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program
Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read It! - C:\WINDOWS\Web\toyagt.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-
C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-
A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-
9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2
-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet
Explorer\plugins\Npcdn32.dll
O12 - Plugin for .csm: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .NPSSView: C:\Program Files\Seagate
Software\Viewers\ActiveXViewer\NPssView.dll
O12 - Plugin for .pdb: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet
Explorer\Plugins\npchime.dll
O16 - DPF: JavaConnect -
http://lewisville.de.../JavaConnect.ca
b
O16 - DPF: Sametime Meeting Room Client ST30SP1 -
http://lewisville.de...omclient/STMeet
ingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control)
-
http://lewisville.de...omClient/STJNIL
oader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access
Support) - file://C:\Program
Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) -
http://www.installen...gine/isetup.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB}
(STConnectivityAgent Control) -
http://lewisville.de.../InstallSTConnA
gent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
deacnet.wfu.edu
O20 - AppInit_DLLs: KATRACK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache
Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco
Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program
Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner -
C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - c:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) -
Symantec Corporation - C:\Program
Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner -
C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service
(default)) - Analog Devices, Inc. - C:\Program Files\Analog
Devices\SoundMAX\SMAgent.exe
O23 - Service: Software Secure Service (SSISvr32) - Unknown owner -
C:\WINDOWS\system32\ssisvr32.exe