Ad Aware did manage to remove other programs like the "CoolWebSearch" toolbar, but not Aurora. After every system restart, Ad Aware will find new VX2 malware and delete it, but it comes back again after the next reboot, and I suspect it is related to Aurora.
Also, there is a program which I cannot uninstall (though I have tried HijackThis -> Misc Tools -> Uninstall Manager), called ABI Network - Division of Direct Revenue.
Please help. Many thanks in advance for your effort!
Here's my HijackThis log. Note that my PC is an IBM ThinkPad, and my company domain is "nwie". Also, I notice that once I am working in my company domain, which has a firewall, Aurora never manages to pop up.
Logfile of HijackThis v1.99.1
Scan saved at 9:47:04 AM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINXP\system32\SMC2635WMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINXP\System32\MDM.EXE
C:\Documents and Settings\tongs\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINXP\Downloaded Program Files\CnsHook.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe