outcold Posted June 20, 2005

I need to get rid of Aurora and I have followed all of the instructions until the HijackThis part. I have the log file but I cannot interpret what to delete and what to keep. Please help me. The log file is pasted below.

Logfile of HijackThis v1.99.1
Scan saved at 12:14:44 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Kurt\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\system32\toolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\system32\toolbar.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O2 - BHO: BRedObj Class - {63CF97E8-4133-438a-A831-CC9C6D47D673} - c:\Program Files\Reg2\Reg2.dll (file missing)
O2 - BHO: BRedObj Class - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - c:\Program Files\Xmod\xm320.dll (file missing)
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\system32\toolbar.dll
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [wqmPKJ] C:\WINDOWS\oaeksbul.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Pwsbyo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Afrtxy.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [bdqgse] c:\windows\system32\wscnwq.exe
O4 - HKCU\..\Run: [steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [spywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wruw] C:\PROGRA~1\COMMON~1\wruw\wruwm.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
dman Posted June 20, 2005

Aurora is associated with "NAIL.EXE". Believe it or not, as pernicious as this software is, the company behind it actually offers an uninstaller. If only they would advertise that in their popups!
http://www.mypctuneup.com/
outcold (author) Posted June 20, 2005

Thanks dman. Now I only have regular (but less frequent) pop-ups.
dman Posted June 21, 2005 (edited June 21, 2005 by dman)

Re-run Ad-Aware, Spybot S&D and your AV, and then post your HijackThis log again. You probably still have crumbs.
Tarun Posted June 24, 2005

That computer is infected with CoolWebSearch, Aurora, and several other nasty variants. Download the Anti-Malware Package and install all of these. Update them all, then boot into Safe Mode (F8 before the Windows splash). Then run CWShredder, MSAS, Ad-Aware and Spybot. THEN you should repost your log.