
I really need help... [DSRch + Aurora - HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Sfantasia, 2005/08/01.

Thread Status:
Not open for further replies.
  1. 2005/08/01
    Sfantasia
    For some strange reason, for the last 24 hours my computer has been bombarded with all sorts of spyware. I have the Zone Alarm Pro firewall and I am using Microsoft AntiSpyware, but I can't seem to get rid of any of it. I get a pop-up from the AntiSpyware program that says DSRch is trying to download, and I click to remove it. It does, I reboot, and a couple of hours later it comes back. I use RegSeeker to take all the entries for DSRch out of the registry (there are 25), remove them and then reboot. Still it comes back. Then there's Aurora. Zone Alarm tells me that Aurora is trying to access the internet, so I click Deny and "Always remember", but 10 min later I get another notice from Zone Alarm for the same thing, except it says the program has changed since the last alert. When the program changes like this, remembering the previous setting doesn't work. This Aurora is trying to access 127.0.0.1, which I think is localhost, but the ports keep changing. I am also getting bombed with Abetterinternet, Ahoa, ICanNews, BookedSpace and AproposMedia. I don't usually surf the internet, so I really don't know where they came from, but I sure could use some help from you experts.

    I am running WinXP Home SP2
    Cable Access

    Thanks
     
  2. 2005/08/01
    charlesvar
    Hello Sfantasia,

    Download HijackThis to a folder of its own, unzip it and run it. After the scan, click the Save Scan button; the saved scan will be in the same folder. Then copy and paste it into your next post.

    Download from here: http://radiosplace.com/

    Regards - Charles
     


  4. 2005/08/01
    BillyBob
    Sfantasia

    Also watch your E-MAIL CAREFULLY

    I had roughly the same problem a while back. Eventually I found it had gotten in via e-mail and had added something to the Startup group.

    Unless you know where something came from (and even then), be very careful about clicking on any contained links.

    I myself use MailWasher to prescreen the mail. Then I can delete any suspicious mail right off the server, and it never makes it to my machine.

    BillyBob
     
  5. 2005/08/01
    Arie
    Please follow Posting Rules (#3 - Meaningful Subject) when posting.
     
    Arie,
    #4
  6. 2005/08/01
    Sfantasia
    I really need help

    Done, here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:44 AM, on 8/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\MemoryBoost\MemoryBoost.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    c:\windows\system32\ehknru.exe
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Flippen Menus v4.0.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\tbom\ahoa.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Downloads\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ycpmho] c:\windows\system32\ehknru.exe r
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - Startup: APC UPS Status.lnk = ?
    O4 - Startup: Flippen Menus v4.0.lnk = C:\Flippen Menus v4.0.exe
    O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.buy.com
    O15 - Trusted Zone: http://www.chase.com
    O15 - Trusted Zone: http://www.fansgifts.com
    O15 - Trusted Zone: http://*.fansgifts.com
    O15 - Trusted Zone: http://www.foodnetwork.com
    O15 - Trusted Zone: http://*.foodtv.com
    O15 - Trusted Zone: http://www.fragrancenet.com
    O15 - Trusted Zone: http://board.gostats.com
    O15 - Trusted Zone: http://c3.gostats.com
    O15 - Trusted Zone: http://cgi.igl.net
    O15 - Trusted Zone: http://cgi1.igl.net
    O15 - Trusted Zone: http://users.igl.net
    O15 - Trusted Zone: http://www.igl.net
    O15 - Trusted Zone: http://www4.igl.net
    O15 - Trusted Zone: http://by106fd.bay106.hotmail.msn.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: http://www.myleague.com
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://www.pcpitstop.com
    O15 - Trusted Zone: http://help.rr.com
    O15 - Trusted Zone: http://home.satx.rr.com
    O15 - Trusted Zone: http://*.salfantasia.us
    O15 - Trusted Zone: http://hoylegames.sierra.com
    O15 - Trusted Zone: http://housecall60.trendmicro.com
    O15 - Trusted Zone: http://www.twc-sa.com
    O15 - Trusted Zone: http://www.txlottery.org
    O15 - Trusted Zone: http://*.usps.com
    O15 - Trusted Zone: http://www.washingtonpost.com
    O15 - Trusted Zone: http://forum.zonelabs.org
    O15 - Trusted IP range: http://12.129.201.83
    O15 - Trusted IP range: http://127.0.0.1
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) -
    O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\ikfgnt5.dll
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    I hope this helps
    Thank you
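As an added illustration (not code from the thread, from HijackThis or from its authors), a small Python checker that parses lines in the log format above and flags the entry types this thread goes on to discuss: the F2 shell override, an O4 autorun pointing into system32, the trusted 127.0.0.1 IP range, the O20 Winlogon Notify DLL and an O23 service with no vendor name. The sample lines are copied from the log above; the system32 allowlist is an assumption for the example.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99 log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ycpmho] c:\windows\system32\ehknru.exe r
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted IP range: http://127.0.0.1
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\ikfgnt5.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\mainserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Windows binaries that legitimately run from system32 via a Run key
# (illustrative allowlist, an assumption; a real one would be much longer).
KNOWN_SYSTEM32 = {"rundll32.exe", "dumprep", "ctfmon.exe"}

def parse(log):
    """Yield (section, body) for every well-formed HijackThis line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")

def flag(section, body):
    """Return a reason if the entry matches one of the patterns from this thread, else None."""
    low = body.lower()
    if section == "F2" and "shell=" in low:
        shell = low.split("shell=", 1)[1].strip()
        if shell != "explorer.exe":  # extra executable chained onto the shell (Nail.exe pattern)
            return "shell override: " + shell
    if section == "O4":
        m = re.search(r"\\system32\\([^\s\"]+)", low)
        if m and m.group(1) not in KNOWN_SYSTEM32:
            return "unknown system32 autorun: " + m.group(1)
    if section == "O15" and "trusted ip range" in low:
        return "trusted IP range: " + body.split(":", 1)[1].strip()
    if section == "O20":  # Winlogon Notify DLLs load at logon; every entry deserves review
        return "winlogon notify DLL: " + body.rsplit(" - ", 1)[-1]
    if section == "O23" and "unknown owner" in low:
        return "service without vendor: " + body.rsplit(" - ", 1)[-1]
    return None

def suspicious_entries(log):
    """Return [(section, reason)] for every flagged line in the log."""
    out = []
    for section, body in parse(log):
        reason = flag(section, body)
        if reason:
            out.append((section, reason))
    return out
```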
     
  7. 2005/08/01
    charlesvar
    Hello Sfantasia,

    This is probably the origin of your problem:

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe "

    From http://castlecops.com/s2034-MsgPlus_exe.html

    Regards - Charles
     
  8. 2005/08/01
    Sfantasia
    I really need help

    Well, when I did install it I opted out of the sponsor program, and I have had it for several months. My problems started about 48 hours ago. I googled Aurora and noticed that it is tied to the program "nail.exe", and I noticed in the log that there is a reference to this at:

    "F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe "

    Could this be the source of the problem? If so how would I go about correcting it?
     
  9. 2005/08/01
    charlesvar
    Hi Sfantasia,

    http://netrn.net/spywareblog/archives/2005/05/10/got-aurora-nailexe/ Yep, missed that.

    If you do a Google search on nail.exe, you'll hit a lot of sites offering to remove it. I would follow the Spyware Warrior links or wait for noahdfear or Mark to lead you through removal. Stuff like this is usually hard to remove.

    Regards - Charles
     