
Aurora and probably a lot of other things

Discussion in 'Malware and Virus Removal Archive' started by Tallmidget11, 2005/09/10.

  1. 2005/09/10
    Tallmidget11

    Tallmidget11 Inactive Thread Starter

    Joined:
    2005/05/25
    Messages:
    5
    Likes Received:
    0
    I just ran Xoft Spy on my computer and deleted some 250 files it detected. I'm sure there are at least a few things left though; Aurora, for one, keeps popping up. I would really appreciate it if anyone could take a look at my HJT log and see what's going on. Thanks for your help.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:26:34 PM, on 9/10/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\System32\dhpudkx.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Ubvyon\Eqckpp.exe
    C:\WINNT\exe81.exe
    C:\WINNT\System32\wuamkop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\ms-dos.pif
    C:\Program Files\D-Link AirPlus\AirPlus.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\johnf\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ms ownage] winPE.exe
    O4 - HKLM\..\Run: [Clcveh] C:\Program Files\Ubvyon\Eqckpp.exe
    O4 - HKLM\..\Run: [elos] C:\WINNT\exe81.exe
    O4 - HKLM\..\Run: [:C=e] C:\WINNT\exe81.exe
    O4 - HKLM\..\Run: [MS-DOS Security Service] ms-dos.pif
    O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
    O4 - HKLM\..\Run: [mjzywf] C:\WINNT\System32\dhpudkx.exe r
    O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
    O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
    O4 - HKLM\..\RunServices: [MS-DOS Security Service] ms-dos.pif
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MS-DOS Security Service] ms-dos.pif
    O4 - HKCU\..\RunServices: [MS-DOS Security Service] ms-dos.pif
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2519c98ffe711a1ca016/netzip/RdxIE2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124316996545
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/winupds.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://colorgraphics.ws/TSWeb/msrdp.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACCE6098-B0FE-4029-A01F-8E2AA9FA0D8E}: NameServer = 192.33.4.143
    O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
     
  2. 2005/09/11
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Download and run the removal tool
    CWS 2.15 as of May 2005
    Click on the download stand-alone version of coolwebshredder
    Download it, run it and choose Fix.

    Use Nailfix.Zip to remove Nail.
    How to boot to safe mode.
    Alternative method.
    Aurora removal tool
    Click on the download uninstaller.
    Close all windows, but stay connected to the net

    Run the Aurora Uninstaller
    Follow the prompts/instructions

    Reboot to safe mode.

    Empty all Temp folders (delete all files within):

    C:\Documents and Settings\(profile)\Local Settings\Temp\
    C:\Windows\Temp\
    C:\Temp\ (if it exists)


    Go to: Control Panel > Internet Options
    General tab > Temporary Internet Files > Delete Files:
    Checkmark "Delete all offline content"
    Click OK

    If they still exist, delete all those C:\WINDOWS\system32\*.ico (icon) files
    Go to start/ run and type services.msc and locate and stop "System Startup Service" Change startup to disabled.
    Use hijackthis to fix these entries.
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe


    If they still exist, delete these files
    C:\WINNT\svcproc.exe
    C:\WINNT\Nail.exe


    Run HijackThis with all other windows closed, choose Scan only, select the following if they remain, and choose Fix
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe



    You have
    http://securityresponse.symantec.com/avcenter/venc/data/adware.zquest.html
    Which installs aurora
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
    I think it is best to tell you to print out the removal instructions.
    Go to Start / Run and type
    regsvr32 /u dsr.dll
    Hit Enter and then locate and delete the file
    C:\WINNT\dsr.dll
    Also search for
    lofqf.exe
    SSK3_B5.exe
    %Windir%\TopContext.exe (%windir% means the windows directory, probably C:\windows or C:\Winnt)
    Delete if found.
    Have Hijackthis fix the entry.

    You have
    http://securityresponse.symantec.com/avcenter/venc/data/adware.mirar.html
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    Lots of entries, so probably best to print out instructions from symantec.
    You have Win32 Toxbot. Follow the removal instructions there.
    O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
    O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe

    Win32 Rbot. Follow the removal instructions there.
    O4 - HKLM\..\Run: [ms ownage] winPE.exe
    O4 - HKLM\..\Run: [MS-DOS Security Service] ms-dos.pif
    O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
    O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
    O4 - HKLM\..\RunServices: [MS-DOS Security Service] ms-dos.pif
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
    O4 - HKCU\..\Run: [MS-DOS Security Service] ms-dos.pif
    O4 - HKCU\..\RunServices: [MS-DOS Security Service] ms-dos.pif

    Unknown trojan, probably CWS
    O4 - HKLM\..\Run: [Clcveh] C:\Program Files\Ubvyon\Eqckpp.exe
    Fix with hijackthis,
    Kill process [Clcveh] with task manager or Codestuf starter startup manager and process viewer
    delete folder C:\Program Files\Ubvyon

    O4 - HKLM\..\Run: [elos] C:\WINNT\exe81.exe
    O4 - HKLM\..\Run: [:C=e] C:\WINNT\exe81.exe
    Fix with HijackThis, kill process [elos], delete file C:\WINNT\exe81.exe


    O4 - HKLM\..\Run: [mjzywf] C:\WINNT\System32\dhpudkx.exe r
    Fix with HijackThis, kill process [mjzywf], delete file C:\WINNT\System32\dhpudkx.exe


    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    Go to tools/ internet options/ security/ trusted zone / sites
    remove these from the list, Run hijackthis and fix if they remain.

    Fix these with hijackthis
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/winupds.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


    Reboot to safe mode, disable system restore if you have not done so.



    Reboot and run hijackthis and post a new log.

    I hope I got them all.
    You may want to first just run antivirus, anti-trojan and anti-spyware utilities and see if they can fix any of this.
    A-squared free trojan remover
    Avast free antivirus
    Spybot Search & Destroy
     
    Last edited: 2005/09/11
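The reply above works through the HijackThis log by hand, entry type by entry type. The script below is an added example written for this thread (it is not code from the thread, from oshwyn5, or from the HijackThis project) that does the same first pass automatically: it parses the R0/R1, F2, O2, O4, O15, O16 and O23 line shapes and flags the entries a responder should read first, using the same kinds of tells the reply relies on (RunServices autoruns, Microsoft-sounding names with bare filenames, .pif images, one binary under several names, Trusted Zone additions, ActiveX pulled from an IP address or via hcp://, services with no known owner, search pages pointing off to an unknown host). The allow-lists and severities are assumptions, and the sample input is a subset of lines copied from the log posted above.

```python
"""Triage helper for HijackThis 1.99 logs of the kind posted in this thread.

Added example for this thread, not a tool from the thread or from HijackThis.
The allow-lists are assumptions; a hit means "inspect this first", not
"this is malware".
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<rest>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<image>.*)$")
O16_RE = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}(?:\s+\(.*\))?\s+-\s+(?P<url>\S+)$")
MS_LOOKALIKE = re.compile(r"microsoft|microsft|\bms[- ]|windows|update", re.I)
SEARCH_ALLOW = ("microsoft.com", "msn.com")    # assumed benign search/start hosts
DPF_ALLOW = ("microsoft.com", "symantec.com")  # assumed benign ActiveX sources

def host_of(url):
    """Hostname or IP literal of a URL, with or without a scheme."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()

def in_windows_dir(path):
    """True for a file sitting directly in the Windows or System32 directory."""
    return re.match(r"^[a-z]:\\win(nt|dows)\\(system32\\)?[^\\]+$", path.strip('"'), re.I) is not None

def triage(lines):
    """Return [(severity, reason, entry)] for entries a responder should look at first."""
    findings, o4_names = [], defaultdict(set)  # o4_names: image basename -> autorun names
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank or running-process line: not an HJT entry
        sec, rest, entry, hit = m.group("sec"), m.group("rest"), raw.strip(), None
        if sec in ("R0", "R1") and "=" in rest:
            host = host_of(rest.split("=", 1)[1].strip())
            if host and not host.endswith(SEARCH_ALLOW):
                hit = ("high", "search/start page points at " + host)
        elif sec == "F2" and "Shell=" in rest:
            extra = rest.split("Shell=", 1)[1].strip()
            if extra.lower() != "explorer.exe":
                hit = ("high", "shell line loads more than Explorer.exe: " + extra)
        elif sec == "O2" and in_windows_dir(rest.rsplit(" - ", 1)[-1]):
            hit = ("medium", "BHO loaded from the Windows directory, not Program Files")
        elif sec == "O4" and (o4 := O4_RE.match(rest)):
            key, name, image = o4.group("key", "name", "image")
            exe = image.split("\\")[-1].split(" ")[0].strip('"').lower()
            o4_names[exe].add(name)
            if key.lower() == "runservices":
                hit = ("high", "RunServices autorun (rarely used by legitimate XP software)")
            elif exe.endswith(".pif"):
                hit = ("high", "autorun image is a .pif file")
            elif MS_LOOKALIKE.search(name) and "\\" not in image:
                hit = ("high", "Microsoft-sounding name with a bare image filename")
        elif sec == "O15":
            hit = ("medium", "site added to the Trusted Zone")
        elif sec == "O16" and (o16 := O16_RE.match(rest)):
            url, host = o16.group("url"), host_of(o16.group("url"))
            if url.lower().startswith("hcp://"):
                hit = ("medium", "ActiveX control sourced via the hcp:// Help Center protocol")
            elif re.fullmatch(r"[\d.]+", host):
                hit = ("high", "ActiveX control downloaded from a bare IP address")
            elif not host.endswith(DPF_ALLOW):
                hit = ("medium", "third-party ActiveX download from " + host)
        elif sec == "O23" and "Unknown owner" in rest:
            hit = ("medium", "service binary has no known publisher")
        if hit:
            findings.append((hit[0], hit[1], entry))
    for exe, names in o4_names.items():  # one binary registered under several names
        if len(names) > 1:
            findings.append(("medium", f"registered under {len(names)} autorun names", exe))
    return findings

# Sample input: a subset of lines copied from the log posted in this thread,
# plus one running-process line that the parser is expected to skip.
SAMPLE_LOG = r"""
C:\WINNT\System32\ms-dos.pif
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\Run: [elos] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [:C=e] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [MS-DOS Security Service] ms-dos.pif
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2519c98ffe711a1ca016/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124316996545
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
""".splitlines()

if __name__ == "__main__":
    for sev, why, entry in sorted(triage(SAMPLE_LOG), key=lambda f: f[0] != "high"):
        print(f"[{sev:6}] {why}\n         {entry}")
```

On the sample above the script flags the same entries the reply singles out (Nail.exe on the shell line, the RunServices and Microsoft-lookalike autoruns, ms-dos.pif, dsr.dll, the Trusted Zone and hcp:// entries, svcproc.exe) and additionally notes that exe81.exe is registered under two different names, while leaving ccApp, MSMSGS, the Acrobat BHO and the Windows Update control alone. The R1 rule is deliberately strict, so an OEM start page such as the gatewaybiz.com Default_Page_URL in the full log would also be listed; that is a prompt to check the host, not a verdict. The output is a reading order for the log, not a substitute for the removal steps in the reply.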


