Another "Aurora me too"...sorry

Here are my reports from Ewido and HijackThis. They were generated in Safe Mode, as suggested in other threads. Before scanning the system with the two above I ran Nailfix. No popups so far, but a message at startup saying that a module cannot be found by rundll. Would anybody help me understand the contents of the two logfiles? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:30 PM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51082128-B9B7-B51B-BB19-C9EE8980B9BF} - C:\WINDOWS\system32\lqu.dll (file missing)
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerVCR II\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\Medion\PowerVCR II\RemoteAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [3] C:\documents and settings\alessia\local settings\temp\3.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [oF7] C:\documents and settings\rino\local settings\temp\oF7.exe
O4 - HKLM\..\Run: [gcqdf] C:\documents and settings\alessia\local settings\temp\gcqdf.exe
O4 - HKLM\..\Run: [q6bYXh] C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
O4 - HKLM\..\Run: [Hyw7aeXO] C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [o6USPRl] C:\windows\system32\o6USPRl.exe
O4 - HKLM\..\Run: [mXMLIK.exe] c:\windows\system32\mXMLIK.exe
O4 - HKLM\..\Run: [4JATK3@4#AJHRM] C:\WINDOWS\system32\Kqxpex.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/021e0f24...p/RdxIE601.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.globalwebsearch.com/winenc32.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:04 PM, 6/2/2005
+ Report-Checksum: 26E5C01D
+ Date of database: 6/2/2005
+ Version of scan engine: v3.0
+ Duration: 89 min
+ Scanned Files: 188131
+ Speed: 35.09 Files/Second
+ Infected files: 113
+ Removed files: 113
+ Files put in quarantine: 113
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items: C:\ D:\ K:\ L:\ M:\
+ Scan result:

C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\rino@S005-01-9-28-233860-106434[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@ads.guardian.co[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@guide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@www.ebates[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\Del2C.tmp -> Spyware.180Solutions.e -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\jAl.dll -> Spyware.Midadle.b -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\mm_reco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr0021 -> Spyware.IBISToolbar -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr643C\WSup.exe -> Spyware.Wintol -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr7BB6\common.dll -> Spyware.WebSearch.f -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.frD4BC -> Spyware.IBISToolbar -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\THI10F1.tmp\mxTarget.dll -> Spyware.BiSpy.o -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrojanDownloader.TSUpdate.f -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrojanDownloader.Dyfuca.ak -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\docsygxhhy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\RCXAE.tmp -> Spyware.180Solutions.g -> Cleaned with backup
C:\WINDOWS\htpatch.exe -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\WINDOWS\prelimhanse.exe -> Spyware.WebHancer -> Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Agent.dh -> Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\Epoc.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\fpmat78.dll -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\WINDOWS\system32\lqu.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\WINDOWS\system32\Poller.exe.vir -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\Qxi7.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Rnfiy4co.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Tcmo3IDd.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\UbaM7.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Xzm0JgoS.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\υserinit.exe -> Spyware.PurityScan.am -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@713779[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@media[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S0012-01-1-7-217494-47679[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S129915[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S130376[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S149983[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S150263[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@33707992[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@45652814[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@53401622[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@59176631[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@63676511[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@6966407[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@843040[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adopt.hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.businessweek[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.guardian.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.specificclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.telegraph.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads4.clearchannel[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@buy.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cz6.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cz8.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcs06mqp0oifwz7nihkvjql18_9j6m[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsg07hinpifwz3wy8eqs4slv_7t7h[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcshfx5gloifwzvxiz6ywz3r7_5o1l[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsk50o4ppifwzri43z3zpag9_7d6h[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcslcvny1oifwzrqi727s7ceh_1x4g[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsq537tboifwzzc1768f34r7_1s1h[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@gostats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@linkexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@listen.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-8-30-256517-100295[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-256517-101276[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-275483-101362[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-275483-101370[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S131010[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S141753[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S144524[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S147034[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S150263[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@stats.klsoft[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@track-star[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

::Report End
Re: Another "Aurora me too"...sorry

Rino, Hello! and welcome to the Daniweb forums :).

- You'll need to download uninst.exe to remove the 'peper' infection, then:
1. run uninst.exe ... (first pass).
2. reboot your computer.
3. run uninst.exe ... (final pass).
Note: You must have an active internet connection, each time this program is run, for it to properly work.

===============

Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {51082128-B9B7-B51B-BB19-C9EE8980B9BF} - C:\WINDOWS\system32\lqu.dll (file missing)
O4 - HKLM\..\Run: [3] C:\documents and settings\alessia\local settings\temp\3.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [oF7] C:\documents and settings\rino\local settings\temp\oF7.exe
O4 - HKLM\..\Run: [gcqdf] C:\documents and settings\alessia\local settings\temp\gcqdf.exe
O4 - HKLM\..\Run: [q6bYXh] C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
O4 - HKLM\..\Run: [Hyw7aeXO] C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [o6USPRl] C:\windows\system32\o6USPRl.exe
O4 - HKLM\..\Run: [mXMLIK.exe] c:\windows\system32\mXMLIK.exe
O4 - HKLM\..\Run: [4JATK3@4#AJHRM] C:\WINDOWS\system32\Kqxpex.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/021e0f2...ip/RdxIE601.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.globalwebsearch.com/winenc32.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...
C:\Program Files\Open Site

files...
C:\documents and settings\alessia\local settings\temp\3.exe
C:\documents and settings\rino\local settings\temp\oF7.exe
C:\documents and settings\alessia\local settings\temp\gcqdf.exe
C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
C:\windows\system32\o6USPRl.exe
c:\windows\system32\mXMLIK.exe
C:\WINDOWS\system32\Kqxpex.exe

search for...
D0CE0C16B1 and D0CE0C16B1

- Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
- Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files: Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
- Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.
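The entries Crunchie asks to tick above were not picked at random: each shows a pattern a reviewer learns to spot in a HijackThis log (an executable autostarting from a user's temp folder, an orphaned entry pointing at a file that no longer exists, rundll32 loading a bare hex-named module, a Run value with junk characters in its name, an ActiveX download with no registered class name). The following Python script is an added example, not code from this thread or from HijackThis, that encodes those heuristics so a defender can triage a pasted log before deciding what to fix. The sample lines are copied from the logs posted in this thread; the heuristics, the `triage_log` function and the finding codes are my own assumptions and not a feature of the tool.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted above, mixing
# legitimate entries (Adobe, NVIDIA, Nero, DivX) with the ones the helper ticked.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51082128-B9B7-B51B-BB19-C9EE8980B9BF} - C:\WINDOWS\system32\lqu.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [3] C:\documents and settings\alessia\local settings\temp\3.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [4JATK3@4#AJHRM] C:\WINDOWS\system32\Kqxpex.exe
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O23) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 autostart entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O16 ActiveX downloads: "DPF: {CLSID} (Class Name) - <url>", class name optional
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<classname>[^)]*)\))? - (?P<url>\S+)$")

TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
RUNDLL = re.compile(r"^rundll32\.exe\s+(?P<module>[^,\s]+)", re.IGNORECASE)
# Legitimate value names in the posted logs use letters, digits, space, . _ - and "!"
ODD_NAME = re.compile(r"[^A-Za-z0-9 ._!-]")


@dataclass
class Finding:
    section: str
    code: str      # short machine-readable label for the heuristic that fired
    reason: str    # human-readable explanation for the person reviewing the log
    line: str


def triage_line(line: str) -> list[Finding]:
    """Apply the review heuristics (assumed, not HijackThis's own) to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                      # header, process list, blank line: not an entry
    section, body = m.group("section"), m.group("body")
    found = []
    lowered = body.lower()
    if "(file missing)" in lowered or "(no file)" in lowered:
        found.append(Finding(section, "orphaned",
                             "entry references a file that no longer exists (left over after cleaning)", line))
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4:
            name, command = o4.group("name"), o4.group("command")
            if TEMP_DIR.search(command):
                found.append(Finding(section, "temp-dir",
                                     "autostart executable lives in a user's temp folder", line))
            r = RUNDLL.match(command)
            if r and not r.group("module").lower().endswith(".dll"):
                found.append(Finding(section, "bare-rundll32",
                                     "rundll32 loads a module given without a path or .dll extension", line))
            if ODD_NAME.search(name):
                found.append(Finding(section, "odd-run-name",
                                     "Run value name contains unusual characters", line))
    elif section == "O16":
        o16 = O16_RE.match(body)
        if o16 and not o16.group("classname"):
            found.append(Finding(section, "unnamed-dpf",
                                 "ActiveX download with no registered class name; verify the publisher", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole pasted log, preserving line order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per heuristic code, e.g. {'orphaned': 2, 'temp-dir': 1, ...}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.code}: {f.reason}\n    {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run it on the sample and it flags exactly the six entries a reviewer would tick in that subset and leaves the vendor entries alone. The heuristics are deliberately narrow: a hit means "look at this", not "delete this", which is why each finding carries a reason rather than an action, and why the unflagged lines should still be read, since a threat that installs under a plausible vendor name will not trip any of them.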
Re: Another "Aurora me too"...sorry

Crunchie, Thank you very much. I never received such a clear and concise set of instructions!!! I'm at work now, as soon as I get home I'll give it a try and let you know how it goes. Thanks, again.
Re: Another "Aurora me too"...sorry

No worries :).
Re: Another "Aurora me too"...sorry

Hi. Here is my new Hijackthis report. A couple of things:
1) uninst.exe runs quite fast and I'm not sure what it does
2) in the ..\..\local settings\temp directory I cannot see an oF7.exe, but I see an of7.dll; should I delete that?
Finally, I now have Ad-Aware, SpyBot, VirusScan and now, per Crunchie's suggestion, SpywareBlaster - I usually run them weekly or so, and I keep them updated. Anything else? Again, I really appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:26 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Medion\PowerVCR II\Agent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerVCR II\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\Medion\PowerVCR II\RemoteAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
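As an added example (written for this thread; it is not code from any post here and not part of HijackThis), the script below does the first pass a helper does by eye on a log like the ones posted: it parses the Rn/On lines and flags the patterns that matter most on an "Aurora"-style infection. Those are O4 Run entries that launch from a user's Local Settings\Temp folder, rundll32 entries whose module is a bare name with no path and no .dll (the shape that, once the DLL has been deleted by a cleanup tool, leaves a "module could not be found" rundll error at logon until the Run value itself is removed), random-looking Run key names, BHOs with no name or a missing file, and URLSearchHooks with no backing file. The sample log embedded in the script is constructed for the example: the clean entries copy the shape of the second, clean log above, while the suspicious ones are made-up stand-ins with placeholder GUIDs and names.

```python
"""HijackThis 1.99 log triage (added example for this thread; not HJT code).

The sample log is constructed: clean entries mirror the shape of the
second log posted above, the suspicious ones are made-up stand-ins with
placeholder GUIDs and names.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "info"
    section: str   # HijackThis section, e.g. "O4"
    item: str      # Run key name, BHO CLSID, ...
    reason: str


# Constructed sample input (not a real log from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\abc.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kX9tq] C:\documents and settings\user\local settings\temp\kX9tq.exe
O4 - HKLM\..\Run: [A1B2C3D4E5F6] rundll32.exe A1B2C3D4E5F6,A1B2C3D4E5F6
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" (HijackThis abbreviates the Run key path)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<module>[^,\s]+)', re.IGNORECASE)


def looks_random(name: str) -> bool:
    """True for names like 'kX9tq': one alphanumeric token mixing letters
    and digits. Vendor names ('NvCplDaemon', 'QuickTime Task') do not
    match. Heuristic only; treat a hit as a prompt to look closer."""
    return (re.fullmatch(r"[A-Za-z0-9]{3,}", name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def check_run(body: str) -> List[Finding]:
    """Checks for one O4 HKLM/HKCU Run entry (Global Startup items are skipped)."""
    m = RUN_RE.match(body)
    if m is None:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    out: List[Finding] = []
    if TEMP_RE.search(cmd):
        out.append(Finding("high", "O4", name, "autorun from a temp folder"))
    r = RUNDLL_RE.match(cmd)
    if r and "\\" not in r.group("module") and not r.group("module").lower().endswith(".dll"):
        # A bare module name is resolved via the DLL search path. Once the
        # DLL is deleted, this Run value is what produces the "module could
        # not be found" rundll error at logon, so it still has to go.
        out.append(Finding("high", "O4", name, "rundll32 with a bare module name (no path, no .dll)"))
    if looks_random(name):
        out.append(Finding("medium", "O4", name, "random-looking Run key name"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            continue  # header, running-process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            findings.extend(check_run(body))
        elif sec == "O2" and ("(no name)" in body or "(file missing)" in body):
            clsid = body.split(" - ")[1]
            findings.append(Finding("medium", "O2", clsid, "BHO with no name or a missing file"))
        elif sec == "R3" and body.endswith("(no file)"):
            findings.append(Finding("medium", "R3", "URLSearchHook", "URLSearchHook with no backing file"))
        elif sec == "R1" and body.endswith("ProxyServer = :0"):
            findings.append(Finding("info", "R1", "ProxyServer", "empty proxy ':0' left in Internet Settings"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section} {f.item}: {f.reason}")
    print(summarize(results))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. A clean log like the second one above produces only the `info` line for `ProxyServer = :0`; the heuristics are deliberately loose (a vendor Run name with a digit in it will be flagged as "random-looking"), so every hit still needs a human to confirm the file and publisher before anything is fixed in HijackThis.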
Re: Another "Aurora me too"...sorry

uninst.exe removes the peper trojan :).

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keep it this way:

Secure your Internet Explorer by going here and following the instructions there. Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated Ad-Aware SE and Spybot S&D. Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders. Clear out your Temporary Internet Files and other temp files. Go to Start > Settings > Control Panel > Internet Options. Under the General tab click "Delete temporary internet files"; delete all Offline content as well. Clear out Cookies. Also, go to Start > Find/search > Files or folders > in the Named box, type: *.tmp and choose Edit > Select all -> File > Delete. Empty/delete the entire contents of the C:\Windows\temp folder and the C:\temp folder, if you have one (contents but not the folder itself).
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

===============

If you have any more problems, post back.

- Happy surfing, crunchie.
Re: Another "Aurora me too"...sorry

Thanks Crunchie. Great work!!!
Re: Another "Aurora me too"...sorry

You too :).
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC