Aurora

Anti spyware

I have been trying to clean out this popup forever now; the title bar title
is Aurora. I have tried adware and Microsoft spyware beta, in both normal
Windows and safe mode. I still haven't had any luck yet. I did searches in
the registry and system drives for the word aur and aurora and still no luck
at all. It stops for a few hours, then it's back again after I run the
removers in safe mode. Any comments or help would be appreciated, since I
can't find any real help through Google or the forum search. Here is my
hijack log..

Here's a print screen:
http://www.nguyenweb.net/pest/aurora.JPG

Logfile of HijackThis v1.99.1
Scan saved at 6:43:03 PM, on 04/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\guyqso.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI
Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco
Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation -
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,
Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program
Files\NavNT\defwatch.exe
O23 - Service: GEARSecurity - GEAR Software -
C:\WINDOWS\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program
Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec
Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -
Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
 
D@nnyBoy

No need to post your HijackThis logfile, because this is a ng for MSAS.

--

D@nnyBoy
Have you tried posting your problems
not related to MS AntiSpyware to
news://msnews.microsoft.com

and please don't bother to send me private mail
because I don't check my mailbox regularly


 
Bill Sanderson

I cleaned this one today--it was not easy. I believe this is CoolWebSearch.



This one is the randomly named piece of the code. You can kill the process
using the system explorers process tool, but it is immediately recreated
with a different name. Also look for
(on the system I cleaned) nail.exe - I believe in c:\windows.

Check the registry for the shell line:
HKLM\software\microsoft\windows nt\currentversion\winlogon

shell reg_sz explorer.exe

If you see more besides explorer.exe, remove that, find the executable, and
kill it.
c:\windows\system32\guyqso.exe

OK - so now you have two of the three parts of this critter--the random
part, the shell part (find it in the registry and note the name and
location--it may be different from mine)

Now for the third part. I couldn't find this with any standard
tools--msconfig, sysinfo32, Microsoft Antispyware. What did find it was
Trend Micro's online virus scan:

http://housecall.trendmicro.com

It ID'd an executable in Windows as a trojan, but couldn't do anything to
it--so that's how I found the third piece.

This piece was active in safe mode, safe mode command prompt, etc. Others
here will probably be able to suggest an app designed to kill such things,
but what I did was boot (in my case Windows 2000) via the CD to the Recovery
Console.

I was able to delete the main viral component using the recovery console,
and also nail.exe.

I then searched out the current name for the random-named component and
deleted it.

That seemed to take care of it. I suspect I also booted to safe mode and
did some fairly careful checking by date to look at new stuff in the last
day or two that didn't look kosher--who knows what innocent data files I
blew away!
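Bill's checks above (the Winlogon Shell value should read Explorer.exe and nothing more; a Run entry launching a random-named executable out of system32 is the second piece) can be applied to a saved HijackThis log before anyone touches the live machine. The Python script below is an added example written for this page, not a tool from the thread or from HijackThis. It parses F2, O4 and O23 lines, using sample lines constructed from the log posted above, and flags entries for manual review: anything after explorer.exe in the Shell value, Run entries under the Windows directory whose value name does not match the file and are not on a small known-good list, and "Unknown owner" services running directly from the Windows root. The known-good list and the heuristics are assumptions made for this example; the output is a triage list for an expert to look at first, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [vkopnnr] c:\\windows\\system32\\guyqso.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\defwatch.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Executables under the Windows directory that legitimately appear in a Run
# key on the machine being examined. Assumption for this example; extend it
# for the box you are looking at.
KNOWN_GOOD_WINDIR_RUN = {"ctfmon.exe", "nerocheck.exe"}


def shell_extras(value):
    """Return whatever follows explorer.exe in the Winlogon Shell value.

    A clean system has exactly 'Explorer.exe'. Anything more is a second
    program started alongside the shell (the thread's case is Nail.exe).
    """
    v = value.strip()
    if v.lower().startswith("explorer.exe"):
        return v[len("explorer.exe"):].strip()
    return v  # shell replaced outright: equally worth a look


def exe_path(target):
    """Cut a Run value down to the executable path, dropping quotes/arguments."""
    i = target.lower().find(".exe")
    return (target[: i + 4] if i >= 0 else target).strip('"')


def in_windows_dir(path):
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 2 and parts[1] == "windows"


def in_windows_root(path):
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == 3 and parts[1] == "windows"


def triage(log_text):
    """Return (kind, ...) tuples for lines that deserve manual review."""
    findings = []
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            extra = shell_extras(m.group("value"))
            if extra:
                findings.append(("shell", extra))
            continue
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group("target"))
            exe = PureWindowsPath(path)
            name = m.group("name").lower()
            # A Run value whose name bears no relation to the file it starts,
            # pointing at an unfamiliar executable inside the Windows tree,
            # fits the "randomly named piece" described in the thread.
            if (in_windows_dir(path)
                    and exe.name.lower() not in KNOWN_GOOD_WINDIR_RUN
                    and name not in (exe.name.lower(), exe.stem.lower())):
                findings.append(("run", m.group("name"), path))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and in_windows_root(m.group("path")):
            # A service with no vendor string running straight out of the
            # Windows root is unusual enough to check by hand; this is a
            # prompt for review, not an identification.
            findings.append(("service", m.group("display"), m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; everything it prints is a candidate to check by date, vendor and hash before deciding whether it is part of the infection.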
 
Andre Da Costa

From Chuck:
CoolWebSearch is a constantly mutating major nuisance. The best tool to
diagnose it is HijackThis, and expert advice. HijackThis shows all possible
traces of software, anything that MIGHT be malware, and lets an expert
identify the bad stuff manually.

HijackThis http://www.tomcoyote.com/hjt/

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the HJT Log.

http://forums.spywareinfo.com/index.php?showtopic=227

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):

Aumha: http://forum.aumha.org/index.php

Net-Integration: http://forums.net-integration.net/

Spyware Info: http://forums.spywareinfo.com/

Spyware Warrior: http://spywarewarrior.com/index.php

Tom Coyote: http://forums.tomcoyote.org/
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm


 
Bill Sanderson

Whoops - I see nail.exe there in the hijackthis log as well.

Same critter. Get an ID on the third piece from a competent antivirus. NAV
2005 was installed on the machine I was working with, and had current
definitions, but I'm not sure when the last full scan had been.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
B

Bob

Patrick; I have the same thing. Let me know if you come
across a fix. TNX
 
J

Jonzy

I've been fighting this one as well. The fix that worked for
me was adapted from the thread at this URL:
http://forums.maddoktor2.com/index.php?showtopic=3816&st=0&#entry19146
I had Nail, SvcProc, and some others, but the Aurora wasn't
fixed until I used the "find_it.bat" listed on that page to
correctly ID the real exe, which was, by the way, a totally
different name from the one on the thread. Good luck.
-----Original Message-----
Whoops - I see nail.exe there in the hijackthis log as well.

Same critter. Get an ID on the third piece from a competent antivirus. NAV
2005 was installed on the machine I was working with, and had current
definitions, but I'm not sure when the last full scan had been.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I cleaned this one today--it was not easy. I believe this is
CoolWebSearch.



This one is the randomly named piece of the code. You can kill the
process using the system explorers process tool, but it is immediately
recreated with a different name. Also look for
(on the system I cleaned) nail.exe - I believe in c:\windows.

Check the registry for the shell line:
HKLM\software\microsoft\windows nt\currentversion\winlogon

shell reg_sz explorer.exe

If you see more besides explorer.exe, remove that, find the executable,
and kill it.
c:\windows\system32\guyqso.exe

OK - so now you have two of the three parts of this critter--the random
part, the shell part (find it in the registry and note the name and
location--it may be different from mine)

Now for the third part. I couldn't find this with any standard
tools--msconfig, sysinfo32, Microsoft Antispyware. What did find it was
Trend Micro's online virus scan:

http://housecall.trendmicro.com

It ID'd an executable in Windows as a trojan, but couldn't do anything to
it--so that's how I found the third piece.

This piece was active in safe mode, safe mode command prompt, etc. Others
here will probably be able to suggest an app designed to kill such things,
but what I did was boot (in my case Windows 2000) via the CD to the
Recovery Console.

I was able to delete the main viral component using the recovery console,
and also nail.exe.

I then searched out the current name for the random-named component and
deleted it.

That seemed to take care of it. I suspect I also booted to safe mode and
did some fairly careful checking by date to look at new stuff in the last
day or two that didn't look kosher--who knows what innocent data files I
blew away!
 
A

Anti spyware

Sorry for posting the log file, wont do that again.

Patrick

D@annyBoy said:
no need to post your Logfile of HijackThis because this is a ng for MSAS

--

D@nnyBoy
Have you tried posting your problems
not related to MS AntiSpyware to
news://msnews.microsoft.com

and please don't bother to send me private mail
because I don't check my mailbox regularly


 
P

plun

Anti said:
Sorry for posting the log file, wont do that again.

Feel free to do that again ;)

This Aurora is a troublemaker; if you search with Google you
find several users with this problem.

- Please send a suspected spyware report to MS about this,
menu Tools within MSAS.

I recommend you follow this URL and at step 7 post your
HijackThis log if steps 1-6 don't help.

http://www.aumha.org/a/quickfix.htm

For step 2 use this tool, CCleaner, www.ccleaner.com
 
M

Menno Hershberger

Take a look at
http://hijackthis.de/logfiles/14f4c8cd0fa2e5900e1b7ca8b4bc0054.html
Don't take it for gospel though.... :)
I saw a couple that I know I'd get rid of though.
 
M

Menno Hershberger

I cleaned this one today--it was not easy. I believe this is
CoolWebSearch.



This one is the randomly named piece of the code. You can kill the
process using the system explorers process tool, but it is immediately
recreated with a different name. Also look for
(on the system I cleaned) nail.exe - I believe in c:\windows.

Check the registry for the shell line:
HKLM\software\microsoft\windows nt\currentversion\winlogon

shell reg_sz explorer.exe

If you see more besides explorer.exe, remove that, find the
executable, and kill it.


OK - so now you have two of the three parts of this critter--the
random part, the shell part (find it in the registry and note the name
and location--it may be different from mine)

Now for the third part. I couldn't find this with any standard
tools--msconfig, sysinfo32, Microsoft Antispyware. What did find it
was Trend Micro's online virus scan:

http://housecall.trendmicro.com

It ID'd an executable in Windows as a trojan, but couldn't do anything
to it--so that's how I found the third piece.

This piece was active in safe mode, safe mode command prompt, etc.
Others here will probably be able to suggest an app designed to kill
such things, but what I did was boot (in my case Windows 2000) via the
CD to the Recovery Console.

I was able to delete the main viral component using the recovery
console, and also nail.exe.

I then searched out the current name for the random-named component
and deleted it.

That seemed to take care of it. I suspect I also booted to safe mode
and did some fairly careful checking by date to look at new stuff in
the last day or two that didn't look kosher--who knows what innocent
data files I blew away!

Probably none. I have done these exact same things. If you list the
files in system32 by date, you can usually find the one you can't delete,
plus a whole bunch more of really suspicious file names... all recently
created. In Windows Explorer there'll usually just be a plain icon beside
the phony ones, and you'll notice a lot of the file lengths are exactly
the same as the one you can't delete. From there, I go into the
recovery console like you said, get rid of that one, then back into Safe
Mode and rename the rest of the suspect ones. Then I'll search the
registry for any reference to the one I deleted. Lots of times you don't
find it, but if I do I get rid of it, of course. I've been through this a
few times already, and I've never had to go back and "fix" any of the
renamed files. After a period of time, it'd probably be safe to delete
them.
The most frustrating one I ever got into was on an XP-Pro machine that
I didn't know the password for... nor did the owner. I spent more time
getting that password changed to SUNBELT than I did cleaning the machine.
You may have heard of that one. It cost me $80 and it only totals about
119 Kb on a floppy disk. I probably got ripped off on that one, but I've
used it about 4 or 5 times now. At least it works... :)
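Menno's file-listing heuristic, written out as a script. This is an added
example, not code from any post in the thread: it sorts a System32 listing
by modification time, keeps the recently created files whose byte length
exactly matches the file you cannot delete, and quarantines them by
renaming, as he does, rather than deleting. The listing below is a
constructed sample; guyqso.exe is the random-named file from the log posted
above, and every other name, size and timestamp is invented.
`scan_directory` builds the same records from a real folder.

```python
"""Menno's System32 triage as a script (added example, not from the thread).

Heuristic from the post: the dropper writes several copies of itself under
random names, so the copies share an exact byte length with the one file
you cannot delete, and they are all recently created.  Rename, do not
delete, until you are sure.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int
    mtime: datetime


def scan_directory(path: str) -> list[FileRecord]:
    """Collect name, size and modification time of every regular file in
    `path` (e.g. C:\\WINDOWS\\system32 on the infected machine)."""
    records = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                records.append(FileRecord(entry.name, st.st_size,
                                          datetime.fromtimestamp(st.st_mtime)))
    return records


def recent_files(records: list[FileRecord], now: datetime, days: int = 2) -> list[FileRecord]:
    """Files modified within the last `days` days, newest first ("list by date")."""
    cutoff = now - timedelta(days=days)
    return sorted((r for r in records if r.mtime >= cutoff),
                  key=lambda r: r.mtime, reverse=True)


def same_size_as(records: list[FileRecord], known_bad: str) -> list[str]:
    """Other files whose length is exactly that of the known-bad file."""
    by_name = {r.name.lower(): r for r in records}
    target = by_name[known_bad.lower()].size
    return sorted(r.name for r in records
                  if r.size == target and r.name.lower() != known_bad.lower())


def triage(records: list[FileRecord], known_bad: str, now: datetime, days: int = 2) -> list[str]:
    """Recently created files that are byte-for-byte the same length as the
    undeletable one: the "really suspicious file names" from the post."""
    twins = set(same_size_as(records, known_bad))
    return [r.name for r in recent_files(records, now, days) if r.name in twins]


def rename_plan(names: list[str], suffix: str = ".suspect") -> dict[str, str]:
    """Quarantine by renaming (reversible), as the post does, instead of deleting."""
    return {name: name + suffix for name in names}


def apply_rename_plan(directory: str, plan: dict[str, str]) -> None:
    """Carry out the plan on disk; run from Safe Mode so the files are not in use."""
    for old, new in plan.items():
        os.rename(os.path.join(directory, old), os.path.join(directory, new))


# Constructed sample listing.  guyqso.exe is the random-named piece from the
# HijackThis log above; every other name, size and timestamp is invented.
NOW = datetime(2005, 4, 15, 18, 43)  # scan time from the HijackThis header
SAMPLE_LISTING = [
    FileRecord("kernel32.dll", 983_552, datetime(2004, 8, 4, 12, 0)),
    FileRecord("ctfmon.exe", 15_360, datetime(2004, 8, 4, 12, 0)),
    FileRecord("guyqso.exe", 49_152, datetime(2005, 4, 14, 21, 7)),    # the undeletable one
    FileRecord("qzlmwp.exe", 49_152, datetime(2005, 4, 14, 21, 7)),    # same length, same day
    FileRecord("hnevtr.exe", 49_152, datetime(2005, 4, 15, 9, 30)),    # same length, today
    FileRecord("readme.txt", 49_152, datetime(2005, 1, 2, 8, 0)),      # same length but old
    FileRecord("atiptaxx.exe", 344_064, datetime(2005, 4, 14, 22, 0)),  # recent, different length
]

if __name__ == "__main__":
    for old, new in rename_plan(triage(SAMPLE_LISTING, "guyqso.exe", NOW)).items():
        print(f"ren {old} {new}")
```

On the sample, the two-day window and the 49,152-byte match pick out
hnevtr.exe and qzlmwp.exe and leave the old readme.txt and the recent but
differently sized atiptaxx.exe alone. A matching length is a lead, not
proof, which is why the plan renames rather than deletes.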
 
B

Bill Sanderson

I'll be interested to hear whether all three pieces can be seen in
HijackThis. I wasn't able to find the main executable that way--two of the
pieces (one of which changed names with every restart of the process)--but
not the main one.
 
B

Bill Sanderson

My strong impression with this one is that the three pieces have a
structure:

1) short 6 character randomly named executable whose process starts with
TODO as viewed by Microsoft Antispyware's running process viewer. In
fact--this may even be listed in add or remove programs.

2) nail.exe
3) a longer (8 character??) also apparently randomly named executable which
retains the same name on a given system, but differs between systems. This
one is active even in safe mode command prompt.
 
A

Anti spyware

Okay, I have tried to clean it out with HijackThis (service) and did a
removal of the nail.exe and nail***.pf. It still keeps showing up. I
decided to delete the files and hurried up and created a file with the same
name in the directory, so it can't be created by the malware. Seems to be
working so far. I will keep you up to date.

BTW: I cleaned everything in the registry that had nail, svcproc, and
aurora.
 
K

Kevin Law

I fought this one for the past three days and with the help of all of you
and a couple of sites out on the Internet, I finally got rid of it. This is
what I did:

1) Used Microsoft AntiSpyware to find out what the "TODO" running process
was currently named by clicking on "Tools", "Advanced Tools", "System
Explorers", "Running Processes", and looking for the "TODO" process and
writing down the current name and location of the randomly named "EXE".

2) Restarted the computer and booted from my XP CD in "Recovery Console"
mode.

3) Deleted the "nail.exe" and "svcproc.exe" files from the "C:\Windows"
directory.

4) Deleted the randomly named "TODO" file from the "C:\Windows\System32"
directory.

5) Rebooted the computer into "Safe Mode".

6) Used "Task Manager" or Microsoft AntiSpyware to check to see that the
"TODO"/"Aurora"/"nail.exe" processes weren't running anymore.

7) Clicked on "Start", "Run", typed in "Regedit", clicked on "File",
"Export", selected "All" under "Export range", typed in a name for your
Registry backup, and saved it to my "My Documents" directory, just in case.

8) Deleted the "nail.exe" text from the "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell" string (should be after "Explorer.exe", so
delete "nail.exe" so that it only says "Explorer.exe" for this string).

9) Deleted the "String" that references the randomly named "TODO" file under
the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key.

10) Closed "Regedit".

11) While in "Safe Mode", feel free to run your anti-spyware programs and
utilities to further remove any other "baddies", if you wish.

12) Reboot your computer and let it come up "regularly" and the
"TODO"/"Aurora"/"nail.exe" stuff should now be gone.

I would definitely look forward to more of the new spyware programs ending
up working just like this one because they will be "impossible" to get rid
of with "antispyware" tools, like this one proved to be for me. I used over
30 different programs and utilities, and all the usual tricks and none
worked at all. Only by using some of the tips that I found here in
Microsoft's spyware newsgroups and putting them together with some tips from
other sites, was I able to get rid of this garbage in the way I detailed
out.

Another tip is to use a program like Zone Alarm so that you can stop the
"baddies" from connecting to the Internet while you're trying to hunt them
down and kill them. This can also help stop them from downloading and
installing their "friends" or "repairing" themselves while you're getting
rid of them. Good luck.
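Bill Sanderson's Winlogon Shell check and three-piece description, and
Kevin Law's steps 3, 4, 8 and 9, applied to the log posted at the top of
the thread. This is an added example and not a tool from the posts, from
Microsoft AntiSpyware or from HijackThis. It reads HijackThis lines offline,
so it cannot see which name the "TODO" process carries at the moment; it
works from the name recorded in the log (guyqso.exe at scan time). The
sample log is an excerpt of the one posted above; the regular expressions,
the 5-8 lowercase-letter test for a random name and the CleanupPlan layout
are my own assumptions.

```python
"""HijackThis-log triage for the three-part Aurora/Nail.exe infection in this
thread.  Added example, not a tool from the posts or from Microsoft.  The
indicators come from the thread; the "5-8 lowercase letters" test for a
random file name is my own threshold."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt; every line appears verbatim in the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")  # matches guyqso and vkopnnr, not NeroCheck
RUN_KEY = {"HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}


def exe_from_command(cmd: str) -> str:
    """Drop surrounding quotes and trailing arguments, keep the executable path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return m.group(1) or m.group(2)


def shell_hijack(lines: list[str]) -> list[str]:
    """Programs in the Winlogon Shell value other than Explorer.exe (Bill's registry check)."""
    extras = []
    for m in filter(None, map(F2_SHELL.match, lines)):
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            if token and token.rpartition("\\")[2].lower() != "explorer.exe":
                extras.append(token)
    return extras


def random_run_entries(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run values whose value name and System32 file name both look random and
    differ from each other: (hive, value name, exe).  [ctfmon.exe] ctfmon.exe passes."""
    hits = []
    for m in filter(None, map(O4_RUN.match, lines)):
        exe = exe_from_command(m.group("cmd"))
        folder, _, file_name = exe.rpartition("\\")
        stems = [re.sub(r"\.exe$", "", s, flags=re.I) for s in (file_name, m.group("name"))]
        if (folder.lower().endswith("\\system32") and all(RANDOM_STEM.match(s) for s in stems)
                and stems[0].lower() != stems[1].lower()):
            hits.append((m.group("hive"), m.group("name"), exe))
    return hits


def orphan_services(lines: list[str], windir: str = r"C:\WINDOWS") -> list[tuple[str, str]]:
    """Services with no vendor whose binary sits directly in %WINDIR%.  Ati2evxx.exe
    is also 'Unknown owner' but lives in System32, so it is not reported."""
    hits = []
    for m in filter(None, map(O23_SVC.match, lines)):
        path = exe_from_command(m.group("path"))
        if m.group("owner") == "Unknown owner" and path.rpartition("\\")[0].lower() == windir.lower():
            hits.append((m.group("display"), path))
    return hits


@dataclass
class CleanupPlan:
    delete_files: list[str] = field(default_factory=list)       # Recovery Console `del` (steps 3-4)
    shell_value: str | None = None                              # restore Winlogon\Shell to this (step 8)
    delete_run_values: list[tuple[str, str]] = field(default_factory=list)  # (key, value name) (step 9)
    review_services: list[str] = field(default_factory=list)    # registration outlives the file


def build_plan(log_text: str) -> CleanupPlan:
    """Turn the three indicators into Kevin's ordered clean-up list."""
    lines = log_text.strip().splitlines()
    plan = CleanupPlan(delete_files=shell_hijack(lines))
    plan.shell_value = "Explorer.exe" if plan.delete_files else None
    for hive, name, exe in random_run_entries(lines):
        plan.delete_files.append(exe)
        plan.delete_run_values.append((RUN_KEY[hive], name))
    for display, path in orphan_services(lines):
        plan.delete_files.append(path)
        plan.review_services.append(display)
    plan.delete_files = sorted(set(plan.delete_files), key=str.lower)
    return plan


def recovery_console_script(plan: CleanupPlan) -> list[str]:
    """The `del` commands to type at the XP Recovery Console prompt (steps 3-4)."""
    return [f"del {path}" for path in plan.delete_files]
```

`build_plan(SAMPLE_LOG)` returns Nail.exe, svcproc.exe and guyqso.exe as the
files to delete from the Recovery Console, "Explorer.exe" as the value to
put back in Winlogon\Shell, and the vkopnnr Run value to remove. The files
go first, as in Kevin's order, because the random-named piece respawns
while it is running and a Shell value pointing at a missing file is
harmless. Re-run HijackThis after the reboot; if a fresh random O4 entry is
back, the third piece is still on the disk.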
 
B

Bill Sanderson

Good work! FWIW, Steve Wechsler has posted a site with an uninstall for
this one and other VX2 variants in the signatures group.

Thanks for posting the careful step-by-step. I think I missed step 9 in my
very poorly structured descriptions.

I would expect Microsoft Antispyware to be capable of cleaning this, but I
don't know how soon. It is definitely "eligible" for removal.
 
B

barry

Try this site. It seems to work. It appears to be a tool
designed to remove specific adware. I suspect it may be
written by the "nice" folks who wrote the adware in the
first place. So use this with caution. The website has no
disclosure of ownership.

http://www.mypctuneup.com/index.php

History: I spent an entire, frustrating evening trying to
remove this program from my kid's computer. MS Antispyware
was good at spotting it in the Running Processes but could
not remove it. It's a nasty self-regenerating program. The
rest of this thread lays out a good plan to remove it.
Just before I was going to follow the instructions I found
the above site. It appears to work. I'll check back if I
have further problems.

Anybody who has knowledge of this company or its
relationships is invited to comment. Lastly, don't go
surfing until you have this problem fixed.

Barry
-----Original Message-----
I have been trying ot clean out this popup for ever now, the title bar title
is Aurora. I have tried adware and microsoft spyware beta, in both normal
windows and safe mode. I still havent had any luck yet. I did searches in
the registry and system drives for the word aur and aurora and still no luck
at all. it stops for a few hours then its back again after i run the
removers in safe mode. Any comments or help would be appriciated, since i
cant find any real help through googles nor the forum search. here is my
hijack log..

Heres a print screen:
http://www.nguyenweb.net/pest/aurora.JPG

Logfile of HijackThis v1.99.1
Scan saved at 6:43:03 PM, on 04/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\guyqso.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI
Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco
Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
 

Bill Sanderson

You are absolutely right about the ownership of that site. The executable
distributed there is being analyzed, and hasn't been pronounced safe at this
point.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

barry said:
Try this site. It seems to work. It appears to be a tool
designed to remove specific adware. I suspect it may be
written by the "nice" folks who wrote the adware in the
first place. So use this with caution. The website has no
disclosure of ownership.

http://www.mypctuneup.com/index.php

History: I spent an entire, frustrating evening trying to
remove this program from my kid's computer. MS Antispyware
was good at spotting it in the Running Processes but could
not remove it. It's a nasty self-regenerating program. The
rest of this thread lays out a good plan to remove it.
Just before I was going to follow the instructions I found
the above site. It appears to work. I'll check back if I
have further problems.

Anybody who has knowledge of this company or its
relationships is invited to comment. Lastly, don't go
surfing until you have this problem fixed.

Barry
-----Original Message-----
I have been trying to clean out this popup forever now; the title bar title
is Aurora. I have tried adware and Microsoft AntiSpyware beta, in both normal
Windows and safe mode. I still haven't had any luck yet. I did searches in
the registry and system drives for the words aur and aurora and still no luck
at all. It stops for a few hours, then it's back again after I run the
removers in safe mode. Any comments or help would be appreciated, since I
can't find any real help through Google or the forum search. Here is my
HijackThis log.

Heres a print screen:
http://www.nguyenweb.net/pest/aurora.JPG

Logfile of HijackThis v1.99.1
Scan saved at 6:43:03 PM, on 04/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\guyqso.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI
Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco
Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation -
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,
Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program
Files\NavNT\defwatch.exe
O23 - Service: GEARSecurity - GEAR Software -
C:\WINDOWS\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program
Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec
Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -
Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
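
The log quoted above shows three separate persistence points for the same
infection: the F2 line (a second program chained onto Explorer.exe in the
Winlogon Shell value, C:\WINDOWS\Nail.exe), a randomly named O4 Run value
pointing at a randomly named file in system32 ([vkopnnr] guyqso.exe), and an
O23 service with no publisher name whose binary sits directly in the Windows
directory (svcproc.exe). Clearing one of them and rebooting gives whatever is
still loaded the chance to put it back, which is consistent with "it stops for
a few hours then it's back" and with barry's "self-regenerating" description.
The script below is an added example, not code from the original post,
HijackThis or Microsoft AntiSpyware: it runs three filters over HijackThis
lines and lists the files that have to be disabled in the same pass. SAMPLE_LOG
is constructed from the log above (entries the page wrapped over two lines are
joined back onto one) plus benign neighbours; the O4 and O23 rules are
heuristics tuned to this log, not signatures, and the function names are mine.

```python
"""Triage a HijackThis log for the persistence points seen in this thread.

Added example, not from the original post or from HijackThis. SAMPLE_LOG is
constructed from the posted log; the O4/O23 rules are heuristics, not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed from the log in the thread, multi-line entries joined onto one line.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [vkopnnr] c:\\windows\\system32\\guyqso.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
SHORT_LOWER_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag: F2, O4 or O23
    reason: str
    path: str     # the file the entry loads
    line: str     # the log line it came from


def shell_extras(value):
    """Programs chained after Explorer.exe in the Winlogon Shell value.
    A clean XP box has exactly 'Explorer.exe' here; anything else starts with
    the desktop at every logon. Assumes no spaces in the paths, as in this log."""
    parts = value.split()
    if not parts or parts[0].lower() != "explorer.exe":
        return parts
    return parts[1:]


def first_exe(cmd):
    """Path of the executable in a Run value's command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else None


def trigrams(s):
    s = s.lower()
    return {s[i:i + 3] for i in range(len(s) - 2)}


def unrelated_random_names(name, exe_path):
    """Heuristic for the O4 pattern in this log: value name and file stem are
    both short all-lowercase strings sharing no trigram (vkopnnr -> guyqso.exe).
    Legitimate entries reuse the file name (vptray, ctfmon.exe) or use a
    readable mixed-case label (NeroFilterCheck, QuickTime Task)."""
    stem = ntpath.splitext(ntpath.basename(exe_path))[0]
    if not (SHORT_LOWER_RE.match(name) and SHORT_LOWER_RE.match(stem)):
        return False
    return not (trigrams(name) & trigrams(stem))


def orphan_in_windows_root(owner, path):
    """Heuristic for the O23 pattern: HijackThis found no company name in the
    binary's version info ('Unknown owner') and the binary sits directly in
    the Windows directory rather than in system32 or Program Files."""
    parent = ntpath.dirname(path).lower()
    return owner.strip().lower() == "unknown owner" and parent.endswith(":\\windows")


def triage(log_text):
    """Run the three filters over a HijackThis log; hits come back in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SHELL_RE.match(line)):
            for extra in shell_extras(m["value"]):
                findings.append(Finding("F2", "program chained into the Winlogon Shell value", extra, line))
        elif (m := RUN_RE.match(line)):
            exe = first_exe(m["cmd"])
            if exe and unrelated_random_names(m["name"], exe):
                findings.append(Finding("O4", "random-looking Run value name and file name", exe, line))
        elif (m := SVC_RE.match(line)):
            if orphan_in_windows_root(m["owner"], m["path"]):
                findings.append(Finding("O23", "service with no publisher, binary in the Windows root", m["path"], line))
    return findings


def files_to_neutralise(findings):
    """Distinct files behind the findings. Disable all of them in one pass:
    clearing a single persistence point and rebooting lets whatever is still
    loaded restore it, which is the 'back after a few hours' behaviour above."""
    return sorted({f.path.lower() for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4}{f.reason}: {f.path}")
    print("handle together:", files_to_neutralise(hits))
```

A hit from these filters is a reason to look at the file (hash it, check its
version info and signature, see what the Shell value and the service point
at), not a verdict; the O4 rule in particular is fitted to the two random
names in this one log and will miss a sample that picks a readable name.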

