Re: Aurora

[Jim]

"Anti spyware" <patrick@nguyenweb.net> wrote in message
news:bwY7e.7121$An2.6756@newsread2.news.pas.earthl ink.net...
>I have been trying ot clean out this popup for ever now, the title bar
>title is Aurora. I have tried adware and microsoft spyware beta, in both
>normal windows and safe mode. I still havent had any luck yet. I did
>searches in the registry and system drives for the word aur and aurora and
>still no luck at all. it stops for a few hours then its back again after i
>run the removers in safe mode. Any comments or help would be appriciated,
>since i cant find any real help through googles nor the forum search. here
>is my hijack log..
>
> Heres a print screen:
>
>
> Logfile of HijackThis v1.99.1
> Scan saved at 6:43:03 PM, on 04/15/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
> C:\Program Files\NavNT\defwatch.exe
> C:\WINDOWS\system32\gearsec.exe
> C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\NavNT\rtvscan.exe
> C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\Explorer.exe
> C:\WINDOWS\system32\MsgSys.EXE
> C:\Program Files\NavNT\vptray.exe
> C:\Program Files\Microsoft IntelliPoint\point32.exe
> C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
> C:\Program Files\ASUS\Probe\AsusProb.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\VIA\RAID\raid_tool.exe
> C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
> C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
> C:\Program Files\Internet Explorer\iexplore.exe
> c:\windows\system32\guyqso.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Documents and Settings\Admin\Desktop\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://cnet.com/
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://cnet.com/
> R3 - Default URLSearchHook is missing
> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
> O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
> c:\program files\google\googletoolbar1.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
> c:\program files\google\googletoolbar1.dll
> O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
> O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
> IntelliPoint\point32.exe"
> O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
> Hardware\Keyboard\type32.exe"
> O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
> O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
> O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
> Panel\atiptaxx.exe
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
> Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
> AntiSpyware\gcasServ.exe"
> O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
> Files\Adobe\Calibration\Adobe Gamma Loader.exe
> O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI
> Technologies\ATI.ACE\CLI.exe
> O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco
> Systems\VPN Client\vpngui.exe
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O4 - Global Startup: RAID Tool.lnk = C:\Program
> Files\VIA\RAID\raid_tool.exe
> O8 - Extra context menu item: &Google Search - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmsearch.html
> O8 - Extra context menu item: &Translate English Word - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmwordtrans.html
> O8 - Extra context menu item: Backward Links - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmbacklinks.html
> O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmcache.html
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Similar Pages - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmsimilar.html
> O8 - Extra context menu item: Translate Page into English -
> res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
> C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console -
> {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
> Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
> O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
> C:\Program Files\AIM\aim.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
> O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
> http://transfers.one.microsoft.com/F...ansferCtrl.cab
> O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
> O23 - Service: Ati HotKey Poller - Unknown owner -
> C:\WINDOWS\system32\Ati2evxx.exe
> O23 - Service: ATI Smart - Unknown owner -
> C:\WINDOWS\system32\ati2sgag.exe
> O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation -
> C:\Program Files\Symantec\pcAnywhere\awhost32.exe
> O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,
> Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
> O23 - Service: DefWatch - Symantec Corporation - C:\Program
> Files\NavNT\defwatch.exe
> O23 - Service: GEARSecurity - GEAR Software -
> C:\WINDOWS\system32\gearsec.exe
> O23 - Service: GhostStartService - Symantec Corporation - C:\Program
> Files\Symantec\Norton Ghost 2003\GhostStartService.exe
> O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) -
> Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
> O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -
> Analog Devices, Inc. - C:\Program Files\Analog
> Devices\SoundMAX\SMAgent.exe
> O23 - Service: System Startup Service (SvcProc) - Unknown owner -
> C:\WINDOWS\svcproc.exe
>
>
>

Me too I might have managed to get rid of it (I'll reserve that that until
tomorrow). First I deleted a key in the registry that contained the
nail.exe reference. Then deleted a file that was created the day I had the
problem. Sorry I cant recall the file name but it was a .pf file. So far
so good.