Q: Aurora Spyware ( No Answer,   6 Comments )
Question  
Subject: Aurora Spyware
Category: Computers > Internet
Asked by: cliffnanney-ga
List Price: $2.00
Posted: 30 May 2005 13:40 PDT
Expires: 29 Jun 2005 13:40 PDT
Question ID: 527367
How can I get rid of the Aurora Spyware that is taking over my
computer via pop-up ads?  I ran the Hijackthis program and below is
the code.

Logfile of HijackThis v1.99.1
Scan saved at 3:40:33 PM, on 05/22/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\System32\mpgfg32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\pllklf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mnmdv.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\windows\system32\gskaggo.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\zkfucpoxifk.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\6ZJEQP2L\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CamMonitor] c:\Program
Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program
files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee
AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [s7nV32g] mpgfg32.exe
O4 - HKLM\..\Run: [zcbncl] C:\WINDOWS\System32\zcbncl.exe
O4 - HKLM\..\RunServices: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program
Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKCU\..\Run: [dw49RSMte] mnmdv.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\REGION\customizeIe.wsf
O4 - Global Startup: Exif Launcher.lnk = C:\Program
Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp
center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp
center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116447917437
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector
Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX
Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD0BB71-5583-46B2-AFC3-E88682011CA1}:
NameServer = 208.202.125.34 208.202.125.33
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner
(McAfeeAntiSpyware) - McAfee, Inc. -
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe

Thank you,
Cliff Nanney

Request for Question Clarification by livioflores-ga on 30 May 2005 17:17 PDT
Hi!!

Please visit the following page and download the Aurora uninstaller,
do not run it yet:
http://www.mypctuneup.com/evaluate.php?b=aurora


Download and install EWIDO (trial version):
http://www.ewido.net/en/download/


Close the browser (all opened instances) and run the Aurora
uninstaller, then scan your PC with EWIDO and let it fix anything that
it finds.

Reboot, check your computer behavior and post a new HJT log in order
to see if your computer is clean.

Regards.
livioflores-ga

Clarification of Question by cliffnanney-ga on 31 May 2005 20:44 PDT
Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:40 PM, on 05/31/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\WINDOWS\system\pllklf.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\D3NF59GE\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.am
O1 - Hosts: 66.180.173.39 google.as
O1 - Hosts: 66.180.173.39 google.at
O1 - Hosts: 66.180.173.39 google.az
O1 - Hosts: 66.180.173.39 google.be
O1 - Hosts: 66.180.173.39 google.bi
O1 - Hosts: 66.180.173.39 google.ca
O1 - Hosts: 66.180.173.39 google.cd
O1 - Hosts: 66.180.173.39 google.cg
O1 - Hosts: 66.180.173.39 google.ch
O1 - Hosts: 66.180.173.39 google.ci
O1 - Hosts: 66.180.173.39 google.cl
O1 - Hosts: 66.180.173.39 google.co.cr
O1 - Hosts: 66.180.173.39 google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il
O1 - Hosts: 66.180.173.39 google.co.in
O1 - Hosts: 66.180.173.39 google.co.je
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 google.co.ke
O1 - Hosts: 66.180.173.39 google.co.kr
O1 - Hosts: 66.180.173.39 google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz
O1 - Hosts: 66.180.173.39 google.co.th
O1 - Hosts: 66.180.173.39 google.co.ug
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.co.ve
O1 - Hosts: 66.180.173.39 google.com
O1 - Hosts: 66.180.173.39 google.com.ag
O1 - Hosts: 66.180.173.39 google.com.ar
O1 - Hosts: 66.180.173.39 google.com.au
O1 - Hosts: 66.180.173.39 google.com.br
O1 - Hosts: 66.180.173.39 google.com.co
O1 - Hosts: 66.180.173.39 google.com.cu
O1 - Hosts: 66.180.173.39 google.com.do
O1 - Hosts: 66.180.173.39 google.com.ec
O1 - Hosts: 66.180.173.39 google.com.fj
O1 - Hosts: 66.180.173.39 google.com.gi
O1 - Hosts: 66.180.173.39 google.com.gr
O1 - Hosts: 66.180.173.39 google.com.gt
O1 - Hosts: 66.180.173.39 google.com.hk
O1 - Hosts: 66.180.173.39 google.com.ly
O1 - Hosts: 66.180.173.39 google.com.mt
O1 - Hosts: 66.180.173.39 google.com.mx
O1 - Hosts: 66.180.173.39 google.com.my
O1 - Hosts: 66.180.173.39 google.com.na
O1 - Hosts: 66.180.173.39 google.com.nf
O1 - Hosts: 66.180.173.39 google.com.ni
O1 - Hosts: 66.180.173.39 google.com.np
O1 - Hosts: 66.180.173.39 google.com.pa
O1 - Hosts: 66.180.173.39 google.com.pe
O1 - Hosts: 66.180.173.39 google.com.ph
O1 - Hosts: 66.180.173.39 google.com.pk
O1 - Hosts: 66.180.173.39 google.com.pr
O1 - Hosts: 66.180.173.39 google.com.py
O1 - Hosts: 66.180.173.39 google.com.sa
O1 - Hosts: 66.180.173.39 google.com.sg
O1 - Hosts: 66.180.173.39 google.com.sv
O1 - Hosts: 66.180.173.39 google.com.tr
O1 - Hosts: 66.180.173.39 google.com.tw
O1 - Hosts: 66.180.173.39 google.com.ua
O1 - Hosts: 66.180.173.39 google.com.uy
O1 - Hosts: 66.180.173.39 google.com.vc
O1 - Hosts: 66.180.173.39 google.com.vn
O1 - Hosts: 66.180.173.39 google.de
O1 - Hosts: 66.180.173.39 google.dj
O1 - Hosts: 66.180.173.39 google.dk
O1 - Hosts: 66.180.173.39 google.es
O1 - Hosts: 66.180.173.39 google.fi
O1 - Hosts: 66.180.173.39 google.fm
O1 - Hosts: 66.180.173.39 google.fr
O1 - Hosts: 66.180.173.39 google.gg
O1 - Hosts: 66.180.173.39 google.gl
O1 - Hosts: 66.180.173.39 google.gm
O1 - Hosts: 66.180.173.39 google.hn
O1 - Hosts: 66.180.173.39 google.ie
O1 - Hosts: 66.180.173.39 google.it
O1 - Hosts: 66.180.173.39 google.kz
O1 - Hosts: 66.180.173.39 google.li
O1 - Hosts: 66.180.173.39 google.lt
O1 - Hosts: 66.180.173.39 google.lu
O1 - Hosts: 66.180.173.39 google.lv
O1 - Hosts: 66.180.173.39 google.mn
O1 - Hosts: 66.180.173.39 google.ms
O1 - Hosts: 66.180.173.39 google.mu
O1 - Hosts: 66.180.173.39 google.mw
O1 - Hosts: 66.180.173.39 google.nl
O1 - Hosts: 66.180.173.39 google.no
O1 - Hosts: 66.180.173.39 google.off.ai
O1 - Hosts: 66.180.173.39 google.pl
O1 - Hosts: 66.180.173.39 google.pn
O1 - Hosts: 66.180.173.39 google.pt
O1 - Hosts: 66.180.173.39 google.ro
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 66.180.173.39 google.rw
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.sh
O1 - Hosts: 66.180.173.39 google.sk
O1 - Hosts: 66.180.173.39 google.sm
O1 - Hosts: 66.180.173.39 google.td
O1 - Hosts: 66.180.173.39 google.tm
O2 - BHO: SDWin32 Class - {A73AEEE8-147F-4FBE-BC74-CAA5D42B07E7} -
C:\WINDOWS\System32\euxkq.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CamMonitor] c:\Program
Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program
files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Microsoft (C) HTML Application host] MCHTA.EXE
O4 - HKCU\..\Run: [dw49RSMte] iphsl.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\REGION\customizeIe.wsf
O4 - Global Startup: Exif Launcher.lnk = C:\Program
Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp
center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp
center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD0BB71-5583-46B2-AFC3-E88682011CA1}:
NameServer = 208.202.125.34 208.202.125.33
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -
C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner
(McAfeeAntiSpyware) - McAfee, Inc. -
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe

Thanks!
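
Comparing the two HijackThis logs above by eye is error-prone, because many entries were hard-wrapped onto a second line when pasted. The following is an added example, not part of the original thread: it rejoins wrapped entries and reports which entries disappeared, which appeared, and which Run values kept their name but now point at a different file. The function names are hypothetical, and the sample lines are short excerpts copied from the 05/22 and 05/31 logs.

```python
import re

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [ValueName] command line
AUTORUN_RE = re.compile(r"^(?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Excerpt of the first scan (05/22/2005), wrapped exactly as posted.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchmiracle.com/sp.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program
Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [dw49RSMte] mnmdv.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
"""

# Excerpt of the second scan (05/31/2005), wrapped exactly as posted.
SCAN_AFTER = r"""
O1 - Hosts: 66.180.173.39 google.com
O2 - BHO: SDWin32 Class - {A73AEEE8-147F-4FBE-BC74-CAA5D42B07E7} -
C:\WINDOWS\System32\euxkq.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program
Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [dw49RSMte] iphsl.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
"""


def parse_entries(log_text):
    """Return [(code, text)] for a log, rejoining hard-wrapped entries.

    Lines before the first coded entry (header, running processes) are
    skipped. Pass only the log itself: trailing prose would be glued onto
    the last entry.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            # No section code: continuation of the previous wrapped entry.
            entries[-1][1] += " " + line
    return [(code, text) for code, text in entries]


def diff_scans(before, after):
    """Return (removed, added) entries, compared case-insensitively."""
    b = {(c, t.casefold()): (c, t) for c, t in parse_entries(before)}
    a = {(c, t.casefold()): (c, t) for c, t in parse_entries(after)}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def autoruns(log_text):
    """Map (registry location, value name) -> command for O4 entries."""
    out = {}
    for code, text in parse_entries(log_text):
        m = AUTORUN_RE.match(text) if code == "O4" else None
        if m:
            out[(m["loc"].casefold(), m["name"].casefold())] = m["cmd"]
    return out


def retargeted_autoruns(before, after):
    """Run values whose name survived but whose target file changed."""
    b, a = autoruns(before), autoruns(after)
    return {k: (b[k], a[k]) for k in b
            if k in a and b[k].casefold() != a[k].casefold()}


if __name__ == "__main__":
    removed, added = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for code, text in removed:
        print("GONE ", code, text)
    for code, text in added:
        print("NEW  ", code, text)
    for (loc, name), (old, new) in retargeted_autoruns(SCAN_BEFORE, SCAN_AFTER).items():
        print("MOVED", loc, name, old, "->", new)
```

On these excerpts the `dw49RSMte` Run value is reported as retargeted from `mnmdv.exe` to `iphsl.exe`: the value name persisted across the cleanup while the file behind it changed, which a plain line-by-line diff would show only as one unrelated removal and one unrelated addition.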
Answer  
There is no answer at this time.

Comments  
Subject: Re: Aurora Spyware
From: hobbes828-ga on 30 May 2005 20:56 PDT
 
I have seen this question all over the internet, a simple search for
aurora spyware and clicking on the geeks website forum guides a user
through a very long process to remove everything. According to another
google answer ( ) you should try this before anything else
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
It is Microsoft's anti-spyware removal tool (new), and it seems to
have worked for some people. Do not follow the instructions that
aurora gives you to go to the website it tells you to remove it.  If
the Microsoft tool does not work, please refer to this Google Answers
question: http://answers.google.com/answers/threadview?id=513076
Good Luck!
Subject: Re: Aurora Spyware
From: cliffnanney-ga on 31 May 2005 20:46 PDT
 
Thanks for the suggestion.  Unfortunately we have tried the Microsoft
Anti-Spyware Beta program as well as the McAfee Anti-Spyware, but to
no avail.
Subject: Re: Aurora Spyware
From: bozzy-ga on 08 Jun 2005 19:35 PDT
 
www.securemywindows.com

After weeks of trying this and that, and not being computer savvy
enough to try to get in the gut of my computer - Garbagclean finally
did the trick for both my computer & my husband's laptop. It was the
only one I ran that even found Nail & Aurora. I was really about to
format my HD I was so fed up!!!!

Run the program right from the above website 2x & then reboot
immediately. It's free & a web-based program. Good luck. I know how
you feel.
Subject: Re: Aurora Spyware
From: bizarromelt-ga on 09 Jun 2005 14:23 PDT
 
Try this Spyware removal tool called SpyBot: Search and Destroy:

http://www.safer-networking.org/en/download/index.html

As you install it, do not select 'make registry backup' but DO select
'download and install updates.'

This program gets 98% of the spyware off the machines I use.

-melt
Subject: Re: Aurora Spyware
From: momike-ga on 24 Jun 2005 09:55 PDT
 
First of all, one problem I see is that you are running two virus
programs, Norton and McAfee. This does not afford you extra
protection, and in fact leaves you naked to whatever is out there on
the web, because they basically conflict to the point that neither one
works. Two anti-spyware programs may or may not be advisable, but I
find the Microsoft Anti-Spyware does an awesome job as long as you
keep the defaults on setup. Secondly, neither antivirus program you
have is very good. I suggest going to
http://free.grisoft.com/doc/2/lng/us/tpl/v5 and downloading the AVG
antivirus program that is rated #1 by PC Magazine and countless
computing professionals. WARNING!!!! Uninstall both Norton and all
Symantec entries, as well as all McAfee entries before installing AVG.
If you can....sometimes when you do as you did, the only way to get
them off your machine is to format and reload.

My daughter got Aurora, which will be Nail.exe on your machine. AVG
and/or the Microsoft Anti-spyware got rid of it, except for a
reference in the registry, which is easily removed. Nail.exe is a
browser hijacker that is actually a Trojan Horse.
Subject: Re: Aurora Spyware
From: myhelpdeskorg-ga on 01 Jul 2005 06:39 PDT
 
I have seen several PC's with the Aurora or Nail.exe spyware. It is
very nasty to remove. So far I have found that if you use the
www.securemywindows.com scan tool, it WILL remove the Aurora/Nail
spyware. You still need to run the other programs to make sure you do
not have other spyware. I recommend the Microsoft anti-spyware tool
mentioned in this thread. I would run that and Ad-aware and Spybot S&D
as well. Run them in safe mode.

Sincerely,
-Derek @ www.myhelpdesk.org
