Q: Aurora spyware / adware / malware ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: Aurora spyware / adware / malware
Category: Computers > Security
Asked by: may88-ga
List Price: $50.00
Posted: 10 Jul 2005 19:12 PDT
Expires: 09 Aug 2005 19:12 PDT
Question ID: 541985
AURORA

Bet this is a popular category.  I have tried adware away and xoftspy
- nothing removes this aurora popup.  Adware away tech support got so
frustrated with the aurora in my pc that he refunded my money, he gave
up.  Then I paid more money to purchase xoftspy which claims to remove
aurora - no such thing.  They can't remove aurora and their tech
support response time is slow too.  Ran it in safe mode and still
getting the popup.  This aurora popup I have seems to keep changing
its file name too.

Now I am spending more money here in google to get my help - please
help me remove aurora.

I heard that mypctuneup.com will remove aurora, but I don't want to
use them.  Too many bad news / rumors I hear about mypctuneup.

So what should I do now?

Thanks
Answer  
Subject: Re: Aurora spyware / adware / malware
Answered By: livioflores-ga on 11 Jul 2005 00:49 PDT
Rated:5 out of 5 stars
 
Hi may88!!


Before I start answering this question I want to clarify two things:
- First: I have successfully helped other customers to clean Aurora from
their computers by using the mypctuneup uninstaller and some
HijackThis fixes after that. You can see these answers by simply
querying for "livioflores aurora" at the Google Answers search box
(without quotes).

- Second: Since you do not trust the mypctuneup tool (this is
reasonable because they are a dubious website) we will use another
procedure that is well known as a successful way. But not all systems
are equal and there is a small probability that your computer cannot
be cleaned using this method, so I call it the FIRST ATTEMPT. If this
fails, using the clarification feature we will perform other
procedures (probably more advanced ones) until you get rid of the
Aurora pest. So this answer is not considered ended until the complete
removal of Aurora from your computer.


Now the answer:

PREPARATION:
First, download and install CleanUp! but do not run it yet.
Note that Cleanup! deletes EVERYTHING out of temp/temporary folders
and does not make backups.
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Then download and install Nailfix by running nailfix.exe:
http://users.pandora.be/bluepatchy/nailfix.exe

Download and install HijackThis:
http://www.thespykiller.co.uk/files/hijackthis_sfx.exe


Download and Install the trial version (it works like a full featured
version for 14 days!) of EWIDO:
http://download.ewido.net/ewido-setup.exe
or
http://downloads-zdnet.com.com/Ewido-Security-Suite/3000-8022_2-10326287.html

·Install ewido security suite
·Launch ewido, there should be a big E icon on your desktop, double-click it.
·The program will prompt you to update click the OK button 
·The program will now go to the main screen
You will need to update ewido to the latest definition files.
·On the left hand side of the main screen click update
·Click on Start
The update will start and a progress bar will show the updates being installed.
·After the updates are installed, exit Ewido.
ALTERNATIVE METHOD FOR UPDATE:
Download the last signature installer and run it:
http://download.ewido.net/ewido-signatures-full-20050710.exe


Reboot into Safe Mode. You can do this by restarting your computer and
continually tapping the F8 key until a menu appears. Use your up arrow
key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your
desktop (or from the Start > All Programs menu). Set the program up as
follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
   -Empty Recycle Bins
   -Delete Cookies
   -Delete Prefetch files
   -Scan local drives for temporary files
   -Cleanup! All Users
*Click OK
*Press the CleanUp! button to start the program.

After you finish with Cleanup!:
·Run the Nailfix (double-click on nailfix.cmd)
·Run Ewido.
   -Click on scanner
   -Make sure the following boxes are checked before scanning:
            º Binder
            º Crypter
            º Archives
   -Click on Start Scan
Let the program scan the machine. While the scan is in progress you
will be prompted to clean the first infected file it finds. Choose
"clean", then put a check next to "Perform action on all infections"
in the left corner of the box so you don't have to sit and watch Ewido
the whole time. Click OK.

Once the scan has completed, there will be a button located on the
bottom of the screen named Save report:
·Click Save report
·Save the report to your desktop
·Exit Ewido

Run HijackThis, click Scan, and place a checkmark ONLY next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
ANY O2 - BHO: that has (file missing) 
ANY O2 - BHO: that has (no name) AND (no file)
ANY O3 - Toolbar: that has (no name) AND (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe
OR
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe (file missing).

Press the Fix Checked button.

For instructions on the use of HijackThis see:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

See this section first:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse


·Reboot into normal mode (that is, normally).
Once in normal mode run HijackThis, scan your computer and generate a
log (you must not fix anything; after an analysis of the log I will
tell you if there are remnants to be fixed with this tool). This log
must be posted here as a request for clarification.



Hope that this procedure works on your system as it has worked on others and
you can get rid of the Aurora pestware.

Remember that this question is not ended until you feel satisfied with
it, so please do not hesitate to request for further assistance on
this topic if you need it, I will gladly respond your requests.

Best regards.
livioflores-ga

Request for Answer Clarification by may88-ga on 12 Jul 2005 12:03 PDT
livioflores-ga

Here is the HijackThis log file in normal mode - done everything you
told me to in safe mode.  I noticed the 2 files below look familiar -
might still be the aurora forever changing name file.

C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\uwdirko.exe

****************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 12:58:22 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\uwdirko.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Maylee Lieu\Application
Data\Mozilla\Profiles\default\83emdr7j.slt\prefs.js)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wmxknr] c:\windows\system32\uwdirko.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax
Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax
Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) -
http://www.worldwinner.com/games/v46/skillgam/skillgam.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) -
http://www.worldwinner.com/games/v46/brickout/brickout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) -
http://www.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active
Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius
Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) -
http://www.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control)
- http://www.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control)
- http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117377358093
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -
http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) -
http://www.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) -
http://www.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) -
http://www.worldwinner.com/games/v49/haunted/haunted.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) -
http://www.worldwinner.com/games/v61/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) -
http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) -
http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control)
- http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer
ActiveX Control) - http://download.toontown.com/sv1.0.15.25/ttinst.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) -
http://www.worldwinner.com/games/v42/paint/paint.cab
O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) -
http://www.worldwinner.com/games/v43/solotriv/solotriv.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec
Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -
C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) -
Symantec Corporation - C:\Program Files\Norton Internet
Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix -
C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe
O23 - Service: VAIO Media Music Server
(VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe"
/Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO
Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP)
(VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP)
(VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server
(VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation -
C:\Program Files\Sony\VAIO Media Integrated
Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP)
(VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP)
(VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server
(VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe"
/Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO
Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP)
(VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP)
(VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

****************************************************************

Clarification of Answer by livioflores-ga on 12 Jul 2005 15:02 PDT
Hi!!

After a quick view of your HJT log I did not find an Aurora trace, so
probably it is gone (to confirm that tell me if your computer is still
showing such Aurora's popups).

Regarding the two files that you listed, one
(C:\WINDOWS\System32\wuauclt.exe) is a legitimate part of Windows
related to the Windows Update feature:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuauclt/

The other one (c:\windows\system32\uwdirko.exe) is unknown, and
probably malware.

There is a file that you did not notice that is related to
Trojan.Win32.Imiserv; it is C:\WINDOWS\wupdt.exe .
See info related at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FIMISERV%2EA&VSect=Sn

Please do the following. First, perform an online antivirus scan at TrendMicro:
http://housecall.trendmicro.com/

Let this tool fix anything it finds.
 
Then reboot in safe mode, run HJT and check to fix the following items
(if still present):
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [wmxknr] c:\windows\system32\uwdirko.exe r
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) -
http://www.worldwinner.com/games/v46/skillgam/skillgam.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) -
http://www.worldwinner.com/games/v46/brickout/brickout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) -
http://www.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active
Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius
Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) -
http://www.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control)
- http://www.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control)
- http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117377358093
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -
http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) -
http://www.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) -
http://www.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) -
http://www.worldwinner.com/games/v49/haunted/haunted.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) -
http://www.worldwinner.com/games/v61/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) -
http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) -
http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control)
- http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer
ActiveX Control) - http://download.toontown.com/sv1.0.15.25/ttinst.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) -
http://www.worldwinner.com/games/v42/paint/paint.cab
O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) -
http://www.worldwinner.com/games/v43/solotriv/solotriv.cab


Reboot normally and post a fresh HJT log.

Good Luck!!
Sincerely,
livioflores-ga
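
The two manual HJT reviews above (the fix list in the answer, and the
wupdt.exe / uwdirko.exe / O16 items in this clarification) can be made
repeatable. The following is an added example in Python; it is not part of
the original thread and not a HijackThis feature. It parses a HijackThis
1.99 log and applies the same rules the answerer applied by hand: an F2
Shell= value other than Explorer.exe, O2/O3 entries with a missing file or
no name and no file, O4 Run entries whose target is a loose executable
directly under C:\WINDOWS or System32, O23 services with an unknown owner
whose image sits directly under the Windows directory, and O16 ActiveX
controls fetched from non-Microsoft hosts. The sample log is constructed
from entries that appear in this thread (the O2/O3 lines use placeholder
CLSIDs); the System32 allowlist, the "fix"/"review" split, and treating
Microsoft-hosted O16 controls as benign (the answerer removed all of them)
are assumptions of this example. The "Unknown owner" VAIO services under
Program Files are deliberately not flagged, matching the answerer's reading
of the log.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the thread, with placeholder CLSIDs
# for the O2/O3 lines (the thread only describes those entries by shape).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O3 - Toolbar: (no name) - {11111111-1111-1111-1111-111111111111} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [wmxknr] c:\windows\system32\uwdirko.exe r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v46/skillgam/skillgam.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# A loose .exe directly in C:\WINDOWS or C:\WINDOWS\system32: where this
# family dropped Nail.exe, SvcProc.exe, wupdt.exe and uwdirko.exe.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}  # assumption: legitimate System32 Run targets


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_f2(rest):
    # system.ini Shell= must be exactly Explorer.exe; anything appended runs at logon
    m = re.search(r"Shell=(.*)$", rest, re.I)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "fix", "Shell= launches something besides Explorer.exe"
    return None


def check_orphan(rest):
    # O2 BHO / O3 toolbar whose DLL is gone, or that has no name and no file
    if "(file missing)" in rest or ("(no name)" in rest and "(no file)" in rest):
        return "fix", "orphaned BHO/toolbar registration"
    return None


def check_o4(rest):
    # Run key whose target is a loose .exe in the Windows directory
    m = re.search(r'\]\s*(?:"([^"]+)"|(\S+))', rest)
    if not m:
        return None  # Global Startup .lnk lines carry no [name] part
    target = m.group(1) or m.group(2)
    if WINDOWS_ROOT.match(target) and _basename(target) not in SYSTEM32_RUN_ALLOWLIST:
        return "fix", "Run entry launches a loose executable from the Windows directory"
    return None


def check_o16(rest):
    # Downloaded ActiveX control; anything not served by Microsoft goes on the review list
    m = re.search(r"https?://([^/\s]+)", rest, re.I)
    if m:
        host = m.group(1).lower()
        if host != "microsoft.com" and not host.endswith(".microsoft.com"):
            return "review", "ActiveX control downloaded from " + host
    return None


def check_o23(rest):
    # Service with no recognised vendor whose image sits in the Windows directory;
    # vendor-less services under Program Files (the VAIO entries) are left alone
    parts = rest.split(" - ")
    if len(parts) < 3:
        return None
    owner, image = parts[1].strip().lower(), parts[2]
    m = re.match(r'\s*"?(.+?\.exe)', image, re.I)
    path = m.group(1) if m else image
    if owner == "unknown owner" and WINDOWS_ROOT.match(path):
        return "fix", "unknown-owner service running from the Windows directory"
    return None


RULES = {"F2": check_f2, "O2": check_orphan, "O3": check_orphan,
         "O4": check_o4, "O16": check_o16, "O23": check_o23}


def triage(log_text):
    """Return one finding per HJT entry that a rule matched."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or m.group(1) not in RULES:
            continue  # header, process list, R0/R1 lines are not checked here
        hit = RULES[m.group(1)](m.group(2))
        if hit:
            findings.append({"section": m.group(1), "severity": hit[0],
                             "reason": hit[1], "line": raw.strip()})
    return findings


def summarize(findings):
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:>3}  {f['reason']}\n         {f['line']}")
```

Run against the sample it lists the F2, O2, O3, both suspicious O4 entries
and the SvcProc service as "fix", and the worldwinner.com control as
"review", while MSConfig, MSN Messenger, the Norton service, the VAIO
service and the Windows Update control pass. The rules are a triage aid, not
a verdict: a Run entry under System32 that is not in the allowlist still
needs a human look before it is fixed.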

Request for Answer Clarification by may88-ga on 12 Jul 2005 20:29 PDT
Hello-

So far I haven't seen any aurora popups yet, been online for couple
hours.  I'm aurora free, yeah!

Here is the new HJT log.

*********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 9:24:06 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Maylee Lieu\Application
Data\Mozilla\Profiles\default\83emdr7j.slt\prefs.js)
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax
Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax
Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec
Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -
C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) -
Symantec Corporation - C:\Program Files\Norton Internet
Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix -
C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe
O23 - Service: VAIO Media Music Server
(VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe"
/Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO
Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP)
(VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP)
(VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server
(VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation -
C:\Program Files\Sony\VAIO Media Integrated
Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP)
(VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP)
(VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server
(VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe"
/Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO
Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP)
(VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe"
/Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony
Corporation\VAIO Media Platform\2.0"
/RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP)
(VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program
Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe


Thanks
May

Clarification of Answer by livioflores-ga on 12 Jul 2005 22:33 PDT
Hi!!

Mission accomplished!! Your log file looks clean.
To end this answer I suggest you "vaccinate" your computer using
SpywareBlaster; to be effective this tool must be kept updated. You
can download it from here:
http://ct7support.com/downloads/javacool/z341a/spywareblastersetup34.exe

For a tutorial on how to use it see:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49


Best regards,
livioflores-ga

Clarification of Answer by livioflores-ga on 12 Jul 2005 22:42 PDT
One more thing: according to your HJT logs you have not yet installed
SP2 for Windows XP. I suggest you install it. It enhances the
system security, removes vulnerabilities and provides other major fixes
like a popup blocker, etc. Keeping the system updated is another good
behavior that prevents pestware and virus infections; remember that
most malware exploits unpatched vulnerabilities in the Windows
operating system.
may88-ga rated this answer:5 out of 5 stars and gave an additional tip of: $10.00
Excellent!

Comments  
Subject: Re: Aurora spyware / adware / malware
From: livioflores-ga on 13 Jul 2005 20:21 PDT
 
Thank you for the good rating, comments and the generous tip.
