Aroura spyware problem
Results 1 to 4 of 4

Thread: Aroura spyware problem

  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    36

    Aroura spyware problem

    OK some how i got this crappy aruora spyware on my computer it cant be taken off by my normal method of just running my spyware removal programs. So i have my hijackthis log can somone give me some tips so i can remove this stuff from my computer. Any help will be appriciated.





    Logfile of HijackThis v1.99.1
    Scan saved at 1:48:13 AM, on 5/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    c:\windows\system32\qlvgvw.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\O3J3Q8L9\HijackThis[2].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.ev1.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.ev1.net
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AdPopup] C:\WINDOWS\dcf5678.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [nkcrrbb] c:\windows\system32\qlvgvw.exe
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.boxsearch.net
    O15 - Trusted Zone: *.brdatahost.com
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116401914760
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  2. #2
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    http://www.antionline.com/showthread...hreadid=268212

    Some info there.

    I didn't take it to conclusion I'm afraid.

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Here's the current wisdom on this one....

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    Please download Nailfix from here:
    http://users.pandora.be/bluepatchy/nailfix.zip
    Unzip it to the desktop but please do NOT run it yet.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml


    Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Then please run Ewido, and run a full scan. Post the log from the scan here for me.

    Then please run HijackThis, click Scan, and check:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HijackThis and click Fix Checked.

    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Aroura spyware problem

    After a quick look, these look like they don't belong on your system..
    c:\windows\system32\qlvgvw.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [AdPopup] C:\WINDOWS\dcf5678.exe
    O4 - HKLM\..\Run: [nkcrrbb] c:\windows\system32\qlvgvw.exe
    O15 - Trusted Zone: *.boxsearch.net
    O15 - Trusted Zone: *.brdatahost.com
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •