PC Review


 
 
Anti spyware
 
      16th Apr 2005
I have been trying to clean out this popup for ever now; the title bar title
is Aurora. I have tried adware and Microsoft spyware beta, in both normal
Windows and safe mode. I still haven't had any luck yet. I did searches in
the registry and system drives for the words aur and aurora and still no luck
at all. It stops for a few hours, then it's back again after I run the
removers in safe mode. Any comments or help would be appreciated, since I
can't find any real help through Google or the forum search. Here is my
hijack log.

Here's a print screen:
http://www.nguyenweb.net/pest/aurora.JPG

Logfile of HijackThis v1.99.1
Scan saved at 6:43:03 PM, on 04/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\guyqso.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/F...ansferCtrl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


D@annyBoy
 
      16th Apr 2005
No need to post your Logfile of HijackThis because this is a ng for MSAS.

--

D@nnyBoy
Have you tried posting your problems
not related to MS AntiSpyware to
news://msnews.microsoft.com

and please don't bother to send me private mail
because I don't check my mailbox regularly


"Anti spyware" <(E-Mail Removed)> wrote in message
news:%23mw$(E-Mail Removed)...



Bill Sanderson
 
      16th Apr 2005
I cleaned this one today--it was not easy. I believe this is CoolWebSearch.


"Anti spyware" <(E-Mail Removed)> wrote in message
news:%23mw$(E-Mail Removed)...

This one is the randomly named piece of the code. You can kill the process
using the system explorer's process tool, but it is immediately recreated
with a different name. Also look for (on the system I cleaned) nail.exe - I
believe in c:\windows.

Check the registry for the shell line:
HKLM\software\microsoft\windows nt\currentversion\winlogon

shell reg_sz explorer.exe

If you see more besides explorer.exe, remove that, find the executable, and
kill it.

> c:\windows\system32\guyqso.exe


OK - so now you have two of the three parts of this critter--the random
part, the shell part (find it in the registry and note the name and
location--it may be different from mine).

Now for the third part. I couldn't find this with any standard
tools--msconfig, sysinfo32, Microsoft Antispyware. What did find it was
Trend Micro's online virus scan:

http://housecall.trendmicro.com

It ID'd an executable in Windows as a trojan, but couldn't do anything to
it--so that's how I found the third piece.

This piece was active in safe mode, safe mode command prompt, etc. Others
here will probably be able to suggest an app designed to kill such things,
but what I did was boot (in my case Windows 2000) via the CD to the Recovery
Console.

I was able to delete the main viral component using the recovery console,
and also nail.exe.

I then searched out the current name for the random-named component and
deleted it.

That seemed to take care of it. I suspect I also booted to safe mode and
did some fairly careful checking by date to look at new stuff in the last
day or two that didn't look kosher--who knows what innocent data files I
blew away!



 
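As an added illustration (not code from the thread), a small Python script that applies the three checks Bill describes to lines in the HijackThis log format posted above: anything besides explorer.exe on the Shell line, a Run entry whose value name and file name are both short random-looking strings that do not match each other, and a service with no vendor string whose binary sits directly in C:\WINDOWS rather than a subfolder. The sample lines are constructed from the posted log; the random-name and folder rules are heuristics of my own, not HijackThis's.

```python
"""Triage a HijackThis v1.99-style log for the three components discussed
in this thread: an extra executable on the Winlogon Shell line, a randomly
named Run entry, and an unknown-owner service in the Windows root."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the log posted in the thread
# (one Shell line, three Run entries, three services), not the full log.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Heuristic (my assumption): 5-8 lowercase letters, no dot, digit or vendor
# casing, is what the randomly generated names in this family look like.
RANDOM_NAME_RE = re.compile(r"[a-z]{5,8}")
# Binary directly in the Windows root, e.g. C:\WINDOWS\x.exe, not system32.
WINDIR_ROOT_RE = re.compile(r"(?i)c:\\windows\\[^\\]+")


def _exe_path(value: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(?i).*?\.exe", value)
    return m.group(0) if m else value


def shell_extras(log: str) -> List[str]:
    """Executables on the Shell line other than explorer.exe.

    The Shell value is a space-separated command list, so splitting on
    whitespace mirrors how Winlogon itself reads it."""
    for line in log.splitlines():
        m = SHELL_RE.match(line)
        if m:
            return [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
    return []


def random_run_entries(log: str) -> List[Tuple[str, str]]:
    """Run entries whose value name and file stem are both random-looking
    and differ (vptray -> vptray.exe passes; vkopnnr -> guyqso.exe is hit)."""
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        name, path = m.group(2), _exe_path(m.group(3))
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if (RANDOM_NAME_RE.fullmatch(name) and RANDOM_NAME_RE.fullmatch(stem)
                and name != stem):
            hits.append((name, path))
    return hits


def unknown_owner_services_in_windir(log: str) -> List[Tuple[str, str]]:
    """Services with no vendor whose binary sits directly in C:\\WINDOWS.
    Ati2evxx.exe in system32 is not flagged; svcproc.exe in the root is."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, owner, path = m.groups()
        if owner == "Unknown owner" and WINDIR_ROOT_RE.fullmatch(path):
            hits.append((name, path))
    return hits


def triage(log: str) -> Dict[str, list]:
    """Run all three checks and return the entries worth a closer look."""
    return {
        "shell_extras": shell_extras(log),
        "random_run": random_run_entries(log),
        "unknown_services": unknown_owner_services_in_windir(log),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
```

The flagged entries are candidates for the manual review the thread describes, not a verdict; the unknown-owner rule in particular will also catch legitimate drivers that ship without a vendor string.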
Andre Da Costa
 
      16th Apr 2005
From Chuck:
CoolWebSearch is a constantly mutating major nuisance. The best tool to
diagnose it is HijackThis, and expert advice. HijackThis shows all possible
traces of software, anything that MIGHT be malware, and lets an expert
identify the bad stuff manually.

HijackThis http://www.tomcoyote.com/hjt/

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the HJT Log.

http://forums.spywareinfo.com/index.php?showtopic=227

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):

Aumha: http://forum.aumha.org/index.php

Net-Integration: http://forums.net-integration.net/

Spyware Info: http://forums.spywareinfo.com/

Spyware Warrior: http://spywarewarrior.com/index.php

Tom Coyote: http://forums.tomcoyote.org/
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm


"Bill Sanderson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...



 
Bill Sanderson
 
      16th Apr 2005
Whoops - I see nail.exe there in the hijackthis log as well.

Same critter. Get an ID on the third piece from a competent antivirus. NAV
2005 was installed on the machine I was working with, and had current
definitions, but I'm not sure when the last full scan had been.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Bill Sanderson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
>> C:\Program Files\Messenger\msmsgs.exe
>> O9 - Extra 'Tools' menuitem: Windows Messenger -
>> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
>> Files\Messenger\msmsgs.exe
>> O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
>> http://transfers.one.microsoft.com/F...ansferCtrl.cab
>> O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
>> O23 - Service: Ati HotKey Poller - Unknown owner -
>> C:\WINDOWS\system32\Ati2evxx.exe
>> O23 - Service: ATI Smart - Unknown owner -
>> C:\WINDOWS\system32\ati2sgag.exe
>> O23 - Service: pcAnywhere Host Service (awhost32) - Symantec
>> Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
>> O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,
>> Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
>> O23 - Service: DefWatch - Symantec Corporation - C:\Program
>> Files\NavNT\defwatch.exe
>> O23 - Service: GEARSecurity - GEAR Software -
>> C:\WINDOWS\system32\gearsec.exe
>> O23 - Service: GhostStartService - Symantec Corporation - C:\Program
>> Files\Symantec\Norton Ghost 2003\GhostStartService.exe
>> O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) -
>> Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
>> O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service
>> (default)) - Analog Devices, Inc. - C:\Program Files\Analog
>> Devices\SoundMAX\SMAgent.exe
>> O23 - Service: System Startup Service (SvcProc) - Unknown owner -
>> C:\WINDOWS\svcproc.exe
>>

 
Bob
Guest
Posts: n/a
 
      16th Apr 2005
Patrick; I have the same thing. Let me know if you come
across a fix. TNX
Jonzy
Guest
Posts: n/a
 
      16th Apr 2005
I've been fighting this one as well. The fix that worked for
me was adapted from the thread at this URL:
http://forums.maddoktor2.com/index.p...=0&#entry19146
I had Nail, SvcProc, and some others, but the Aurora wasn't
fixed until I used the "find_it.bat" listed on that page to
correctly ID the real exe, which was, by the way, a totally
different name from the one on the thread. Good luck.
>-----Original Message-----
>Whoops - I see nail.exe there in the hijackthis log as well.
>
>Same critter. Get an ID on the third piece from a competent antivirus. NAV
>2005 was installed on the machine I was working with, and had current
>definitions, but I'm not sure when the last full scan had been.
>--
>FAQ for Microsoft Antispyware:
>http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
>
>"Bill Sanderson" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>>I cleaned this one today--it was not easy. I believe this is
>>CoolWebSearch.
>>
>>
>> "Anti spyware" <(E-Mail Removed)> wrote in message
>> news:%23mw$(E-Mail Removed)...
>>
>> This one is the randomly named piece of the code. You can kill the
>> process using the system explorers process tool, but it is immediately
>> recreated with a different name. Also look for
>> (on the system I cleaned) nail.exe - I believe in c:\windows.
>>
>> Check the registry for the shell line:
>> HKLM\software\microsoft\windows nt\currentversion\winlogon
>>
>> shell reg_sz explorer.exe
>>
>> If you see more besides explorer.exe, remove that, find the executable,
>> and kill it.
>>
>>> c:\windows\system32\guyqso.exe
>>
>> OK - so now you have two of the three parts of this critter--the random
>> part, the shell part (find it in the registry and note the name and
>> location--it may be different from mine)
>>
>> Now for the third part. I couldn't find this with any standard
>> tools--msconfig, sysinfo32, Microsoft Antispyware. What did find it was
>> Trend Micro's online virus scan:
>>
>> http://housecall.trendmicro.com
>>
>> It ID'd an executable in Windows as a trojan, but couldn't do anything to
>> it--so that's how I found the third piece.
>>
>> This piece was active in safe mode, safe mode command prompt, etc. Others
>> here will probably be able to suggest an app designed to kill such things,
>> but what I did was boot (in my case Windows 2000) via the CD to the
>> Recovery Console.
>>
>> I was able to delete the main viral component using the recovery console,
>> and also nail.exe.
>>
>> I then searched out the current name for the random-named component and
>> deleted it.
>>
>> That seemed to take care of it. I suspect I also booted to safe mode and
>> did some fairly careful checking by date to look at new stuff in the last
>> day or two that didn't look kosher--who knows what innocent data files I
>> blew away!
>>
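Bill Sanderson's procedure, as quoted in Jonzy's reply above, comes down to three persistence points that are all visible in the HijackThis log posted in this thread: the Winlogon Shell value that launches C:\WINDOWS\Nail.exe beside Explorer.exe (the F2 line), the Run entry [vkopnnr] pointing at a randomly named file in system32 (an O4 line), and the "System Startup Service" with no recorded owner running C:\WINDOWS\svcproc.exe (an O23 line). The script below is an added example, not part of this thread and not HijackThis or Microsoft AntiSpyware code. It parses log lines in the format posted here and flags those three patterns. The heuristics are my own assumptions: a Shell= value with anything beyond explorer.exe, a Run key whose name shares no token with the file it launches when that file lives in C:\WINDOWS or system32, and a service marked "Unknown owner" whose binary sits directly in C:\WINDOWS rather than in system32 or Program Files. They produce candidates for a manual look, not verdicts; on the constructed sample they also flag NeroCheck.exe, a legitimate Nero component, which is exactly why the output still needs a human.

```python
"""Triage a HijackThis 1.99 log for the three persistence points discussed
in this thread: a Winlogon Shell= line that launches more than Explorer.exe
(F2), a Run entry in the Windows directory whose key name has nothing to do
with the file it launches (O4), and a service with no recorded owner whose
binary sits directly in C:\\WINDOWS (O23). Added example; not HijackThis code."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the log posted in this thread, kept
# inline so the script runs offline; the paths are the ones the thread shows.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vkopnnr] c:\windows\system32\guyqso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

WINDIR = PureWindowsPath(r"C:\WINDOWS")
SYSTEM32 = WINDIR / "system32"

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.+)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<rest>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _exe_path(rest):
    """Strip quoting and trailing arguments from a Run value."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", rest)
    return m.group(1) if m else rest


def _parent_is(path, directory):
    """True if the file sits directly in `directory` (not in a subdirectory)."""
    return str(PureWindowsPath(path).parent).lower() == str(directory).lower()


def _name_related(key, path):
    """True if the Run key name and the executable's stem share a token."""
    k = re.sub(r"[^a-z0-9]", "", key.lower())
    stem = re.sub(r"[^a-z0-9]", "", PureWindowsPath(path).stem.lower())
    return bool(k) and bool(stem) and (k in stem or stem in k)


def triage(log_text):
    """Return a list of (kind, path) findings worth a manual look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SHELL_RE.match(line):
            # Anything after Shell= other than explorer.exe is a second shell.
            for token in m["cmd"].split():
                if token.lower() != "explorer.exe":
                    findings.append(("shell", token))
        elif m := RUN_RE.match(line):
            path = _exe_path(m["rest"])
            in_windir = _parent_is(path, WINDIR) or _parent_is(path, SYSTEM32)
            if in_windir and not _name_related(m["key"], path):
                findings.append(("run", path))
        elif m := SVC_RE.match(line):
            if m["owner"] == "Unknown owner" and _parent_is(m["path"], WINDIR):
                findings.append(("service", m["path"]))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind:8s} {path}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Because the randomly named component is recreated under a new name whenever it is killed, take two logs a few minutes apart and compare the O4 and O23 findings; an entry whose file name changed between the two runs is the piece Sanderson describes, and the Shell= and service entries are the pieces that keep bringing it back.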
 
Anti spyware
Guest
Posts: n/a
 
      16th Apr 2005
Sorry for posting the log file, won't do that again.

Patrick

"D@annyBoy" <origin@ld@(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> no need to post your Logfile of HijackThis because this is a ng for MSAS
>
> --
>
> D@nnyBoy
> Have you tried posting your problems
> not related to MS AntiSpyware to
> news://msnews.microsoft.com
>
> and please don't bother to send me private mail
> because I don't check my mailbox regularly
>
>
 
plun
Guest
Posts: n/a
 
      16th Apr 2005
Anti spyware wrote:
> Sorry for posting the log file, wont do that again.


Feel free to do that again

This Aurora is a troublemaker; if you search with Google you
find several users with this problem.

- Please send a suspected spyware report to MS about this,
menu Tools within MSAS.

I recommend you follow this URL and at step 7 post your
HijackThis log if steps 1-6 don't help.

http://www.aumha.org/a/quickfix.htm

For step 2 use this tool, CCleaner, www.ccleaner.com

--
plun
 
 
Menno Hershberger
Guest
Posts: n/a
 
      16th Apr 2005
"Anti spyware" <(E-Mail Removed)> wrote in
news:#mw$(E-Mail Removed):

> I have been trying ot clean out this popup for ever now, the title bar
> title is Aurora. I have tried adware and microsoft spyware beta, in
> both normal windows and safe mode. I still havent had any luck yet.
> I did searches in the registry and system drives for the word aur and
> aurora and still no luck at all. it stops for a few hours then its
> back again after i run the removers in safe mode. Any comments or
> help would be appriciated, since i cant find any real help through
> googles nor the forum search. here is my hijack log..
>
> Heres a print screen:
> http://www.nguyenweb.net/pest/aurora.JPG


Take a look at
http://hijackthis.de/logfiles/14f4c8...8b4bc0054.html
Don't take it for gospel though.... :-)
I saw a couple that I know I'd get rid of though.

--
--- A Freudian slip is when you say one thing but mean your mother. ---
 