Cannot remove Aurora SvcProc & Nail problems

Question

Hi having mass problems with Aurora on the PC. Ran most spyware removal software which has removed alot of stuff, though Aurora still keeps on comming back again and again. Here is the Hijackthis file from the PC. Hope that someone can help me on this.   Cheers in advance. flibble.   Logfile of HijackThis v1.99.1Scan saved at 14:49:44, on 07/09/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Automatic Update\AutoUpdate.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\LDCLIENT\LOCALSCH.EXEC:\WINDOWS\system32\cba\pds.exeC:\LDCLIENT\QIPCLNT.EXEC:\LDClient	mcsvc.exeC:\Program Files\Network Associates\Common Framework\FrameworkService.exeC:\Program Files\Network Associates\VirusScan\Mcshield.exeC:\Program Files\Network Associates\VirusScan\VsTskMgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\LDClient\wuser32.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\MsgSys.EXEC:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exeC:\Program Files\Network Associates\VirusScan\SHSTAT.EXEC:\Program Files\Network Associates\Common Framework\UpdaterUI.exeC:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exeC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\Microsoft AntiSpyware\gcasServ.exeC:\Program Files\WIZZ\dazzler.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\WINDOWS\System32\asriagl.exeC:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\aaae	nac.exeC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\WINDOWS\System32\wuauclt.exeC:\Program Files\NetMeeting\conf.exeC:\WINDOWS\System32undll32.exeC:\WINDOWS\System32svp.exeC:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exeC:\HJK\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.directsearchzone.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bussolaweb.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.directsearchzone.com/sp2.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shglhfs01/intranet/index.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bussolaweb.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bussolaweb.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SHG LonghaulR3 - Default URLSearchHook is missingF2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exeO4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exeO4 - HKLM\..\Run: [ShStatEXE] 'C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE' /STANDALONEO4 - HKLM\..\Run: [McAfeeUpdaterUI] 'C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe' /StartedFromRunKeyO4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] 'C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe' /iconO4 - HKLM\..\Run: [HP Component Manager] 'C:\Program Files\HP\hpcoretech\hpcmpmgr.exe'O4 - HKLM\..\Run: [HP Software Update] 'C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe'O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'O4 - HKLM\..\Run: [Apvxdwin] C:\WINDOWS\System32\APVXDWIN.EXE O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheckO4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exeO4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\System32ealmon.exe /startO4 - HKLM\..\Run: [Recguard] C:\Program Files\HPecguard.exe O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exeO4 - HKLM\..\Run: [qvjqvv] C:\WINDOWS\System32\asriagl.exe rO4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] 'C:\WINDOWS\System32undll32.exe' msconf.dll,CleanupNetMeetingDispDriver 0O4 - HKCU\..\Run: [STManager] 'C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe' -bO4 - HKCU\..\Run: [Iiotmsd] C:\WINDOWS\System32\??curity\svchost.exeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [Aeem] C:\Program Files\aaae	nac.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O15 - Trusted Zone: http://*.amadeus.com O15 - Trusted Zone: http://webconfig.amadeus.com O15 - Trusted Zone: http://*.amadeusproweb.com O15 - Trusted Zone: http://*.amadeusvista.com O15 - Trusted Zone: http://*.amadeus.com (HKLM)O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://www.storage-tasp.com/gs/gsi0049.exe O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://amadeusvista.com/VWP/common/cabs/VistaPWComms.CAB O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/surfya/surfya.exe O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista.com/VWP/common/cabs/SP2Patch.CAB O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124809217591 O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://amadeusvista.com/VWP/common/cabs/MSIInspect.CAB O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1111864.exe O16 - DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} (Certificates_Info Class) - http://pilot.certificates.amadeusvista.com/certificateinfo/CCCert_Info.CAB O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/VWP/common/cabs/AmadeusInit.CAB O16 - DPF: {FBFF6F10-A2FC-9544-745F-A1F75A0501AE} - http://www.italian-toplist.com/cart/gs/gsa0097.exe O16 - DPF: {FD6F39AA-9D17-4E06-850F-FF222D490A10} (PNRServicing.PNRServicingCls) - http://www.vistascript.amadeus.com/UK/PnrSERV/PnrServicing.CAB O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn283.exe O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/it/activex_571_it.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SHG.CORPO17 - HKLM\Software\..\Telephony: DomainName = SHG.CORPO17 - HKLM\System\CCS\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68O17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: Domain = shg.corpO17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: NameServer = 10.39.0.20,10.39.0.181O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SHG.CORPO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORPO17 - HKLM\System\CS1\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORPO20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dllO23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXEO23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exeO23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\LDCLIENT\QIPCLNT.EXEO23 - Service: Intel Targeted Multicast - LANDesk Software Ltd. - C:\LDClient	mcsvc.exeO23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exeO23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exeO23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exeO23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Intel Remote Control Service (Wuser32) - LANDesk Software Ltd. - C:\LDClient\wuser32.exe

RKinner · Answer

Download the Hoster from:

www.funkytoad.com/

Unpack to your desktop and run it. If you have green print at the top then just press Restore Original Hosts then OK.
IF you have red print then press make Hosts Writeable first.

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.

You will need ABIRemover from

http://forum.hijackthis.de/attachment.php?attachmentid=177

unpack (extract) it to your desktop but don't run it yet.

Start then right click on My Computer and press Manage. In the new window
Service and Applications then Services. In the right pane scroll down and find
the System Startup Service. Double click on it and and then set the Start Type
to Disabled. Then OK.

Now shutdown and reboot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix
Checked the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.directsearchzone.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.directsearchzone.com/sp2.php
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [qvjqvv] C:\WINDOWS\System32\asriagl.exe r
O4 - HKCU\..\Run: [Iiotmsd] C:\WINDOWS\System32\??curity\svchost.exe
O4 - HKCU\..\Run: [Aeem] C:\Program Files\aaae\tnac.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/surfya/surfya.exe
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1111864.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn283.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)

Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.

Now run ABIRemover. It will reboot when done. You must catch the PC and make it boot into Safe Mode as before by tapping the F8 key.

Then run HijackThis again and check/Fix Checked anything that was in the above list plus anything new that shows up that was not in your original list.

Reboot into normal mode and run another HijackThis log and post it as a reply. Let's
see how we did.

Ron

flibble · Answer

Hi Ron.

Thanks for the info and your help.

I've ran through everything you have said and initially it looks to be a lot cleaner though i did get an advert pop up. Here is the latest HiJackThis report. I would appreciate it if you could take a look and see if there are any other checks / alterations to make. Cheers Flibble

Logfile of HijackThis v1.99.1
Scan saved at 11:48:36, on 13/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\QIPCLNT.EXE
C:\LDClient\tmcsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\LDClient\wuser32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\APVXDWIN.EXE
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\??curity\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aaae\tnac.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rsvp.exe
C:\HJK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.directsearchzone.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bussolaweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.directsearchzone.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shglhfs01/intranet/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bussolaweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SHG Longhaul
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Apvxdwin] C:\WINDOWS\System32\APVXDWIN.EXE
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\System32\realmon.exe /start
O4 - HKLM\..\Run: [Recguard] C:\Program Files\HP\recguard.exe
O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Iiotmsd] C:\WINDOWS\System32\??curity\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aeem] C:\Program Files\aaae\tnac.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.amadeus.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://www.storage-tasp.com/gs/gsi0049.exe
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://amadeusvista.com/VWP/common/cabs/VistaPWComms.CAB
O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista.com/VWP/common/cabs/SP2Patch.CAB
O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124809217591
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://amadeusvista.com/VWP/common/cabs/MSIInspect.CAB
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} (Certificates_Info Class) - http://pilot.certificates.amadeusvista.com/certificateinfo/CCCert_Info.CAB
O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/VWP/common/cabs/AmadeusInit.CAB
O16 - DPF: {FBFF6F10-A2FC-9544-745F-A1F75A0501AE} - http://www.italian-toplist.com/cart/gs/gsa0097.exe
O16 - DPF: {FD6F39AA-9D17-4E06-850F-FF222D490A10} (PNRServicing.PNRServicingCls) - http://www.vistascript.amadeus.com/UK/PnrSERV/PnrServicing.CAB
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/it/activex_571_it.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SHG.CORP
O17 - HKLM\Software\..\Telephony: DomainName = SHG.CORP
O17 - HKLM\System\CCS\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: Domain = shg.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: NameServer = 10.39.0.20,10.39.0.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SHG.CORP
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORP
O17 - HKLM\System\CS1\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
O23 - Service: Intel Targeted Multicast - LANDesk Software Ltd. - C:\LDClient\tmcsvc.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Intel Remote Control Service (Wuser32) - LANDesk Software Ltd. - C:\LDClient\wuser32.exe

RKinner · Answer

We got rid of Aurora but still have:

O4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKCU\..\Run: [Iiotmsd] C:\WINDOWS\System32\??curity\svchost.exe
O4 - HKCU\..\Run: [Aeem] C:\Program Files\aaae\tnac.exe

Also this line should have vanished after a reboot:

O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

Check them all in HijackThis and Fix Checked.

Let's try Killbox.

Download the killbox:

http://www.bleepingcomputer.com/files/killbox.php
and extract it to your desktop.
run killbox.exe.

Where it says Full Path of File to Delete, type or paste:

C:\WINDOWS\System32\winupd

then check Deltree and Delete on Reboot buttons and press the red button,
agree that you want to delete on reboot but don't let it reboot yet.

Now repeat for:
C:\WINDOWS\System32\??curity
C:\Program Files\aaae\

If you get a message saying an external process has canceled the renaming then try it from Safe Mode as before.

Reboot and run a new scan. Hopefully they will say File Missing or no File now if they still show up. Post a new log as a reply.

Ron

flibble · Answer

Hi Ron,

I followed your details and though everything else was removed wuauclt.exe kept on coming back in the HiJackThis scan. After running some of the previous applications to clean the temp files etc, I think that it has finally been removed. If you could just check through the scan for me. Again thanks for your help. Flibble.

Posted latest HiJackThis report.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:31, on 15/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\QIPCLNT.EXE
C:\LDClient\tmcsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\LDClient\wuser32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shglhfs01/intranet/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SHG Longhaul
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Apvxdwin] C:\WINDOWS\System32\APVXDWIN.EXE
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\System32\realmon.exe /start
O4 - HKLM\..\Run: [Recguard] C:\Program Files\HP\recguard.exe
O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BT Business Broadband.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.amadeus.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://www.storage-tasp.com/gs/gsi0049.exe
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://amadeusvista.com/VWP/common/cabs/VistaPWComms.CAB
O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista.com/VWP/common/cabs/SP2Patch.CAB
O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124809217591
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://amadeusvista.com/VWP/common/cabs/MSIInspect.CAB
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} (Certificates_Info Class) - http://pilot.certificates.amadeusvista.com/certificateinfo/CCCert_Info.CAB
O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/VWP/common/cabs/AmadeusInit.CAB
O16 - DPF: {FBFF6F10-A2FC-9544-745F-A1F75A0501AE} - http://www.italian-toplist.com/cart/gs/gsa0097.exe
O16 - DPF: {FD6F39AA-9D17-4E06-850F-FF222D490A10} (PNRServicing.PNRServicingCls) - http://www.vistascript.amadeus.com/UK/PnrSERV/PnrServicing.CAB
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/it/activex_571_it.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SHG.CORP
O17 - HKLM\Software\..\Telephony: DomainName = SHG.CORP
O17 - HKLM\System\CCS\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: Domain = shg.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F57CAC-CEEE-4E57-9B26-BB7418036D69}: NameServer = 10.39.0.20,10.39.0.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SHG.CORP
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORP
O17 - HKLM\System\CS1\Services\Tcpip\..\{07C63E82-1056-4EB0-888C-7295CA039F85}: NameServer = 194.72.0.98 194.74.65.68
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = shg.corp,SHG.CORP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
O23 - Service: Intel Targeted Multicast - LANDesk Software Ltd. - C:\LDClient\tmcsvc.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: Intel Remote Control Service (Wuser32) - LANDesk Software Ltd. - C:\LDClient\wuser32.exe

RKinner · Answer

Looking a lot better. A few remnants in the registry:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)

Above should be checked and Fix Checked but if they don't go away it's not a big deal.

This one should have gone away after the last reboot unless you had another net meeting.

O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

The next two are a remote control program. IF you use it it may need repair/reinstall. If you didn't put it on there then you need to check/Fix Checked

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Is it working OK otherwise?

Ron

Message Edited by RKinner on 09-15-2005 10:34 AM

flibble · Answer

Hi Ron,

Yes thanks for your help everything seems to be working okay.

I have been using netmeeting to resolve this problem on the PC and had VNC installed as another means, but didn't use it. So that accounts for your notes above.

Cheers for your help

Flibble.

Virus & Spyware

Was this post helpful?