08-24-2005, 01:34 PM   #5
mighty_mace
OS: xp


Ok here is what we got...

Trendware Antispyware
--------------------------------------------------------------------------
Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'advertising.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'bluestreak.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found 'servedby.advertising.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'winmx 3.53 7.28.04.exe' in 'C:\Documents and Settings\Mike Mace\My Documents\DOWNLOADS\Full Programs'
Found 'Dc2.ico' in 'C:\RECYCLER\S-1-5-21-2909053652-3283365531-518239200-1007'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Mike Mace\My Documents\DOWNLOADS\Full Programs\winmx 3.53 7.28.04.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Mike Mace\My Documents\DOWNLOADS\Full Programs\winmx 3.53 7.28.04.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Mike Mace\My Documents\DOWNLOADS\Full Programs\winmx 3.53 7.28.04.exe'
Checking for 'C:\RECYCLER\S-1-5-21-2909053652-3283365531-518239200-1007\Dc2.ico' in shortcut areas.
Checking for 'C:\RECYCLER\S-1-5-21-2909053652-3283365531-518239200-1007\Dc2.ico' in startup areas.
Cleaning 'C:\RECYCLER\S-1-5-21-2909053652-3283365531-518239200-1007\Dc2.ico'
Finished Cleaning
--------------------------------------------------------------------------

Panda
--------------------------------------------------------------------------

Incident Status Location

Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\MIKE MACE\FAVORITES\1111\1111.url
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/bigtrafficnet No disinfected Windows Registry
--------------------------------------------------------------------------
Findit
--------------------------------------------------------------------------

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 08/24/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 43A6-36F4

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 43A6-36F4

Directory of C:\WINDOWS\system32

08/24/2005 07:45 AM 1,406 AddQuit.ico
08/24/2005 07:45 AM 9,470 Desktop.ico
08/24/2005 07:45 AM 1,406 Help.ico
08/24/2005 07:45 AM 5,350 IE.ico
08/24/2005 07:45 AM 1,718 Open.ico
08/24/2005 07:45 AM 1,718 Quick.ico
08/24/2005 07:45 AM 2,550 Uninstall.ico
7 File(s) 23,618 bytes
0 Dir(s) 47,217,856,512 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Those .ico files in Findit are all a little stethoscope icon, and the AddQuit.ico is a panda head. I didn't delete them in case they were dealing with the Panda software.

Last edited by mighty_mace; 08-24-2005 at 01:40 PM.