Acmlm's Board - I2 Archive - Hardware/Software - auroeco.exe - popups and crap
  
Xeolord
Posts: 3019/3418
I think it's bad, when scans in safe mode didn't seem to do much.

So, my other alternatives? Guess I should refer to that thread neo posted.
HyperLamer
Posts: 6278/8210
Also, when you edit system.ini make sure you leave it as "Shell=Explorer.exe". Don't delete the entire entry, if you like having a GUI that is.
neotransotaku
Posts: 3756/4016
Try following something similar to what was suggested in this thread:
http://board.acmlm.org/thread.php?id=16301
Xeolord
Posts: 3008/3418
Colin: Yeah, I've attempted deleting all of those R# programs before, but those seem to be one of the things that keeps on coming back, so obviously something about them isn't getting deleted.

I guess I'll just have to do a few scans in Safe Mode here soon, I'll post my results in a bit (I'll probably do this tomorrow).

It sucks having a 4-5 year old computer, and a parent who doesn't believe in reformatting. So yeah, all of this has just kind of built up over time ... ugh.
Colin
Posts: 9673/11302
Oh boy... This is messy. Really messy.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - Default URLSearchHook is missing

(That IE site doesn't look like a "proper" search engine at all.)

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

(F0 programs are ALWAYS things you don't want. Always.)

O2 - BHO: (no name) - {3BFF6319-30E8-89C3-94E4-1EE045666A74} - C:\WINDOWS\system32\fqszitsr.dll

(You can probably delete the other O2's as well to be on the safe side but that seems like the only fishy one. Random DLL names aren't good.)

O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\Nzc2.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [jiclzmrq] C:\WINDOWS\zziukxge.exe
O4 - HKLM\..\Run: [oemncib] C:\WINDOWS\wfpvtkntg.exe
O4 - HKLM\..\Run: [soxolvfe] C:\WINDOWS\system32\soxolvfe.exe
O4 - HKLM\..\Run: [doyehvln] C:\WINDOWS\system32\doyehvln.exe
O4 - HKLM\..\Run: [ewajtcd] c:\windows\system32\ewajtcd.exe
O4 - HKLM\..\Run: [yuclvmhi] C:\WINDOWS\system32\yuclvmhi.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [bejjjdtz] C:\WINDOWS\system32\bejjjdtz.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [fcdndt] c:\windows\system32\ntsjrf.exe r
O4 - HKCU\..\Run: [YFHYFMW] C:\WINDOWS\YFHYFMW.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab

Make sure you close any of those programs that are running before you delete them, or do the job in Safe Mode. Then do a restart and a rescan to see if anything new pops up or if everything's gone.
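A triage pass over HijackThis lines like the ones walked through above, added here as an example (Python, not part of the original thread and not HijackThis's own code). It applies the rules of thumb from the posts and compares a rescan against the first scan; the function names, the `WINDIRS` path heuristic and the `RESCAN` sample are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed samples: FIRST_SCAN copies lines from the thread's log; RESCAN is hypothetical.
FIRST_SCAN = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {3BFF6319-30E8-89C3-94E4-1EE045666A74} - C:\WINDOWS\system32\fqszitsr.dll
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [soxolvfe] C:\WINDOWS\system32\soxolvfe.exe
O15 - Trusted Zone: *.popuppers.com
"""
RESCAN = r"""
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [soxolvfe] C:\WINDOWS\system32\soxolvfe.exe
"""
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_KEY = re.compile(r'HK\w+\\\.\.\\Run: \[.+?\] "?(.+?\.exe)', re.I)
WINDIRS = {r"c:\windows", r"c:\windows\system32"}

def classify(code, body):
    if code in ("R0", "R1") and body.split(" = ", 1)[-1].lower().startswith("http"):
        return "IE search setting points at a remote URL"
    if code in ("F0", "F2") and body.split("Shell=", 1)[-1].strip().lower() != "explorer.exe":
        return "extra program appended to Shell="
    if code == "O2" and "(no name)" in body and not body.endswith("(no file)"):
        return "unnamed BHO backed by a DLL"
    if code == "O4":
        m = RUN_KEY.match(body)
        # Heuristic (assumption): only autoruns sitting directly in the Windows dirs.
        if m and ntpath.dirname(m.group(1)).lower() in WINDIRS:
            return "autorun image directly in a Windows directory"
    return "site added to Trusted Zone" if code == "O15" else None

def triage(log):
    """Map each flagged entry to the reason it needs a manual lookup."""
    flagged = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m and (reason := classify(*m.groups())):
            flagged[m.group(2)] = reason
    return flagged

def persisting(before, after):
    """Flagged entries from the first scan that the rescan still shows."""
    return sorted(triage(before).keys() & triage(after).keys())

if __name__ == "__main__":
    print(triage(FIRST_SCAN), persisting(FIRST_SCAN, RESCAN), sep="\n")
```

Entries under subfolders such as `system32\nsvsvc\` are not caught by the path heuristic and still need the filename lookup described in the thread.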
Ailure
Posts: 10677/11162
O2 - BHO: (no name) - {3BFF6319-30E8-89C3-94E4-1EE045666A74} - C:\WINDOWS\system32\fqszitsr.dll

Gives no result on google... move it in safe mode or something.

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

I would remove nail if I was you. From system.ini and the file itself. It seems to be some sort of spyware.

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [jiclzmrq] C:\WINDOWS\zziukxge.exe

Safe to say that both are spyware.

O4 - HKLM\..\Run: [oemncib] C:\WINDOWS\wfpvtkntg.exe
O4 - HKLM\..\Run: [soxolvfe] C:\WINDOWS\system32\soxolvfe.exe

Those too.

I can't go through all of them due to time constraints, but a simple hint is... use Google. Google for the filenames and see what uses them. If you get no results, then it's one of those spyware programs that name themselves a random name.

And you should also delete them in safe mode, otherwise they are just running behind the scenes and recreate themselves...
Xeolord
Posts: 3007/3418
Here it is:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {136FDA8D-FB30-9427-A07A-C52057B1E763} - (no file)
O2 - BHO: (no name) - {17C7B2F5-EB9A-B726-0D65-0133797FC583} - (no file)
O2 - BHO: (no name) - {3BFF6319-30E8-89C3-94E4-1EE045666A74} - C:\WINDOWS\system32\fqszitsr.dll
O2 - BHO: (no name) - {D9146009-9CE2-5601-3858-9EABB4E96F6F} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Documents and Settings\Steven\Desktop\SnesJukebox\Jukebox 2\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\Nzc2.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [jiclzmrq] C:\WINDOWS\zziukxge.exe
O4 - HKLM\..\Run: [YPC] C:\Program Files\Yahoo!\Parental Controls\YPC.EXE
O4 - HKLM\..\Run: [oemncib] C:\WINDOWS\wfpvtkntg.exe
O4 - HKLM\..\Run: [soxolvfe] C:\WINDOWS\system32\soxolvfe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [doyehvln] C:\WINDOWS\system32\doyehvln.exe
O4 - HKLM\..\Run: [ewajtcd] c:\windows\system32\ewajtcd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [yuclvmhi] C:\WINDOWS\system32\yuclvmhi.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"
O4 - HKLM\..\Run: [0c13e9jl] C:\WINDOWS\system32\0c13e9jl.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [bejjjdtz] C:\WINDOWS\system32\bejjjdtz.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [fcdndt] c:\windows\system32\ntsjrf.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [YFHYFMW] C:\WINDOWS\YFHYFMW.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA\VIA Sound Player\mixer\AudioDeck_bmp.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4A3257E-2DA1-440A-9853-A2B9E6A3756F}: NameServer = 151.164.11.201 151.164.1.8



seeve.exe is the same thing as the pop64 program that starts up at the beginning, but doesn't appear or anything. And a lot of other things on that list are just crap also ...

I've deleted a lot of these things repeatedly in HiJack This, like those plugins, but yeah, they just seem to keep on coming back, or they're never really deleted.
Colin
Posts: 9672/11302
The whole log from the software? Sure. It shouldn't be THAT large.
Xeolord
Posts: 3006/3418
So, it would be safe to post a full log here? ...

Just being cautious.

And yeah, I'm using Win XP, Office Edition (no clue how my dad got Office instead of Home).

Any kind of reinstall is out of the question though, my dad won't even allow me to reformat this computer, so yeah (he just won't allow that kind of stuff).
Colin
Posts: 9668/11302
Some spyware files end up using random names/etc. in an attempt to sneak by any scanners/make them harder to identify, I suppose.

I'd do a Hijack log since odds are your problem can be identified through that. Helped me out bigtime with a similar problem a few months ago.
Ailure
Posts: 10672/11162
I had viruses that didn't go away until I did a scan in safe mode, and safe mode with command line is the best choice if you want to be really really safe.

That is, if you can use the command line in Win XP. :/

And from personal experience, I had viruses that didn't go away until I did get into safe mode. Though I honestly haven't had many computer problems since I started to use Firefox here. :/

And oh, Hi-Jack This! logs might be useful for us to look through at least...

And don't be scared if Safe mode takes quite some time to start and has an odd start-up, that's normal.

If Safe mode is even more fucked up, then only a reinstall can save your computer. :/
Xeolord
Posts: 3003/3418
What is this crap?

I mean hell, this auroeco.exe crap pops up about every 10 minutes I'm on the net. It's basically IE popup windows that have no top toolbar of any kind, so all I can really do is close them.

It's really gotten old. I've done Spybot, Adaware, Hi-Jack This!, and Driver scans of all kinds, and I still can't seem to get this crap off my computer.

IE has gotten annoying also. I never go into it, and never start it up, but eventually it'll be running without any notice, and sometimes it makes things freeze (maybe a folder, Script popups of some kind, Firefox, etc), so I have to go into the Task Manager and End It, quite often.

I also have this issue with "Popuppers". Whenever my computer starts up, and I go into a user, pop64 will automatically start running, along with other completely useless junk.

Thing is, I still haven't scanned in Safe Mode ... just remember, I do have an issue with getting into Safe Mode, but I'm positive Xk answered my question about that, and I can probably easily do that if I want.

Think Scanning in Safe Mode will get rid of this stuff?

Edit: there's also a lot of other random things, like bejjjdlz.exe, whenever I end things like this, other suspicious things take its place.