Aurora


Jeff

How do I get rid of this? I have Microsoft AntiSpyware
and have done a scan but it is still there.
 
Hi Jeff

Aurora's a pain due to all the files it drops in
different areas (svcproc.exe, nail.exe, drpmon.dll). Then
the hard part is a randomly named file that gets left in
the system32 area. This is where the problems come from:
every time you reboot the PC it deletes itself and
creates a new randomly named file, so it's very difficult
to fully remove this. The random-named file is 6 or 7
letters long with .exe, such as qrrqqqs.exe or
yzuwzw.exe, that type of entry. If this isn't removed with
the other files then it will do a fresh install when you
reboot the machine and put the rest back. Ewido will find
this file and remove it in safe mode.

Here's a fix for Aurora but it needs to be run in safe
mode:

Open a Notepad document (click on Start, All Programs,
Accessories, Notepad) and copy the following text into a
new file:

@ECHO OFF
REM Run from Safe Mode. Calls Aurora's own uninstaller, then
REM removes the SvcProc service and the files it restores.
cd %windir%
Nail.exe /fullremove
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear system/read-only/hidden attributes so del works
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure
the "Save as type" field says "All files".


Next, download these:

Ewido Security Suite :
----------------------
Please download, install, and update the free version of
Ewido trojan scanner:

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".

From the main ewido screen, click on update in the left
menu, then click the Start update button.

After the update finishes (the status bar at the bottom
will display "Update successful"), exit Ewido. DO NOT
scan yet.


Download CCleaner
------------------
http://www.ccleaner.com/ccdownload.asp

Download and install, but do not run it yet.



Next step is to boot into safe mode:
------------------------------------

Reboot into Safe Mode.

Restart your computer and keep tapping the F8 key on your
keyboard.

When you see the options screen, choose Safe Mode from the
list. This is required: some files cannot be removed
unless you're in Safe Mode.


Once in Safe Mode, please double-click on remove.bat. A
window should open and close very quickly; this is normal.


Next, run Ewido.

Click on the Scanner button in the left menu, then click
on Complete System Scan. This scan can take quite a while
to run.

If Ewido finds anything, it will pop up a notification.
If it's clearly described as malware (Trojan, Spyware
etc.), have Ewido remove the entry.

When the scan finishes, click on "Save Report". This will
create a text file. Save it to the desktop in case it's
needed later.

When Ewido has finished, next clear the Prefetch folder:

go to the Start menu, then Run, and type:

prefetch

Delete the contents of this folder (left-click and
highlight the files by holding the left mouse button and
covering all the files, then right-click and choose Delete).

Next run CCleaner and choose 'Run Cleaner'. Run it twice
to make sure it's clear, then use the 'Issues' button and
scan for errors. Fix any that are detected.

Reboot and see how things look. If you are clean you will
need to clear System Restore in case any restore points
have been made since you were infected. Post back if you
need help on that.

If the problem is still there then we can use Nailfix to
remove the entries, but try the above first and let us
know if you have any problems.

Regards

Andy
 
Andy!

I want to know if Spybot removes Aurora!

2005-08-05
Hijacker
+ Network Essentials.Search-Exe + CoolWWWSearch.HomeSearch
Malware
+ Trek Blue Error Nuker ++ DDE Control ++ ShowMyBar +
*AbetterInternet.Aurora* ++ RealDownloadExpress ++ Zippy +
CoolWWWSearch (8)
Spyware
+ 180Solutions.SearchAssistant (6)
Trojan
++ Hookdump ++ Qoologic (7)
Total: 258460 fingerprints in 27694 rules for 1636 products.

--
plun



Hey Plun

I noticed your post. Sorry mate, I'd already sent mine by
then. I've just infected an unpatched PC with Aurora and
it's now bundled with loads of other stuff. I saw some
options to choose yes or no to install, chose yes for
BetterInternet, then it hung and said Internet Explorer
has encountered a problem and needs to close, then the
system froze and Explorer disappeared, which meant I had
no controls so had to reboot. Now I have all this:

(Aurora, Hotbar, Huntbar, Aproposmedia, VirtualBouncer,
Cashbackbuddy, CrystalPalace, NaviSearch, TheBullseyesNetwork,
SurfSidekick, SideSearch, Winfixer2005, Windows AFA
Internet Enhancement, Websearch, Reg Cleaner and Ad
Destroyer, Virus Hunter & KAS-KillAllSpyware)

The system is just having a hard time keeping up with
them. It's taking forever to do anything, so I will just
try the scanners as soon as it looks like the downloads
are finished. I'm getting low virtual memory warnings
which I think are bogus :) If you don't hear back from the
other user I will test Spybot first and see how it does,
but it will take me a while as I want to upload some of
the files at Jotti's site and make a note of what the
files are, but I'll post back later.

Here's my HijackThis log up to now (**NOTE: there's only
about 15 genuine entries there ;)

Logfile of HijackThis v1.99.1
Scan saved at 17:25:46, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\windows\system32\kojqjy.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\7u0lnr4s.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
C:\WINDOWS\System32\jaobao.exe
C:\Program Files\WinFixer 2005\wfx5.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\dxmwave.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system\nmgfdbgl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\dpvui.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\HbTools\Bin\4.6.4.0\HbtWeatherOnTray.exe
C:\PROGRA~1\REGIST~1\Regclean.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andy
Manchesta\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-
A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32
\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1
\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE
C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32
\lanbrup.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program
Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [7u0lnr4s] C:\WINDOWS\System32
\7u0lnr4s.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program
Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program
Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program
Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [HbTools] C:\Program
Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [nctvkfoj] C:\WINDOWS\System32
\ibehhwgx.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program
Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [System service62]
C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ss9h3tP] dxmwave.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [czcipqg] c:\windows\system32
\kojqjy.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32
\jaobao.exe reg_run
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program
Files\HbTools\Bin\4.6.4.0\HbtWeatherOnTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32
\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program
Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [dBqnRjj5Q] dpvui.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program
Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1
\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertAjWxSzNn] rundll32
shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1
\soproc.exe -pack RegSoAlertAjWxSzNn
O4 - Startup: AdDestroyer.lnk = C:\Program
Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: ShopperReports - Compare travel rates -
{946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program
Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll
O9 - Extra button: ShopperReports - Compare product
prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} -
C:\Program Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-
EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-
F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: ewido security suite control - ewido
networks - C:\Program Files\ewido\security
suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) -
Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service
(TBPSSvc) - Unknown owner - C:\PROGRA~1
\Toolbar\TBPSSvc.exe


Andy
 
Great Andy!

Best luck ;)

--
plun

 
Hi Again Plun

Sorry for the delay. Things got out of hand and I had to
pull the network connection for a while, then took a break
for the night and went out with friends.

Spybot failed and didn't do much to Aurora in normal mode.
It removed the registry entries for svcproc and said it
fixed the folder Aurora in the registry and the shell
explorer=nail.exe entry, but it didn't delete any of the
files svcproc.exe, nail.exe or the random named file, so
within 10 minutes it had registered back as a service and
was running again.

Here's the results, but it will take a lot of space.

First I removed all these with MS AntiSpyware but left
Aurora in place, then removed the network connection once
it showed Navidad, but it was maybe something else using
the same filenames as it went very easily by MSAS and
there were no traces left this morning when I came back
to the PC and reconnected it to the network.

Memory threats detected: 7\1161
Threat files detected: 204\9086
Registry threats detected: 1257\9387
Cookie threats detected: 0\0

Threats
ShopAtHome Spyware (removed)
SafeSurfing Dialer (removed)
AproposMedia Browser Modifier (removed)
Unclassified.Spyware.61 Spyware (removed)
BookedSpace Browser Plug-in (removed)
IST.ISTbar Browser Modifier (removed)
Navidad Worm (removed)
ABetterInternet.Stop Popup Ads Now Adware
Transponder.ABetterInternet Adware
eXact.CashBack Adware (removed)
eXact.NaviSearch Adware (removed)
eXact.BullseyeNetwork Adware (removed)
Begin2Search Browser Plug-in (removed)
eXact.Downloader Trojan Downloader (removed)
SurfSideKick Settings Modifier (removed)
PacerDMedia.Installer Trojan Downloader (removed)
Transponder.ABetterInternet.Aurora Adware
Transponder.ABetterInternet.DrPMon Adware
Trojan.Downloader.KavSvc Trojan Downloader (removed)
ShopAtHome.Downloader Trojan Downloader (removed)
AFA Internet Enhancement Browser Modifier (removed)
Trojan.Startup.NameShifter.Zwq Trojan (removed)
Begin2Search.BigTrafficNet Adware (removed)
Trojan.Downloader.Qoologic Trojan Downloader (removed)
Trojan.Startup.NameShifter.BT Trojan (removed)
DSrch Spyware (removed)
Trojan.Dinst Trojan (removed)
Trojan.BHO.NameShifter.FP Trojan (removed)
Trojan.pokapoka62 Trojan (removed)
AdDestroyer Adware (removed)
eXact.BargainBuddy Adware (removed)
IBIS Toolbar Adware (removed)
PeopleOnPage Browser Modifier (removed)
ICanNews Adware (removed)
eXact.SearchBar Browser Plug-in (removed)
Virtual Bouncer Adware (removed)
Hotbar.ShoppingReports Adware (removed)
Hotbar Adware (removed)
Total scan time: 8 mins 40 secs

When I returned and put the PC back on the network I then
used Spybot, which found these. I will leave off the files
& reg entries to save space except for Aurora's:

All-In-One Telcom:
CoolWWWSearch.Aboutblank:
HotsearchBar:
AproposMedia:
Alexa Related:
HuntBar:
IE Plugin:
ErrorGuard:
VBouncer:

AbetterInternet: Settings (Registry key, fixed)
-------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc
AbetterInternet: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc
AbetterInternet: Web page (File, fixed)
C:\WINDOWS\abiuninst.htm
AbetterInternet: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
AbetterInternet: Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{BF56BE6A-0AEA-45F3-8B10-7312876584A8}
AbetterInternet: Data (File, fixed)
C:\WINDOWS\ISSM0064.DAT
AbetterInternet: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1606980848-1229272821-725345543-1004\Software\aurora
AbetterInternet: Installer (File, fixed)
C:\WINDOWS\inf\banner.inf
AbetterInternet.Aurora: Temporary folder (Directory, fixed)
C:\Documents and Settings\Andy Manchesta\Local Settings\Application Data\..\Temp\DrTemp\
AbetterInternet.Aurora: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=...C:\WINDOWS\nail.exe...

----------------------------------------------------------

Maybe they would have done better if they had all been
run in safe mode. I still had IE hijacks and Trojan
entries, plus Aurora was back running and showing pop-ups
after about 10 mins on the PC.

Here's the malicious entries left in the HijackThis log
after running the above scanners in normal mode:

C:\PROGRA~1\REGIST~1\Regclean.exe
c:\windows\system32\hxjedjl.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\Program Files\FreePhone\FreePhone.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-
A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-
AD86688403AE} - C:\WINDOWS\System32\yeeltnvj.dll
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32
\lanbrup.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [jaoydw] c:\windows\system32
\hxjedjl.exe r
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1
\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertAjWxSzNn] rundll32
shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1
\soproc.exe -pack RegSoAlertAjWxSzNn
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-
F1817EDFA5FC} - (no file)

Notice the random named file for Aurora is still there.
You can see it easily as it always has .exe r, even though
the file changes its name each time I boot, & the nail
entry is still there, but the Svcproc entry wasn't showing
as a service anymore (O23 entry), but while I was scanning
with MSAS it returned.

Then back to MSAS and that found these:

Memory threats detected: 0\780
Threat files detected: 95\9049
Registry threats detected: 45\9387
Cookie threats detected: 0\0

Threats
ShopAtHome Spyware (removed)
Transponder.ABetterInternet Adware (removed)
SearchMiracle.EliteBar Browser Plug-in (removed)
Transponder.ABetterInternet.Aurora Adware (removed)
DSrch Spyware (removed)
Trojan.BHO.NameShifter.FP Trojan (removed)
Total scan time: 3 mins 26 secs

New HijackThis log after using MSAS, only bad entries
listed here:

Logfile of HijackThis v1.99.1
Scan saved at 08:05:19, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

C:\PROGRA~1\REGIST~1\Regclean.exe
c:\windows\system32\knjtxo.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-
A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32
\lanbrup.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [xcgive]c:\windows\system32\knjtxo.exe r
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1
\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertAjWxSzNn] rundll32
shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1
\soproc.exe -pack RegSoAlertAjWxSzNn
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-
F1817EDFA5FC} - (no file)
O23 - Service: System Startup Service (SvcProc) -
Unknown owner - C:\WINDOWS\svcproc.exe

Then Ewido Security Suite:

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Andy Manchesta\Local Settings\Temp\delwbi.tmp -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Andy Manchesta\Local Settings\Temp\labpengs.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\Downloaded Installations\banner.cab/banner.dll -> Spyware.Banex : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\rramcx.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\knjtxo.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup

The problems still existed in the HijackThis log, so then
I rebooted into safe mode and ran the batch file from my
last post, MSAS & Ewido.

MSAS:

Spyware Scan Details
Start Date: 07/08/2005 08:42:28
End Date: 07/08/2005 08:45:43
Total Time: 3 mins 15 secs

Detected Threats

Transponder.ABetterInternet.Aurora

Infected registry keys/values detected

HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUs3t5icky4S 1-
119035:2:218.497-25168:2:218.031-6466:2:218.476-
8081:1:219.037-7985:2:218.017-8082:1:219.038-
6542:2:219.071-8080:1:219.099
HKEY_CURRENT_USER\Software\aurora AUE3v5nt 0
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSBath 10000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSysSInf 2000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSCheckSIn 45
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSMots 100
HKEY_CURRENT_USER\Software\aurora AUL3n5Title 60
HKEY_CURRENT_USER\Software\aurora AU3N5a7tionSCode UK
HKEY_CURRENT_USER\Software\aurora AUD3s5tSSEnd '>-
,ÀÀÍZ^ÌZ^"~Á-Àfݾ?Üo>o
HKEY_CURRENT_USER\Software\aurora AUC3u5rrentSMode 1
HKEY_CURRENT_USER\Software\aurora AUC3n5trMsgSDisp 48
HKEY_CURRENT_USER\Software\aurora AUC3n5tFyl 0
HKEY_CURRENT_USER\Software\aurora AUM3o5deSSync 9
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUL3a5stSSChckin 1088
HKEY_CURRENT_USER\Software\aurora AUL3a5stMotsSDay 7
HKEY_CURRENT_USER\Software\aurora AUP3D5om .?"-
^?'?",<^YÌ'Y
HKEY_CURRENT_USER\Software\aurora AUB3D5om >??ZS>">??"S-
ÜT?ZTf<T?Á?.
HKEY_CURRENT_USER\Software\aurora AUs3t5icky1S lflshdt%
3D1123398489%26capdatedy%3D0807%26capdate%3D073%
26lstlogdt%3D20050807%26capcntdy%3D0%26cntp%3D%26capcnt%
3D0%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky2S fstcidt%
3D1123398489169%26
HKEY_CURRENT_USER\Software\aurora


Ewido:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:40:38, 07/08/2005

C:\WINDOWS\system32\snwtgyy.exe ->
Adware.BetterInternet : Cleaned with backup


The HijackThis log didn't look much better, so then I
fixed the remaining entries using HijackThis: the IE
address lines and the F2 shell entry for nail.exe, as I
was getting errors that nail couldn't be found when I
started the PC. Finally cleared the prefetch folder, temp
folders and cookies and it's fixed ;)

Maybe they have changed Aurora. I'm not sure why I had so
many problems with it this time or where all the other
Trojans and other programs came from; it kept crashing IE
and Explorer, which meant I had to keep rebooting, and it
just seemed to keep downloading more and more malware. It
shows all the fixes for Aurora need to be run in safe
mode to fully remove it, and the most important thing I've
learnt out of this is how important SP2 and the security
patches are.

I don't want to repeat that anytime soon, but it's good to
see the problems some people face with this junk if they
don't have a fully patched system. My main PC is well
protected so I've never seen this amount of problems come
from one place before; they must be affiliated to all this
other junk in some way now.

Don't you just love DirectRevenue ;)

Andy
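Andy's observation above that Aurora's random-named file always shows up in an O4 line with the bare argument `r`, together with the Nail.exe shell hook and the SvcProc service he described in his first post, can be turned into a small triage of a HijackThis log. The Python below is an added example, not a tool from this thread; the sample lines are constructed in the shape of entries posted above and the patterns are mine.

```python
"""Flag Aurora/ABetterInternet persistence points in a HijackThis log.

Added example for this thread, not a tool from it. Three indicators taken
from the posts above: the system.ini Shell hook that appends Nail.exe,
O4 Run entries launching a 6-7 letter random exe in system32 with the bare
argument "r", and the SvcProc service."""
import re

# Constructed sample in the shape of the thread's HJT entries (not a real log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [czcipqg] c:\windows\system32\kojqjy.exe r
O4 - HKLM\..\Run: [xcgive]c:\windows\system32\knjtxo.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# F2 shell hook: the Shell value should be exactly Explorer.exe.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.I)
# O4 autostart "[name] command"; HJT sometimes omits the space after "]".
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
# O23 service; the "(ServiceName)" part is absent when it equals the display name.
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$", re.I)
# Aurora's re-created runner: 6-7 letters, in system32, launched as "<name>.exe r".
RANDOM_RUNNER_RE = re.compile(r"system32\\(?P<file>[a-z]{6,7}\.exe) r$", re.I)


def triage(log_text):
    """Return (indicator, detail) pairs in log order; an empty list means none found."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            shell = m.group("shell").strip()
            if shell.lower() != "explorer.exe":
                findings.append(("shell-hook", shell))
            continue
        m = RUN_RE.match(line)
        if m:
            r = RANDOM_RUNNER_RE.search(m.group("cmd").strip())
            if r:
                findings.append(("random-runner", r.group("file").lower()))
            continue
        m = SVC_RE.match(line)
        if m:
            svc = (m.group("svc") or "").lower()
            path = m.group("path").strip()
            if svc == "svcproc" or path.lower().endswith("\\svcproc.exe"):
                findings.append(("svcproc-service", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Normal autostarts such as ctfmon.exe or the ewido service produce no finding, so the output lists only the entries the thread's fix has to remove.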
 
Thank you Andy for a (as usual) perfect test!

Back to basics and your standard recipe.

:')

--
plun

 
No problem Plun,

It wasn't as much use as I intended it to be; because of
all the other problems, Aurora wasn't my main concern, and
I'm not sure now if my usual fix is fully working for this.
HijackThis may be needed to repair the Winlogon\
Shell=... C:\WINDOWS\nail.exe entry, as it kept giving
errors when it rebooted saying it couldn't find nail even
after all the cleaning, so it means it wasn't repaired.

I will try to write a batch file or a reg fix for this part;
then the usual script would be fine: safe mode, then the
batch file I posted in the first reply or Nailfix, Ewido &
CCleaner. Now the system's clean and I've had a bit of a
break from it, I'm eager to get Aurora again and find an
easy way to kill it. Spybot's release that they included
Aurora is very deceiving, as it doesn't even attempt to
remove any of the files, and MSAS missed nail.exe,
drpmon.dll, svcproc.exe and the random file this time, but
they used to remove some, so maybe Aurora has changed a bit.

There must be an easy way to kill this in the same way
mypctuneup does, but I believe theirs is just based on the
nail.exe /fullremove batch file, except for them logging
the ISP, IP and leaving the web bug or "Marker" as they say,
and cookies.

I'll keep working on it for now ;)
 
Hi Andy

Your tests give more than visiting a lot of forums!
So this is great!

But I really hope that MS can get around this EULA problem
with Direct Revenue with a "maybe a not wished program" detection
to a user. And then it's up to the user to decide if he/she breaks the
EULA for abetterinternet ;)
 
I downloaded & ran Spybot with the most current definitions
this morning, but it didn't faze Aurora.
 
Hi again Plun,

I've tried this a few times today and it's like a lottery.
The first download got all that I posted originally; the
second was better, IE didn't crash but explorer.exe did a
few times, and I got pop-ups that time for eXact,
websearch/IBIS, Hotbar and PacerDMedia, which I'd just
closed so they didn't get downloaded, but all the rest
still did without consent. It's still showing Navidad,
which is strange, but I'm sure it's not the worm as it goes
far too easily using MSAS and causes no damage, but it's
the same filenames.

The Spybot detection for CoolWebSearch I also think was
false; IBIS websearch was removed, which may have set
everything to about:blank, and that's maybe what was
detected. There were no obvious signs of a CWS infection.

The problem with the fix is Ewido: it now cannot clean the
infection even in safe mode unless it's run a few times,
but to be fair no other remover can either. The batch file
I posted is also no use now, as it doesn't stop Explorer so
the files do not get removed.


The only fix I've got up to now is to download Nailfix,
Ewido & CCleaner as usual:

Nailfix:
--------

http://www.noidea.us/easyfile/file.php?download=20050711214630636

or

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3719.0;id=310


Ewido (install & update in normal mode, use in safe mode):
------
http://www.ewido.net/en/


Ccleaner:
---------
http://www.ccleaner.com/ccdownload.asp


Then go to the Start menu, choose Run and type:

services.msc

When this opens, click 'Name' to sort them in order and find:

System Startup Service

Right-click it, choose Properties, press 'Stop', change the
startup type from 'Automatic' to 'Disabled' and click Apply.
This is svcproc.exe.

Next boot into safe mode (reboot and keep tapping F8, then
choose Safe Mode from the list).

Once you are in safe mode, double-click Nailfix.exe and
then follow the instructions. explorer.exe will be stopped
for a few seconds, then your desktop icons and taskbar will
come back.

Next run Ewido on a complete scan as many times as it
takes to remove the files. It took me 3 full scans.

Also use MS AntiSpyware, as that does better at detecting
some of the junk that is now being bundled with Aurora.

Finally use CCleaner twice on both settings, 'Run Cleaner'
and 'Issues', and clear all problems.

Clear the prefetch folder: go to Start, Run and type

prefetch

and delete the contents of this folder.

Then reboot back to normal mode and that's it.

If there are any errors about not being able to find
nail.exe, it means it's still hooked to Explorer even
though the file is missing, but I made a quick regfix to
restore that line which I can post. Also Spybot showed it
fixed that line, so maybe run a scan with that.


Andy
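The script below is an added example, not code from this thread or from HijackThis, Nailfix or Ewido. It takes a HijackThis log of the kind Andy is reading above (a constructed sample, modeled on the entries posted in this thread, one entry per line, since the archive has wrapped the posted logs) and picks out the three Aurora hooks the thread keeps coming back to: the Winlogon Shell=Explorer.exe C:\WINDOWS\nail.exe entry that Andy says needs a reg fix, the "System Startup Service" (SvcProc) that the procedure stops by hand in services.msc, and the random named loader in system32. It then writes those findings out as the same reg, sc, attrib and del commands a Safe Mode batch file would run. The registry paths are standard; the 5 to 8 lowercase-letter name heuristic and the lone " r" argument are assumptions taken from the names in the posted logs, not a scanner signature, and the ctfmon.exe line is there to show why the name alone is not enough.

```python
"""Triage a HijackThis log for the Aurora persistence entries discussed in
this thread and emit the matching cleanup commands as a batch file.

Added example, not code from the thread or from HijackThis/Nailfix/Ewido.
The sample log, the 5-8 lowercase-letter loader-name heuristic and the lone
" r" argument are assumptions drawn from the logs posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Components named in the thread: nail.exe, svcproc.exe, DrPMon.dll.
KNOWN_AURORA_FILES = ("nail.exe", "svcproc.exe", "drpmon.dll")
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample log (one HijackThis entry per line).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\yeeltnvj.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [xcgive] c:\windows\system32\knjtxo.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (.+?) \((\w+)\) - .+? - (.+)$", re.I)
# Aurora's loader: short random lowercase name in system32, started with a
# lone " r" argument. The name alone is not enough (ctfmon.exe would match),
# so the location and the argument are both required.
LOADER_RE = re.compile(r"^(?P<path>.*\\system32\\(?P<name>[a-z]{5,8})\.exe) r$", re.I)
FILE_RE = re.compile(r'[a-z]:\\[^\s"]*?(?:nail\.exe|svcproc\.exe|drpmon\.dll)', re.I)


@dataclass
class Finding:
    line: str
    reason: str
    fixes: list = field(default_factory=list)


def _mentions_known_file(text):
    low = text.lower()
    return any(name in low for name in KNOWN_AURORA_FILES)


def _file_fixes(text):
    """attrib/del pairs for every known Aurora file path found in text."""
    fixes = []
    for path in FILE_RE.findall(text):
        fixes.append('attrib -s -r -h "%s"' % path)
        fixes.append('del /f "%s"' % path)
    return fixes


def triage(log_text):
    """Return one Finding per HijackThis line that is an Aurora hook."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            shell = m.group(1).split()
            # Anything besides a bare Explorer.exe is a Winlogon Shell hijack.
            if len(shell) != 1 or shell[0].lower() != "explorer.exe":
                f = Finding(line, "Winlogon Shell hijacked: " + m.group(1))
                f.fixes.append('reg add "%s" /v Shell /t REG_SZ /d Explorer.exe /f' % WINLOGON_KEY)
                f.fixes += _file_fixes(line)
                findings.append(f)
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            loader = LOADER_RE.match(cmd)
            if loader and loader.group("name").islower():
                f = Finding(line, "random-named Aurora loader run with ' r'")
                f.fixes.append('reg delete "%s" /v "%s" /f' % (RUN_KEYS[hive.upper()], name))
                f.fixes.append('attrib -s -r -h "%s"' % loader.group("path"))
                f.fixes.append('del /f "%s"' % loader.group("path"))
                findings.append(f)
            elif _mentions_known_file(cmd):
                f = Finding(line, "known Aurora file in Run key")
                f.fixes.append('reg delete "%s" /v "%s" /f' % (RUN_KEYS[hive.upper()], name))
                f.fixes += _file_fixes(cmd)
                findings.append(f)
            continue
        m = O23_RE.match(line)
        if m:
            display, svc, path = m.groups()
            if svc.lower() == "svcproc" or _mentions_known_file(path):
                f = Finding(line, "Aurora service %s (%s)" % (svc, display))
                f.fixes += ["sc stop %s" % svc, "sc config %s start= disabled" % svc, "sc delete %s" % svc]
                f.fixes += _file_fixes(path)
                findings.append(f)
            continue
        if _mentions_known_file(line):
            findings.append(Finding(line, "references a known Aurora file", _file_fixes(line)))
    return findings


def cleanup_script(findings):
    """Batch text with the de-duplicated fixes, in log order."""
    lines = ["@echo off", "rem Generated from a HijackThis log; run from Safe Mode."]
    seen = set()
    for f in findings:
        for fix in f.fixes:
            if fix not in seen:
                seen.add(fix)
                lines.append(fix)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-45s <- %s" % (f.reason, f.line))
    print(cleanup_script(found))
```

The generated batch only repairs what the log shows, so it will not catch the copy of the loader that Aurora drops under a new name at the next boot; as the thread says, it has to be run from Safe Mode, and the del lines still fail while Explorer has nail.exe loaded, which is what Nailfix deals with by stopping Explorer first.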
 
We are back to the usual fix again for this now; maybe
worth including Spybot S&D to fix the shell=nail line.
Ewido have updated their scanner today and I've posted the
results to the author of Nailfix so he will upgrade that if
needed. Ewido now addresses the problems and removes Aurora
without it needing to be run a few times when combined with
Nailfix. I'd posted on a site Ewido uses yesterday about
files that were being missed, and they have been included
in today's updates, which is great news. Maybe they were
already working on them though, but either way it's good to
see them included in the database.

Regarding all the other stuff that was downloaded in the
test, it's unlikely most users will face that. I've tested
a few download addresses and it was only a couple from
grandstreet and betterinternet that will attempt to install
all that. The FreePhone is another one to avoid: the
installer address I've got brings Aurora, the Epolvy trojan
& FreePhone, but the download from BetterInternet's site
brings Ceres & FreePhone, so they just seem to be mixing
things up a bit.

While I'm posting, there's also another Ad-Aware update in
the next couple of days for these:

New definitions:
Trojan.PGPcoder, ZangoMessenger, ZToolbar

Updated definitions:
DyFuCA, istbar+2, SahAgent, VX2+8 & Win32.TrojanDropper

Regards Andy
 
Same problem: Microsoft AntiSpyware identifies
Transponder.ABetterInternet.Aurora Adware and the
infected file c:\windows\nail.exe, which it deletes.
However, c:\windows\nail.exe reappears with a creation
time that coincides with (just after) the end of the
Microsoft AntiSpyware scan and repair.
 