Hi, I've removed this a few times using reg fixes and different removers, but tested the mypctuneup uninstaller last week and it really speeds things up when used with a couple of other programs.
Stop svcproc by going to Start, then Run, and type:
services.msc
then press Enter. Press Name on the services list to sort them into order, then find svcproc, right click and choose Properties. On this screen press 'Stop', then change the startup type from 'Automatic' to 'Disabled', press Apply then exit.
The uninstaller from mypctuneup helps but didn't remove bolger.dll or DrPMon.dll, as these were in the system restore area (not sure how, as I never set a restore point). The uninstaller also didn't remove the random file in the system folder, and it also left an entry in windows >Lastgood.
Ran aurora.exe (aurora disappears), which created the random names and the svcproc, nail and bolger entries in HijackThis.
These are the entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [Smtmiz] C:\WINDOWS\miahzo.exe (this file changes its name each time you boot - but it will be in the same place in the log)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
Every time I reboot the random filename in the windows folder changes, plus I get error messages saying cannot find c/documents each time I reboot.
Once I opened an internet window I started getting the pop-ups for ringtones & top 30 chart tones.
Most of the scanners I used found the adware (Spysweeper, Spybot & Adaware) but I left it all in place to check the uninstaller from mypctuneup.
Downloaded the uninstaller from www.mypctuneup.com and saved it to desktop.
Ran the uninstaller in normal mode as it needs to connect to the internet, got the message saying it was now uninstalled and I needed to reboot to finish the removal.
Rebooted and checked HijackThis (random files and bolger still exist, plus a new R0 search assistant line now showing in HijackThis but no address at the end. Nail, Svcproc & the run command for the random file have been removed).
Next I ran Ewido on a full scan in safe mode (reboot and keep tapping F8, then choose safe mode) and it found two random files:
C:\WINDOWS\LastGood\vhnxhlfnlqa.exe
C:\WINDOWS\system32\miahzo.exe
Spyware.BetterInternet -> Cleaned without backup
Ran Adaware SE on a full system scan, which found the remaining Aurora files which were in the system restore area. Here's some of the results page:
Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2 Object Recognized!
Type : File
Data : A0000484.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8FE56BBB-AC57-40EE-9F8C-616AA6F0D4ED}\RP12\
FileVersion : 0, 12, 4, 96
ProductVersion : 0, 12, 4, 96
ProductName : bolger
CompanyName : Bolger
FileDescription : www.abetterinternet.com
InternalName : bolger
LegalCopyright : Copyright © 2005
OriginalFilename : bolger.dll
Comments : www.abetterinternet.com
VX2 Object Recognized!
Type : File
Data : A0000486.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8FE56BBB-AC57-40EE-9F8C-616AA6F0D4ED}\RP12\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright (C) 2005
OriginalFilename : DrPMon.dll
VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions
Value : iexplore.exe
As it was showing 2 being in the system restore, I removed them anyway using Adaware to clear the reg entries, then cleared the system restore and rebooted.
(To turn off system restore go to Start > right click My Computer and choose Properties > then System Restore > check the box that says 'Turn off System Restore', then Apply and exit. This is required, and it can be re-enabled once you are clean by following the same as above but unchecking the box 'Turn off System Restore'.)
I ran HijackThis and there were no traces left except the new R0 search assistant line, so closed all windows, checked that entry and pressed 'Fix Checked'.
I also used Ccleaner on all 3 settings (Windows, Applications and Issues) to remove any other traces in the temp files, then reset web settings (open an internet window > go to Tools on the top bar > then Internet Options > then Programs > and press 'Reset Web Settings') then rebooted.
After running the uninstaller from mypctuneup and both Ewido and Adaware in safe mode and Ccleaner, it's now cleared Aurora.
No scanners are showing any problems (Ewido, Spysweeper, Spybot, Adaware etc.) plus the HijackThis log is clear, and no ringtone pop-ups.
Regards Andy
Download these:
Ad-Aware SE
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=sptlt_s
Ewido Security Suite:
http://download.ewido.net/ewido-setup.exe
Ccleaner:
http://download.ccleaner.com/download119bin.asp
While I'm posting, here are results from Jordi Bosveld's site for the main files of Aurora so you know what scanners target them.
Aurora.exe
INFECTED/MALWARE
MD5 1f5cb7887de415347034735cc05480be
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
Avast Found Win32:Trojano-1373
AVG Antivirus Found nothing
BitDefender Found Trojan.Spybi
ClamAV Found Trojan.W32.Spybi
Dr.Web Found Trojan.Spybi
F-Prot Antivirus Found nothing
Fortinet Found Adware/Abetterintrnt
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.c
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* File length: 217088 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\dvrszibcpua.exe.
* Creates file C:\WINDOWS\jwfbcd.exe.
[ Process/window information ]
* Creates a mutex amanlcprhxjgmhnuuyfbkxhmp.
* Enumerates running processes.
* Enumerates running processes several parses....
* Modifies other process memory.
* Creates a remote thread.
VBA32 Found AdWare.BetterInternet.c
Bolger.dll
Status: INFECTED/MALWARE
MD5 67da1e869864f3b17dbd66e58a3d29c5
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found Win32:Bolger
AVG Antivirus Found nothing
BitDefender Found Trojan.BettInet.172032.DLL
ClamAV Found nothing
Dr.Web Found not a virus Adware.BetterInternet
F-Prot Antivirus Found nothing
Fortinet Found Adware/Abetterintrnt
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet
mks_vir Found .Betterinternet.J
NOD32 Found nothing
Norman Virus Control Found W32/BetterInternet
VBA32 Found AdWare.BetterInternet
DrPMon.dll
Status: INFECTED/MALWARE
MD5 6f9c45b6886d1ba6df97914a78b48bf3
Packers detected: -
Scanner results
AntiVir Found TR/Click.Age.DB.Dll
Avast Found Win32:Trojano-1375
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Drpmon
F-Prot Antivirus Found nothing
Fortinet Found W32/Agent.DB-tr
Kaspersky Anti-Virus Found Trojan.Win32.Agent.db
mks_vir Found Trojan.Agent.Db
NOD32 Found Win32/Agent.DB
Norman Virus Control Found W32/Agent.CSZ
VBA32 Found Trojan.Win32.Agent.db
Nail.exe
Status: INFECTED/MALWARE
MD5 d959377938f29d91ca1cd533fea2efbb
Packers detected: ASPACK
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Adware.Nail.A
ClamAV Found nothing
Dr.Web Found Trojan.Nail
F-Prot Antivirus Found nothing
Fortinet Found W32/Nailed.A-tr
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.b
mks_vir Found Trojan.Nail.B3
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found Trojan.Nail
svcproc.exe
Status: INFECTED/MALWARE
MD5 be4b9d69e562409d621a8bd4cf74a646
Packers detected: PE_PATCH, UPX
Scanner results
AntiVir Found TR/Stervice.C
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Stervis.C
ClamAV Found nothing
Dr.Web Found Trojan.Stervis
F-Prot Antivirus Found W32/Agent.NN
Fortinet Found W32/Agent.NN
Kaspersky Anti-Virus Found Trojan.Win32.Stervis.c
mks_vir Found Trojan.Stervis.C
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found Trojan.Win32.Stervis.c
yuldnyt.exe (random filename)
Status: INFECTED/MALWARE
MD5 2173316d0b1da50219daf85545e85add
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
Avast Found Win32:Trojano-1373
AVG Antivirus Found nothing
BitDefender Found Trojan.Spybi
ClamAV Found Trojan.W32.Spybi
Dr.Web Found Trojan.Spybi
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.c
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* File length: 217088 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\dvrszibcpua.exe.
* Creates file C:\WINDOWS\jwfbcd.exe.
[ Process/window information ]
* Creates a mutex amanlcprhxjgmhnuuyfbkxhmp.
* Enumerates running processes.
* Enumerates running processes several parses....
* Modifies other process memory.
* Creates a remote thread.
VBA32 Found AdWare.BetterInternet.c
MyPCUninstaller.exe
Status:
(Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 6fb6a7e947b13bdddddbf5f57b30c0ca
..
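As an added example (not part of Andy's post or of any tool he mentions), here is a small Python triage script that reads HijackThis-style log lines and flags the Aurora indicators listed in the post: the extra program on the F2 Shell= line, the Bolger BHO CLSID, the random-named loader sitting directly in C:\WINDOWS, the SvcProc service, and the empty R0 SearchAssistant value left after the uninstaller ran. The sample log is constructed from the entries quoted above plus one benign control line, and the name-length heuristic for the random loader is an assumption, not a rule from the post.

```python
import re

# Constructed sample in HijackThis log format. The first five lines are the entries
# quoted in the post above; the last line is a benign control entry added here.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [Smtmiz] C:\WINDOWS\miahzo.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Indicators taken from the post: the Bolger BHO CLSID and the SvcProc service name.
BOLGER_CLSID = "{302A3240-4805-4a34-97D7-1645A0B08410}".lower()
AURORA_SERVICES = {"svcproc"}
# Assumed heuristic: the per-boot renamed loader is a short all-letter .exe directly in C:\WINDOWS.
RANDOM_LOADER = re.compile(r"^c:\\windows\\[a-z]{5,12}\.exe$", re.IGNORECASE)

def triage_hijackthis(log_text):
    """Return a list of (entry_type, reason, line) for each line matching an Aurora indicator."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]   # F2, O2, O4, O23, R0 ...
        low = line.lower()
        if kind == "F2" and "shell=" in low:
            # A clean system.ini Shell= line ends at Explorer.exe; anything appended is injected.
            shell_val = line.split("Shell=", 1)[1].strip()
            if shell_val.lower() != "explorer.exe":
                hits.append((kind, "extra program appended to Shell=", line))
        elif kind == "O2" and BOLGER_CLSID in low:
            hits.append((kind, "Bolger BHO CLSID", line))
        elif kind == "O4":
            target = line.split("]", 1)[1].strip() if "]" in line else ""
            if RANDOM_LOADER.match(target):
                hits.append((kind, "random-named loader in Windows folder", line))
        elif kind == "O23":
            m = re.search(r"\(([^)]+)\)", line)   # service short name in parentheses
            if m and m.group(1).lower() in AURORA_SERVICES:
                hits.append((kind, "Aurora service " + m.group(1), line))
            elif "unknown owner" in low:
                hits.append((kind, "service with unknown owner", line))
        elif kind == "R0" and low.endswith("="):
            hits.append((kind, "empty SearchAssistant value left behind", line))
    return hits
```

Run `triage_hijackthis(SAMPLE_LOG)` to get the five flagged entries; the ctfmon control line is not reported.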