Spyware Found, Can't Fix

Thread starter: Sam

Sam

The spyware Transponder.ABetterInternet.Aurora.DrPMon is
detected on a system, Microsoft AntiSpyware tries to
clean it out, but on system reboot the spyware is back.

I have attempted various options, including Norton
AntiVirus which also displays the spyware but is unable
to remove it, and I have tried manual removal but a
process with 6 random letters continues to reappear--I'm
unable to find the source process.

Please advise if there are any fixes! Thanks very much!
 
The following steps could help.

1. Start Windows in Safe Mode.

Steps 2-4 are for manual removal; alternatively, run AntiSpyware and do a scan.

2. Find the known locations of the executable files and delete them.
3. Open regedit.
4. Delete the records related to that virus from the registry
carefully (!). It is suggested to make a backup of the registry before
starting to make any changes.

5. Restart windows in normal mode.

Good luck
 
Hi

From AndyManchesta; this method is used in a lot of forums.
--------------------------------------------------------------------------------------------
Aurora isn't easy to remove. Follow the fix below and email
me if you have any problems.

Upon running Aurora.exe, the following items are created:

- Deletes Aurora.exe & creates C:\WINDOWS\Nail.exe,
then a chain reaction:

C:\WINDOWS\system32\Poller.exe, which creates
C:\WINDOWS\system32\magihjz.exe [random filename]
C:\WINDOWS\svcproc.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\qvbdnifharv.exe
C:\WINDOWS\dbwqis.exe
C:\WINDOWS\GGEEINPO.ini
C:\WINDOWS\system32\magihjz.exe
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\lu.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\kwv2Temp.dat
C:\WINDOWS\wupdt.exe
C:\WINDOWS\TMP_FILE_0.tmp
C:\WINDOWS\TMP_FILE_1.tmp
C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt

Populates Internet Explorer cache with ads and tracking
cookies, and populates the user's Temp folder.

Creates a Run entry in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
for wupdt.exe & magihjz.exe so that it runs when the user restarts.


Nail.exe generates "exe" files in the System folder
with random names; they will be 74kb in size and have TODO
written when you right click and view properties. svcproc
is running as a Windows service; bolger.dll installs as a
BHO.


Looking at ABetterInternet's EULA :

----------------------------------------------------------
Uninstall and Remove Software - You may uninstall the
Software at any time by visiting www.mypctuneup.com.

Visiting www.mypctuneup.com is the primary method to
properly remove the Software. MyPCTuneUp will leave
behind a unique identifier on your computer for the sole
purpose of notifying ABI that you no longer want the
Software to operate on your computer.

This comes from BetterInternet though (makers of Aurora)

"The MyPCTuneUp uninstaller program will never collect
any personally identifiable information, it will not
install any additional programs, and it will delete
itself once it finishes the uninstall process."

Yet the EULA says

"Visiting www.mypctuneup.com is the primary method to
properly remove the Software. MyPCTuneUp will leave
behind a unique identifier on your computer for the sole
purpose of notifying ABI that you no longer want the
Software to operate on your computer."

Contradicts big time, but if you're infected you don't have
much to lose; it could fix it fast for you.

To go for this manually, here's the best way:

I know this involves a lot of programs, but I don't think any of the
scanners alone will remove this yet.

For Aurora Use This Fix
----------------------------------------------------------
For XP download Nailfix

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3261.0;id=294

Download the Remover to your desktop

Windows 2000: download nailfix2k

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3261.0;id=295

----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop
----------------------------------------------------------

Download the latest HijackThis and unpack it in its own folder
(either desktop or C: drive)

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download119bin.asp

----------------------------------------------------------


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


Start the ABIRemover.exe, press install, wait (the explorer
window will disappear)

In Safe Mode, please double-click on nailfix.bat (or
nailfix2k.bat if you have Windows 2000). Your desktop and
icons will disappear and reappear, and a window should
open and close very quickly.

Next run a full scan in Ewido

Hopefully this will kill this, but you can check for
entries in HijackThis. Reboot and run HijackThis, choose
to run a scan and save the logfile. The entries related to
this are these:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O4 - HKLM\..\Run: [hjnyDA] C:\WINDOWS\kkuibquo.exe (this
file changes its name, but it will be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown
owner - C:\WINDOWS\svcproc.exe


If you find them, put a tick beside them in HijackThis,
close all windows and choose "Fix checked".



Run an online virus scan to check for any other malware


Trend Micro http://housecall.antivirus.com/

Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm


If you are clean again you can delete nailfix, ewido and
ABI remover; if not, post the HijackThis log either on
here or to my email


Andy

--
plun
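As an added illustration (not part of Andy's post, nor code from any of the tools he links), the following Python checks a HijackThis log for the four Aurora-related entry types quoted above: the Shell= hijack, the BolgerObj BHO, the HKLM Run entry for a random-named exe, and the SvcProc service. The log lines it runs on are a constructed sample, and the rule that treats C:\WINDOWS\<letters>.exe as a dropper is an assumed heuristic, so its hits are items to review, not proof.

```python
import re

# Indicators taken from the HijackThis entries quoted in the post above.
BOLGER_CLSID = "{302A3240-4805-4a34-97D7-1645A0B08410}"
KNOWN_NAMES = {"nail.exe", "bolger.dll", "svcproc.exe", "wupdt.exe", "poller.exe"}
# Heuristic (assumption): a Run entry pointing at an all-letter exe directly in
# C:\WINDOWS (not system32) is treated as one of the random-named droppers.
RANDOM_EXE = re.compile(r"^c:\\windows\\[a-z]{5,12}\.exe$", re.I)

# Constructed sample log: four Aurora entries plus benign lines for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [hjnyDA] C:\WINDOWS\kkuibquo.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""


def classify(line: str):
    """Return a reason string if a HijackThis line matches an Aurora indicator, else None."""
    m = re.match(r"^(F2|O2|O4|O23)\s*-\s*(.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    low = rest.lower()
    if kind == "F2" and "shell=" in low:
        # system.ini Shell= must be exactly explorer.exe; anything appended is a hijack.
        value = low.split("shell=", 1)[1].strip()
        if value != "explorer.exe":
            return "system.ini Shell hijack: " + value
    if kind == "O2" and (BOLGER_CLSID.lower() in low or "bolger.dll" in low):
        return "BolgerObj BHO"
    if kind == "O4":
        # Path follows the bracketed value name; drop any trailing "(comment)".
        path = rest.rsplit("]", 1)[-1].strip().split(" (")[0]
        if path.split("\\")[-1].lower() in KNOWN_NAMES or RANDOM_EXE.match(path):
            return "Run entry for Aurora dropper: " + path
    if kind == "O23" and "svcproc" in low:
        return "SvcProc service"
    return None


def scan(log_text: str):
    """Return (line, reason) pairs for every indicator found in a HijackThis log."""
    return [(ln.strip(), classify(ln)) for ln in log_text.splitlines() if classify(ln)]


if __name__ == "__main__":
    for hit_line, reason in scan(SAMPLE_LOG):
        print(f"{reason:45s} <- {hit_line}")
```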



Sam wrote on 2005-06-22 :
 
Unfortunately this spyware is even active in Safe Mode--
when I stop/delete the spyware it manifests itself in a
different form (different random 6-character process).
 
Thanks plun, but the Nailfix I used to have has been
dropped and replaced with a new version from Robert
Cooper. The links I had to nailfix have been deleted as
it's now out of date, but here's an updated version of the
same post with the new links and Ad-aware included


You can use the uninstaller from mypctuneup.com to stop
Aurora, but it doesn't remove all the files and is owned by
Direct Revenue, who make Aurora, so they are not really to
be trusted in my view. Here is the easiest way I know of
removing Aurora without using the uninstaller:


For Aurora Use This Fix (copy it to Notepad so you can
still view it in Safe Mode)

----------------------------------------------------------
Download Nailfix to your desktop


http://www.noidea.us/easyfile/file.php?download=20050515010747824

mirror:

http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix

----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://andymanchesta.com/Downloads/ABIremover.zip


Download the Remover to your desktop
----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download AD-Aware SE

http://www.download.com/3000-2144-10045910.html

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download120bin.asp

----------------------------------------------------------

You may need to empty your system restore points; DrPMon &
Bolger.dll are sometimes left in the restore area. To turn
off System Restore, go to Start, then right click My
Computer, then go to Properties, then System Restore.
Check the box 'Turn off System Restore', then press Apply
and exit.


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


Start the ABIRemover.exe, press install, wait (the explorer
window will disappear)


In Safe Mode, double-click on nailfix.bat. Your desktop
and icons will disappear and reappear, and a window
should open and close very quickly.


Next run a full scan with Ewido & Ad-aware SE (Ewido will
find the random-named files in the system folder and
windows/last good folder if they exist. Ad-aware will
detect and remove DrPMon and Bolger.dll.)


Go to Start, then Run, and type

prefetch

Delete the contents of this folder.


Run Ccleaner and remove anything found; also use
the 'Issues' button and fix any problems that are
detected.

Reboot & re-enable System Restore (go to Start again, then
right click My Computer, then choose Properties & go to
System Restore). Un-check the box 'Turn off System
Restore' and press Apply.


You're done!


It's a lot of work, but safer than using the uninstaller
from mypctuneup, as that still leaves files on your PC
even after uninstalling (it leaves Bolger.dll, the random
files & loads of files in the prefetch folder).



Let me know if you have any problems, but I've tested this
myself and although it takes a while to get through, it
does work well.


Regards Andy
 
Sam,

Run a Full system scan with all 3 options checked first. When MWAS is
finished, reboot the system to Safe Mode :
http://snipurl.com/dmbp
then scan with MWAS once more. If/when the 6 random letter file appears
again after the first scan in Safe Mode, close MWAS, and use Windows
Explorer to navigate to the location of the random letter file that was
detected and delete it manually.
Then do another scan with MWAS followed by a scan with Norton.

You could try running Nailfix before running MWAS in Safe Mode. Haven't
used this yet, but it's recommended at CastleCops.
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Download Nailfix.zip to the Desktop. Extract it there.
Boot to Safe Mode.
Open the Nailfix folder and double click Nailfix.cmd. Your Desktop and
icons will disappear and reappear, and a window should open and close
very quickly.
Then run MWAS and have it remove detected objects. If it's still
detected, manually delete the detected random letter file and then scan
once more with MWAS to ensure that it's gone. Then do a final scan with
Norton in Safe Mode prior to booting back to normal Windows mode.


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005
===============
*-343-* FDNY
Never Forgotten
===============
 
AndyManchesta explained on 2005-06-22 :
Thanks plun, but the Nailfix I used to have has been
dropped and replaced with a new version from Robert
Cooper. The links I had to nailfix have been deleted as
it's now out of date, but here's an updated version of the
same post with the new links and Ad-aware included

Thanks Andy.

Totally insane that this piece of software can be permitted
to exist, hopefully Lavasoft have the courage to stand up
against this and include removal within next definition.

I have lost hope that MS will do it...........
 
I emailed "(e-mail address removed)" and they gave me a
download to uninstall their software. It doesn't work
either. Reboot and it's back... I need help also.
 