Trojan.Startup.NameShifter.BK

Sam

Wow! This is one persistent hunk of code. Apparently,
whenever a "kill" command is issued (including during
shutdown), it renames itself, re-adds itself to the "Run"
section of the Registry and activates "Load Startup Items"
in MSConfig.

Anybody know how to get rid of this thing? (BTW, I don't
have the XP install CDs.)
 
AndyManchesta

Hi Sam,

I'm not sure if this is going to be much help, I'm just
testing a fix on Aurora.

(Note: it's not the fix I'm posting here, this one works
well but I'm trying a new fix which I will post when it's
tested.)

It's downloaded a file called poller.exe in its setup and
this poller.exe, when scanned by MSAS, detects
Trojan.Startup.Nameshifter.BK.

I've always thought this was a different problem but it
may just mean you have Aurora on your system.

For Aurora use this fix (copy it to Notepad so you can
still view it in Safe Mode).

Once in Safe Mode it's important you do not reboot until
you finish all the steps or it will do as you say and
change its name and try to do a fresh install!

----------------------------------------------------------
Download Nailfix to your desktop (I've gone back to my
download as the author's links have gone down)

Nailfix

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3719.0;id=303



----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://andymanchesta.com/Downloads/ABIremover.zip


Download the Remover to your desktop
----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download AD-Aware SE

http://www.download.com/3000-2144-10045910.html

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download121bino.asp

----------------------------------------------------------

You may need to empty your system restore points, DrPmon &
Bolger.dll are sometimes left in the restore area. To turn
off System Restore go to Start, then right-click My
Computer, then go to Properties, then System Restore.
Check the box 'Turn off System Restore' then press Apply
and exit.


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


Start ABIRemover.exe, press Install, wait (the Explorer
window will disappear).


In Safe Mode, double-click on nailfix.bat. Your desktop
and icons will disappear and reappear, and a window
should open and close very quickly.


Next run a full scan with Ewido & Ad-Aware SE (Ewido will
find the random named files in the system folder and
windows/last good folder if they exist. Ad-Aware will
detect and remove DrPmon and Bolger.dll.)


Go to Start, then Run, and type

prefetch

Delete the contents of this folder.


Run CCleaner and remove anything found, also use
the 'Issues' button and fix any problems that are
detected.

Reboot & re-enable System Restore (go to Start again, then
right-click My Computer, then choose Properties & go to
System Restore). Un-check the box 'Turn off System
Restore' and press Apply.


You're done!


Let me know if you have any problems


Regards

Andy
 
Sam

Before I do all this, I must mention that the spyware runs
in safe mode. It adds itself into the run list and
forces "Load Startup Items" at shutdown time. It is NEVER
not running. I have booted various flavors of safe mode
several times and it is always running, no matter what I
do to the run list or MSconfig.
 
AndyManchesta

Hi Sam

I really don't know about Name Shifter BK, I never would
have related this to Aurora. It's only MSAS that's
detecting Nameshifter.BK in the file Poller.exe which is
one of Aurora's files.

I've scanned the file at a lot of sites since I posted this
and the other scanners find

Trojan.Agent.Ay / Adware.CallingHome

so it's hard to know if this is a false detection or if it
is related. I'm emailing Robert Cooper who made Nailfix so
will mention this and see what he advises.

If you are unsure then just download HijackThis instead
and post the log that it produces. If it's Aurora related
this will be obvious by checking the log.

Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

First create a folder: right-click an empty space on the
C: drive or desktop, then choose New, then New Folder,
name it and save HijackThis into it. This way it will
create backups of anything that is deleted.

Run HijackThis and choose to do a system scan and save
the logfile; when it's finished it will open the text in
Notepad. You can then post that anywhere, SpywareInfo,
TomCoyote etc., or even post it here and I will check
them over and see if it is Aurora related.

I'm a bit busy at the moment with some malware issues; I
got rid of Aurora, now another user is having problems
with About:Blank so I'm trying to help them through emails,
but I will check back here a bit later.

I don't want you to have to run the fix then find it's
unrelated. Is it MSAS that's detecting this as
Nameshifter.BK or another remover? I've not commented on
Nameshifter topics before as I don't know much about this
trojan, but I noticed the MSAS detection when I was
testing Aurora so wanted to post, but I appreciate your
view that it may not be related.

I will repost if I get any news on this but HijackThis
will show you what the problem is; get as much advice as
you can though before deleting anything. With Aurora you
will see an F2 shell entry, a service called System Startup
Service (svcproc), the files Nail.exe and Bolger.dll plus
random named files in the system folder which get renamed
when you reboot; they contain either 6 or 7 letters,
completely random, like vzauwu.exe or yweqrqx.exe, that
type of thing, but don't fix anything until you're sure
what you're up against.

I will check back soon

Andy
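One way to check a HijackThis log for the Aurora indicators Andy lists above, as an added example that is not code from the thread or from HijackThis: the log lines are constructed, the O4/F2/O2/O23 line layout is assumed from HijackThis's usual output, and the KNOWN_GOOD allowlist is hypothetical.

```python
import re

# Constructed HijackThis-style log lines (assumed O4/F2/O2/O23 layout, not from the thread);
# {CLSID-PLACEHOLDER} stands in for a real BHO class id.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [vzauwu] C:\WINDOWS\system32\vzauwu.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\nail.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
    r"O4 - HKLM\..\Run: [yweqrqx] C:\WINDOWS\system32\yweqrqx.exe",
    r"O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\WINDOWS\system32\bolger.dll",
])

# File names the thread associates with Aurora.
KNOWN_FILES = {"nail.exe", "bolger.dll"}
# 6-7 lowercase letters followed by .exe inside the system folder.
RANDOM_NAME = re.compile(r"\\system32\\([a-z]{6,7})\.exe\s*$")
# Hypothetical allowlist: legitimate Windows binaries such as ctfmon.exe also
# have 6-7 letter names, so length alone is not evidence; extend as needed.
KNOWN_GOOD = {"ctfmon"}


def triage_hjt_log(text):
    """Return (line, reason) pairs for log lines matching the thread's indicators."""
    hits = []
    for line in text.splitlines():
        low = line.lower()
        if low.startswith("f2 ") and "shell=" in low:
            # The default Shell= value is just Explorer.exe; anything appended is suspect.
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                hits.append((line, "F2 shell entry loads more than Explorer.exe"))
        elif low.startswith("o23 ") and "svcproc" in low:
            hits.append((line, "System Startup Service (svcproc)"))
        elif any(name in low for name in KNOWN_FILES):
            hits.append((line, "known Aurora file name"))
        elif low.startswith("o4 "):
            match = RANDOM_NAME.search(low)
            if match and match.group(1) not in KNOWN_GOOD:
                hits.append((line, "6-7 letter random name in system folder"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage_hjt_log(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

A flagged line is a lead to look into, not proof on its own; the allowlist shows why a name-length rule needs review before anything is removed.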
 
AndyManchesta

Hi again,

If you don't want to use HijackThis then I really cannot
comment as to what's causing your problems. Whatever it is
can be fixed but I need to know what it is first, or it's
just guesswork which isn't the right way to do things.


Maybe try running some online virus scans or Ewido
Security Suite and hopefully they will fix it for you.


Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".

Launch Ewido.

It will prompt you to update; click the OK button and it
will go to the main screen.
On the left side of the main screen click Update.
Click on Start and let it update.

Click on Scanner.
Select Complete System Scan.
Click the Start Scan button to start the scan.
During the scan it will prompt you to clean files, click
OK.
When the scan is finished, look at the bottom of the
screen and click the Save Report button.
Save the report to your desktop in case you need it again.


Online Virus/Trojan Scanners


Trend Micro

http://housecall.antivirus.com/

E Trust

http://www3.ca.com/virusinfo/virusscan.aspx

Rav

http://www.ravantivirus.com/scan/

Panda

http://www.pandasoftware.com/activescan/

Bitdefender

http://www.bitdefender.com/scan8/ie.html

Symantec's Security Check & Virus Scanner

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trojan Scanner

http://www.windowsecurity.com/trojanscan/trojanscan.asp

Spyware Scanner

http://www.trendmicro.com/spyware-scan/


All the best, if you need any more help just reply.


Andy
 
André

I tried first to remove it and it didn't work. Now I put
it in Quarantine, and it doesn't appear anymore.
 
Guest

Having the same problem, the scanner can't get rid of this
Trojan.startup.nameshifter.bn, it just keeps going and
going and going. We need help, someone help us solve our
problem.
 
