Aurora & DrPmon


Phil

I have installed MS Antispyware on my pc & overall it is
very good.

The following files are ones that keep re-appearing after
Antispy has found and deleted them:

Transponder.ABetterInternet.Aurora
Transponder.ABetterInternet.DrPmon
Trojan.startup.0e3df3

Can anyone please tell me how to rid myself of these for
good?
 

JohnF.

You will have to kill the trojan first - see if you can find success through
the following notes from previous successes:

--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

*Here is an excellent page showing you how to kill off spyware!*
http://tinyurl.com/awnad (smitfraud, in this case)

PREP YOUR MACHINE FIRST!
- IF you are using Spybot S/D, UN-Immunize your computer
- IF you are using Adaware, turn off AD-Watch
- Disable all other active anti-spy applications
- Dump all temporary file locations and Internet files

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
winsockxpfix.exe www.snapfiles.com/get/winsockxpfix.html
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Clean out all temp file locations with ccleaner.exe

3. Install and use killbox to delete stubborn files

4. Reboot into safe mode - http://tinyurl.com/pfca
5. Run MSAS at least twice in full/deep mode
6. Run a robust, updated antivirus software scan
7. Reboot into normal mode, see if problem has been corrected

8. If you think something is there but can't see it, download:
- Blacklight by F-Secure
www.europe.f-secure.com/exclude/blacklight/blbeta.exe
- RootKitRevealer by SysInternals
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

9. If your problem is Virus or Security patch related:
In the United States or Canada, call 1-866-PCSAFETY
MS will provide free support for those issues.

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
http://support.microsoft.com/kb/811259
LSPFix - www.cexx.org/lspfix.htm
Winsockxpfix - www.snapfiles.com/get/winsockxpfix.html

- Install SpywareBlaster to block malware apps from
installing on your machine. Does not actively run
on your machine, you run it, it makes changes that
protect you.
http://www.javacoolsoftware.com/

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
4) If that fails, install VB6 runtime files:
http://www.softwarepatch.com/windows/vbrun6download.htm

- To report false positives:
www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
- To submit disputes or requests:
www.microsoft.com/athome/security/spyware/software/isv/cdform.aspx
- To learn more about how MS analyzes suspected spyware:
www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx
- To Run MSAS in passive mode:
http://support.microsoft.com/kb/892375

Alternative Anti-Spyware Applications:
- Spybot Search and Destroy
http://www.majorgeeks.com/download2471.html
- LavaSoft AdAware
http://www.majorgeeks.com/download506.html
- AdAware VX2 Cleaner Plugin
http://www.majorgeeks.com/download4283.html
- PestPatrol
http://www.majorgeeks.com/download1187.html
- Webroot Spysweeper
http://www.majorgeeks.com/download3263.html
- Ewido Security Suite
http://www.ewido.net/en/
- CounterSpy (Same Giant Company Engine as MSAS)
http://www.sunbelt-software.com

Recommended Software to help protect you:
- Windows XP Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
- SpywareBlaster
http://www.javacoolsoftware.com
- Outpost Firewall Pro
http://www.agnitum.com/products/outpost
---------------------------------------------
 

Engel

Subject: Re: Aurora and Dr PMon
From: "Andre Da Costa" <[email protected]> Sent:
5/29/2005 1:47:55 PM

<<quote>>
From Andy & Plun:
Aurora Removal:
News from webhelper4u about removal with
mypctuneup...... ;)

http://www.webhelper4u.com/tnewswritigs/mypctuneup5252005.html

Uninstall file:
http://www.mypctuneup.com/

Download CCleaner and remove all temporary junk.
www.ccleaner.com

HijackThis download:
http://www.merijn.org/files/hijackthis.zip

Lavasoft's Adaware:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10319876.html?tag=list

I agree the transponders gang are very nasty and can be
very difficult to remove fully.

File names related to this variant are:

Poller.exe, uacupg.exe (random name), Nail.exe,
thnall1ac.html (random name), DrPMon.dll, svcproc.exe.


The Nail.exe is the main reinfestational agent which also
creates a randomly named exe file in the %window% %system%
folder that is 74kb in size and the name in the properties
will possibly show: TODO.

The windows service file could be C:\WINDOWS\svcproc.exe

To check for this go to the run command and type
services.msc.

In the services window that opens, press Name to sort into
alphabetical order, check for System Startup Service, if you
find it right-click it and choose Disable in the dropdown
box. Then hit the Stop button.


Download these programs :

Download Ccleaner (Removes temp & unused files)

http://download.ccleaner.com/download119bin.asp

Download the BetterInternet/Nail/Bolger/Aurora Remover

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop

Download Hijack this:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Download to either the desktop or c/drive

Download Killbox

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Removal:

Reboot into safemode

start the ABIRemover.exe, press install, wait (explorer
window will disappear)

Run HijackThis and save the logfile. What you are looking
for are entries like this, but if you're unsure post the log
back before fixing.

Tick to fix :-

F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this
file changes its name every time you boot - but it will
be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown
owner - C:\WINDOWS\svcproc.exe

Close all other open windows and choose fix checked

Run the Killbox.exe file

check the box "Delete on Reboot"

copy and paste the following line bold into the "Full Path
of File to Delete" box in Killbox

C:\WINDOWS\svcproc.exe

click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

copy and paste the following bold line into the "Full Path
of File to Delete" box in Killbox


C:\WINDOWS\Nail.exe


click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

copy and paste the following bold line into the "Full Path
of File to Delete" box in Killbox


C:\WINDOWS\kkuibquo.exe ... this name changes, use
HijackThis to find the name on yours.


click the red button with the white X on it

It will ask you if you want to reboot ... say "YES"

Let it reboot

When you get back in normal mode run Ccleaner to remove
any other traces of this in the temp files. If this doesn't
fix it for you or you cannot find some of the files then
another useful tool for this is FindIt's:

1. Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

2. Unzip/extract the files inside, open the folder

3. Run the FindIt's.bat and wait for a text file to open,

4. Copy & paste the contents of the text file in your next
reply here.

Good luck

<<unquote>>

Disclaimer: the above is not my personal opinion and is
not the opinion of my employer, my wife, or the hundreds
of little green men that have been following me all day.


Engel
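The quoted procedure asks the reader to look through a HijackThis log for three specific persistence entries: an extra program appended to the system.ini Shell= value (F2), a Run-key entry launching a randomly named exe from the Windows folder (O4), and a service of unknown owner pointing at C:\WINDOWS\svcproc.exe (O23). The script below is an added example, not part of the original post and not HijackThis code; it parses those three line formats as they appear in the log excerpts above and flags entries that fit the pattern the post describes. The sample log, the regular expressions, the assumption that the Windows folder is C:\WINDOWS, and the KNOWN_NAMES list (taken from the file names the post gives) are all mine.

```python
"""Triage a HijackThis-style log for the persistence entries described in the post.

Added example, not part of the original post or of HijackThis. It reads text in
the F2 / O4 / O23 line formats quoted above and flags the three patterns the post
warns about. The SAMPLE_LOG below is constructed from the entries in the post
plus two benign lines for contrast; it is not output from a real machine.
"""
import re
from dataclasses import dataclass
from typing import List

# File names the post associates with this family (assumed complete enough
# for the example; DrPMon.dll is included so a rundll32-style entry is noticed).
KNOWN_NAMES = {"nail.exe", "svcproc.exe", "poller.exe", "uacupg.exe", "drpmon.dll"}

# A file directly in the Windows folder root (C:\WINDOWS\foo.exe), where the
# post says the dropper writes its randomly named exe. Assumes the default
# install path; adjust if %SystemRoot% differs.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)

# Line formats approximating the HijackThis sections shown in the post.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_SVC = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Constructed sample, built from the three entries quoted in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Tools\Example\upd.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    path: str     # the program the entry launches
    reason: str   # why it was flagged


def first_path(cmd: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_location(path: str) -> bool:
    """True for a name the post lists, or any file sitting in the Windows root."""
    return basename(path) in KNOWN_NAMES or bool(WINDOWS_ROOT.match(path))


def triage(log_text: str) -> List[Finding]:
    """Return the entries that match the patterns described in the post."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_SHELL.match(line):
            # A clean value is exactly "Explorer.exe"; anything appended is a
            # second program Winlogon starts as part of the shell.
            programs = m.group("value").split()
            if programs and programs[0].lower() != "explorer.exe":
                findings.append(Finding("F2", programs[0], "shell replaced"))
            for extra in programs[1:]:
                findings.append(Finding("F2", extra, "extra program appended to Shell="))
        elif m := O4_RUN.match(line):
            path = first_path(m.group("cmd"))
            if suspicious_location(path):
                findings.append(
                    Finding("O4", path, f"Run entry [{m.group('name')}] matches dropper pattern")
                )
        elif m := O23_SVC.match(line):
            path = first_path(m.group("path"))
            if m.group("owner").lower() == "unknown owner" and suspicious_location(path):
                findings.append(
                    Finding("O23", path, f"service {m.group('short')} of unknown owner in Windows root")
                )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path}  ({f.reason})")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; entries it does not flag (a Run entry with a bare program name, a service with a named owner) are left alone so the output is only the short list the post tells you to inspect before ticking "fix checked".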
 
