need HELP removing Transponder.ABetterInternet.Aurora


HELP PLEASE!!!!!!!!!

I have two spyware problems that I keep deleting, and they keep
coming back with popups when I go online. They are called
Transponder.ABetterInternet.Aurora and
Transponder.ABetterInternet.DrPMon. I have located the exact files
in the Windows folder, but it keeps respawning after I delete it
and restart. This spyware has a rating of ten and it is severe.

ANY SUGGESTIONS ANYONE??????????????????

AndyManchesta

I agree, the Transponders gang are very nasty and can be very
difficult to remove fully.

File names related to this variant are:

Poller.exe, uacupg.exe (random name), Nail.exe, thnall1ac.html
(random name), DrPMon.dll, svcproc.exe.


Nail.exe is the main reinfestation agent; it also creates a
randomly named .exe file in the %window% %system% folder that is
74 KB in size, and the name in its properties will possibly show:
TODO.

The Windows service file could be C:\WINDOWS\svcproc.exe

To check for this, go to the Run command and type services.msc.

In the Services window that opens, press Name to sort into
alphabetical order and check for System Startup Service. If you
find it, right click it and choose Disabled in the dropdown box,
then hit the Stop button.


Download these programs:

Download CCleaner (removes temp & unused files):

http://download.ccleaner.com/download119bin.asp

Download the BetterInternet/Nail/Bolger/Aurora Remover:

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop.

Download HijackThis:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Download to either the desktop or the C: drive.

Download Killbox:

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Removal:

Reboot into safe mode.

Start the ABIRemover.exe, press Install, and wait (the Explorer
window will disappear).



Run HijackThis and save the logfile. What you are looking for are
entries like this, but if you're unsure, post the log back before
fixing.

Tick to fix :-

F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this
file changes its name every time you boot, but it will
be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown
owner - C:\WINDOWS\svcproc.exe

Close all other open windows and choose Fix checked.

Run the Killbox.exe file.

Check the box "Delete on Reboot".

Copy and paste the following bold line into the "Full Path of
File to Delete" box in Killbox:

C:\WINDOWS\svcproc.exe

Click the red button with the white X on it.

It will ask you if you want to reboot ... say "NO".

Copy and paste the following bold line into the "Full Path of
File to Delete" box in Killbox:

C:\WINDOWS\Nail.exe

Click the red button with the white X on it.

It will ask you if you want to reboot ... say "NO".

Copy and paste the following bold line into the "Full Path of
File to Delete" box in Killbox:

C:\WINDOWS\kkuibquo.exe ... this name changes, use HijackThis to
find the name on yours.

Click the red button with the white X on it.

It will ask you if you want to reboot ... say "YES".

Let it reboot.



When you get back in normal mode, run CCleaner to remove any other
traces of this in the temp files. If this doesn't fix it for you,
or you cannot find some of the files, then another useful tool for
this is FindIt's.

1. Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

2. Unzip/extract the files inside and open the folder.

3. Run the FindIt's.bat and wait for a text file to open.

4. Copy & paste the contents of the text file in your next reply
here.

Good luck

Andy

AndyManc

Hi There

I've only known about this variant for about 3 or 4 weeks, so I'm
still trying to perfect the removal on this. I know Bill (MVP)
said he had removed this manually as well, so hopefully if he has
a quicker fix he will reply.

Using HijackThis is your best starting point to identify the
random filenames.

Here's what I know on this Transponder.Aurora.

Below is the Bolger.dll (screenshot). Note: this is only an image
file showing the screenshot of Aurora (28 KB JPEG image).


http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3259.0;id=293


Bolger.dll

CLSID: {302A3240-4805-4a34-97D7-1645A0B08410}

Components:

Bolger.dll, Aurora.exe, svcproc.exe, Poller.exe,
uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html.

The thnall1ac.html is actually their thnall1ac.exe, which does the
registry registering of the bolger.dll.

This is a pain to remove because one part is running as a Windows
service, one part as a BHO, and then one or more entries under
random names, both in the registry and the Windows system folder.

None of these processes like being killed, especially the svcproc
and the nail.exe, so I think using HijackThis to fix them and then
using Killbox to delete them is more likely to work than just
manually deleting the files. Nail.exe will keep returning if all
the other components of this are not removed at the same time.

The Nail.exe will generate a randomly named *.exe file of around
74 KB in the %system% folder, and if it is not removed along with
the Nail.exe and bolger.dll at the same time, re-infestation will
occur.

I'm sure most spyware scanners (Spybot S&D, Ad-Aware, SpySweeper,
etc.) will include this in their scanning definitions very soon;
maybe they have done already, so it could save you a lot of time
by running the scanners in safe mode. I just can't advise one as a
sure fix yet, with this being very new. I know the ewido scanner
targets this, which is also a free download, so it may be worth
running that as well.

Main site:

http://www.ewido.net/en/


Symantec have a repair tool for BetterInternet:

http://securityresponse.symantec.com/avcenter/FixBinet.exe

but this isn't for this latest variant; the fix is for the
ceres.dll/speer and buddy.exe type that came before this.

There's probably other guests on here who could advise other ways
to remove this. I know manual removal is always confusing and
isn't always the best move, so it may be worth seeing what other
people's views are first.


Regards Andy
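As an added example (not from the thread, and not part of any of the tools Andy links), the PowerShell script below does a read-only triage for the indicators named in Andy's two posts: the known component file names, the "System Startup Service" (SvcProc) service behind the O23 entry, the Shell= value behind the F2 entry, the Run keys behind the O4 entry, the randomly named ~74 KB .exe, and the Bolger.dll CLSID. It changes nothing; the 70-78 KB size bracket and the HKLM Winlogon location of the Shell value are assumptions, and removal still goes through HijackThis/Killbox as described above.

```powershell
# Added example, not from the thread: read-only triage of the indicators Andy lists.
# It only reports what it finds so you can compare it against your HijackThis log.
$knownNames = 'Nail.exe','svcproc.exe','Poller.exe','uacupg.exe','Aurora.exe',
              'Bolger.dll','DrPMon.dll','thnall1ac.html'
$bhoClsid = '{302A3240-4805-4a34-97D7-1645A0B08410}'      # CLSID quoted in the thread
$win = $env:windir
$sys = Join-Path $win 'system32'

'== Known component files in %windir% and %windir%\system32 =='
foreach ($n in $knownNames) {
    foreach ($dir in @($win, $sys)) {
        $p = Join-Path $dir $n
        if (Test-Path $p) { Get-Item $p | Select-Object FullName, Length, LastWriteTime }
    }
}

'== Service "System Startup Service" (SvcProc), the O23 entry =='
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'SvcProc' -or $_.DisplayName -like 'System Startup Service*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

'== Shell= value, the F2 entry (should read just explorer.exe) =='
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell

'== Run keys, where the O4 entry lives =='
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

'== Randomly named ~74 KB .exe in system32 (70-78 KB bracket is an assumption) =='
Get-ChildItem $sys -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -ge 70KB -and $_.Length -le 78KB } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 Name, Length, LastWriteTime,
        @{n='Description'; e={ $_.VersionInfo.FileDescription }}   # thread says this may read "TODO"

'== Bolger.dll BHO registration =='
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
$inproc = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"
if (Test-Path $bhoKey) { "BHO registered under $bhoKey" }
if (Test-Path $inproc) { "CLSID loads: " + (Get-ItemProperty $inproc).'(default)' }
```

Run it from an elevated PowerShell prompt; anything it lists under the service, Shell=, Run-key or BHO sections is what you would then look for as the O23, F2, O4 and BHO lines in the HijackThis log.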

Bill Sanderson

I've only seen it once, and don't feel very qualified to dig into it
remotely, I'm afraid. I don't recall seeing the standard names that are
posted here. I did see nail.exe and the randomly named 74k piece, but the
third part I'm not recognizing. I can't recall if I posted about that piece
when I did this cleaning long ago.

I'm assuming that what is being seen now is newer--since ABIremover was
effective for a period of time, but isn't now.

I'm glad I don't see many infected machines among my clients, 'cause with
the advent of summer here, I'm having trouble getting the regular work done.
OTOH, I could use the hands on experience.
