News from the Spyware Front

Ron Kinner

News From The Spyware Front:



Following are the latest malware and therefore the hardest
to remove:



Called nail.exe, aurora or bolger.
http://webhelper4u.com/tnewswritigs/bolger_aurora.html

Ewido seems to detect and remove one version which can
also be removed by disabling its service, booting into
Safe Mode and using HijackThis to get rid of the nail and
exe (with Explorer and Iexplore turned off), then Killbox
to remove nail on reboot. But there is another version
with a TODO file that requires a repair console delete, or
you can go to the maker www.mypctuneup.com/aurora and run
their uninstall, which gets rid of aurora but may install
something else. They make you fill out a form and then
will send you a code to use with the uninstaller. Use a
throwaway email address if you do and lie like crazy on
the form.

http://www.webhelper4u.com/tnewswritigs/mypctuneupmain.html

Another popular one right now is wp.exe, which is
smitfraud.c and which tears up the registry entries for
your desktop so you can't remove the warning that
appears. It changes the registry to add System under
Policies and adds some keys to limit the Display
Properties by removing the Web and Background tabs.

This is it here:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html

(Same link but in smaller form, since I guess that one will
wrap)

http://tinyurl.com/87n46


Then we have the bhoass.dll "Trojan.Win32.Agent.cx"



C:\WINNT\system32\bss.dll
C:\WINNT\bhoass.dll
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE

C:\WINNT\explorer32dbg.exe

C:\WINNT\iexplore_dbg.exe

C:\WINNT\ghj

This is just six of the files. There are about 10 in
all. The only way I can get rid of them is to use Killbox
to delete all of them on boot. And afterwards Explorer
(the desktop) won't run. Sample hjt log:



http://www.techsupportforum.com/computer/topic/49162-1.html



Also have a random-named file that attaches itself to
winlogon notify and won't let go. Often seen in the
company of another random-named file that pretends to be
Kavsvc or Navsvc. The Kavsvc file will sometimes go away
with mwav.exe from Kaspersky. Nothing seems to work on
the winlogon notify critter. Believe it's a variation on
L2M.



O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlinzp.exe
O20 - Winlogon Notify: OemStartMenuData -
C:\WINDOWS\system32\p2r4lc9q1f.dll




None are removed completely by AntiSpy unless there has
been a new update that I don't know of.



One final tip. A lot of the new stuff seems to use the
Task Scheduler as a backup. Start, (Settings,) Control
Panel, Scheduled Tasks, and remove any that you don't
recognize, especially any that have a path that includes
the Application Data or Temp folders.



Ron
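The two HijackThis lines Ron quotes (a Run entry named after an AV service but pointing at a random-named executable, and a Winlogon Notify entry loading a random-named DLL) and his closing tip about Scheduled Tasks describe patterns a helper can screen for. The following is an added example, not code from Ron or from any tool mentioned in the thread: it parses HijackThis-style O4/O20 lines, applies a crude "random file name" heuristic, checks whether a Run entry named like KavSvc/NavSvc actually runs a binary carrying that product name, and lists scheduled tasks whose command lives under Application Data or Temp. The sample log lines and task list are constructed for the example (the two suspicious entries are the ones from the post; the benign entries are made up for contrast), and the thresholds are assumptions to tune, not a signature.

```python
import re

# Constructed sample log: the O4/O20 lines quoted in the post plus two
# benign-looking entries made up for contrast.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\System32\\rlinzp.exe
O4 - HKLM\\..\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe
O20 - Winlogon Notify: OemStartMenuData - C:\\WINDOWS\\system32\\p2r4lc9q1f.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
"""

# Service names the post says the dropper borrows. A Run entry with one of these
# names should launch a binary whose own name contains the product prefix.
MIMICKED_AV_NAMES = {"kavsvc": "kav", "navsvc": "nav"}

# Directory fragments from the post's last tip (Application Data / Temp); the
# modern "AppData" spelling is added as an assumption.
SUSPECT_TASK_DIRS = ("\\application data\\", "\\appdata\\", "\\temp\\")

# Constructed sample of what Scheduled Tasks might list: (task name, command).
SAMPLE_TASKS = [
    ("Symantec NetDetect", "C:\\Program Files\\Symantec\\LiveUpdate\\NDETECT.EXE"),
    ("At1", "C:\\Documents and Settings\\user\\Local Settings\\Temp\\nail.exe"),
    ("At2", "C:\\Documents and Settings\\user\\Application Data\\updater.exe"),
]

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def file_stem(path: str) -> str:
    """File name without extension, tolerating Windows backslashes on any OS."""
    base = re.split(r"[\\/]", path.strip())[-1]
    return base.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude random-name test: many letter/digit alternations, or almost no vowels.

    Thresholds are assumptions chosen so that p2r4lc9q1f and rlinzp trip it while
    ordinary names such as wlnotify or SMTray do not; expect false positives.
    """
    lowered = stem.lower()
    transitions = sum(1 for a, b in zip(lowered, lowered[1:]) if a.isdigit() != b.isdigit())
    letters = [c for c in lowered if c.isalpha()]
    vowels = sum(c in "aeiouy" for c in letters)
    if transitions >= 3:
        return True
    return len(letters) >= 5 and vowels / len(letters) < 0.2


def triage_hjt(log_text: str) -> list:
    """Return O4 Run / O20 Winlogon Notify entries matching the post's patterns."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RE.match(line) or O20_RE.match(line)
        if not match:
            continue
        name, path = match.group("name"), match.group("path")
        stem = file_stem(path)
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking file name")
        expected = MIMICKED_AV_NAMES.get(name.lower())
        if expected and expected not in stem.lower():
            reasons.append(f"entry named like {name} but runs {stem}")
        if line.startswith("O20") and reasons:
            # Notify DLLs load with winlogon, before the desktop; the post notes
            # these survive normal removal, so they need Safe Mode or offline deletion.
            reasons.append("Winlogon Notify DLL; remove from Safe Mode or offline")
        if reasons:
            findings.append({"entry": line.split(" - ")[0], "name": name,
                             "path": path, "reasons": reasons})
    return findings


def suspicious_tasks(tasks: list) -> list:
    """Tasks whose command path runs from Application Data or Temp."""
    return [(name, cmd) for name, cmd in tasks
            if any(d in f"\\{cmd.lower()}\\" for d in SUSPECT_TASK_DIRS)]


if __name__ == "__main__":
    for hit in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{hit['entry']:4} [{hit['name']}] {hit['path']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
    for name, cmd in suspicious_tasks(SAMPLE_TASKS):
        print(f"task {name}: {cmd}")
```

Run it against a real HijackThis log by reading the file into `triage_hjt`; the Scheduled Tasks check takes whatever (name, command) pairs you copy out of the Scheduled Tasks folder. Treat hits as items to investigate, not as a verdict: the name heuristic is deliberately loose, and a legitimate installer can also drop a task under a profile folder.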

Bill Sanderson

Thanks Ron--I've cleaned Aurora by hand, and recognize each of the others
that you mention from posts here.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

plun

Thanks Ron!

Totally off topic, but I'm having real fun with this
nowadays; spyware was so boring... ;)

Andres space with glass:

http://hem.bredband.net/b288305/glass.jpg

--
plun

M.A. Heckman

Note: About the MyPCTuneup for Aurora - When I used it, I
wasn't prompted at all for my e-mail. I simply downloaded
the program and ran it. Neither did I find any trace of
malware installed by using the program.
