Regenerating spyware

Inthedirt

My son was using LimeWire (the next worst thing to Kazaa)
and downloaded lots of spyware and viruses. It looks like
the viruses have been cleaned by McAfee. I have tried the
Microsoft trial and Ad-aware 6.0 antispyware programs.
Both have identified threats and removed them. I also
opened Task Manager and noticed that more processes are
running than usual, and some of them will not end or delete
but get renamed and stay on. I even did some editing of
the registry where it was obviously safe to do so. System
Restore will not work properly and the Google toolbar
will not load.

The last time this happened, I spent 6 hours searching
the net on every exe file name and program name I did not
recognize. To minimize additional threats, I used Mozilla
for the searching as a browser since I believe a lot of
spyware is written for IE.

The constant spyware programs are Aurora, Transponder and
People (something). There are others but whatever the
answer is will probably work for all of my issues.

Sorry for the long-winded story - any ideas on the
easiest way to wipe them out? I know, don't let the kid
use LimeWire!

TIA
John
 
AndyManchesta

Aurora

This link has info on the people behind this:

http://www.webhelper4u.com/transpondersites/index.htm



Related files:

Bolger.dll
Aurora.exe
svcproc.exe
Poller.exe
uacjlupg.exe (random name)
Nail.exe
DrPMon.dll
thnall1ac.html.

Nail.exe generates "exe" files in the System32 folder
with random names.



For Aurora Use This Fix

----------------------------------------------------------
For XP, download Nailfix:

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3261.0;id=294

Download the remover to your desktop.


For Windows 2000, download nailfix2k:

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3261.0;id=295

----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop
----------------------------------------------------------

Download latest Hijackthis and unpack it in its own folder
(either desktop or c/drive)

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

This setup contains the free as well as the plus-version
of the ewido security suite. After the installation, a
free 14-day test version containing all the extensions of
the plus-version will be activated. At the end of the
test phase, the extensions of the plus version are
deactivated and the freeware version can be used
unlimited times.

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download119bin.asp

----------------------------------------------------------


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


Start ABIRemover.exe, press Install and wait (the Explorer
window will disappear).



Still in Safe Mode, double-click nailfix.bat (or
nailfix2k.bat if you have Windows 2000). Your desktop and
icons will disappear and reappear, and a window should
open and close very quickly.


Next run a full scan in Ewido



Hopefully this will kill it, but you can check for
entries in HijackThis. Reboot, run HijackThis, choose
to run a scan and save the logfile. The entries related to
this are these:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this
file changes its name, but it will be in the same place
in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


If you find them, put a tick beside them in HijackThis,
close all windows and choose Fix checked.

You can also copy and paste your hijack logs to these
sites which will give you details on each entry.


http://www.hijackthis.de/en

http://www.help2go.com/modules.php?name=HJTDetective

Only fix things confirmed as nasty; if you are unsure
about any, I'd help where I can. I know this involves a lot
of programs, but I don't think any of the scanners alone
will remove this yet.

Run an online virus scan to check for any other malware:


Trend Micro http://housecall.antivirus.com/

Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm


Hope This Helps

Andy
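Andy's advice to "only fix things confirmed as nasty" is easier to follow if the saved HijackThis log is triaged against the four entries he quotes before anything is ticked. The script below is an added example and is not part of the thread or of HijackThis itself: it parses log lines of the F2/O2/O4/O23 form, flags the BolgerObj CLSID, the listed file names, the Shell= hijack, the SvcProc service, and a random-looking .exe launched straight from the Windows or System32 folder. The sample log is constructed from the entries in Andy's post plus two benign placeholder lines (their CLSID, names and paths are made up), and the "eight lowercase letters" shape used to spot the renamed dropper is an assumption drawn from the two names on the page (kkuibquo, uacjlupg), not a documented property of the malware.

```python
import re
from dataclasses import dataclass

# File names Andy lists as Aurora/Nail components (taken from the thread).
KNOWN_BAD_FILES = {"bolger.dll", "aurora.exe", "svcproc.exe",
                   "poller.exe", "nail.exe", "drpmon.dll"}
# CLSID of the BolgerObj BHO exactly as it appears in the quoted O2 entry.
KNOWN_BAD_CLSIDS = {"{302a3240-4805-4a34-97d7-1645a0b08410}"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path up to the first .exe/.dll; spaces are allowed so
# "C:\Program Files\..." survives intact.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumption: the two random names on the page are eight lowercase
# letters, so that shape is used as the heuristic for the renamed dropper.
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")

# Constructed sample log: the four entries Andy quotes plus two benign
# placeholder lines (the toolbar CLSID, names and paths are made up).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: Example Toolbar Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def _split_path(path):
    """Return (parent folder, file name), both lower-cased."""
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name.lower()


def triage_line(line):
    """Return the reasons one HijackThis line matches the thread's
    indicators; an empty list means nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    paths = [_split_path(p) for p in PATH_RE.findall(body)]

    # Rule 1: any path whose file name is a listed component.
    for _, name in paths:
        if name in KNOWN_BAD_FILES:
            reasons.append(f"known Aurora/Nail component {name}")

    # Rule 2: F2 - the system.ini Shell= value should be Explorer.exe
    # alone; Nail.exe appends itself so it starts with the shell.
    if section == "F2":
        sm = re.search(r"Shell=(.*)$", body, re.I)
        if sm and sm.group(1).strip().lower() != "explorer.exe":
            reasons.append("Shell= launches more than Explorer.exe")

    # Rule 3: O2 - the BolgerObj browser helper object by CLSID.
    if section == "O2":
        for clsid in CLSID_RE.findall(body):
            if clsid.lower() in KNOWN_BAD_CLSIDS:
                reasons.append(f"BHO CLSID {clsid} is BolgerObj")

    # Rule 4: O4 - a random-looking .exe run straight from the Windows
    # or System32 folder (the entry whose file name keeps changing).
    if section == "O4":
        for parent, name in paths:
            in_win = parent.endswith("\\windows") or parent.endswith("\\system32")
            if in_win and RANDOM_EXE_RE.match(name):
                reasons.append(f"Run entry launches random-looking {name}")

    # Rule 5: O23 - the SvcProc service.
    if section == "O23" and "(svcproc)" in body.lower():
        reasons.append("service SvcProc")

    return reasons


def triage_log(text):
    """Walk a saved HijackThis log and return one Finding per flagged line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line.split(" - ", 1)[0], reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, "->", "; ".join(f.reasons))
```

Run it against a real saved log by passing the file's contents to triage_log; anything it does not flag still deserves a look on hijackthis.de, since the rules only cover the entries named in this thread.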
 
Guest

Andy,

Did what you said and it looked good for a while. I'm
going to try the sequence again.
Looks like People on Page is the stubborn one now.
I still believe this stuff is running - just need to prove
it.

John
 
