Viruses, Spyware and...

Newbie to site. Need help eliminating aurora, drpmon.dll virus

•

Join Date: Jun 2005

Posts: 3

Reputation: AppleSam is an unknown quantity at this point

Solved Threads: 0

AppleSam

Offline

Newbie Poster

Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 4th, 2005

Sorry to all for posting my problem in wrong area of your site.

Would someone please help me? I am a professional prepress operator that has knowledge of Mac OS but am a novice when it comes to fixing a Windows OS.
Thanks in advance for your help and time.
Here is my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:03 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\MySoftware\MyInvoices\tracker.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\windows\system32\xrvqpuo.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKLM\..\Run: [cBZnV] C:\docume~1\mikemc~1\locals~1\temp\cBZnV.exe
O4 - HKLM\..\Run: [peawiygl] C:\WINDOWS\System32\hrruivmh.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [gqnvtj] c:\windows\system32\xrvqpuo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again,
AppleSam
Here is my HJT log file:

•

Join Date: Jul 2004

Posts: 2,964

Reputation: dlh6213 is on a distinguished road

Solved Threads: 210

dlh6213

Offline

Posting Maven

Re: Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 4th, 2005

Hi AppleSam, welcome to DaniWeb

Glad you found the right place to post this

Remove Newdotnet, either from Add/Remove Programs, or by going to http://www.newdotnet.com/#remove and scrolling down to the Uninstall tool.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail...e/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O4 - HKLM\..\Run: [peawiygl] C:\WINDOWS\System32\hrruivmh.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [gqnvtj] c:\windows\system32\xrvqpuo.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...90/mcinsctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,23/mcgdmgr.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Be sure to close any open windows, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folder:

C:\Program Files\Kontiki\bin\bh304181.dll
C:\WINDOWS\system32\stlb2.dll
C:\WINDOWS\System32\hrruivmh.exe
C:\windows\system32\xrvqpuo.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\NewDotNet

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Empty your Recycle Bin.

Reboot, close any open browser windows, scan with HJT, and post a new log please along with the Ewido log.

Links to help you help yourself :

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

•

Join Date: Jun 2005

Posts: 3

Reputation: AppleSam is an unknown quantity at this point

Solved Threads: 0

AppleSam

Offline

Newbie Poster

Re: Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 5th, 2005

Hello,
Here is the log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:42 AM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\MySoftware\MyInvoices\tracker.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKLM\..\Run: [cBZnV] C:\docume~1\mikemc~1\locals~1\temp\cBZnV.exe
O4 - HKLM\..\Run: [tfbkft] c:\windows\system32\qnojky.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And here is the log from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:59:07 AM, 6/5/2005
+ Report-Checksum: C584C84

+ Scan result:

C:\I386\system@free.aol[1].txt -> Spyware.Cookie.Aol
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0042796.exe -> Spyware.SaveNow
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0042800.dll -> Spyware.SaveNow
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0043755.exe -> TrojanDownloader.Apropo.m
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0043759.exe -> Spyware.Apropos
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045770.exe/cd_clint.dll -> Spyware.Cydoor
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045780.EXE -> Spyware.MyWay
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045783.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045789.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045790.exe -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045795.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045798.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045800.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045801.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045803.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045804.dll -> Spyware.Gator
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045813.exe -> Spyware.SaveNow
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045815.dll -> Spyware.SaveNow
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0045817.exe -> Spyware.SaveNow
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP354\A0045879.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046238.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046304.exe -> TrojanDownloader.IstBar.er
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046310.dll -> Spyware.Adstart
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046316.exe -> Spyware.AproposMedia
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046331.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046339.exe -> Spyware.NewDotNet
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP355\A0046358.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP356\A0046370.dll -> Spyware.AproposMedia
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046387.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046389.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.eXact
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046395.exe -> Spyware.BargainBuddy
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046400.exe -> Spyware.CashBack
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046430.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046448.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP357\A0046449.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046459.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046476.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046492.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046546.exe -> Spyware.AproposMedia
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046547.exe -> TrojanDownloader.Intexp.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046550.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046551.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046565.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046566.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046577.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046578.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046589.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046590.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046591.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP359\A0046594.exe -> TrojanDownloader.Intexp.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0046927.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0046966.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0047062.exe -> Spyware.BetterInternet
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0047066.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP375\A0047067.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0047070.exe -> TrojanDownloader.Intexp.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP378\A0047075.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP378\A0047082.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP378\A0047086.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP378\A0047087.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP378\A0047104.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP379\A0047120.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP379\A0047128.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP380\A0047132.exe -> TrojanDownloader.Intexp.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP381\A0047141.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP381\A0047142.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049879.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049962.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049971.exe -> Spyware.AproposMedia
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049993.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049994.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0049995.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0050170.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0050196.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0050200.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP393\A0050206.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0050245.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0050270.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0050279.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0050280.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050299.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050309.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050314.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050321.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP396\A0050324.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP397\A0050330.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP397\A0050394.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP397\A0050424.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP397\A0050432.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP397\A0050433.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050435.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050437.dll -> Spyware.NewDotNet
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050444.exe -> Trojan.Agent.cp
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050457.exe -> Trojan.Nail
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050458.exe -> Trojan.Stervis.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP398\A0050460.ini -> Spyware.Cookie.Firsthorizon
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall5_20.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall5_48.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet
C:\WINDOWS\ozdwjt.exe -> Spyware.BetterInternet
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@free.aol[1].txt -> Spyware.Cookie.Aol
C:\WINDOWS\SYSTEM32\D0CE0C16B1.DLL -> Spyware.Hijacker.Generic
C:\WINDOWS\SYSTEM32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d
C:\WINDOWS\SYSTEM32\ied.exe -> TrojanDownloader.Mediket.ab
C:\WINDOWS\SYSTEM32\infamous.exe -> TrojanSpy.Briss.h
C:\WINDOWS\SYSTEM32\qnojky.exe -> Trojan.Agent.cp
C:\WINDOWS\SYSTEM32\stlb2.dll -> TrojanDownloader.Braidupdate.d

::Report End

Thanks,
AppleSam

•

Join Date: Jun 2005

Posts: 3

Reputation: AppleSam is an unknown quantity at this point

Solved Threads: 0

AppleSam

Offline

Newbie Poster

Re: Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 5th, 2005

Hi dlh6213,
Once this problem has been eliminated I will need a better antivirus defense. Do you recommend Norton Antivirus?
Thanks again for your help.
AppleSam

•

Join Date: Jul 2004

Posts: 2,964

Reputation: dlh6213 is on a distinguished road

Solved Threads: 210

dlh6213

Offline

Posting Maven

Re: Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 5th, 2005

•

Originally Posted by AppleSam

Hi dlh6213,
Once this problem has been eliminated I will need a better antivirus defense. Do you recommend Norton Antivirus?
Thanks again for your help.
AppleSam

Not really; it's one of the best at what it does, but it uses a lot of system resources, it is more intrusive then most, and causes problems for a lot of users. It's also a pain to remove (I just took it off of mine a couple of weeks ago). A better alternative is Nod32 (http://www.nod32.com/home/home.htm); if you check the reviews, you'll find that is consistantly the best at finding viruses and is one of the fastest at scanning. I think it costs less then Norton too, or at least competetive.

Another good alternative, that's free, is AVG (http://www.grisoft.com/doc/1). It's not the best, but it's pretty darn good for the price

Here are some reviews:
http://www.nod32.com.hk/news/compare.htm
http://www.virusbulletin.com/vb100/a...ucts.xml?table
Detailed report:
http://www.virusbtn.com/library/files/4pg_reprint.pdf

Your log looks much better, but I don't have time to go through it completely right now; I'll get to it ASAP.

•

Join Date: Jul 2004

Posts: 2,964

Reputation: dlh6213 is on a distinguished road

Solved Threads: 210

dlh6213

Offline

Posting Maven

Re: Newbie to site. Need help eliminating aurora, drpmon.dll virus

Jun 5th, 2005

Is MyInvoices a program you installed yourself?

Scan with hijackthis and have it fix the following entries:

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [cBZnV] C:\docume~1\mikemc~1\locals~1\temp\cBZnV.exe
O4 - HKLM\..\Run: [tfbkft] c:\windows\system32\qnojky.exe

Remember to close any open windows before hitting Fix checked.

Go to c:\windows\system32 and delete qnojky.exe

You still have something running from a Temp folder, so go through this again:

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Empty your Recycle Bin.

Follow the instructions in this thread:
http://www.daniweb.com/techtalkforums/thread13362.html

Reboot, close any open browser windows, scan with HJT, and post a new log please.