0

Hi guys,
I've been hijacked (like thousands of others it seems) by aurora. I've managed to rid myself of the dreaded DrPmon.dll and various other nasties but Adaware still picks up 21 references to VX2. I can delete these registry entries in normal mode through regedit but they reappear when I enable my broadband connection. Can anyone help please. Here's my HijackThis log :)

Logfile of HijackThis v1.99.1
Scan saved at 4:53:09 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTSvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Internet Sweeper Pro\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

3
Contributors
11
Replies
12
Views
12 Years
Discussion Span
Last Post by crunchie
0

You still have indications of the Aurora (DrPmon.dll) infection in your log. Please perform the following standard Aurora removal proceedure; it will probably clean up a lot of other leftover "nasties" as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly (this is normal).


* Then run Ewido, and run a full scan. Save the logfile from the scan.


* Next run HijackThis, click Scan, and put a check in the box to the left of:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.


* Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

- Close HijackThis


* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

0

Hi again,

I have followed the instructions above and now post the followup HijackThis and Ewido logs. Popups have disappeared but I'm still not sure whether my system is clean. Thank you for your help so far...awesome! ;)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           11:49:04 PM, 7/7/2005
+ Report-Checksum:      9957C653


+ Scan result:


:mozilla.50:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Hanan\Application Data\Mozilla\Firefox\Profiles\gj571qgl.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00928576.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00929680.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930336.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930340.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930344.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930561.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930563.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00930570.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931234.DLL -> Spyware.SmartPops : Cleaned with backup
C:\RECYCLER\NPROTECT\00931235.EXE -> Spyware.SmartPops : Cleaned with backup
C:\RECYCLER\NPROTECT\00931236.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931237.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931238.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931239.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931240.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\RECYCLER\NPROTECT\00931241.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931242.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931243.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00931244.exe -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00931245.EXE/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00931245.EXE/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00931276.exe -> TrojanDownloader.Swizzor.cg : Cleaned with backup



::Report End


Logfile of HijackThis v1.99.1
Scan saved at 11:52:02 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Internet Sweeper Pro\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by pritaeas: Fixed formatting

0

Your HJT log is almost clean now. :)

There are just a couple of leftovers to take care of:

1. You have the Messenger Plus! 3 program installed, and that program has a "Sponsored" (read: adware-driven) installation mode. If you aren't sure if you installed the Sponsor option when you first installed the program, uninstall it and reinstall it without the sponsor. Better yet- don't reinstall it.


2. Although not the result of malicious infections (it's probably the result of an incomplete program uninstallation), the following entry indicates a missing component in your networking software stack:

O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing

To fix the problem, download WinsockXPFix, run it, and click the "Fix" button. Choose YES when asked if you want to proceed.

0

Excellent! My sincere thanks to you for your help. I have learnt so much by being part of this community and have already recommended the forums to my friends. Keep up the excellent work. :D

0

You are welcome; I'm glad we could help. :)

Were you able to fix the "Broken Internet access..." problem with WinsockXPFix?

0

Sure did.. I've now defragged the machine and everything is sweet. You have given me the confidence to now have a go at my daughter's laptop that has been infected with the Aurora nastie for about a month. Thanks once again ... forums like these are what good internet is all about! :D

0

Glad we could help. :)

In terms of cleaning your daughter's computer, do keep in mind that each computer is configured differently, and will probably have different types of infections in addition to Aurora. Given that, some of the infection removal procedures are computer-specific, as are the results you'll get from HijackThis scans run on different computers. Always ask before fixing anything that you have the slightest question about.

0

Also:


Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

0

Hi,
Thanks for the advice. Before I got infected I was already running firefox and thunderbird and only used IE to get my windows updates. I had Spybot S&D, Adaware SE and Spyware Blaster installed (all of these I vigilantly kept up to date). I have Norton installed and have that set to receive auto updates (I also checked manually every two days). I enabled the firewall in XP (but I now realise that I will need another firewall program). I scan for spyware and viruses every week, So needless to say I was pretty hacked off about getting Aurora. Still, I'm not the only user on the computer and in this case it was my son who picked up the dreaded lurgy by going into a 'crack' site. He has been repremanded since.

Rest assured I will continue to seek advice when I start the cleaning process of my daughter's lappy.

Cheers

PS: I was just browsing the other forums and have found a link for ieView - now there's no reason to use IE at all! Yahooo!

0

Before I got infected I was already running...

Yeah, what I posted is just a "canned answer" that I paste from a text file; most people are already doing at least some it. :)

0

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.