Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

unable to remove aurora, DrPMon.dll and more


  • This topic is locked This topic is locked

#1
mayo

mayo

    New Member

  • Member
  • Pip
  • 2 posts
I've used lavasoft and spyware search and destroy. I'm unable to remove several malware:

Elitum.EliteBar
DyFuCa.InternetOptimizer
DrPMon.dll
Aurora

Below is the HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 7:00:07 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ialkaz.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\suhawj.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAA\aurareco.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wupdt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OLT\aurareco.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wupdt.exe
C:\WINDOWS\System32\mcafe32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\downloads\bug zapping\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.razorny.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\Run: [uRbEl4nI] C:\windows\temp\uRbEl4nI.exe
O4 - HKLM\..\Run: [Rg] c:\windows\temp\Rg.exe
O4 - HKLM\..\Run: [wU5r] c:\windows\system32\wU5r.exe
O4 - HKLM\..\Run: [Zf3] C:\documents and settings\administrator\local settings\temp\Zf3.exe
O4 - HKLM\..\Run: [AutoLoaderuw0Z1bOePOLa] "C:\WINDOWS\System32\hcctb.exe"
O4 - HKLM\..\Run: [u3rT3nT] hcctb.exe
O4 - HKLM\..\Run: [2jMJ] c:\documents and settings\administrator\local settings\temp\2jMJ.exe
O4 - HKLM\..\Run: [ZLMsI9qKl] c:\windows\system32\ZLMsI9qKl.exe
O4 - HKLM\..\Run: [51ZrF] c:\documents and settings\administrator\local settings\temp\51ZrF.exe
O4 - HKLM\..\Run: [M2D1PuY] c:\windows\system32\M2D1PuY.exe
O4 - HKLM\..\Run: [JuQ] c:\documents and settings\administrator\local settings\temp\JuQ.exe
O4 - HKLM\..\Run: [W0SaUuSVL] c:\documents and settings\administrator\local settings\temp\W0SaUuSVL.exe
O4 - HKLM\..\Run: [i7rBR3r] c:\documents and settings\administrator\local settings\temp\i7rBR3r.exe
O4 - HKLM\..\Run: [aak3sg8l] C:\WINDOWS\System32\aak3sg8l.exe
O4 - HKLM\..\Run: [oildnPeq6] C:\documents and settings\administrator\local settings\temp\oildnPeq6.exe
O4 - HKLM\..\Run: [eQX] C:\windows\system32\eQX.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KgnJ8V3.exe
O4 - HKLM\..\Run: [neesgqv] c:\windows\system32\suhawj.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [f003RhfsU] ialkaz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks all, mayo
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome mayo to Geeks to Go!


You have the Peper trojan.
Download the Peperfix Tool and save it to your Desktop.
Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.

Then move on to my next advise.
  • 0

#3
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


***

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

***

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Please download the Killbox. *In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop. Don't run it yet.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Find and doubleclick the file cleanup.

Go to option
Select ‘custom’
Put a check to:* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Then please run Ewido, and run a full scan. Save the logfile from the scan.

***

Next please run HijackThis, click Scan, and check:

O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe

O4 - HKLM\..\Run: [uRbEl4nI] C:\windows\temp\uRbEl4nI.exe

O4 - HKLM\..\Run: [Rg] c:\windows\temp\Rg.exe

O4 - HKLM\..\Run: [wU5r] c:\windows\system32\wU5r.exe

O4 - HKLM\..\Run: [Zf3] C:\documents and settings\administrator\local
settings\temp\Zf3.exe

O4 - HKLM\..\Run: [AutoLoaderuw0Z1bOePOLa] "C:\WINDOWS\System32\hcctb.exe"

O4 - HKLM\..\Run: [u3rT3nT] hcctb.exe

O4 - HKLM\..\Run: [2jMJ] c:\documents and settings\administrator\local settings\temp\2jMJ.exe

O4 - HKLM\..\Run: [ZLMsI9qKl] c:\windows\system32\ZLMsI9qKl.exe

O4 - HKLM\..\Run: [51ZrF] c:\documents and settings\administrator\local settings\temp\51ZrF.exe

O4 - HKLM\..\Run: [M2D1PuY] c:\windows\system32\M2D1PuY.exe

O4 - HKLM\..\Run: [JuQ] c:\documents and settings\administrator\local
settings\temp\JuQ.exe

O4 - HKLM\..\Run: [W0SaUuSVL] c:\documents and settings\administrator\local settings\temp\W0SaUuSVL.exe

O4 - HKLM\..\Run: [i7rBR3r] c:\documents and settings\administrator\local settings\temp\i7rBR3r.exe

O4 - HKLM\..\Run: [aak3sg8l] C:\WINDOWS\System32\aak3sg8l.exe

O4 - HKLM\..\Run: [oildnPeq6] C:\documents and settings\administrator\local settings\temp\oildnPeq6.exe

O4 - HKLM\..\Run: [eQX] C:\windows\system32\eQX.exe

O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe

O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe

O4 - HKCU\..\Run: [f003RhfsU] ialkaz.exe

Close all open windows except for HijackThis and click Fix Checked.

***

double-click Killbox.exe to run it.

Select "Delete on Reboot".

Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\documents and settings\administrator\local settings\Temp\wupdt.exe
c:\windows\system32\suhawj.exe
C:\documents and settings\administrator\local settings\Temp\ZAA\aurareco.exe
C:\documents and settings\administrator\local settings\Temp\OLT\aurareco.exe
C:\WINDOWS\System32\mcafe32.exe
C:\windows\temp\uRbEl4nI.exe
c:\windows\system32\wU5r.exe
C:\documents and settings\administrator\local settings\temp\Zf3.exe
C:\WINDOWS\System32\hcctb.exe
c:\documents and settings\administrator\local settings\temp\2jMJ.exe
c:\windows\system32\ZLMsI9qKl.exe
c:\documents and settings\administrator\local settings\temp\51ZrF.exe
c:\windows\system32\M2D1PuY.exe
c:\documents and settings\administrator\local settings\temp\JuQ.exe
c:\documents and settings\administrator\local settings\temp\W0SaUuSVL.exe
c:\documents and settings\administrator\local settings\temp\i7rBR3r.exe
C:\WINDOWS\System32\aak3sg8l.exe
C:\documents and settings\administrator\local settings\temp\oildnPeq6.exe
C:\windows\system32\eQX.exe
C:\WINDOWS\System32\ialkaz.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 24 June 2005 - 01:39 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP