Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help Aurora :( spyware [RESOLVED]

Started by coollivinghp , Jun 23 2005 07:54 PM

This topic is locked

#16
coollivinghp

Posted 24 June 2005 - 09:47 AM

Member

Topic Starter
Member
30 posts

Heres Qoologic file. :tazz:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\IRISU.DLL
* KavSvc C:\WINDOWS\System32\NENIRKP.DLL
* aspack C:\WINDOWS\System32\WQWKP.DAT
* aspack C:\WINDOWS\System32\DCDMBAN.EXE
* aspack C:\WINDOWS\System32\HKHPRA.EXE
* aspack C:\WINDOWS\System32\IRISU.DLL
* aspack C:\WINDOWS\System32\NENIRKP.DLL
* UPX! C:\WINDOWS\SVCPROC.EXE
* UPX! C:\WINDOWS\WUPDSNFF.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RDRI.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
hp center UI.lnk
hp center.lnk
Microsoft Office.lnk
rdri.exe
SnapDetect.lnk

User Startup:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmxfyng
<NO NAME> REG_SZ {dda7f5b8-d0ba-4b4e-9643-7f22cfe63371}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

#17
Trevuren

Posted 24 June 2005 - 10:30 AM

Old Dog

Retired Staff
18,699 posts

When Killbox isn't able to kill a file on the first attempt, are you writing down the file so you can try and kill it the second way?

What files aren't being killed the first time? What seems strange is that they are essentially the same files as I gave you to kill. When Narrator comes back, it usually comes back with mostly different files. That is what I am having a difficult time understanding.

Please provide answers to these questions after running the next step:
-----------------------------------------------------------------------------------------

Download Find-IT 2000/XP to your desktop.
Unzip/extract the files inside preferable to C:\ < a new folder.
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!
Open the folder and run the FindIt's.bat and wait for a text to open, it will take awhile be patient, post the results please.

Notes:

1. If you get an error similar to: autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc' or a 16 bit application error.

2. Go here and use the appropriate fix for your system
http://www.tech-foru...opic/29806.html
More info here: http://support.micro...kb;en-us;324767

Trevuren

#18
coollivinghp

Posted 24 June 2005 - 11:03 AM

Member

Topic Starter
Member
30 posts

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is C0F2-521D

Directory of C:\WINDOWS\System32

06/24/2005 10:41 PM <DIR> dllcache
06/21/2005 10:28 PM 32 {0D3ED11C-355A-4B8C-BB5B-D304E3C7654B}.dat
10/28/2002 11:28 AM <DIR> Microsoft
1 File(s) 32 bytes
2 Dir(s) 67,564,769,280 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is C0F2-521D

Directory of C:\WINDOWS\System32

06/24/2005 10:41 PM <DIR> dllcache
06/21/2005 10:28 PM 32 {0D3ED11C-355A-4B8C-BB5B-D304E3C7654B}.dat
10/28/2002 10:34 AM 488 WindowsLogon.manifest
10/28/2002 10:34 AM 488 logonui.exe.manifest
10/28/2002 10:34 AM 749 sapi.cpl.manifest
10/28/2002 10:34 AM 749 nwc.cpl.manifest
10/28/2002 10:34 AM 749 ncpa.cpl.manifest
10/28/2002 10:34 AM 749 wuaucpl.cpl.manifest
10/28/2002 10:34 AM 749 cdplayer.exe.manifest
8 File(s) 4,753 bytes
1 Dir(s) 67,564,765,184 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HP_PAVILION
Volume Serial Number is C0F2-521D

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is HP_PAVILION
Volume Serial Number is C0F2-521D

Directory of C:\WINDOWS\System32

08/29/2002 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 67,564,765,184 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
{0d3ed~1.dat Tue Jun 21 2005 10:28:34p A.SH. 32 0.03 K

1 item found: 1 file, 0 directories.
Total of file sizes: 32 bytes 0.03 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\dcdmban.exe: .aspack
C:\WINDOWS\system32\hkhpra.exe: .aspack
C:\WINDOWS\system32\irisu.dll: .aspack
C:\WINDOWS\system32\nenirkp.dll: .aspack
C:\WINDOWS\system32\wqwkp.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\rdri.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\\hp\\bin\\BlockTracker.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"nwiz"="nwiz.exe /installquiet /keeploaded"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"SpyBlocker"="C:\\Program Files\\SpyBlocker Software\\spyblocker.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#19
coollivinghp

Posted 24 June 2005 - 11:25 AM

Member

Topic Starter
Member
30 posts

My norton Antivirus 2003 detected poller.exe but it couldn't delete it ... :tazz:

it detected it atleast 5-7 times .

#20
Trevuren

Posted 24 June 2005 - 11:37 AM

Old Dog

Retired Staff
18,699 posts

Please respond to the questions that I asked you in my previous post
(They are just before the find-it intructions.)

Trevuren

#21
coollivinghp

Posted 24 June 2005 - 01:08 PM

Member

Topic Starter
Member
30 posts

i'm following every single step that u give me :tazz:

deleated every file and wrote down file name and it got deleated after reboot

#22
coollivinghp

Posted 24 June 2005 - 01:14 PM

Member

Topic Starter
Member
30 posts

do i deleat the folder of Aurora in my C: drive? the path is like this C:\!Submit and it has Nail.exe, Hkhpra.exe, Uenterpriseserver.exe, and buddy.exe

#23
Trevuren

Posted 24 June 2005 - 01:20 PM

Old Dog

Retired Staff
18,699 posts

You can, I will be back with a new solution later tonight

Trevuren

#24
coollivinghp

Posted 24 June 2005 - 01:26 PM

Member

Topic Starter
Member
30 posts

thanks man

u rock

#25
Trevuren

Posted 24 June 2005 - 03:47 PM

Old Dog

Retired Staff
18,699 posts

First:
Please download ewido security suite it is a trial version of the program.

Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.

ONCE THE UPDATES INSTALLED, REBOOT INTO SAFE MODE. DURING THE SCAN DO NOT OPEN ANY FOLDERS OR GO INTO CONTROL PANEL.

Open EWIDO and do the following:

Click on scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop

Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Regards,

Trevuren

#26
coollivinghp

Posted 24 June 2005 - 03:47 PM

Member

Topic Starter
Member
30 posts

Trevuren just curious to know if u cam up with any solutions. I hate this aurora thing. And ur the BIGGEST help i got :tazz:

Thanks a lot man.

#27
Trevuren

Posted 24 June 2005 - 03:56 PM

Old Dog

Retired Staff
18,699 posts

I just posted the EWIDO solution

Trevuren

#28
coollivinghp

Posted 24 June 2005 - 06:25 PM

Member

Topic Starter
Member
30 posts

Trevuren, i'm sorry i couldn't save the file log cuz my sister mest it up. she was sitting looking at the fix and when it finshed she restarted it BUT i had to write the quarantine file down . Here it is ...

C:\Documents and settings\owner\local settings\temp\leu\aurareco.exe
C:\Documents and settings\owner\local settings\temp\Installer_marketing49
C:\Documents and settings\owner\local settings\temp\HXO\aurareco.exe
C:\Documents and settings\owner\cookies\owner@xiti[1].txt
C:\Documents and settings\owner\cookies\[email protected][2].txt
C:\Documents and settings\owner\cookies\[email protected][1].txt
c:\windows\vkahxqlqgri.exe
c:\windows\system32\im49.exe
C:\windows\system32\drPmon.dll_tobedeleated

#29
Trevuren

Posted 24 June 2005 - 06:44 PM

Old Dog

Retired Staff
18,699 posts

Run it again please, the same way and then post the log. We'll get that critter yet.

Trevuren

#30
coollivinghp

Posted 24 June 2005 - 07:22 PM

Member

Topic Starter
Member
30 posts

Hi i just completed the scan again here's my file :tazz:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:18:44 AM, 6/25/2005
+ Report-Checksum: 54CE321A

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 28 min
+ Scanned Files: 65793
+ Speed: 38.57 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!

::Report End