Can't kick this VX2 Aurora malware..(All steps done)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Quagmire02, May 26, 2005.

  1. Quagmire02

    Quagmire02 Private E-2

    I completed all the steps in the sticky. Ad-Aware finds 30-40 files of this VX2 Aurora malware; I delete them all and it says it can't delete ALL of them. This one particular file, C:\Windows\System32\drPMon.dll, will not go away. After I rescan with Ad-Aware, it's still there. Restart my comp and the 30-40 VX2 cohorts are back.

    I tried deleting the .dll file itself, and it says access is denied because it may be in use. Ad-Aware detects the file twice, once as a process. I'm guessing it's running somewhere, but it doesn't show up in Task Manager either. I can post a HJT log file at a reviewer's request. I know how to post the way you guys like it (running the exe from the HJT folder, not from the desktop, and closing down all open programs before scanning).

    So, do I have the go-ahead to post the log, or does someone already have an answer? Thanks a million times in advance!
     
  2. Quagmire02

    Quagmire02 Private E-2

    I see. So the "wiggygirl" makes a post for help and everyone jumps to be the knight in shining armour to save her PC from spyware.

    Just kidding. Well, no I am not. Guys, please help. This VX2 thing is really annoying.

    And I know this is a big request... but if you could not only post steps to removing this from my comp but explain WHY it is particularly difficult for me to remove? That would help for future reference and I won't clutter this board with spyware problems :)
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. Quagmire02

    Quagmire02 Private E-2

    Thanks!
     

    Attached Files:

  5. Quagmire02

    Quagmire02 Private E-2

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start ABIRemover.exe, press Install, and wait (the Explorer window will disappear).

    Reboot and proceed with the following online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you have completed the above online scans reboot and post a fresh HJT log.
     
  7. Quagmire02

    Quagmire02 Private E-2

    Thanks for responding. I did all that you said. Here is the HJT log and also screenshots of the scan results for the RAV and BitDefender scans.

    The Trend Micro came up with these:

    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\zwttmdhwkx.exe

    And the TrojanScan came up with these:

    C:\WINDOWS\System32\DrPMon.dll
    C:\WINDOWS\System32\tct101.dll

    The other scans I will post as an attachment (screenshots).
     

    Attached Files:

  8. Quagmire02

    Quagmire02 Private E-2

    scans
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and run the ABI Remover again. After you install the program, reboot and post a fresh HJT log.

    Also, be sure you have System Restore disabled!
     
  10. Quagmire02

    Quagmire02 Private E-2

    System restore is always disabled on my PC

    Here is the new log.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)

    O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
    O4 - HKLM\..\Run: [tewobq] c:\windows\system32\zfnwaze.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\zfnwaze.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  12. Quagmire02

    Quagmire02 Private E-2

    When I scanned the first time I noticed the nail.exe thing was back. Then I did the ABI thing again, scanned again, and it was gone. So was that other exe file you told me to remove. Upon the third scan, there is a new exe file in there. I went to the system32 folder and removed the first file you told me to delete.

    Is it possible that whatever is doing this is renaming itself?
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you complete the above, reboot and post your results along with a fresh HJT log.

    You MUST get the update for this to successfully remove this pest!
     
  14. Quagmire02

    Quagmire02 Private E-2

    Here is the new log.


    NOTE: I ran the scan and it surely found trojans. When I cleaned them, my spybot S&D alerted me of registry changes: randomly named .exe files added to my system32 folder.

    My guess is that this thing keeps renaming itself and reinstalling once it's cleaned. This has happened every time I've scanned, purged, or run any of this software that is supposed to remove spyware. As I'm typing this, the Aurora window is popping up in my face.

    Thanks for your help, and I hope this information gives you more insight as to what to suggest for me.
     

    Attached Files:

  15. Quagmire02

    Quagmire02 Private E-2

    Also, every time TrojanHunter cleans, it pops right back up saying it found Agent.167, and Spybot alerts me of a registry change (new .exe file added).
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and run the ABI Remover again, after you do this run TrojanHunter once more.

    Before you run TrojanHunter, download the updates below. After download is complete, extract the contents to the installation directory of TrojanHunter.

    Updates!
     
  17. Quagmire02

    Quagmire02 Private E-2

    I rebooted in Safe Mode. Did exactly what you said. TrojanScanner found one file to be recurring. It's this file:

    O4 - HKLM\..\Run: [duaqiml] c:\windows\system32\iutaydf.exe

    That iutaydf.exe file kept coming back. I had TrojanScanner clean the 19 or so files it came up with, then I rescanned and it showed that same file again.

    I navigated to my windows\system32 folder in the command prompt and I tried deleting it manually (del iutaydf.exe /f /s /q) and it deleted. Ran the scans again and it didn't show up. Ran Ad-Aware, Spybot and CCleaner once more before I rebooted into regular mode.

    Once in regular mode, I ran TrojanScanner and it didn't see that file. However, I ran HJT right after and the log came up with that file again.

    O4 - HKLM\..\Run: [duaqiml] c:\windows\system32\iutaydf.exe

    So, I guess it's back. I'm posting the log for you. I am stumped at this point.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First I would disable Spybot's TeaTimer because it can sometimes make it difficult to remove problems.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    After doing the above follow the below steps but note that if you have rebooted or powered down the problem may have already mutated and these steps may no longer apply. If that is the case, post a new HJT log and do not power down or reboot afterwards:

    Download Pocket KillBox and extract it to its own folder.

    IMPORTANT: Now print these instruction or copy them locally. I want you to run all of the below steps while physically disconnected from the internet. Do not reconnect until I say to do so. And do not open a browser until I say to.

    OK! Disconnect now before continuing.

    Now run killbox.

    Now, Copy and Paste c:\windows\system32\iutaydf.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    At this point, I want you to pull the power cord to your PC (yes, you read that correctly). I want to try to prevent it from spawning on shutdown. Again make sure no browsers are opened and that you are physically disconnected from the internet.

    After reboot run HJT and look for the below line and fix it:
    O4 - HKLM\..\Run: [duaqiml] c:\windows\system32\iutaydf.exe

    Now get a new HJT log. Reconnect to the internet, run your browser and come back here and post the HJT log. Tell us how the above steps went and where things stand now. Remember, if there is still a problem, do not reboot or power down after posting your HJT log.
     
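    As an added example (not code from this thread, from HijackThis or from KillBox), here is a small Python script that does the triage of posts 11, 17 and 18 by hand: it parses HJT O4 autostart lines, flags targets that fit the pattern seen here (a randomly named lowercase .exe dropped straight into %windir% or system32, or anything launched from a Temp folder), and composes the PendingFileRenameOperations registry value that "delete on reboot" tools rely on. The sample log lines are constructed from entries quoted in the thread plus three ordinary autostarts; the allowlist, the SYSTEM_DIRS set and the random-name heuristic are my assumptions, not anything HJT itself does.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: O4/O9 lines modelled on the ones quoted in this
# thread, plus three ordinary autostart entries (ctfmon, SoundMAX, MSN
# Messenger) that a sane triage must leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\smax4pnp.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [tewobq] c:\windows\system32\zfnwaze.exe
O4 - HKLM\..\Run: [duaqiml] c:\windows\system32\iutaydf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# HJT O4 line shape:  O4 - HKLM\..\Run: [ValueName] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First token of the command line, quoted or not, ending in an executable extension.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?=\s|$)', re.IGNORECASE
)

# Assumed allowlist of autostarts that legitimately live directly in system32;
# extend it for your own environment.
ALLOWLIST = {"ctfmon", "rundll32", "userinit"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32"}
# Assumed heuristic for the names seen in this thread: tewobq, zfnwaze, iutaydf, zwttmdhwkx.
RANDOM_NAME = re.compile(r"[a-z]{5,12}")


def parse_o4(line: str):
    """Return a dict with hive/key/name/cmd/path for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:
        return None
    entry = m.groupdict()
    entry["path"] = exe.group("path")
    return entry


def classify(path: str) -> list:
    """Reasons this autostart target deserves a closer look (empty list = nothing odd)."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    stem = p.stem
    reasons = []
    if parent in SYSTEM_DIRS and stem.lower() not in ALLOWLIST and RANDOM_NAME.fullmatch(stem):
        reasons.append("random-looking lowercase name dropped directly into a Windows system directory")
    if any(part.lower() == "temp" for part in p.parent.parts):
        reasons.append("autostart launched from a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Parse every O4 line of an HJT log and return the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = classify(entry["path"])
        if reasons:
            hits.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return hits


def pending_rename_delete(paths) -> list:
    r"""Compose the REG_MULTI_SZ content of
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
    Session Manager reads it at the next boot as (source, destination) pairs in
    NT path syntax; an empty destination means "delete the source". This is what
    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) writes and is the mechanism
    behind KillBox's "Delete on Reboot". Writing it requires admin rights on
    Windows; this function only builds the value."""
    value = []
    for p in paths:
        value += ["\\??\\" + p, ""]
    return value


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit['name']}] {hit['path']}: {'; '.join(hit['reasons'])}")
    print(pending_rename_delete([h["path"] for h in hits]))
```

    Run against the constructed log, the script flags the two randomly named system32 binaries and the Temp-folder launcher and leaves ctfmon, SoundMAX and Messenger alone. A Run value that HJT still lists after the file has been deleted (as in post 19) is the expected state for this kind of pest: the registry value and the file are re-created together at shutdown, which is why post 18 deletes the file at boot time and then cuts power instead of shutting down cleanly.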
  19. Quagmire02

    Quagmire02 Private E-2

    Did what you said, however KillBox could not find the file!

    I ran my trojan scanner again and nothing is seeing this file anymore except for HJT. I scanned with HJT again and it still shows it. I have not rebooted since my last post. It is also not there when I navigate to the folder with Windows Explorer.

    Maybe this thing is waiting to spawn? What do you recommend?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Proceed with KillBox; blue or not, it will remove it. If you have rebooted, don't waste your time because it's already mutated.
     
  21. Quagmire02

    Quagmire02 Private E-2

    OK, I have not run into any effects from that file supposedly still being on my computer. Nothing can detect it besides HijackThis, yet I have not had a single aurora popup since. I have not rebooted since either.

    Do you still suggest that when I do finally shut it down that I pull the plug?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like to see you complete the steps from message # 18 (whether Pocket Killbox finds the file or not).
     
  23. Quagmire02

    Quagmire02 Private E-2

    I completed those steps. I don't seem to have the Aurora or nail.exe stuff anymore. Pulling the plug on my system may have broken my DVD burner, however. Upon startup, my system sometimes hangs at the Windows loading screen. It just loads forever. Sometimes I get in, however.

    My DVD drive will not open. I press the button and the LED flashes and nothing happens. I can open it by sticking a pin in the little hole, but when I put in a new disc it reads nothing. Device Manager detects the drive fine, and I've tried uninstalling it both manually and in Device Manager. Nothing. I'm guessing pulling the plug on the system might have broken something? I have to remove the drive completely to make Windows boot smoothly now.

    Getting power, IDE detecting it, but the damn thing wont open or read discs. All out of the blue since yanking the power cable.

    So, Aurora is gone, and my DVD burner with it.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I cannot say for sure that pulling the power cord did not break the DVD burner, I would not expect that it would. If it has, I apologize for that. We have had to use procedures like this many times to kill stubborn malware and we have never had a problem like this occur.

    Did you actually try:
    - uninstalling the drive from Device Manager
    - power down and physically remove the IDE and power cables to the drive
    - now reboot with no drive available
    - now power down and reinsert the IDE and power cables to the DVD drive
    - power back up and enter your system BIOS and make sure it is set to autodetect drives
    - exit BIOS and boot to Windows, does it detect new hardware
    - if so install any drivers necessary from your original disks

    Does any of that help?
     
  25. Quagmire02

    Quagmire02 Private E-2

    So far I have tried all of those things, though not in succession. I uninstalled in Device Manager but then reinstalled. I unplugged the physical connections and then reinstalled the physical connection. I unplugged the physical connections and rebooted with no CD/DVD drive (this is the only way my computer would boot into Windows smoothly). I have also checked BIOS.

    In all cases, my computer detected the hard drive perfectly in BIOS, Device Manager, My Computer etc. Also, in all cases, my drive had the same problem: it does not respond to the open/eject button other than the flashing LED. It stops flashing and does nothing after about 3 seconds. Even when I force the drive open with the pin and I insert a disc, the eject button is totally unresponsive. Also, right-clicking on the drive in My Computer and selecting "Eject" does absolutely nothing. It seems it's mechanically unresponsive to eject (other than the flashing LED) in every facet. And maybe as a result of this, it's not reading discs as well. I do not know exactly what triggers CD/DVD drives to work.

    I will try doing what you said in that successive order, but I cannot do the last step because I only have one CD drive.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the CD drive on the Secondary or Primary controller?

    You could also try making it a slave drive with the Hard disk the master both on the Primary Controller. That is assuming you have a cable that has both connectors on it.

    Who makes the DVD burner?
     
  27. Quagmire02

    Quagmire02 Private E-2


    HP dvd writer 200i

    I should note that upon a Google search I learned that many people have had a similar problem with the other version of this drive, the 200e, but they all experienced it after installing HP's latest firmware... (not my case).

    The drive is on my primary IDE, and its the master. It has worked totally fine like this. My boot order is Floppy>HDD>DVD/CD.

    How do you configure the HDD as the master and the CD ROM as slave on one IDE cable? The physical structure of most ATX cases has bays for CD drives higher than the bays for 3.5" drives, which means you have to use the black connector on the higher device and the grey on the lower..
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your DVD drive is the master on the Primary Controller, I would then assume your hard disk is either a SATA drive or a SCSI drive which means you cannot tie them together. Try putting your burner as the master on the Secondary also try changing the IDE cable, if you have another.
     
  29. Quagmire02

    Quagmire02 Private E-2

    No, my hard disk is IDE. It has worked fine as the slave.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not the normal way to set things up. And it slows down your hard disk. Your hard disk should be the master on your primary controller and your CD/DVD drive should be the master on your secondary. However this does not explain why it does not work anymore at all but it does explain why your PC will not boot with the DVD player installed. This is because it is the master. Changing it around will allow your PC to boot properly even if the DVD drive is damaged.
     
  31. Quagmire02

    Quagmire02 Private E-2


    I think I remember doing this because my 2nd IDE channel doesn't detect CD drives. It only seems to detect hard disks.

    Anyways, I had it set up like that before, and Windows always boots fine. I'm just attributing it to being a crappy drive. Or maybe my mobo is crappy. I dunno, I bought the mobo brand new. I already ordered a SATA DVD burner as it's really a necessity for me to have one. Provided my SATA controllers work, it will kill 2 birds with one stone (HDD can then be the master on Pri IDE and DVD drive will be on SATA, and SATA is supposedly hot-swappable [no damaging it from unplugging]).
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That sounds like a defective mother board and could it be that now the Primary does not detect CD drives either?

    I would still suggest that you change the current HD to the master (it must be a master already or you are using cable select) and then set your DVD drive to the slave and put them on the Primary Controller. This will allow Windows to boot and then you can see if the DVD drive will work as a slave.
     
  33. Quagmire02

    Quagmire02 Private E-2

    How do you physically do this when most ATX cases are set up with 5.25 bays higher than 3.5 bays? I HAVE to put the black (master) on the 5.25 and the blue (slave) connector on the 3.5....unless I turn my drives upside down....
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The physical design problem can always be a pain. Sometimes just having properly designed cables and correct cable lengths for your cabinet is the only real easy solution. To first test whether it will even help at all, you can just try leaving the drives in some temporary configuration (however you can safely accomplish this without shorting anything out) that will work to have both drives connected.

    Do you have access to another PC where you can plug in your DVD drive to see if it still functions?
     
  35. Quagmire02

    Quagmire02 Private E-2

    Not readily, but I will sometime this week. Trying it in another PC sounds more do-able. I'm really banking on SATA being an interface that encounters less problems than IDE...

    To me it sounds like a mechanical problem rather than a configuration problem. It's like whatever triggers the little gears to open/close the tray is dead. If it were a config problem, I can't see anything causing the drive to act this way.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be that your Flash firmware took a hit too. That's why I wanted to boot from the hard disk with the DVD drive as a slave ..... so we can check to see if it is seen by the OS and if the firmware version is readable.
     
  37. Quagmire02

    Quagmire02 Private E-2

    I got my SATA drive and hooked it up. Would you believe that the same problem was happening? Everything detected it, but the tray would not open. So I go to the Plextor site and troubleshoot the problem. I was getting 5 amber blinking codes when I pressed eject, and that said it was a power problem. So, I open my case, unplug the SATA power adapter off the regular power cable and notice I already have SATA power cables on my PSU. I plug that in, problem solved. Then I realize that the blinking my HP drive did was also probably a code.

    I'm guessing that maybe one of my power cables coming from the PSU is messed up. I'm going to try reinstalling the HP drive using a different plug on the PSU, then I will just try using it in another PC.

    What do you think?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give it a try. I still do not like the idea of the DVD drive being the master and the HD being a slave on the Primary Controller. The recommended configuration for these two items would be:

    Hard Disk master on Primary Controller
    DVD drive master on Secondary Controller.

    Second Choice:
    Hard Disk master on Primary Controller
    DVD drive slave on Primary Controller
     
