Trojans and Aurora

Discussion in 'Malware Help (A Specialist Will Reply)' started by vgatell, May 23, 2005.

  1. vgatell

    vgatell Private E-2

    Hi Folks,

    It's been a while, and I've been clean until recently. My Norton Internet Security corrupted during an electrical storm and I spent three days trying to figure out why we couldn't connect.

During the process of eliminating problems, I unfortunately connected directly, without my router, to the DSL Modem and without protection. I think I picked up four Trojans, or a combination of Aurora and Trojans.

Before bothering you busy people, I tried your clean processes and could not clean the virus. HouseCall found them, but could not remove them.

I'm not afraid to pay for the tools, but I do need to be directed. So any advice will be highly appreciated.

    Thanks in advance,

    Victor
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. vgatell

    vgatell Private E-2

Hi and thanks for responding so quickly:

I did attempt all the suggestions from the post you cited. It did not work; Housecall could not clean the system.

    I've downloaded Hijackthis and saved as you instructed. I've attached the log file.

    Thanks again,

    Victor
     


    Last edited by a moderator: May 23, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  5. vgatell

    vgatell Private E-2

    Sorry, I'm a rookie:

    Hope this is correct.

    Victor
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

That's the correct location! Let's begin the fix!

First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    After doing the above REBOOT and post a fresh HJT log.
     
  7. vgatell

    vgatell Private E-2

    Thank you, I've done as you requested.

    Attached you'll find the new log.

    Victor
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cybercentral.willowcsn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [qksgzjx] c:\windows\system32\ftcxabd.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
Navigate to and DELETE the following if they still remain:

    C:\WINDOWS\System32\ftcxabd.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
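The fix above works by reading a HijackThis log section by section (R0/R1 browser settings, O2/O3 BHOs and toolbars, O4 autoruns, O16 ActiveX downloads). As an added illustration that is not part of this thread or of HijackThis itself, here is a small Python triage script that applies the same patterns the expert used to the lines quoted above (the sample log is constructed from those lines plus one made-up benign O4 entry; the "random name" rule for O4 is a heuristic, not a HijackThis feature):

```python
import re
from urllib.parse import urlsplit

# Constructed sample: HijackThis lines quoted from the thread above, plus one
# constructed benign O4 entry that the triage should NOT flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cybercentral.willowcsn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
O4 - HKLM\..\Run: [qksgzjx] c:\windows\system32\ftcxabd.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<path>\S.*)$")


def classify(line):
    """Return (section, reason) if the line matches a pattern the thread's fix targets, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        value = body.rsplit("=", 1)[-1].strip()
        if value == "about:blank" or value.startswith("http"):
            return sec, f"IE start/search setting redirected to {value}"
    elif sec in ("O2", "O3") and body.endswith("(no file)"):
        return sec, "orphaned BHO/toolbar registration (no backing file)"
    elif sec == "O4":
        r = RUN_RE.search(body)
        # Heuristic: a random-looking all-lowercase Run value name that differs from
        # its exe name and lives in system32 (qksgzjx -> ftcxabd.exe above).
        if r and re.fullmatch(r"[a-z]{5,8}", r["name"]) \
                and "system32" in r["path"].lower() and r["name"] not in r["path"]:
            return sec, f"suspicious autorun [{r['name']}] -> {r['path']}"
    elif sec == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1].strip()).hostname or "?"
        return sec, f"ActiveX control (DPF) pulled from {host}"
    return None


def triage(log_text):
    """Return every flagged entry of a HijackThis-style log as (section, reason, line)."""
    hits = ((classify(ln), ln) for ln in log_text.splitlines())
    return [(h[0], h[1], ln) for h, ln in hits if h]
```

Running `triage(SAMPLE_LOG)` returns the five entries the expert told the poster to fix and leaves the constructed benign autorun alone.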
     
  9. vgatell

    vgatell Private E-2

    Hi, I got it all done. I think I didn't miss anything. However, an Aurora pop up just greeted me as I logged on. I know the pop ups are not as bad as the Trojans I had, but if you got any quick suggestions, I'd appreciate it.

    Thanks again for all your help.

    Victor
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the ABI Remover again. Boot into Safe Mode and run the tool as requested before.

Afterwards boot back into normal mode and attach a fresh HJT log. You still have some problems, but first let's get this one.
     
  11. vgatell

    vgatell Private E-2

    Hello:

Perhaps I'm not running the ABI correctly. I open the file, then follow the wizard. It seems, however, that it only installs files into the system. But is there another step I have to follow? Or is the process complete once I click on "Finish" on the wizard?

    In any case, attached is the new log file.

    Thanks,

    Victor
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That should be it!

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [aqxgxje] c:\windows\system32\tpajrg.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    Locate PocketKillbox

    Now, Copy and Paste c:\windows\system32\tpajrg.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach a fresh HJT log.
     
  13. vgatell

    vgatell Private E-2

    Hello again:

I did as you suggested. I could only find two of the three files you noted. When I finished, I could not find C:\windows\system32\tpa......exe, therefore I could not use the Kill Box.

    There was however, a very close file, I did not recognize.

    Thanks,

    Victor
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Okay, I see what's going on, I had one of these at my office today.

    First, run these online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

After you run these online scans, proceed with the next step.

    Download the following programs:

    Ad-Aware SE 1.05

    SpySweeper 3.5

    After installing the above programs, get all updates and then reboot into Safe Mode.

    Once in Safe Mode run a full scan with both programs removing all found infections. After you complete the online scans and the others reboot and post a fresh HJT log.
     
