|
Posted by Steve on August 15, 2005, 12:26 pm
If you were Registered and logged in, you could reply and use other advanced thread options
I've spent the last couple of days trying to get rid of the Aurora
"Abetterinternet" malware. I ran the Sophos scan using David Lipman's
advice which identified a couple of Trojan's. (Sophos tool 13 hours to
complete the scan, haven't run Trend - McAfee is my "native" installation).
Hopefully having used Nailfix, the problem is now finally resolved.
(nail.exe re-spawns when deleted).
However, there is something still amiss.
Using Windows Task Manager process display, there is an unknown process
running, currently "xpgbpo.exe". It was previously "arsmpxq.exe".
When this process is deleted it respawns with a different random name, it
starts at 180k then its use of memory grows. I've found the file in
C:\windows\system32 with a files size of 89k it has a buddy "rjdvkm" and
I'm convinced a third "ready to go" with a file size of 0KB "afnhped".
All these names appear to be random and I've deleted the live process a
dozen times and the filename is always 6 or 7 characters in length.
If I delete the live process then a new process is spawned with a new
random name. This is an extract from Filemon where I deleted "armspxq" and
it is re-spawned as "xpgbpo" McAfee can be seen running, but doesn't flag
any issues, don't know why.
Neither Sophos or McAfee flag this as a virus, unless I've made a poor job
of cleaning up - any ideas?
TIA
Steve
16:42:49 McShield.exe:316 SET INFORMATION C:\WINDOWS\Nail.exe SUCCESS
FileBasicInformation
16:42:50 arsmpxq.exe:2324 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
16:42:50 arsmpxq.exe:2324 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS Length: 91136
16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
Offset: 0 Length: 65536
16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
Offset: 65536 Length: 25600
16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\arsmpxq.exe
SUCCESS FileBasicInformation
16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
SUCCESS FileBasicInformation
16:42:50 explorer.exe:564 DELETE C:\WINDOWS\system32\arsmpxq.exe SUCCESS
16:42:50 svchost.exe:1028 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 20480
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 24576
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 28672
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 32768
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 36864
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 40960
16:42:50 xpgbpo.exe:4060 SET INFORMATION
C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 45056
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\crypt32.dll
SUCCESS FileBasicInformation
|
|
Posted by David H. Lipman on August 15, 2005, 1:00 pm
If you were Registered and logged in, you could reply and use other advanced thread options
| I've spent the last couple of days trying to get rid of the Aurora
| "Abetterinternet" malware. I ran the Sophos scan using David Lipman's
| advice which identified a couple of Trojan's. (Sophos tool 13 hours to
| complete the scan, haven't run Trend - McAfee is my "native" installation).
|
| Hopefully having used Nailfix, the problem is now finally resolved.
| (nail.exe re-spawns when deleted).
|
| However, there is something still amiss.
|
| Using Windows Task Manager process display, there is an unknown process
| running, currently "xpgbpo.exe". It was previously "arsmpxq.exe".
|
| When this process is deleted it respawns with a different random name, it
| starts at 180k then its use of memory grows. I've found the file in
| C:\windows\system32 with a files size of 89k it has a buddy "rjdvkm" and
| I'm convinced a third "ready to go" with a file size of 0KB "afnhped".
|
| All these names appear to be random and I've deleted the live process a
| dozen times and the filename is always 6 or 7 characters in length.
|
| If I delete the live process then a new process is spawned with a new
| random name. This is an extract from Filemon where I deleted "armspxq" and
| it is re-spawned as "xpgbpo" McAfee can be seen running, but doesn't flag
| any issues, don't know why.
|
| Neither Sophos or McAfee flag this as a virus, unless I've made a poor job
| of cleaning up - any ideas?
|
| TIA
|
| Steve
|
| 16:42:49 McShield.exe:316 SET INFORMATION C:\WINDOWS\Nail.exe SUCCESS
| FileBasicInformation
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS Length: 91136
| 16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
| Offset: 0 Length: 65536
| 16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
| Offset: 65536 Length: 25600
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\arsmpxq.exe
| SUCCESS FileBasicInformation
| 16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 explorer.exe:564 DELETE C:\WINDOWS\system32\arsmpxq.exe SUCCESS
| 16:42:50 svchost.exe:1028 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 20480
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 24576
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 28672
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 32768
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 36864
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 40960
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 45056
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\crypt32.dll
| SUCCESS FileBasicInformation
|
Have you tried such applications as Ad-aware SE v1.06 and SpyBot Search and
Destroy v1.4 ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
|
Posted by Steve on August 15, 2005, 1:41 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>
> |
>
> Have you tried such applications as Ad-aware SE v1.06 and SpyBot Search
> and Destroy v1.4 ?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
Yes I have both upto dat on my machine. - Just spotted Aurora ABI is back
so I've clearly made a poor job of cleaning up...
I've run Mailfix a couple of time in safe mode, so either its not working
in this instance or I need to do more reading...
Many Thanks
Steve
|
|
Posted by Malke on August 15, 2005, 4:24 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>
>>
>> |
>>
>> Have you tried such applications as Ad-aware SE v1.06 and SpyBot
>> Search and Destroy v1.4 ?
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm
>>
>>
>
> Yes I have both upto dat on my machine. - Just spotted Aurora ABI is
> back so I've clearly made a poor job of cleaning up...
>
> I've run Mailfix a couple of time in safe mode, so either its not
> working in this instance or I need to do more reading...
>
> Many Thanks
>
> Steve
I think I answered this in another newsgroup to which you posted, but -
run HijackThis and post your log to one of the following forums:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
Whatever forum you choose, read their posting FAQ first.
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
|
|
Posted by =?Utf-8?B?c2hvdXNl?= on August 16, 2005, 11:27 am
If you were Registered and logged in, you could reply and use other advanced thread options
http://securityresponse.symantec.com/avcenter/FixBinet.exe
and for that matter other removal tools can be found at:
http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html
hope this helps
"Steve" wrote:
>
> >
> > |
> >
> > Have you tried such applications as Ad-aware SE v1.06 and SpyBot Search
> > and Destroy v1.4 ?
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
> Yes I have both upto dat on my machine. - Just spotted Aurora ABI is back
> so I've clearly made a poor job of cleaning up...
>
> I've run Mailfix a couple of time in safe mode, so either its not working
> in this instance or I need to do more reading...
>
> Many Thanks
>
> Steve
>
>
>
|
| Similar Threads | Posted | | URL problem | April 4, 2007, 3:50 pm |
| Very odd dns problem | July 5, 2007, 4:23 pm |
| W32.alcra.b problem | July 1, 2005, 2:34 pm |
| Please Help! Problem with Start Up!! | August 27, 2005, 11:35 am |
| VundoFix - another problem | September 8, 2005, 2:20 am |
| possible virus problem... help!!!! | November 24, 2005, 1:56 pm |
| spyware problem | December 10, 2005, 11:39 pm |
| PROBLEM WITH FIREWALL AND IIS | December 23, 2005, 3:01 pm |
| Problem getting rid of TROJ_AGENT.AMV | February 10, 2006, 6:58 am |
| Got problem with W32.Rontokbro.B@mm | February 19, 2006, 9:20 am |
|
XML site map