Hijack by ABI Network

 
 
cicerone imposter
 
  1  
Reply Fri 10 Jun, 2005 08:46 pm
ibrachels, The mypctuneup uninstall might work to get rid of ABI Network adware, but how do you know you didn't install a spyware at the same time? I'm just asking the question, because their method of hijacking our computer should be illegal to begin with. We need to contact our congress representatives to find out if they can stop these criminals from writing programs that take over our computer.
0 Replies
 
prophecygirl
 
  1  
Reply Fri 10 Jun, 2005 11:06 pm
Aurora Mal Ware
I ran Ad-aware, but Aurora still pops up. I read on this thread to D/L HijackThis and post the results, so here goes:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:38 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehSched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\rsjlpn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\AMERIC~1.0B\waol.exe
C:\PROGRA~1\AMERIC~1.0B\shellmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.aol.com/DoReEgon/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gxkdsp] c:\windows\system32\rsjlpn.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A70DFA47-3493-4DEC-BA86-6CF11B8FFC81}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

THANKS
0 Replies
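A scripted first pass over a log like the one above, added here as an example (this is not HijackThis code and not something anyone in the thread posted). The sample lines are copied from the posted log; the rules and the `KNOWN_NAMES` list are assumptions drawn from the thread (the Shell= hook with Nail.exe, drpmon.dll, and executables dropped straight into the Windows directory), so a hit means "look at this entry", not a verdict. Note that the randomly named `rsjlpn.exe` under system32 is deliberately left unflagged: no simple rule catches it, which is why the forum's advice to let a human review the full log still applies.

```python
# Added example: triage a HijackThis v1.99 log for the kinds of entries this
# thread points at. Rules and KNOWN_NAMES are assumptions, not HijackThis features.
import re
from dataclasses import dataclass

# File names the removal post later in the thread associates with this adware (assumed list).
KNOWN_NAMES = {"nail.exe", "drpmon.dll"}

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - ")            # R0/R1/F2/O4/... entry lines only
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll))", re.IGNORECASE)   # first path, spaces allowed
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)  # file directly in C:\WINDOWS


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def first_path(line: str):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def check_line(line: str, section: str):
    """Return the reasons a single entry deserves a look (empty list = nothing noticed)."""
    reasons = []
    lower = line.lower()
    path = first_path(line)

    if section == "F2" and "shell=" in lower:
        # The Shell= value should launch Explorer.exe alone; any extra token is a hook.
        programs = lower.split("shell=", 1)[1].split()
        extra = [p for p in programs if not p.endswith("explorer.exe")]
        if extra:
            reasons.append("Shell= launches extra program(s): " + " ".join(extra))

    if path:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_NAMES:
            reasons.append("known adware file name: " + name)
        if WIN_ROOT_RE.match(path):
            reasons.append("loads from the Windows root directory")

    if "unknown owner" in lower:
        reasons.append("service with no publisher information")
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("references a file that no longer exists (leftover or dangling entry)")
    return reasons


def triage(log_text: str):
    """Walk a whole log; process-list lines and headers are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for reason in check_line(line, m.group(1)):
            findings.append(Finding(m.group(1), reason, line))
    return findings


# Sample input: a subset of the log posted above (process list included to show it is skipped).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [gxkdsp] c:\windows\system32\rsjlpn.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it against a full log by reading the file into `triage()`; every flagged line still needs to be compared with what the machine's vendor software legitimately installs (the HP, AOL and McAfee entries in this log are examples of noisy but normal entries).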
 
automaticdrummer
 
  1  
Reply Sat 11 Jun, 2005 07:38 am
mypctuneup
Yes mypctuneup is free, I was wrong to make that evil claim. I still believe they caused the adware virus. But running it did not work for me. Even more adware files detected between Norton, Trend Micro, and Spybot. I will try one of the guru methods discussed earlier before giving up and starting over.
0 Replies
 
timberlandko
 
  1  
Reply Sat 11 Jun, 2005 02:33 pm
PLEASE SEE

THIS TOPIC

BEFORE POSTING YOUR HIJACKTHIS LOG


Unless and until the preliminary steps and scans are accomplished, including all necessary updates, and your particular specific help request is opened in its own topic, as directed, it is highly likely no help will be forthcoming.
0 Replies
 
keeefer
 
  1  
Reply Sat 11 Jun, 2005 05:09 pm
Cicerone, I didn't try the fix. In fact I don't recall seeing a fix posted that people were claiming worked! This method seems to have worked. On their site it says the fix also installs something that stops you downloading their ad progs again. Which is a blessing, providing it's not doing anything else.
0 Replies
 
Coon
 
  1  
Reply Sun 12 Jun, 2005 08:32 am
abi network aurora spyware
Maybe this will help. It's a program which consists of various spyware killers. It worked for me.

http://www.hitmanpro.nl
0 Replies
 
realist
 
  1  
Reply Tue 14 Jun, 2005 12:17 am
Re: ABI Network - not the Toronto ABI Network!
tallrobert wrote:
Hi, my name is Robert and I am the Communications Coordinator for the Toronto ABI Network.

Wow! I have been getting so many messages from people about this pop up problem!! And many of them are not very kind!

Just wanted to say that the Toronto ABI Network is absolutely not responsible for this. I will be following up and posting some information on our website when I find out. You can look there in the future for answers if you choose ... www.abinetwork.ca

Robert
Hello Robert, where can my customer send you the bill? What's your address? I charged him $300.00 to get this off his laptop. Give me an email when you get a chance. Thanks, Matt.
0 Replies
 
guy in his dark room
 
  1  
Reply Tue 14 Jun, 2005 01:58 am
wow
I am having the exact same problem. I haven't managed to fix it yet, but this may help. Go to your C:\Documents and Settings\[user]\local settings\temp folder and first end the aurora process, then delete all of the aurora programs in there. This is not the only place where the .exe exists, but it is one (I had 3 of them in there).
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 09:37 am
Quote, "Cicerone, I didn't try the fix. In fact I don't recall seeing a fix posted that people were claiming worked! This method seems to have worked. On their site it says the fix also installs something that stops you downloading their ad progs again. Which is a blessing, providing it's not doing anything else."

What we are unsure of with "mypctuneup" is whether they have put spyware into your computer. That's the reason why I have recommended going to the Computer Forum on a2k, and follow timber's detailed instruction.
0 Replies
 
cjhsa
 
  1  
Reply Tue 14 Jun, 2005 10:15 am
There is something truly strange about this whole thread. Anybody else notice? Note: It has nothing to do with c.i.
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 10:27 am
And it has nothing to do with you! Why do you find that strange? LOL
0 Replies
 
cjhsa
 
  1  
Reply Tue 14 Jun, 2005 10:31 am
What are you talking about c.i.?
0 Replies
 
cjhsa
 
  1  
Reply Tue 14 Jun, 2005 10:39 am
What I was talking about was the large number of first time posters on A2K appearing here.
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 11:57 am
So? What does that have to do with anything about this forum?
0 Replies
 
cjhsa
 
  1  
Reply Tue 14 Jun, 2005 12:08 pm
Ever shop at EBay?
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 02:27 pm
Not lately, but yes. So, what's your point?
0 Replies
 
husker
 
  1  
Reply Tue 14 Jun, 2005 02:35 pm
I think this topic comes up easily in a Google search on the problem.


CI how did you get infected with this ? I'm just counting my lucky stars I don't or didn't get this yet - on any of our PC's
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 02:38 pm
husker, I'm not sure how my computer got infected. The only links I usually open are those that are "safe" according to my ISP provider. I don't open emails from people I do not recognize, and delete them.
0 Replies
 
PC dr
 
  1  
Reply Tue 14 Jun, 2005 06:13 pm
fix I think
I tried all of the tools mentioned plus symantec's removal tool for betterinternet. None worked.

SO...I created new versions of the 3 main offending files on my desktop. I set the attribute on these files to read-only and then denied all file permissions for the user currently logged on and the alluser user. I then cut/pasted all three into the proper directory and accepted "replace current version of files". I got access denied on the drpmon.dll file, so I just changed attributes & permissions on the original file. After doing this, run regedit.exe and do finds for the 3 files. Delete each instance you find. After cleaning the registry, reboot. On restart run ad-aware or the like to remove remnants.

The 3 files you want to replace are:

%system%\windows\system32\drpmon.dll

%system%\windows\nail.exe

%system%\windows\xxxxxxxx.exe

The last file has different names but all are just a bunch of letters. Mine was atldxwxjztf.exe. I found the filename using the threat advisory in Symantec AV. You might check your AV's quarantine for the filename. You can also look in the windows directory for a suspect file. When you find one, open the properties dialog box and click the version tab. If this is the correct file, when you highlight "company" it will show "Direct Revenue" as the company name. Create a replacement file with the same filename with read-only attributes and denied permissions to current user and allusers. Replace the file in the windows directory.

This thing sucks. I think I got it from either goldenpalacecasino.com or partypoker.com. I plan on sending a bill to Direct Revenue for the time that I spent on my machine. I will also tell my clients that they should do the same with my invoice to them. When I get over a couple of grand worth of these I plan to sue these yahoos. The way it's spreading this might even reach class action status. I'm not an atty, but it sounds like a good plan.
0 Replies
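The "do finds for the 3 files" step above can be done against a `reg export` text instead of clicking through regedit's Find dialog, which gives a complete list to review before anything is deleted. This is an added example, not code from the thread; it parses the .reg format (quoted strings, and `hex(2)`/`hex(7)` UTF-16LE blobs with line continuations) and reports every key and value whose name or data mentions one of the three file names. The sample export is constructed for the demo: the `HKLM\SOFTWARE\Example\...` key is a placeholder, and the `Shell` value mirrors the F2 line from the HijackThis log posted earlier.

```python
# Added example: list registry values referencing the file names from the removal
# post, working from "reg export" output. SAMPLE_EXPORT is constructed, not real.
import re
from dataclasses import dataclass

TARGET_NAMES = ("nail.exe", "drpmon.dll", "atldxwxjztf.exe")   # names given in the post above

# .reg value line: either @=... (default value) or "name"=...
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


@dataclass(frozen=True)
class RegHit:
    key: str
    value_name: str   # "@" for the default value
    data: str
    matched: str      # which target name was found


def _logical_lines(text: str):
    """Join .reg continuation lines (a trailing backslash continues onto the next line)."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ""
    if buf:
        yield buf


def _decode_data(raw: str) -> str:
    """Turn a .reg payload into text: quoted string, or hex(2)/hex(7) UTF-16LE bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\((2|7)\):(.*)$", raw)
    if m:
        blob = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return blob.decode("utf-16-le").replace("\x00", " ").strip()
    return raw   # dword:, plain hex:, etc. are left as written


def find_references(reg_text: str, names=TARGET_NAMES):
    """Return a RegHit for every value whose name or data contains one of `names`."""
    hits, key = [], None
    for line in _logical_lines(reg_text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        data = _decode_data(m.group(3))
        haystack = (name + " " + data).lower()
        for target in names:
            if target in haystack:
                hits.append(RegHit(key, name, data, target))
    return hits


# Constructed sample export; the Example key is a placeholder, not a real adware location.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"Example Updt"="C:\\WINDOWS\\atldxwxjztf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Placeholder\InprocServer32]
@="C:\\WINDOWS\\system32\\drpmon.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=hex(2):45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
  00,65,00,20,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,4e,00,61,00,69,00,6c,00,2e,00,65,00,78,00,65,00,00,00
"""

if __name__ == "__main__":
    for h in find_references(SAMPLE_EXPORT):
        print(f"[{h.key}]\n    {h.value_name} = {h.data}   <- {h.matched}")
```

On a real machine the input would come from `reg export HKLM hklm.reg` (and the same for HKCU), read as UTF-16 text; reviewing the printed list and then removing only the entries that truly belong to the adware is safer than deleting each regedit search hit as it appears.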
 
cicerone imposter
 
  1  
Reply Tue 14 Jun, 2005 06:30 pm
PC-dr, Include me in the class action suit. I don't want any money, but I want them to spend the bucks to defend themselves. I hope it costs them millions.
0 Replies
 