
[Aurora in 7 places in registry]

Discussion in 'Malware and Virus Removal Archive' started by Daddad, 2005/05/18.

Thread Status:
Not open for further replies.
  1. 2005/05/18
    Daddad

    Daddad Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    210
    Likes Received:
    0
    I am helping a friend who had skillions of spywares, trojans and viruses.
    I have been able to rid the computer of everything except Aurora.
    Counterspy can "remove" or "quarantine".
    I have tried both but another scan reveals all 7 right back where they were.

    Here is a transcript from Counterspy (def 168) of what it found:

    Spyware Scan Details
    Start Date: 5/18/2005 2:13:21 PM
    End Date: 5/18/2005 2:15:37 PM
    Total Time: 2 mins 16 secs

    Detected spyware

    AURORA Spyware more information...
    Status: Ignored
    Severe spyware - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT NextInstance 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 Class LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 ConfigFlags 0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 DeviceDesc delprot
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 Legacy 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000 Service delprot


    Here is a HJT log that was run (normal mode, not safe mode)

    ====================================================================
    Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
    Get updates at http://www.greyknight17.com/download.htm#programs

    ***Security Programs Detected***

    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
    O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Logfile of HijackThis v1.99.1
    Scan saved at 3:25:18 PM, on 5/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\FromArt\TopDesk.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe

    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - Startup: Mail Inspector 2000.lnk = C:\Program Files\Mail Inspector\minspect.exe
    O4 - Startup: Shortcut to TopDesk.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of KRC HijackThis Analyzer Log.

    I have used Spybot, Ad-Aware, Microsoft antispyware beta, TDS-3 and Avast antivirus.

    Can anyone make any sense of this ?

    TIA------------Daddad
     
  2. 2005/05/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Daddad,

    Please download the LegacyDelprot.zip attached to this post. Save it to your desktop and extract to its own folder. Open the folder and double click the delprot.bat to run. It will create and open Delprot.txt. Please post the contents of that log.

    If it saves as attachment.php, right click and rename to LegacyDelprot.zip
     

  4. 2005/05/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Dave, you beat me to it while I was researching.
     
  5. 2005/05/19
    Daddad

    Daddad Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    210
    Likes Received:
    0
    Thanks Dave and Charles for the speedy replies

    Here is the delprot log:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Can't open Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_DELPROT:

    1011 - The configuration registry key could not be opened.

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Can't open Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_DELPROT:

    1011 - The configuration registry key could not be opened.

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Can't open Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_DELPROT:

    1011 - The configuration registry key could not be opened.

    I disabled all antispyware utilities and ran the delprot.bat in both normal and safe modes and got the same above log ?????????????

    Where do I go from here guys ??????

    Daddad
     
  6. 2005/05/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry Daddad,

    I made a goof when I wrote the batch. :eek: I have replaced the original attachment. Please delete what you previously downloaded, re-download and run again.
     
  7. 2005/05/19
    Daddad

    Daddad Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    210
    Likes Received:
    0
    Here is the log of the second batch file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000]
    "Service"="delprot"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="delprot"
    "Capabilities"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT\0000\LogConf]


    I ran that in normal mode.
    All 7 instances of Aurora are still where they were according to Counterspy :(

    Daddad
     
  8. 2005/05/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Still not seeing the permissions for the key. Please logon to the Administrator account in safe mode and run the batch to see if more information is given. Might want to delete the current log you have first. If it still won't show the permissions, can you manually go into the registry, right click the Legacy_Delprot key and choose permissions, then let us know what user accounts are listed in the upper pane and the access level for each in the lower pane? You might also try starting with the lower-most subkeys, deleting each until you can delete the Delprot key.
     
  9. 2005/05/19
    Daddad

    Daddad Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    210
    Likes Received:
    0
    Thanks Dave
    I went into regedit and was able to kill the delprot key after injecting "full control" to both system and user.
    It worked !! :D
    Subsequent scan by Counterspy shows NO INFECTION :eek:

    I usually don't like "messing" with the registry but your suggestion was the backbreaker that helped me the most.

    I've been hammering on this for days and got nowhere until you came along.

    My hat is off to you :)

    Daddad
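    As an added example, not code from the thread, from the delprot.bat attachment or from CounterSpy: a PowerShell script that does what noahdfear asked for in post 8 (list the accounts and access levels on the LEGACY_DELPROT key) and, with -Fix, what Daddad then did by hand in regedit (grant Full Control, work through the subkeys bottom-up, delete the key). It assumes an elevated session on a Windows version with PowerShell and an account that holds WRITE_DAC on the key, or has first taken ownership of it; the key path is the one from the CounterSpy report above.

```powershell
# Added example (not the thread's batch file or CounterSpy's code). Reports the
# DACL of the key flagged in this thread and, with -Fix, grants SYSTEM and
# Administrators Full Control on the key and its subkeys, then deletes the tree.
param(
    [string]$SubKey = 'SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT',
    [switch]$Fix
)
$hive = [Microsoft.Win32.Registry]::LocalMachine

# Open with the minimum rights needed: a key whose DACL denies ReadKey can
# usually still be opened for READ_CONTROL, which is all the report needs.
function Open-Key([string]$Path, [bool]$ForWrite) {
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions,EnumerateSubKeys'
    if ($ForWrite) { $rights = $rights -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions }
    $hive.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $rights)
}

# Same view as regedit's Permissions dialog: owner, then each ACE with its
# rights, which is what noahdfear asked to see before deleting anything.
function Show-KeyAcl([string]$Path) {
    $key = Open-Key $Path $false
    if (-not $key) { "HKLM\$Path does not exist"; return }
    $acl = $key.GetAccessControl()
    "Owner: $($acl.Owner)"
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        '{0,-40} {1,-5} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights
    }
}

# Walk bottom-up (leaf subkeys first, as suggested in the thread), granting
# Full Control and dropping any explicit Deny ACE that would block the delete.
function Reset-KeyAcl([string]$Path) {
    $key = Open-Key $Path $true
    foreach ($name in $key.GetSubKeyNames()) { Reset-KeyAcl "$Path\$name" }
    $acl = $key.GetAccessControl()
    foreach ($ace in @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
        if ($ace.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $id, 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $acl.SetAccessRule($rule)
    }
    $key.SetAccessControl($acl)
}

Show-KeyAcl $SubKey
if ($Fix) {
    Reset-KeyAcl $SubKey
    $hive.DeleteSubKeyTree($SubKey)
    "Deleted HKLM\$SubKey; re-scan to confirm all seven detections are gone"
}
```

    The Service value in the exported key (delprot) names the legacy driver service whose installation created this PnP record, so if a matching key were still present under HKLM\SYSTEM\ControlSet001\Services, the LEGACY_DELPROT key would be recreated at the next boot and the scanner would flag it again.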
     
  10. 2005/05/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to hear it's gone, and glad I could help. :)
     