Aornum Spyware!!!

Discussion in 'adware, spyware & hijack cleaning' started by River Dave, Nov 30, 2003.

Thread Status:
Not open for further replies.
  1. River Dave

    River Dave Registered Member

    Joined:
    Nov 30, 2003
    Posts:
    4
    Hi everyone,

    I have the most recent SpywareBlaster and continually update it when the definitions are available. When I run Spybot, "Aornum" shows up in the registry as spyware. So when I delete it using Spybot, my home page, which is Iwon.com, turns blank, and I have to keep resetting my Internet settings. I know that Aornum is part of Iwon, but is there any way I could keep it out of my system without giving up Iwon.com? I do have the most recent 2 definitions for Aornum. But apparently, IWon has modified Aornum so this version is by-passed by SpywareBlaster. I have not downloaded any of the Iwon software (I have checked). The only thing that I do is visit my.iwon page. Please let me know if there is any way I can visit Iwon and keep "Aornum" out of my system.

    THANK YOU!
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Hi, and welcome to the board. :)

    We'd like a closer look at your configuration:
    Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. River Dave

    River Dave Registered Member

    Joined:
    Nov 30, 2003
    Posts:
    4
    To TonyKlein,

    First of all, thank you for your suggestion. But I finally found it hidden in my Registry Editor. I used Spybot and performed a scan and found "AORNUM". I then right-clicked on "more details" and then clicked on "Jump to Location", and it brought me to my Registry Editor. Below the MICROSOFT folder, it opened the "SEARCH ASSISTANT" folder and then opened a sub-folder titled "ACMru" and then another sub-folder titled "5603", and the following appeared:

    ab000 REG_SZ Iwon
    ab001 REG_SZ Tensoft
    ab002 REG_SZ Arnum
    ab003 REG_SZ Aornum

    Now that I found it, I do have the ability to right-click and then either modify or delete. But being the novice that I am, will I do any harm if I delete these?

    Please let me know if deleting these will do any damage.

    THANK YOU!
    River Dave
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    That registry subkey just contains the history of searched files and folders, and it won't have been responsible for your hijack.

    Would you please post that Hijack This log as requested, so that we may have a look to see whether anything's still remaining?
     
  5. River Dave

    River Dave Registered Member

    Joined:
    Nov 30, 2003
    Posts:
    4
    Hi TonyKlein,

    Please bear with me; like I said before, I don't know much about computers. I noticed that I need to unzip a file from HijackThis. How do I go about doing that? I have never unzipped a file before. Also, what free program can I download to do this? I have Windows XP. PLEASE HELP!

    THANK YOU!
    River Dave
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    As you noticed, this download is a *.zip file, which means you need to decompress it with a utility like WinZip.

    Many downloads come in the shape of a compressed file, so it's an indispensable tool, really.
    It has an evaluation version which you can use for a month or so.

    Here's a tutorial

    It's extremely easy to do.

    BTW, QuickZip is an excellent alternative to WinZip that's freeware: http://www.quickzip.org/

    After unzipping the file to a folder of your choice, you'll end up with the file itself, which is Hijackthis.exe, and that's the one you'll need to doubleclick.
    It will create a log automatically.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    XP has its own built-in unzipper, by the way.

    If you open a zip file (by doubleclicking it) you will see the actual file inside and you can copy and paste it to anywhere you like.

    I would recommend making a special folder for HijackThis since it will create backups in the folder it is in.

    Regards,

    Pieter
     
  8. River Dave

    River Dave Registered Member

    Joined:
    Nov 30, 2003
    Posts:
    4
    To TonyKlein and Pieter,

    First of all thank you for your help. I really appreciate this. Here is the information.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:36:30 PM, on 12/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2625bdd70e1b18703c17/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.4510416667
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi River Dave,

    No mystery where the Aornum reports are coming from. :(

    Your StartPage.

    Have a look here: http://www.doxdesk.com/parasite/Aornum.html


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2625bdd70e1b18703c17/netzip/RdxIE601.cab

    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab

    Then reboot and change your StartPage to something else.

    Regards,

    Pieter
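
    The triage Pieter does by eye above (spotting the R0 start page and the O16 ActiveX controls worth fixing) can be scripted for logs in this HijackThis format. The following is an added example, not code from this thread or from HijackThis; the sample log is constructed from lines quoted above, and the watch-list of start-page hosts is an assumption for the demonstration.

```python
import re

# Constructed sample in HijackThis v1.97 log format (lines taken from the thread above).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2625bdd70e1b18703c17/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
"""

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")   # "R0 - ...", "O16 - ..."
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Assumed watch-list: start-page hosts the thread ties to the Aornum reports.
# A real deployment would load this from a maintained database, not hard-code it.
WATCHLIST = {"my.iwon.com"}


def parse_hjt(text):
    """Yield (section, body) pairs for lines that follow the HijackThis layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sect"), m.group("body")


def triage(text):
    """Return (section, host, reason) for entries that deserve a closer look."""
    findings = []
    for sect, body in parse_hjt(text):
        m = URL_RE.search(body)
        if not m:
            continue  # local DLL/OCX paths (O2/O3/O4) are outside this check
        host = m.group("host").lower()
        if host in WATCHLIST:
            findings.append((sect, host, "host on watch-list"))
        elif sect == "O16" and IPV4_RE.match(host):
            # Signed vendor controls normally come from a named host, not a bare IP.
            findings.append((sect, host, "ActiveX control downloaded from bare IP"))
    return findings


if __name__ == "__main__":
    for sect, host, reason in triage(SAMPLE_LOG):
        print(sect, host, reason)
```

    The Flash and pestscan O16 lines pass because they come from named vendor hosts; only the iwon start page and the RdxIE control from a raw IP are reported, matching the two web-sourced items Pieter asked to fix.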
     