# I'VE TRIED IT ALL and Aurora is still here



## pilatedog (Apr 16, 2005)

Somehow this trojan got on my system and I cannot get rid of it. I have walked through other posts and tried things but nothing... I need someone to walk me through how to remove this thing. I have good knowledge so I just need a push in the right direction. It is the "Aurora" pop-up thing that you cannot kill. In Task Manager when you end the process tree... it comes back right away as a differently named file. I've done safe mode scans, and things from the CMD prompt and everything, but it is still here. I have McAfee, Ad-Aware 6.0 w/ proc and Ad-Watch, Microsoft spyware remover, and Spybot. SOMEONE PLEASE HELP ME!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:26:38 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\vbujayh.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)


----------



## OBP (Mar 8, 2005)

Pilatedog, when you installed MS AntiSpyware did you also install the Malicious Software Removal Tool as well? If not, try it; it is here - http://www.microsoft.com/security/m...ve/default.mspx
Ad-Aware 6.0 is an old version.
Unless you want to go for saving your data, reformatting and re-installing Windows, how about trying to find what is putting them back on?
If you haven't already got them, download, install and update the definitions of -
Ad-Aware SE free version from - http://www.lavasoft.de/support/download/
Also from Lavasoft get the VX2 add-on from - http://www.lavasoft.de/software/addons/
Spybot S and D from http://www.security.kolla.de
SpywareBlaster from - http://www.javacoolsoftware.com/downloads.html
CWShredder from - http://www.intermute.com/spysubtract/cwshredder_download.html

First of all click Start>Run and type in sysedit, then look in autoexec.bat and config.sys and see what is listed in there; if possible copy and paste them into WordPad and then on to here. Autoexec.bat and config.sys are both accessed before Windows starts, so if they contain anything malicious it does its work before your anti-virus can stop it.
Next try Start>Run and type in msconfig. In msconfig click the Boot.ini tab.
It should look like this -
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 Server" /fastdetect

Next use Explorer to search your hard drive(s) for *.bat, which are batch files that a program may use to reset the deleted virus software. Make a note of any that you find so we can compare them with what is on my computer.

Lastly the tricky one: disconnect your computer from the internet.
In Task Manager, if any of these are running as processes or services, stop them -
vbujayh.exe
Nail.exe
svcproc.exe

Find and delete -
c:\windows\system32\vbujayh.exe
C:\WINDOWS\Nail.exe
Rename this C:\WINDOWS\svcproc.exe
to - C:\WINDOWS\svcproc.old just in case it is a real Windows program (but I don't think it is)

Use HJT to delete these entries -
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

While you have major virus problems I would personally delete any MSN, Yahoo, Java and Google toolbars and add-ons unless you can be absolutely certain nothing is getting in via them; after all, you can always install them again afterwards.

Now open msconfig and in the Services tab click on Disable All; if Explorer.exe or Task Manager is in there then tick them back on again. Then in the Startup tab untick everything except Explorer.exe and Task Manager if they are listed.
Run an MS AntiSpyware scan and all the other programs I asked you to download, and delete anything they find.

Reboot the computer.
Run an MS AntiSpyware scan and HJT. Are the files back again?
If they are, we will know that it is not anything running in processes or services that is re-instating them.
If they are not back, then it is a simple process of elimination to find the culprit.
One of the things that you have to be wary of is programs that you think are OK but have been corrupted by the virus, which is why I suggested getting rid of the toolbars and add-ons.
In fact I would delete everything from the HJT log except the absolutely essential programs.
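As an added illustration (not a tool from this thread), here is a small Python triage script that reads a HijackThis log in the format posted above and flags the three persistence mechanisms OBP's reply singles out: the F2 Shell= hijack, randomly named HKLM Run entries pointing into system32, and an O23 service running out of the Windows folder or pointing at a missing file. The sample log lines are constructed from the entries posted in this thread; the random-name heuristic is my own, so its hits are leads to verify rather than verdicts.

```python
"""Triage a HijackThis 1.99 log for the persistence pattern this thread describes.

Added example, not a tool from the thread. It parses the log format the posts
use and flags the Shell= hijack (F2), randomly named HKLM Run entries pointing
into system32 (O4) and a service run from the Windows root or whose binary is
missing (O23).
"""
import re

# Constructed sample in HijackThis format; the entries mirror the logs posted above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [djjkvrn] c:\\windows\\system32\\mynprv.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [qbimvz] c:\\windows\\system32\\hfuxiks.exe
O4 - HKLM\\..\\Run: [gcasServ] "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\\PROGRA~1\\mcafee.com\\vso\\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\\WINDOWS\\System32\\wdfmgr.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HKLM\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<value>.+)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Shape of the names in the thread (djjkvrn, qbimvz, mynprv, hfuxiks): lowercase
# letters only, no digits. A shape check, so hits are leads to verify, not verdicts.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,12}$")


def run_target(value):
    """Extract the executable from a Run value, which may be quoted and carry arguments."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.*?\.exe)\b", value, re.IGNORECASE)
    return m.group(1) if m else value


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def check_shell(body):
    # F2: Winlogon's Shell value. Anything listed after Explorer.exe is started with
    # the shell and comes back with it, which is why ending the process tree fails.
    _, _, value = body.partition("Shell=")
    extras = [t for t in value.split() if t.lower() != "explorer.exe"]
    if not extras:
        return []
    return [("F2", "high", f"Shell hijack: {' '.join(extras)} launched alongside Explorer.exe")]


def check_run(body):
    # O4: flag only when the value name AND the binary look random AND it lives in system32.
    m = RUN_RE.match(body)
    if not m:
        return []
    target = run_target(m.group("value"))
    exe = target.rsplit("\\", 1)[-1].lower()
    stem = exe[:-4] if exe.endswith(".exe") else exe
    if (RANDOM_NAME_RE.match(m.group("key")) and RANDOM_NAME_RE.match(stem)
            and dirname(target).endswith("\\system32")):
        return [("O4", "high", f"Random-looking Run entry [{m.group('key')}] -> {target}")]
    return []


def check_service(body):
    # O23: a service with no vendor string whose binary sits directly in the Windows
    # folder (svcproc.exe here) is the pattern; a missing binary is a stale entry.
    m = SERVICE_RE.match(body)
    if not m:
        return []
    out = []
    if m.group("owner") == "Unknown owner" and dirname(m.group("path")) == "c:\\windows":
        out.append(("O23", "high", f"Unknown-owner service {m.group('name')} in Windows root: {m.group('path')}"))
    if m.group("missing"):
        out.append(("O23", "low", f"Orphaned service {m.group('name')}: binary missing, entry can be removed"))
    return out


CHECKS = {"F2": check_shell, "O4": check_run, "O23": check_service}


def triage(log_text):
    """Run the per-section checks over every HijackThis line; returns (section, severity, message)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("section") in CHECKS:
            findings.extend(CHECKS[m.group("section")](m.group("body")))
    return findings


if __name__ == "__main__":
    for section, severity, message in triage(SAMPLE_LOG):
        print(f"{section:<4}{severity:<6}{message}")
```

Paste a real HijackThis log into SAMPLE_LOG (or read it from a file) to run the same checks over it; legitimate entries with all-lowercase names will occasionally appear as leads, which is why the output is a starting list and not a delete list.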


----------



## pilatedog (Apr 16, 2005)

I followed your directions to a tee... downloaded and installed all the spyware removal you suggested... but here's the thing. There is only a black screen when trying to view the autoexec.bat and the config.sys... so I searched for autoexec and config and I found them as autoexec.NT and config.NT but I cannot view them...
I shut off all toolbars, uninstalled them..., I tried to search for bat files and I found 2
msdtcutr.bat
buildall.bat

boot.ini looks like you posted... there was not a file called vbujayh.exe but I deleted nail.exe and svcproc.exe

I turned off all startup and all services in msconfig and rebooted but a new startup file was checked and the spyware was loaded again!!!

When it loads, Microsoft spyware remover sees it and warns me by saying...

"program TODO: <product name> is trying to install a new startup program in registry called TODO: <consumer name>, block or allow?"

I block it but when I start Internet Explorer the "Aurora" pop-up loads anyway. Please guide me further... below is a new HJT report after all services and startup were shut off.

Logfile of HijackThis v1.99.1
Scan saved at 7:05:28 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\mynprv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

any help is always appreciated..............


----------



## OBP (Mar 8, 2005)

Did you do this bit -
Use HJT to delete these entries -
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Something started this - mynprv.exe
and put this in the registry - O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
but at least we know it is not in startup programs or services.

I haven't got either of those .bat files on my computer; what folders did you find them in?
Right click on each one in turn and from the menu click "Edit". This should show you what is held in each of the .bat files.
The other thing you could try is renaming them to msdtcutr.old and buildall.old and then doing the Safe Mode deletion routine again to see if that has any effect.
The other thing I will have to do is find you a "Memory Resident Virus" scanner in case the "trigger" is being held in RAM.
Did you install - Malicious Software Removal Tool?
Try running a Hijackthis log in Safe Mode and delete the following - 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Delete - c:\windows\system32\mynprv.exe
hfuxiks.exe


----------



## OBP (Mar 8, 2005)

Try a scan with this web based scanner - 
http://www.bitdefender.com/scan/licence.php


----------



## OBP (Mar 8, 2005)

I forgot to ask, did you do a system search for TODO: <product name>?


----------



## khazars (Feb 15, 2004)

try this.

Go to: Start > Run
Type: services.msc
Hit Enter

In the Services window, scroll down for:

System Startup Service

Right click it and select "Properties"
Click the "Stop" button, and wait for Windows to kill the process
Then change the "Startup Type" drop-down menu from "Automatic" to "Disabled"

Copy these instructions to notepad and then restart to safe mode.

How to start your computer in safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window copy and paste the following commands one at a time exactly as they appear below and hit the Enter key after each one:

del C:\WINDOWS\svcproc.exe

Hit Enter

del c:\windows\system32\mynprv.exe

Hit Enter

cd C:\windows

Hit Enter

nail.exe /FullRemove

Hit Enter

exit

Hit enter

Reboot and post another Hijack This log please.


----------



## dvk01 (Dec 14, 2002)

To be able to fully fix this one we need to find a few hidden files.
Download FindIt's.zip to your desktop.
Unzip/extract the files inside, open the folder and run FindIt's.bat and wait for a text file to open; it will take a while, so be patient. Post the results please.

http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443


----------



## pilatedog (Apr 16, 2005)

I cannot express enough thank-yous to everyone who pitched in with some information to help me out on this thing... However, after doing ALL THAT stuff I did yesterday and it still not working, I gave up... I formatted the C drive and re-installed my OS and drivers. I have been with computers for a long time... and I have not come across a spyware I could not remove... until now. In answer to your query... Yes, I searched for TODO:<product name> and nothing came back. I searched again after I set the folders to show all hidden files. My big concern was I noticed that even when I booted in safe mode... this TODO:<product name> thing loaded anyway... plus I could not find a file anywhere named autoexec.bat or config.sys. They were both .NT?!?! I could not open them to read them from anywhere... sysedit would not open it... only a file named autoexec.bat but it was blank. Command prompt would not type it out for me either. After a complete format, the computer is back down to a normal 28 processes and I have a 100% clean bill of health... so far. I took all suggestions to heart and installed all malicious software removers and all updated versions of all spyware and virus protection software. So far so good. I am not too sure where I contracted the bug from, but I will guarantee you I will not fall for their trickery again. Anyway, thanks for everyone's help and time and effort. Best wishes...


----------



## khazars (Feb 15, 2004)

OK, sorry to hear you had to take such drastic action, but at least your PC is now in a healthier state.

Here are some suggestions to try and keep you free of the bugs.

To stop reinfection get these two tools, SpywareGuard and SpywareBlaster, from

www.javacoolsoftware.com

Get the hosts file from here.

Put it into C:\windows\system32\drivers\etc for XP and W2K, or

C:\windows\ for 95, 98 and ME

http://www.mvps.org/winhelp2002/hosts.htm

IE-SPYAD. Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

WinPatrol

http://www.winpatrol.com/winpatrol.html

PrevX, a new tool, looks like a good one

http://www.prevx.com/prevxhome.asp

Use Spybot's Immunize button and use SpywareBlaster's Enable Protection once you update it. You can put Spybot's hosts file into your own and lock it. Plus you can also turn on Spybot's TeaTimer for added protection against pests.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads.

http://www.mozilla.org/

free anti-virus tools

AVG6 from

www.grisoft.com

Avast 4 from

www.avast.com
_____________________________________________________________________

free firewalls

www.zonelabs.com

www.kerio.com

www.sygate.com

How to set up and configure the Kerio rules-based firewall.

http://www.dslextreme.com/users/surferslim/tpf.html

_____________________________________________________________________

sites for testing firewalls

http://grc.com/

www.pclank.com

http://scan.sygatetech.com/

_____________________________________________________________________


----------



## pilatedog (Apr 16, 2005)

Thanks for all of your valuable input! I use Firefox... (down with the Gates-monster) so I hope that I can stop future problems..... Any word on when any virus protection (i.e. McAfee/Norton) is going to have a web update available to fix the "Aurora" pop-up ad problem? It looks like it infected a LOT of people.


----------



## khazars (Feb 15, 2004)

This has turned up from the pesky website responsible for nail.exe, svcproc.exe and Aurora.

Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
http://www.mypctuneup.com/evaluate.php
Or go to www.mypctuneup.com and click on free uninstall tool and follow the steps.

We hope you find this helpful. Thanks again for your continued patience.


----------



## Smitty21 (Apr 21, 2005)

I've got a computer with the same problem and I'm not going to format it. I'm going to fix it no matter how long it takes. I've already spent an entire day on it. I've run Spy Sweeper, Ad-Aware, MS AntiSpyware, NAV, McAfee, PC-cillin, AVG, HijackThis. I've deleted the nail.exe and the Shell entry in the Registry and still have the Aurora pop-ups. I've also booted to a Windows PE CD to get rid of all the other crap in the Program Files, System32, and Temp folders. Who is this mypctuneup.com so I can deliver a bag of crap on their doorstep?


----------



## The_Egg (Sep 16, 2002)

So did the provided uninstaller not work for you?
http://www.mypctuneup.com/evaluate.php


----------



## Smitty21 (Apr 21, 2005)

I haven't tried it yet but I know some of these web sites that offer web-based uninstallers are full of crap and install more spyware. How do I know they're legit? Because they're partners with the developer?


----------



## The_Egg (Sep 16, 2002)

Because AcaCandy (admin here) said it works, and so does everyone else who's tried it :/


----------



## dvk01 (Dec 14, 2002)

They are the partners with the scum who develop this.

The company that has done the developing is very well known in the malware field as scumbags, but the uninstallers do work and all tests done haven't found any ill effects from it.

This site http://www.webhelper4u.com/ deals entirely with these Transponder/Direct Revenue scumbags and the author of the site is widely acknowledged as the expert on these pests. I have been in contact with him and he has confirmed that the uninstaller does work and in all his tests nothing extra has been installed.

There are some cases where it doesn't get it all, but we can normally clean those up once the uninstaller has got rid of the worst.

The main problem is that this one also gets bundled with other adware/spyware that the uninstaller doesn't fix.


----------



## Smitty21 (Apr 21, 2005)

OK, I took your word for it & tried the uninstaller. It appears to have worked. I ghosted the hard drive first to find out what changes were made to the Registry. One of the pop-ups I got asked for my eBay information. That's a little worse than just simple advertising. I'm going to report them to eBay.


----------



## dvk01 (Dec 14, 2002)

Smitty21


Do you use ZoneAlarm? One of the things that can be affected by this pest is ZoneAlarm, and ZA can maintain an eBay password.
If the infection is gone, perhaps fry the contents of C:\WINDOWS\Internet Logs, where ZA keeps its config, and reconfigure it? Or reinstall ZA.


----------



## OBP (Mar 8, 2005)

dvk01, this poster couldn't get the Un-install to work.
http://forums.techguy.org/t354356.html


----------



## Smitty21 (Apr 21, 2005)

No I don't use Zone Alarm. The eBay pop-up had Aurora on the Title Bar. I took a screen shot & sent it to eBay. Thanks for the help though everyone.


----------



## dvk01 (Dec 14, 2002)

Can you also send a screenshot to me please so I can pass it on to the people who are really keeping an eye on these Aurora/Direct Revenue scum, so it can be added to the list of bad behaviour that this causes.

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file then press the More Attachments button for each extra file and browse and select etc., and when all the files are listed in the window press Send to upload the files.


----------



## Smitty21 (Apr 21, 2005)

OK, dvk01, it's done. Hopefully eBay will bust 'em because I doubt eBay would approve that. It's not asking for my current eBay info like I thought, it's asking me to register and asking for my date of birth, etc.


----------



## dvk01 (Dec 14, 2002)

I've passed it on and this is the reply



> That is their aurora.exe which is the same as their buddy.exe for their offeroptimizer ads. It is an online form to join ebay. Now, during the uninstall process, the transponder will still send out a routine checkin which can then kick in a transmission from their offeroptimizer ad server which can popup an ad at the same time they are online to uninstall the transponder and components.
> 
> After the uninstall it will still send one or more transmissions until the dll or exe is not loaded as a process and that means users would have to click the YES to restart the computer when the box is shown or you will still get transmissions because the files are still loaded into memory.


It seems that eBay does have an affiliate scheme whereby people can get a small payment for referring a new user to eBay. Obviously these scum have got an affiliate account and are making money from eBay sign-ups.

Complaints to eBay, and keep complaining, is the only way to have their affiliate account removed.

Edit: it looks like there is a LOT of money in the ebay affiliate scheme http://affiliates.ebay.com/?ssPageName=home:f:f:US


----------



## Smitty21 (Apr 21, 2005)

That's good info. Hopefully, I'm not the only one that's complained and hopefully there's some kind of fine print in the affiliate agreement they abused. But then they'll probably just sign up under another DBA name and start over.


----------



## maddspd (Apr 23, 2005)

Well, I got this same thing too... I was on LimeWire and downloaded some file with the name "keygen" in it. I work at a computer shop, so I know what I'm doing, and have McAfee, Spy Sweeper, Ad-Aware, Spybot, SpySubtract, CWS, and XoftSpy, all of which have current updates.

Upon running this file called keygen, nothing happened, so I double-clicked again... still nothing. So I scanned that directory for viruses. Nothing. Used all of the above software to scan for adware/spyware. Nothing. Performed a full system scan using each one of the above pieces of software. Still nothing except a few cookies Spy Sweeper wanted to delete.

I had the same randomly named .EXE file in my task list, and every time I ended it, it was renamed and restarted... no matter how fast I tried to delete the file before it got renamed, I just couldn't do it. I also found out that "Nail.exe", "pohoignlfyy.exe", and "svcproc.exe" were related to this, so I went into safe mode and deleted everything I could find. I also cleaned out the registry where it said the shell was "Explorer.EXE nail.exe" and everything else that people have mentioned before this post.

Well, tonight, at a friend's house, I noticed that same darn Aurora thing on his CPU when he opens Mozilla. So now I'm back... I wanna figure this out! I've been getting random lockups, and I just reinstalled Windows on here a couple weeks ago... although the lockups could be related to my cooling... 2 days ago, my room was 90 degrees because the AC doesn't work upstairs and because of the pollen, I could not open the window, so my Athlon XP 2600+ was running at about 56-60 degrees C.

Next, I sent those files ("Nail.exe", "pohoignlfyy.exe", and "svcproc.exe") and the randomly named file in the system32 folder to COMPUTER ASSOCIATES for analysis. I got an email back from some guy telling me it was related to VX2 Transponder; another site told me it was related to ABetterInternet. Computer Associates also told me _"The file has been identified as Win32.SillyDl.LR trojan. Aliases reported by other Antivirus products are listed here: (Trojan.Win32.Agent.cp) (BackDoor-CQQ) (Trojan Horse)"_
After submitting it to McAfee's AVERT Labs in Tokyo, they told me: _"These files are being considered for inclusion in our potentially unwanted program (PUP) definition files. If the sample meets our PUP criteria, detection and removal will be supported in a future DAT release for qualifying products"_. I also got the idea from somewhere that this was related to something called the "Buddy" virus... don't remember where I got that info from...

About a week ago, SpySweeper came up and told me that it detected "ABetterInternet" running--this was like right after I had updated definitions from SpySweeper... After doing a full scan, SpySweeper removed it. I then downloaded the plug-in for Adaware (I think it was called VX2) and some other VX2 fix tool from Symantec and ran those, which found nothing. I thought that maybe I had gotten rid of it, but as I was using Adobe Premiere yesterday, I noticed the Aurora in the taskbar... I'm thinking that if you have a fast computer, you will see that taskbar less, because it comes and goes so fast. But since my CPU was bogged down converting video, I was able to see that taskbar icon for a good 10 seconds.
Anyways, I just did another REGEDIT and deleted some folder named "aurora".

Now I'm stuck... there's really nothing left I can think of to do... The file with the random name is no longer running in the task manager, and all of the "svchost" are either "SYSTEM", "LOCAL SERVICE", or "NETWORK SERVICE"... none with my user name, like a regular program would have... BUT, I still see this aurora sometimes... I'm not getting any pop-ups, although come to think of it, I did get one popup a couple of seconds after I clicked that original "keygen" file when I opened Internet Explorer, but none after that...

I have not tried the uninstall link that was provided because those usually contain more crap and are fake... PLUS, the person who was told to try it seems to be having the trouble still... as you can tell by his response with that eBay scam that popped up.

Anyways, just wondering if anyone had any other insight to this nasty thing... I might just give up for once and reformat again, since I just reformatted a couple weeks ago!

Talk to ya later,
Andrew Bucklin
Manager of Technical Service, MicroHelp, Inc.


----------



## dvk01 (Dec 14, 2002)

Andrew

The uninstall link does work and is the easiest way to deal with this one


----------



## maddspd (Apr 23, 2005)

Well, I just downloaded the "uninstall" from that website, http://www.mypctuneup.com/evaluate.php, and ran it. At first, it asked to access the internet, so I blocked it, but it then gave an error message, so I went back and allowed it... Then another window asked for internet access so I allowed that one too... I typed in some verification code and then told it to go ahead... It shut down all Internet Explorer windows and deleted this Browser Page:

"CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/s................"

and then it re-added the above entry...
Also, while doing this, Webroot's SpySweeper got some updates and told me it found ABetterInternet running in memory... I skipped the scan for now and I'm about to go ahead and let the uninstaller reboot my system...

BRB...


----------



## maddspd (Apr 23, 2005)

Well, it seems as though that worked.... So far...
I did a quick scan of the registry to see if "aurora" was found but nothing... Still no weird task running and I'm not seeing that quick taskbar flash of "aurora"...

I have yet to do more scans using all the adware/spyware/virus software, but I doubt I'll find anything... However, if I do, I promise to come back and post something... but if you don't hear from me again, my advice would be to use that uninstaller.... probably the first uninstaller I've seen that actually uninstalls it!

Later,
Andrew


----------



## fox37 (Apr 25, 2005)

You legends... I'd been getting an increasing number of empty Aurora popups for a few days before I considered them malicious. I'm using Firefox and run spyware scans once a week.

After reading the first part of your thread, I thought I'd need to wipe and reload my PC, cos I got lost in the techie instructions.

BUT when i dubiously followed the uninstall link it worked!!  
here it is for anyone who missed it:
http://www.mypctuneup.com/evaluate.php


----------



## maddspd (Apr 23, 2005)

It was good! The install link worked! I did a scan after the uninstall and a couple of days of using the computer and reboots each day (I turn off the CPU during the day and at night) --McAfee only found 2 items relating to ABetterInternet, both of which were in the temp folder. All the other Spyware/Adware scanners found little to nothing.. none of which related to aurora... GOOD JOB UNINSTALL!!!
http://www.mypctuneup.com/evaluate.php

Andrew Bucklin
Manager, Technical Services
MicroHelp, Inc.
[email protected]
AIM: MADDSPD


----------



## FHH (Apr 27, 2005)

I am not sure, but I do know that I had Aurora on my system and I ran this program and it seemed to clean it. I am not 100% sure, but it seemed to have worked. Here is a link to the site where I downloaded the program: http://www.mypctuneup.com/


----------



## mooseman74 (May 4, 2005)

I tried running this uninstall program and it keeps giving me errors saying I have to adjust my settings to allow sessions/cookies... and even after I do it I keep getting this error..... so I'm still stuck with this sh1t.


----------



## maddspd (Apr 23, 2005)

mooseman74 said:


> I tried running this uninstall program and it keeps giving me errors saying I have to adjust my settings to allow sessions/cookies... and even after I do it I keep getting this error..... so I'm still stuck with this sh1t.


Man... that really sucks... maybe you have other issues with some other Adware/Spyware/Virus that is messing that up... You don't have any anti-spyware/adware stuff running while doing this, do ya? Maybe something is blocking the cookie... like Cookie Blocker or SpySweeper... :-\


----------



## mooseman74 (May 4, 2005)

No... no other spyware/adware running that I can find or tell... usually keep my computer pretty clean. I did try Ewido Security Suite a little while ago and I think it may have worked..... it's been a while now since I had any aurora popups..... fingers crossed!


----------



## dvk01 (Dec 14, 2002)

mooseman

the only guaranteed way then is to completely wipe the computer, by formatting it and reinstalling everything

sometimes we have managed to remove the majority of it with various tools and if you want to try then post a Hijackthis log. BUT be warned it is a long and difficult fix and is NOT guaranteed to work

Go to here and download 'Hijack This!'. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop. 
Click on the entry in the start menu or on the desktop to run HijackThis.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log. 
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.
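As an added example (not from this thread, and not part of HijackThis itself), here is a small Python script that reads a saved HijackThis-style log offline and flags the two things the posters above kept finding by hand: extra programs tacked onto the Winlogon `Shell=` value (the "Explorer.EXE nail.exe" case) and executables sitting in system32 that are not well-known Windows binaries. The sample log is constructed, reusing only file names already mentioned in this thread; the line layouts follow the usual HijackThis `F2 - REG:system.ini: Shell=...` and `O4 - HKLM\..\Run: [name] path` conventions, which is an assumption about the format rather than something quoted from the page. The system32 allowlist is deliberately short and constructed, so anything it reports is "look at this" for whoever reads the log, not a verdict.

```python
"""Triage helper for a saved HijackThis-style log.

Added example, not part of the thread or of HijackThis. It reports:
  * shell-hijack: anything besides Explorer.exe in the Winlogon Shell value
  * unknown-system32-process / unknown-system32-autorun: executables under
    \\system32\\ that are not on a (constructed, intentionally short) allowlist
Nothing here deletes or fixes anything; it only points at lines to review.
"""
import ntpath
import re

# Constructed sample log. File names come from this thread; the line layouts
# follow the usual HijackThis conventions (an assumption, not page-quoted).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
c:\\windows\\system32\\vbujayh.exe
C:\\WINDOWS\\system32\\svcproc.exe

F2 - REG:system.ini: Shell=Explorer.EXE nail.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [pohoignlfyy] C:\\WINDOWS\\system32\\pohoignlfyy.exe
"""

# Constructed allowlist of Windows binaries normally found in system32.
# Deliberately incomplete: a miss means "review", not "malicious".
KNOWN_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "explorer.exe",
}

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?: \[(.*?)\] (.+)$")
PROC_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # a bare path in the process list


def check_shell(value):
    """Return the entries in a Winlogon Shell value other than Explorer.exe.

    Windows only needs "Explorer.exe" here; every extra token is launched
    alongside the desktop at logon, which is how nail.exe was being started.
    """
    return [part for part in value.split() if part.lower() != "explorer.exe"]


def in_system32(path):
    """True if the path points into a \\system32\\ directory."""
    return "\\system32\\" in path.lower()


def unknown_system32(path):
    """Return the file name if it lives in system32 but is not allowlisted."""
    name = ntpath.basename(path.strip())
    if in_system32(path) and name.lower() not in KNOWN_SYSTEM32:
        return name
    return None


def parse_log(text):
    """Scan log text and return a list of (finding_type, file_name) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            findings.extend(("shell-hijack", extra) for extra in check_shell(m.group(1)))
            continue
        m = O4_RE.match(line)
        if m:
            name = unknown_system32(m.group(2))
            if name:
                findings.append(("unknown-system32-autorun", name))
            continue
        if PROC_RE.match(line):
            name = unknown_system32(line)
            if name:
                findings.append(("unknown-system32-process", name))
    return findings


if __name__ == "__main__":
    for kind, name in parse_log(SAMPLE_LOG):
        print(f"{kind:28} {name}")
```

Run it against a real saved log by reading the file into `parse_log` instead of `SAMPLE_LOG`. The "shell-hijack" finding is the one worth acting on first: anything beyond Explorer.exe in that value restarts with every logon, which matches the "delete it and it comes back" behaviour described earlier in the thread.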


----------



## zardiw (Jan 8, 2005)

DO NOT run that www.mypctuneup.com removal tool!!!!!!!!! They tell you to turn OFF your firewall before you run it.... I tried it just to see if it would try to 'phone home'..... Kerio immediately popped up, and it got DENIED!!!

What kind of removal tool phones home???? and what is it trying to send????????

This procedure will remove this malware:

http://www.cybertechhelp.com/forums/showthread.php?t=75452

z


----------



## dvk01 (Dec 14, 2002)

yes the removal tool needs to connect to its controlling website to work 

The instructions tell you that 

In all tests so far it has removed all of the malware without putting it back on or anything else on and I am perfectly happy to suggest using it until it is proved to install something or stops working


----------



## zardiw (Jan 8, 2005)

Well, any legitimate 'removal' tool would have NO NEED to connect to the 'home office'.......You can let the Fox in the Henhouse if you want, but you can count me OUT on that deal buddy...........z


----------

