Aurora Removal

[Carmon]

Hey all i got this Spyware called Aurora on my PC ive tried all the Spyware programs i.e

Ad-ware

M$

S&D

Spysweeper

and before ya all go get Firefox its great blah blah etc lol ive tried it and Aurora still rids it bits lol its **** pop up and also certain words say like *PC* will be highlighted in Green as a Advert link.

Ad-ware, M$ and Spysweeper Found it But says It cant remove due to its playing in the Background so i try and close it in Ctrl + Alt + Del . but i close it and loads up aagin but as a different name say example i close ad.exe it starts up wiv ad2.exe etc so i tried doing a scan in Safe-mode and all the ad-ware programs didnt find it ive ran out ideas so any betta idea please tell me

cheers

[firefoxthebomb]

Well what can I say, spyware is always hard to defeat. When I come across one that I can not rid of I use a program called Winspy to see what process is using and launching that program and kill the exe or dll file that launches it.

[Carmon]

^ Cheers for the Tool it told me were it was and deleted it but...

3 mins after i deleted it it returned back again :S

[DigeratiPrime]

Just to be clear, Firefox is a web browser not a spyware removal program.

Make sure you update Ad-Aware and do a deep scan in safe mode.

you can also read through this:

http://forums.techguy.org/showthread.php?t=353342

[Carmon]

i didnt mean the firefox is a anti-spyware remover i ment that ppl say dont use ie get firefox cuz beta etc.

but cheers i followed the guide but still no luck

[Martin Zugec]

Ok, could you please post your hijackthis log?

[Martin Zugec]

Also please run command "wmic process get name" and post the result

[Carmon]

Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Ad Muncher\AdMunch.exe
c:\windows\system32\hvjtofo.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CaRm0n\Desktop\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109956786714
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

there ya go

[Martin Zugec]

Here is your problem:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe

Try remove that hvjtofo.exe from registry. Give system few minutes and check again - if it restored these registry setting, there is something called respawner spyware. Run RegMon and set monitoring to this key - you will find out, which process is respawning the value. Also use Process Monitor instead of task manager to see, if there is process tree with parental process nail or hvjtofo. Kill the whole process tree.

Did it help?

[Carmon]

well it did for 5mins then it popped back up again so sumthing still bringing it back up but i dunno wat :S

[DigeratiPrime]

Check on the 2nd post here.

http://forums.techguy.org/showthread.php?t=353323

[Carmon]

well read thru that ive used all teh Anti-Adware/spywar stuff gone thru all the guides this got me puzzled to hell lol i dont wanna do the big Format cuz i anit got the time . so any other idea or wanna test a program that might work give a link

[Aegis]

Hope this works... If it does not, try to find as many arbitrary seven character files as you can and post it.

delspy.rar

[DigeratiPrime]

i wonder if you could run a linux live cd with ntfs read/write and just delete the trouble files.

Or use something like this

http://ubcd4win.com/

http://www.seanster.com/Super_WinPE/SuperWinPE2.htm

[DigeratiPrime]

http://www.bullguard.com/forum/12/Does-any...rora_12733.html

The second to last post claims to have succesfully removed the trouble files.

The last post mentions using an uninstall program program, NOTE i have seen various people mention this uninstaller but they only have 1 post count. So they may be cons.