Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs
IVE TRIED IT ALL and aurora is still here


pilatedog (Junior Member, 4 posts; joined Apr 2005)
16-Apr-2005, 02:28 AM #1
Somehow this trojan got on my system and I cannot get rid of it. I have walked through other posts and tried things but nothing,....I need someone to walk me through how to remove this sh@#. I have good knowledge so I just need a push in the right direction. It is the "Aurora" pop-up thing that you cannot kill. In Task Manager when you end the process tree.....it comes back right away as a differently named file. I've done safe mode scans, and things from the CMD prompt and everything, but it is still here. I have McAfee, Ad-Aware 6.0 w/ proc, and Ad-Watch, Microsoft spyware remover, and Spybot. SOMEONE PLEASE HELP ME!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:26:38 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\vbujayh.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
OBP (Distinguished Member, 5,836 posts; joined Mar 2005; UK)
16-Apr-2005, 12:02 PM #2
pilatedog, when you installed MS AntiSpyware did you also install the Malicious Software Removal Tool as well? If not, try it; it is here - http://www.microsoft.com/security/m...ve/default.mspx
Adaware 6.0 is an old version.
Unless you want to go for Saving your data, reformatting and re-installing windows, how about trying to find what is putting them back on.
If you haven't already got them download, install and update the definitions of -
Adaware SE free version from - http://www.lavasoft.de/support/download/
Also from Lavasoft get the VX2 addon from - http://www.lavasoft.de/software/addons/
Spybot S and D from http://www.security.kolla.de
SpywareBlaster from - http://www.javacoolsoftware.com/downloads.html
CWShredder from - http://www.intermute.com/spysubtract..._download.html

First of all click Start>Run and type in sysedit, look in autoexec.bat and config.sys and see what is listed in there; if possible copy and paste them into WordPad and then on to here. Autoexec and config.sys are both accessed before Windows starts, so if they contain anything malicious it does its work before your anti-virus can stop it.
Next try Start>Run and type in msconfig. In msconfig click the Boot.ini tab.
It should look like this -
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 Server" /fastdetect

Next use Explorer to search your hard drive(s) for *.bat, which are batch files that a program may use to reset the deleted virus software. Make a note of any that you find to compare them with what is on my computer.


Lastly the tricky one, disconnect your computer from the internet.
In Task Manager if any of these are running as processes or services stop them
vbujayh.exe
Nail.exe
svcproc.exe

Find and delete -
c:\windows\system32\vbujayh.exe
C:\WINDOWS\Nail.exe
Rename this C:\WINDOWS\svcproc.exe
to - C:\WINDOWS\svcproc.old just in case it is a real Windows Program (but I don't think it is)

Use HJT to delete these entries -
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

While you have major virus problems I would personally delete the MSN, Yahoo, Java and Google toolbars and addons unless you can be absolutely certain nothing is getting in via them; after all, you can always install them again afterwards.

Now open msconfig and in the Services tab click on Disable All; if explorer.exe or Task Manager is in there then tick them back on again. Then in the Startup tab untick everything except explorer.exe and Task Manager if they are listed.
Run an MS antispy scan and all the other programs I asked you to download, delete anything they find.

Reboot the computer.
Run an MS antispy scan and HJT, are the files back again?
If they are we will know that it is not anything running in Processes or services that is re-instating them.
If they are not back then it is a simple process of elimination to find the culprit.
One of the things that you have to be wary of is programs that you think are OK but have been corrupted by the virus, which is why I suggested getting rid of the toolbars and addons.
In fact I would delete everything from the HJT log except the absolute essential Programs.
OBP
I do not give up easily
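The reasoning OBP applies above (a Shell= line that launches something besides Explorer, Run entries with random names in system32, an "Unknown owner" service sitting in the Windows root, a service whose file is missing) can be turned into a small log-triage script. This is an added example, not code from the thread or from HijackThis; the flagging rules are teaching heuristics, and the sample log lines are copied from the logs posted in this thread.

```python
"""Triage a HijackThis log for the persistence patterns discussed in this thread.

Added illustration, not code from the thread or from HijackThis. The rules are
teaching heuristics (assumptions), not the tool's own logic: an F2 Shell= that
launches anything besides Explorer.exe; O4 Run entries whose key name AND target
are random-looking lowercase names under system32 (mynprv / hfuxiks pattern);
O23 services with "Unknown owner" loading from the Windows root folder; and
orphaned services whose file is missing (removable, but not proof of malware).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

VOWELS = set("aeiou")

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

@dataclass(frozen=True)
class Finding:
    kind: str   # short label for the suspicious pattern
    line: str   # the HijackThis line that triggered it

def looks_random(name: str) -> bool:
    """5-8 lowercase letters with few vowels. Weak alone (jusched passes too),
    so check_o4 requires BOTH the Run key name and the file stem to match."""
    if not re.fullmatch(r"[a-z]{5,8}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.35

def check_f2(line: str) -> Finding | None:
    m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
    if not m:
        return None
    # Only Explorer.exe belongs here; anything extra starts with the shell,
    # before the anti-virus tools get a look at it.
    extras = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
    return Finding("shell-hijack", line) if extras else None

def check_o4(line: str) -> Finding | None:
    m = re.match(r'O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] "?(.+?\.exe)', line, re.I)
    if not m:
        return None
    run_name, target = m.group(1), m.group(2)
    stem = target.rsplit("\\", 1)[-1][:-4]          # file name without .exe
    in_system32 = "\\system32\\" in target.lower()
    if in_system32 and looks_random(run_name) and looks_random(stem):
        return Finding("random-name-run-entry", line)
    return None

def check_o23(line: str) -> Finding | None:
    m = re.match(r"O23 - Service: (.+?)(?: \(([^)]+)\))? - (.+?) - (.+?)(?: \(file missing\))?$", line)
    if not m:
        return None
    _display, _short, owner, path = m.groups()
    if line.endswith("(file missing)"):
        return Finding("orphaned-service", line)
    folder = path.rsplit("\\", 1)[0].lower()
    if owner == "Unknown owner" and folder.endswith(":\\windows"):
        return Finding("unknown-owner-service-in-windows-root", line)
    return None

CHECKS = (check_f2, check_o4, check_o23)

def triage(log_text: str) -> list[Finding]:
    """Return the flagged lines of an HJT log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit is not None:
                findings.append(hit)
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:40} {f.line}")
```

Note that the legitimate McShield service is also "Unknown owner" but is not flagged because it loads from its own program folder, and the UMWdf entry is reported only as orphaned, not as malware.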
pilatedog (Junior Member, 4 posts; joined Apr 2005)
17-Apr-2005, 01:17 AM #3
Damnit!!!!
I followed your directions to a tee......downloaded and installed all the spyware removal you suggested.......but here's the thing. There is only a black screen when trying to view the autoexec.bat and the config.sys...........so I searched for autoexec and config and I found them as autoexec.NT and config.NT but I cannot view them......
I shut off all tool bars, uninstalled them..., I tried to search for bat files and I found 2
msdtcutr.bat
buildall.bat

boot.ini looks like you posted...there was not a file called vbujayh.exe but I deleted nail.exe and svcproc.exe

I turned off all startup and all services in msconfig and rebooted but a new startup file was checked and the spyware was loaded again!!!

When it loads, Microsoft spyware remover sees it and warns me by saying....

"program TODO: <product name> is trying to install a new startup program in registry called TODO: <consumer name>, block or allow?"

I block it but when I start Internet Explorer the "Aurora" pop-up loads anyway. Please guide me further...below is a new HJT report after all services and startup were shut off.


Logfile of HijackThis v1.99.1
Scan saved at 7:05:28 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\mynprv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

any help is always appreciated..............
OBP (Distinguished Member, 5,836 posts; joined Mar 2005; UK)
17-Apr-2005, 05:58 AM #4
Did you do this bit -
Use HJT to delete these entries -
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Something started this - mynprv.exe
and put this in the registry - O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
but at least we know it is not in startup programs or services.

I haven't got either of those .bat files on my computer, what folders did you find them in?
Right click on each one in turn and from the menu click "Edit". This should show you what is held in each of the .bat files.
The other thing you could try is renaming them to msdtcutr.old and buildall.old and then do the Safe Mode deletion routine again to see if that has any effect.
The other thing I will have to do is find you a "Memory Resident Virus" scanner in case the "trigger" is being held in RAM.
Did you install - Malicious Software Removal Tool?
Try running a Hijackthis log in Safe Mode and delete the following -
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [qbimvz] c:\windows\system32\hfuxiks.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Delete - c:\windows\system32\mynprv.exe
hfuxiks.exe
OBP
I do not give up easily
OBP (Distinguished Member, 5,836 posts; joined Mar 2005; UK)
17-Apr-2005, 06:16 AM #5
Try a scan with this web based scanner -
http://www.bitdefender.com/scan/licence.php
OBP (Distinguished Member, 5,836 posts; joined Mar 2005; UK)
17-Apr-2005, 06:53 AM #6
I forgot to ask, did you do a system search for TODO: <product name>?
khazars (Distinguished Member, 12,032 posts; joined Feb 2004; Glasgow, Scotland)
17-Apr-2005, 07:15 AM #7
try this.

Go to: Start > Run
Type: services.msc
Hit Enter

In the Services window, scroll down for:

System Startup Service

Right click it and select "Properties"
Click the "Stop" button, and wait for Windows to kill the process
Then change the "Startup Type" drop-down menu from "Automatic" to "Disabled"



Copy these instructions to notepad and then restart to safe mode.

How to start your computer in safe mode (http://service1.symantec.com/SUPPORT...01052409420406)


Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [djjkvrn] c:\windows\system32\mynprv.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window copy and paste the following commands one at a time, exactly as they appear below, and hit the Enter key after each one:

del C:\WINDOWS\svcproc.exe

Hit Enter

del c:\windows\system32\mynprv.exe

Hit Enter

cd C:\windows

Hit Enter

nail.exe /FullRemove

Hit Enter

exit

Hit enter


Reboot and post another Hijack This log please.
Khazars, Member of ASAP (Alliance of Security Analysis Professionals)
Last edited by khazars : 17-Apr-2005 07:16 AM. Reason: more info
dvk01 (Moderator, 24,319 posts; joined Dec 2002; Loughton, Essex, UK)
17-Apr-2005, 07:37 AM #8
To be able to fully fix this one we need to find a few hidden files.
Download FindIt's.zip to your desktop.
Unzip/extract the files inside, open the folder and run FindIt's.bat, and wait for a text file to open. It will take a while, so be patient. Post the results please.

http://forums.net-integration.net/in...post&id=142443
Derek
Microsoft MVP/Windows - Security
pilatedog (Junior Member, 4 posts; joined Apr 2005)
17-Apr-2005, 01:59 PM #9
I just wiped it......
I cannot express enough thank-yous to everyone who pitched in with some information to help me out on this thing......However, after doing ALL THAT stuff I did yesterday and it still not working, I gave up.......I formatted the C drive and re-installed my OS and drivers. I have been with computers for a long time...and I have not come across a spyware I could not remove.....until now. In answer to your query.....Yes, I searched for TODO:<product name> and nothing came back. I searched again after I set the folders to show all hidden files. My big concern was I noticed that even when I booted in safe mode.....this TODO:<product name> thing loaded anyway.....plus I could not find a file anywhere named autoexec.bat or config.sys. They were both .NT?!?! I could not open them to read them from anywhere....sysedit would not open it...only a file named autoexec.bat but it was blank. Command prompt would not type it out for me either. After a complete format, the computer is back down to a normal 28 processes and I have a 100% clean bill of health....so far. I took all suggestions to heart and installed all malicious software removers and all updated versions of all spyware and virus protection software. So far so good. I am not too sure where I contracted the bug from, but I will guarantee you I will not fall for their trickery again. Anyway, thanks for everyone's help and time and effort. Best wishes...
khazars (Distinguished Member, 12,032 posts; joined Feb 2004; Glasgow, Scotland)
17-Apr-2005, 02:02 PM #10
OK, sorry to hear you had to take such drastic action, but at least your PC is now in a healthier state.

Here are some suggestions to try and keep you free of the bugs.

To stop reinfection get these two tools, SpywareGuard and SpywareBlaster, from www.javacoolsoftware.com

Get the hosts file from http://www.mvps.org/winhelp2002/hosts.htm and put it into C:\windows\system32\drivers\etc for XP and W2K, or C:\windows\ for 95, 98 and ME.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all: https://netfiles.uiuc.edu/ehowes/www/resource.htm

WinPatrol: http://www.winpatrol.com/winpatrol.html

Prevx, a new tool, looks like a good one: http://www.prevx.com/prevxhome.asp

Use Spybot's immunize button and use SpywareBlaster's enable protection once you update it. You can put Spybot's hosts file into your own and lock it. Plus you can also turn on Spybot's TeaTimer for added protection against pests.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads: http://www.mozilla.org/

Free anti-virus tools: AVG6 from www.grisoft.com; Avast 4 from www.avast.com

Free firewalls: www.zonelabs.com, www.kerio.com, www.sygate.com
How to set up and configure the Kerio rules-based firewall: http://www.dslextreme.com/users/surferslim/tpf.html

Sites for testing firewalls: http://grc.com/, www.pclank.com, http://scan.sygatetech.com/
Khazars, Member of ASAP (Alliance of Security Analysis Professionals)
pilatedog (Junior Member, 4 posts; joined Apr 2005)
20-Apr-2005, 04:38 PM #11
Thanks for all of your valuable input! I use Firefox...(down with the Gates-monster) so I hope that I can stop future problems..... Any word on when any virus protection (ie: McAfee/Norton) is going to have a web update available to fix the "Aurora" pop-up ad problem? It looks like it infected a LOT of people.
khazars (Distinguished Member, 12,032 posts; joined Feb 2004; Glasgow, Scotland)
20-Apr-2005, 04:54 PM #12
This has turned up from the pesky web site responsible for nail.exe, svcproc.exe and Aurora.


Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
http://www.mypctuneup.com/evaluate.php
Or go to www.mypctuneup.com and click on free uninstall tool and follow the steps.

We hope you find this helpful. Thanks again for your continued patience.
Khazars, Member of ASAP (Alliance of Security Analysis Professionals)
Smitty21 (Junior Member, 6 posts; joined Apr 2005)
20-Apr-2005, 08:32 PM #13
I've got a computer with the same problem & I'm not going to format it. I'm going to fix it no matter how long it takes. I've already spent an entire day on it. I've run Spy Sweeper, Ad-Aware, MS AntiSpyware, NAV, McAfee, PC-cillin, AVG, HijackThis. I've deleted the nail.exe & the Shell entry in the Registry and still have the Aurora pop-ups. I've also booted to a Windows PE CD to get rid of all the other crap in the Program Files, System32, & Temp folders. Who is this mypctuneup.com so I can deliver a bag of crap on their doorstep?

Last edited by Smitty21 : 20-Apr-2005 08:47 PM.
The_Egg (Senior Member, 1,157 posts; joined Sep 2002)
20-Apr-2005, 09:32 PM #14
So did the provided uninstaller not work for you?
http://www.mypctuneup.com/evaluate.php
Smitty21 (Junior Member, 6 posts; joined Apr 2005)
20-Apr-2005, 09:45 PM #15
I haven't tried it yet but I know some of these web sites that offer web-based uninstallers are full of crap and install more spyware. How do I know they're legit? Because they're partners with the developer?

Last edited by Smitty21 : 20-Apr-2005 09:53 PM.