"Aurora" pop up


Ryan

I use Spybot-SD and Microsoft AntiSpyware. Neither find
this popup "Aurora". In a search I find its basic files
located in c:\Windows\ and Windows\Prefetch with a file
name of ZDZDHTVSPTA.exe and ZDZDHTVSPTA.EXE-09069334.pf
respectively. I used Microsoft to send "suspicious" notice
but during submission get a "please check internet proxy
settings" error. I know MS spyware is beta but would
still like them to see this unknown popup.
 
This one has three parts. I cleaned it by hand on Friday from a system,
after Microsoft Antispyware cleaned perhaps a dozen other items.

I'm sorry that you aren't able to send the suspected spyware report, but I
believe Microsoft will have seen this one.

There are three executables involved.

I believe you have found the hardest-to-spot of the three. I believe this
one is randomly named, but retains the same name on a given system.

There are two other parts. Look for nail.exe--can't recall for sure whether
in \windows or \windows\system32. Additionally, use the Tools, Advanced
Tools, System explorers, to see the running processes. Look for a process
whose name starts with TODO--and an executable name consisting of 6 random
letters. You can kill this process with Microsoft Antispyware, but it will
return immediately with a new name--you'll need to refresh the screen to see
the new version.

Here's how I was able to do the thing, in the end.

I wasn't able to delete or modify the file you mention in either normal or
any safe mode.

So--I booted from the Windows CD, and chose Repair, and chose the recovery
console--this is a command prompt alternative OS, which allows you to see
some portions of the installed OS. From this, I was able, at a command
prompt to find and delete the three pieces--the ones you've spotted (I
missed the prefetch piece!) the shorter randomly named piece, and nail.exe.

On reboot, I got an error message to the effect that Windows couldn't find
nail.exe.

So I searched the registry, found nail.exe appended to the line which
defines the Windows Shell, and removed it.

If you need help with this process, I'd recommend calling Microsoft PSS for
support--I believe this is within the range of services they provide for
free. If you are in the US or Canada, call 1-866-pcsafety. Elsewhere in
the world, call your local Microsoft office--the same free help is
available, although the phone call may not be free.

This free help is limited to issues with viruses and virus removal or
problems with Security patches, or obtaining them. In this case, I believe
your issue is sufficiently virus-like that it'll be within their
guidelines--in fact, their first guideline will be to try using Microsoft
Antispyware.
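An added check, not from this thread or any poster, for the two places the post above names: the Winlogon Shell registry value (where nail.exe was found appended) and the Prefetch folder (where the .pf trace of the randomly named executable was missed on the first pass). The registry key path is the real Winlogon key; the sample Shell value and the file names in the test are constructed from what the posts describe.

```python
"""Audit helpers for the Aurora / nail.exe cleanup described above (added example)."""
import ntpath
import os
import re
import sys
from pathlib import Path

# Real registry location of the Shell value; the thread only calls it
# "the line which defines the Windows Shell".
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_value_extras(shell_value: str) -> list[str]:
    """Return every program in a Winlogon Shell value other than explorer.exe.

    The value can list several programs separated by commas or spaces;
    a clean machine has just "Explorer.exe", so anything else is suspect.
    ntpath is used so Windows paths are split correctly on any platform.
    """
    parts = [p for p in re.split(r"[,\s]+", shell_value.strip()) if p]
    return [p for p in parts if ntpath.basename(p).lower() != "explorer.exe"]


def prefetch_traces(exe_name: str, prefetch_dir: str) -> list[str]:
    """Find Prefetch files left by exe_name (e.g. ZDZDHTVSPTA.EXE-09069334.pf).

    Prefetch names are upper-case with a hash suffix, so match the
    executable name case-insensitively and ignore the suffix.
    """
    stem = exe_name.upper() + "-"
    return sorted(p.name for p in Path(prefetch_dir).glob("*.pf")
                  if p.name.upper().startswith(stem))


def read_live_shell_value() -> str:
    """Read the Shell value from the registry on Windows; empty string elsewhere."""
    if sys.platform != "win32":
        return ""
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Shell")
        return str(value)


if __name__ == "__main__":
    # Constructed sample matching the posts; replaced by the live value on Windows.
    shell = read_live_shell_value() or r"Explorer.exe C:\WINDOWS\nail.exe"
    print("Shell value:", shell)
    print("Extra entries:", shell_value_extras(shell))
    prefetch = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "Prefetch")
    if os.path.isdir(prefetch):
        print("Prefetch traces:", prefetch_traces("ZDZDHTVSPTA.exe", prefetch))
```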
 
I had this, and went through all kinds of hell trying to
get rid of it, up to seriously contemplating paying MS to
help me with it, after using what free help was available.
Best thing I discovered was to go to the Aurora site by
clicking on one of their insanely numerous and obtrusive
pop-ups, and have it uninstalled through them. Then search
for nail.exe and todo and aurora files it leaves behind.
Also check your registry.
 
I was desperate. They actually had the nerve to state that
their wonderful program (read extremely intrusive and
annoying virus which installed itself without my knowledge
or consent) didn't do any harm, and no info was collected
or used except for their purely altruistic purposes (and I
can surely trust them!), but if you're sure you want to
remove it, click here. Of course, it didn't fully remove
it, but at least it stopped it from continuously reviving
itself in endless variations in the task manager process
window. I'm pretty sure I drove a stake through its nasty
little heart by following through with the aforementioned
searches and removals. (Knock on wood.)
 
Do you have the URL handy that you went to?

It does sound like you did a good job of cleaning afterwards.
 
FWIW, that was a lot easier than cleaning this up by hand--although as you
noted--hand cleaning afterwards is needed too.

There are about 3 other reports of this same critter active in these groups
at the moment, so I'm sure we'll have other opportunities to collect the
URL.
 