Subject: Re: Aurora
From: "Andre Da Costa" <[email protected]> Sent: 5/29/2005 1:47:55 PM
From Andy & Plun:
Aurora Removal:
News from webhelper4u about removal with mypctuneup......
http://www.webhelper4u.com/tnewswritigs/mypctuneup5252005.html
Uninstall file:
http://www.mypctuneup.com/
Download CCleaner and remove all temporary junk.
www.ccleaner.com
HijackThis download:
http://www.merijn.org/files/hijackthis.zip
Lavasoft's Ad-Aware:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10319876.html?tag=list
I agree the transponders gang are very nasty and can be very difficult to remove fully.
File names related to this variant are:
Poller.exe, uacupg.exe (random name), Nail.exe, thnall1ac.html (random name), DrPMon.dll, svcproc.exe.
The Nail.exe is the main reinfestational agent, which also creates a randomly named exe file in the %window% %system% folder that is 74kb in size, and the name in the properties will possibly show: TODO.
The Windows service file could be C:\WINDOWS\svcproc.exe
To check for this, go to the Run command and type services.msc.
In the Services window that opens, press Name to sort into alphabetical order and check for System Startup Service. If you find it, right-click it and choose disable in the dropdown box. Then hit the Stop button.
Download these programs:
Download CCleaner (removes temp & unused files)
http://download.ccleaner.com/download119bin.asp
Download the BetterInternet/Nail/Bolger/Aurora Remover
http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292
Download the Remover to your desktop
Download HijackThis:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Download to either the desktop or the C: drive
Download Killbox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Removal:
Reboot into Safe Mode
Start the ABIRemover.exe, press Install, wait (the Explorer window will disappear)
Run HijackThis and save the logfile. What you are looking for are entries like this, but if you're unsure, post the log back before fixing.
Tick to fix :-
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this file changes its name every time you boot - but it will be in the same place in the log)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Close all other open windows and choose Fix checked
Run the Killbox.exe file
Check the box "Delete on Reboot"
Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox
C:\WINDOWS\svcproc.exe
Click the red button with the white X on it
It will ask you if you want to reboot ... say "NO"
Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox
C:\WINDOWS\Nail.exe
Click the red button with the white X on it
It will ask you if you want to reboot ... say "NO"
Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox
C:\WINDOWS\kkuibquo.exe ... this name changes, use HijackThis to find the name on yours.
Click the red button with the white X on it
It will ask you if you want to reboot ... say "YES"
Let it reboot
When you get back in normal mode, run CCleaner to remove any other traces of this in the temp files. If this doesn't fix it for you or you cannot find some of the files, then another useful tool for this is FindIt's
1. Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443
2. Unzip/extract the files inside, open the folder
3. Run the FindIt's.bat and wait for a text to open,
4. Copy & paste the contents of the text file in your next reply here.
Good luck
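
The three HijackThis entries the post says to tick (F2 Shell, O4 Run, O23 Service), turned into a small log triage script. This is an added example, not part of the original post and not part of HijackThis. The sample log is constructed from the post's own lines plus two made-up benign entries, and the "Windows root" rule for O4 is an assumption used to catch the randomly named file.

```python
import ntpath
import re

# File names the post lists for this variant (the randomly named ones are omitted).
KNOWN_NAMES = {"poller.exe", "nail.exe", "drpmon.dll", "svcproc.exe"}
ENTRY = re.compile(r"^(F2|O4|O23) - (.*)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll)\b', re.I)

# Constructed sample: three lines from the post, two invented benign entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe
O23 - Service: Example Service (ExSvc) - Example Corp - C:\WINDOWS\system32\exsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

def triage(log_text):
    """Return (section, path, reason) for each entry worth posting back for review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # only the three sections named in the post are examined
        section, body = m.groups()
        for path in WIN_PATH.findall(body):
            name = ntpath.basename(path).lower()
            parent = ntpath.dirname(path).lower()
            if name in KNOWN_NAMES:
                reason = "file name listed in the post"
            elif section == "F2":
                reason = "extra program appended to Shell="
            elif section == "O23" and "unknown owner" in body.lower():
                reason = "service binary with unknown owner"
            elif section == "O4" and parent == r"c:\windows":
                # Assumption: a Run entry launching straight from the Windows root is unusual.
                reason = "Run entry in Windows root (name may be random)"
            else:
                continue
            findings.append((section, path, reason))
    return findings

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {path}  <- {reason}")
```

The flagged paths are the ones to compare against your own log before ticking anything; the random O4 name will differ on each machine.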