Trojan.Startup.NameShifter.BK


George

I am using Microsoft AntiSpyware on my laptop which is
running XP service pack 2. It found
Trojan.Startup.NameShifter.BK Trojan. I had it remove it
and rebooted my computer and it is still there. I have
run the full system scan twice and it still is active.
How do I manually get rid of it?

Thanks
George
 
George presented the following explanation :
Trojan.Startup.NameShifter.BK Trojan.
How do I manually get rid of it?
Hi

Restart in safe mode, press F8 during reboot/start just before Windows
flag screen appears, choose fullscan with all options checked within
MSAS.

Also download CCleaner www.ccleaner.com for temporary junk removal
before scan. Because this saves a lot of scan time and you will have a
faster PC. Don't be surprised if CCleaner finds several hundred MB of
junk.
 
This detection relates to BetterInternet. I scanned
poller.exe with MS Antispy which gave the detection
Trojan.Startup.NameShifter.BK so if it's the same then you
have been infected with one of BetterInternet's
wonderful programs ;)

Go with Plun's suggestion of scanning in safe mode but
poller.exe is part of Aurora which is very difficult to
remove as there is a part that changes its name every time
you reboot.

Can you do a search on your system for a couple of files
and let me know if you find them? If it's Aurora I will
post a few fixes you can use.


Go to Start, then Search > go to Tools on the top bar > then
click Folder Options > then go to the View tab.

Make sure that 'Show hidden files and folders' is
enabled, 'Display the contents of system folders' is
checked & 'Hide extensions for known file types' is not
checked, then press Apply.

You can set this back later by opening the same page and
pressing 'Restore Defaults' then pressing Apply.

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane,
click on the 'More advanced options' at the bottom. Make
sure that Search system folders, Search hidden files and
folders, and Search subfolders are checked.


Then search for these. Even if you find 1 of them, it means
it's Aurora:

Nail.exe
svcproc.exe
DrPMon.dll

Also check your Add/Remove screen in control panel for
this entry :

The ABI Network-A Division of Direct Revenue


Let me know if you find any of them

Thanks

Andy
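
The file check Andy describes can also be scripted. This is an added example, not part of the original thread: the three file names come from his post, while the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# File names Andy's post lists as signs of Aurora; NTFS lookups ignore case.
AURORA_FILES = {"nail.exe", "svcproc.exe", "drpmon.dll"}


def find_aurora_files(root):
    """Walk root and return the sorted full paths of files named in AURORA_FILES."""
    hits = []
    # os.walk lists hidden and system entries as well, so nothing depends on
    # Explorer's Folder Options. Unreadable directories are skipped, not fatal.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() in AURORA_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout (not from a real machine) for an offline run."""
    system32 = os.path.join(base, "WINDOWS", "system32")
    os.makedirs(system32)
    # svchost.exe is included as a lookalike name that must not be reported.
    for rel in ("WINDOWS/NAIL.EXE", "WINDOWS/system32/DrPMon.dll",
                "WINDOWS/notepad.exe", "WINDOWS/system32/svchost.exe"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("placeholder")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in find_aurora_files(build_sample_tree(tmp)):
            print("found:", path)
```

On a real machine, pass the drive root (for example `C:\`) to `find_aurora_files` instead of the sample tree.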
 
I followed Plun's suggestion and it worked. No more
Trojan.Startup.Nameshifter.BK. But I still have Aurora. I
am managing it with MAS, I delete the program when it
starts and delete any startups that come up. But the
program always changes names, seemingly random letters.

I have run ewido, ccleaner and nailfix. Those have helped
because now I only have one program instead of 6. But it
is the "ABetterInternet" that keeps installing or running
from somewhere.

Any suggestions would be much appreciated.
 
I downloaded the update for Spybot, restarted the computer
in safe mode and ran the Spybot scan. It cleaned out
Aurora and a few other things. But after a reboot, Aurora
was back.

I went into safe mode, re-scanned with Spybot. Then I
cleared the Prefetch folder. Then I checked the
C:\Windows\ folder for suspicious looking applications. I
deleted two .exe files. I wish I had written them down.
One was named something like ckelfia.exe (It says Buddy
Window as the name of the program). The other file was either
named Thinstaller.exe or it was a randomly named file.

I wish I had written them down. At the time, I honestly
didn't think deleting the files would work.

Anyway, thanks for your suggestion. It seemed to be the
key to getting rid of this nasty program.
 
Hi Sparky

Yes, Aurora is nasty and hated but the problem is that
you clicked "Yes" to Aurora's EULA.

Nevertheless, removal from Andy (the great)

The only fix I've got up to now is to download Nailfix,
Ewido & Ccleaner as usual

Nailfix:
--------

http://www.noidea.us/easyfile/file.php?download=20050711214630636

or

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3719.0;id=310


Ewido - install & update in normal mode and use in safe mode
------
http://www.ewido.net/en/


Ccleaner:
---------
http://www.ccleaner.com/ccdownload.asp


Then go to the Start menu, then Run, and type:

services.msc

When this opens, press Name to sort them in order and find:

System Startup Service

Right click and view properties, then press 'Stop' and
change the startup type from 'Automatic' to 'Disabled' and
click Apply - this is svcproc.exe

Next boot into safe mode (Reboot and keep tapping F8 then
choose safe mode from the list)

Once you are in safe mode double click Nailfix.exe and
then follow the instructions - explorer.exe will be stopped
for a few seconds then your desktop icons and taskbar
will come back.

Next run Ewido on a complete scan as many times as it
takes to remove the files. It took me 3 full scans.

Also use MS Antispy as that does better at detecting some
of the junk that is now being bundled with Aurora.

Finally use Ccleaner twice on both settings 'Run Cleaner'
and 'Issues' and clear all problems.

Clear the prefetch folder:

Go to Start, then Run, and type

prefetch

Delete the contents of this folder.

Then reboot back to normal mode and that's it.

Andy

--
plun
 