Aurora and abetterinternet

  • Thread starter Jeffrey Penfield

Jeffrey Penfield

Both of these spyware programs continually invaded my
computer. I would run MS antispyware and they would
detect them over and over again and remove them, but as
soon as they were deleted they would pop up again and
spyware would detect them again. How come Spyware can't
clean these and is there some solution for them?
 

Engel

Hello Jeffrey

You can delete nail.exe from the Windows directory in safe
mode - command prompt. Then reboot into safe mode and run
your scans.

Go into the windows and system32 folders and attack the
pest where it lives - renaming the files and deleting them
in safe mode or by Killbox. The ABIRemover isn't working
anymore from what I can tell.

From: "Andre Da Costa"
From Andy & Plun:
Aurora Removal:
News from webhelper4u about removal with
mypctuneup...... ;)

http://www.webhelper4u.com/tnewswritigs/mypctuneup5252005.html

Uninstall file:
http://www.mypctuneup.com/

Download CCleaner and remove all temporary junk.
www.ccleaner.com

HijackThis download:
http://www.merijn.org/files/hijackthis.zip

Lavasoft's Ad-Aware:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10319876.html?tag=list
And make certain that "Search for negligible entries" and
"Search for low risk entries" are checked.

I agree the transponders gang are very nasty and can be
very difficult to remove fully.

File names related to this variant are:

Poller.exe, uacupg.exe (random name), Nail.exe,
thnall1ac.html (random name), DrPMon.dll, svcproc.exe.

The Nail.exe is the main reinfestational agent which also
creates a random named exe file in the %window% %system%
folder that is 74kb in size and the name in the properties
will possibly show: TODO.

The windows service file could be C:\WINDOWS\svcproc.exe

To check for this go to the run command and type
services.msc.

In the services window that opens, press Name to sort into
alphabetical order, check for System Startup Service, if you
find it right click it and choose Disable in the dropdown
box. Then hit the Stop button.

Download these programs :

Download Ccleaner (Removes temp & unused files)

http://download.ccleaner.com/download119bin.asp

Download the BetterInternet/Nail/Bolger/Aurora Remover

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop
Download Hijack this:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Download to either the desktop or c/drive

Download Killbox

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Removal:

Reboot into safemode

start the ABIRemover.exe, press install, wait (explorer
window will disappear)

Run HijackThis and save the logfile. What you are looking
for are entries like this, but if you're unsure post the log
back before fixing.

Tick to fix :-

F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this
file changes its name every time you boot - but it will
be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown
owner - C:\WINDOWS\svcproc.exe

Close all other open windows and choose fix checked

Run the Killbox.exe file

check the box "Delete on Reboot"

copy and paste the following line bold into the "Full Path
of File to Delete" box in Killbox

C:\WINDOWS\svcproc.exe

click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

copy and paste the following bold line into the "Full Path
of File to Delete" box in Killbox

C:\WINDOWS\Nail.exe

click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

copy and paste the following bold line into the "Full Path
of File to Delete" box in Killbox

C:\WINDOWS\kkuibquo.exe ... this name changes, use hijack
this to find the name on yours.

click the red button with the white X on it

It will ask you if you want to reboot ... say "YES"

Let it reboot

When you get back in normal mode run Ccleaner to remove
any other traces of this in the temp files. If this doesn't
fix it for you or you cannot find some of the files, then
another useful tool for this is FindIt's.

1. Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

2. Unzip/extract the files inside open the folder

3. Run the FindIt's.bat and wait for a text file to open,

4. copy & paste the contents of the text file in your next
reply here.

Good luck
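The three HijackThis entries Engel says to tick can be picked out of a log automatically. This is an added example (not code from the thread or from the HijackThis project) that triages constructed sample log lines against the file names listed above; the "random name" heuristic (a short run of lowercase letters directly in the Windows folder) is my assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log (not a real HijackThis log): the three entry types
# the post says to tick, plus two benign lines as controls.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [iMiDA] C:\\WINDOWS\\kkuibquo.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe
"""

# File names the thread ties to this Aurora/Nail variant.
KNOWN_NAMES = {"nail.exe", "svcproc.exe", "poller.exe", "uacupg.exe",
               "drpmon.dll", "bolger.dll"}
# Heuristic (assumption, not from the post): the per-boot random name is a
# short run of lowercase letters placed directly in the Windows folder.
RANDOM_EXE = re.compile(r"^[a-z]{6,10}\.exe$")
O4_RE = re.compile(r"^O4 - \S+: \[[^\]]*\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - .+? - (?P<path>.+)$")


def suspicious_path(path_str):
    """Reason string if the path matches the thread's indicators, else None."""
    p = PureWindowsPath(path_str.strip())
    name = p.name.lower()
    if name in KNOWN_NAMES:
        return "known Aurora/Nail file name " + p.name
    if p.parent.name.lower() == "windows" and RANDOM_EXE.match(name):
        return "random-looking exe directly in the Windows folder"
    return None


def triage(log_text):
    """Return (entry_type, reason, line) for each log line worth ticking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # clean value is bare Explorer.exe
                findings.append(("F2", "Shell= loads extra program: " + shell, line))
            continue
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        why = suspicious_path(m["path"])
        if "short" in m.groupdict() and m["short"].lower() == "svcproc":
            why = "service short name is SvcProc (System Startup Service)"
        if why:
            findings.append((line[:3].strip(), why, line))
    return findings
```

Lines not matching any indicator (the ctfmon and AudioSrv controls) are left alone, so the output is exactly the set of entries to tick.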
 

AndyManchesta

Hi Engel

I've never advised users to use the mypctuneup site, I'd
appreciate it if you could correct that quote. I've tested
that site and it left Bolger.dll, DrPmon.dll, the random
files in my system folder and Windows/last good folder
and tons of thnall1ac.html files in my prefetch folder!

My method of fixing Aurora is this:



(Copy it to notepad so you can still view it in safe
mode )

----------------------------------------------------------
Download Nailfix to your desktop


http://www.noidea.us/easyfile/file.php?download=20050515010747824

mirror:

http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix

----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://andymanchesta.com/Downloads/ABIremover.zip


Download the Remover to your desktop
----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download AD-Aware SE

http://www.download.com/3000-2144-10045910.html

install and get all updates while in normal mode & run in
safe mode

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download120bin.asp

----------------------------------------------------------

You may need to empty your system restore points, Drpmon &
Bolger.dll is sometimes left in the restore area. To turn
off system restore go to Start, then right click My
Computer, then go to Properties, then System Restore.
Check the box 'Turn off system restore' then press Apply
and exit.


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


start the ABIRemover.exe, press install, wait (explorer
window will disappear)


in Safe Mode, double-click on nailfix.bat. Your desktop
and icons will disappear and reappear, and a window
should open and close very quickly.


Next run a full scan with Ewido & Ad-aware SE (Ewido will
find the random named files in the system folder and
windows/last good folder if they exist. Ad-aware will
detect and remove DrPmon and Bolger.dll)


Goto start then run and type

prefetch

delete the contents of this folder


Run Ccleaner and remove anything found,also use
the 'issues' button and fix any problems that are
detected.

Reboot & re-enable System Restore (go to Start again, then
right click My Computer, then choose Properties & go to
System Restore). Un-check the box 'Turn off system
restore' and press Apply.


You're done!



Andy
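Andy's complaint about the other remover is that it leaves Bolger.dll, DrPmon.dll, the random-named files and the Prefetch thnall1ac html files behind, so a post-cleanup check is worth having. This added example (not Andy's code or any of the tools above) sweeps a Windows folder for exactly those leftovers; it builds a constructed stand-in tree in a temp directory so it runs anywhere, and the 1 KB size tolerance around the 74 KB dropper is my assumption.

```python
import tempfile
from pathlib import Path

# File names the two posts say this variant leaves behind.
LEFTOVERS = {"nail.exe", "svcproc.exe", "poller.exe", "uacupg.exe",
             "drpmon.dll", "bolger.dll"}
# The post says the dropped random-named exe is 74 KB; the tolerance is mine.
DROPPER_SIZE = 74 * 1024
SIZE_TOLERANCE = 1024
# Drop folders named in the thread, relative to the Windows folder ("." is the
# Windows folder itself).
DROP_DIRS = {".", "system32", "lastgood", "lastgood/system32"}


def sweep(windows_dir):
    """Return sorted (relative_path, reason) for files matching the leftovers."""
    root = Path(windows_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        name = path.name.lower()
        parent = rel.parent.as_posix().lower()
        if name in LEFTOVERS:
            hits.append((rel.as_posix(), "known leftover file name"))
        elif parent == "prefetch" and name.startswith("thnall1ac") and name.endswith(".html"):
            hits.append((rel.as_posix(), "thnall1ac html dropped in Prefetch"))
        elif (parent in DROP_DIRS and name.endswith(".exe")
              and abs(path.stat().st_size - DROPPER_SIZE) <= SIZE_TOLERANCE):
            hits.append((rel.as_posix(), "exe of about 74 KB in a drop folder"))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for %WINDIR% with leftover and benign control files."""
    win = Path(tempfile.mkdtemp()) / "WINDOWS"
    files = {
        "Nail.exe": b"x" * 4096,
        "system32/DrPMon.dll": b"x" * 2048,
        "LastGood/system32/Bolger.dll": b"x" * 2048,
        "Prefetch/thnall1ac7.html": b"<html></html>",
        "system32/qwlorhta.exe": b"x" * DROPPER_SIZE,   # random-named 74 KB dropper
        "system32/notepad.exe": b"x" * 70000,           # benign control: wrong size
        "Prefetch/NOTEPAD.EXE-00000000.pf": b"x" * 100,  # benign control: a normal .pf
    }
    for rel, data in files.items():
        target = win / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return win
```

Running sweep() on a real machine means pointing it at the actual Windows folder instead of build_sample_tree(); the two controls show that ordinary system files in the same folders are not reported.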
 

Engel

Hi Andy

I'm sorry.

Checking on 5-29-2005
RE: Aurora and Dr.PMon

I'll be more careful

Engel
 

AndyManc

It's not a problem mate, it's just I don't really trust the
site. It does stop Aurora but it leaves that many files
still on the system it wouldn't take much for it to
reinstall if people ever visited Direct Revenue's sites
again. It's up to the user though so I appreciate why you
have posted it.

The site stops Aurora by removing Nail and Svcproc so it
can be useful if you then use other removers like
Adaware SE & Ewido, also MS Antispy in safe mode, to remove
the Bolger & Drpmon.dll files plus the random files that
are created in the windows folders (System & Lastgood).

Thanks Andy
 

plun

Engel expressed precisely :
Hi Andy

I'm sorry.

Checking on 5-29-2005
RE: Aurora and Dr.PMon

I'll be more careful

Spyware is like quicksand ......... ;)

But with Aurora it will be a manual fight for a long time I believe.
I now understand why MSAS doesn't touch it when we hear these
rumours about Claria/Gator.

And MyPCtuneup removes a lot without so much work........;)

...
plun
 

plun

Engel pretended :
Hi Andy

Re-checking my log, I think it is plun's recommendation.

Again Sorry

Don't be sorry! My advice was Mypctuneup and
webhelper4u, from what I can remember.
But maybe also something else, but I have never
recommended to only go to MyPctuneup.

Maybe also Andre took it and it was mixed with Andys ;)

It is easy to see within webhelper4u how transponders are
being left behind after removal.
 

Guest

-----Original Message-----
Both of these spyware programs continually invaded my
computer. I would run MS antispyware and they would
detect them over and over again and remove them, but as
soon as they were deleted they would pop up again and
spyware would detect them again. How come Spyware can't
clean these and is there some solution for them?
.
Go to the following links and download these programs
to your desktop.
(http://www.mypctuneup.com/uninstaller_exe.php)
(http://www.majorgeeks.com/download4609.html)
When your downloads are complete disable all of your
spyware protection and restart your computer into safe
mode with network by pressing f8 on startup. When you are
in safe mode run a search to find the programs you
downloaded unless you have already found them yourself.
When you find them run ABI remover. When it finishes you
can then run the my pc uninstaller. When you are done
running both programs shutdown your computer and start up
normally.
 

Ani

So am I, it's getting frustrating having to continuously
run AntiSpyware, which finds the transponder/aurora/dpmon
threats and removes them, only for them to re-appear as
soon as I reboot. If anyone has any suggestions for how
to remove PERMANENTLY please let me know

Thanks
 