Aurora,

Manny

How can I get this Aurora stuff off my computer? It is
annoying me and spyware removes it and puts it back at
restart.
 
Engel

News From The Spyware Front:

Following are the latest malware and therefore the hardest
to remove:

Called nail.exe aurora or bolger.
http://webhelper4u.com/tnewswritigs/bolger_aurora.html

Ewido seems to detect and remove one version which can
also be removed by disabling its service, booting into
Safe Mode and using HijackThis to get rid of the nail and
exe (with Explorer and Iexplore turned off) then Killbox
to remove nail on reboot. But there is another version
with a TODO file that requires a repair console delete or
you can go to the maker www.mypctuneup.com/aurora and run
their uninstall which gets rid of aurora but may install
something else. They make you fill out a form and then
will send you a code to use with the uninstaller. Use a
throwaway email address if you do and lie like crazy on
the form.

http://www.webhelper4u.com/tnewswritigs/mypctuneupmain.html

Another popular one right now is wp.exe which is the
smitfraud.c and which tears up the registry entries for
your desktop so you can't remove the warning that
appears. Changes the registry to add System under
Policies and adds some keys to limit the Display
Properties by removing Web and Background tabs.

This is it here:

http://securityresponse.symantec.com/avcenter/venc/data/tro
jan.desktophijack.html

(Same link but in smaller form since I guess that one will
wrap)

http://tinyurl.com/87n46

Then we have the bhoass.dll "Trojan.Win32.Agent.cx"

C:\WINNT\system32\bss.dll
C:\WINNT\bhoass.dll
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\explorer32dbg.exe
C:\WINNT\iexplore_dbg.exe
C:\WINNT\ghj

This is just six of the files. There are about 10 in
all. The only way I can get rid of them is to use Killbox
to delete all of them on boot. And afterwards Explorer
(the desktop) won't run. Sample hjt log:

http://www.techsupportforum.com/computer/topic/49162-1.html

Also have a random named file that attaches itself to
winlogon notify and won't let go. Often seen in the
company of another random name file that pretends to be
Kavsvc or Navsvc. The Kavsvc file will sometimes go away
with mwav.exe from Kaspersky. Nothing seems to work on
the winlogon notify critter. Believe it's a variation on
L2M.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlinzp.exe
O20 - Winlogon Notify: OemStartMenuData -
C:\WINDOWS\system32\p2r4lc9q1f.dll

None are removed completely by AntiSpy unless there has
been a new update that I don't know of.

One final tip. A lot of the new stuff seems to use the
Task Scheduler as a backup. Start, (Settings,) Control
Panel, Scheduled Tasks and remove any that you don't
recognize especially any that have a path that includes
the Application or Temp Folders.
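
Added example, not part of the post above and not HijackThis's own code: a small triage script for the two persistence points the post's log excerpt shows, the Run key (O4) and Winlogon Notify (O20). It rejoins entries that wrapped across lines, flags a Run value that borrows an antivirus service name (KavSvc, Navsvc) for a differently named binary, and flags any Winlogon Notify DLL missing from a baseline. The `notify_baseline` parameter, assumed to come from a known-clean machine, and the ExampleTool line are assumptions made for illustration.

```python
import re
from ntpath import basename, splitext  # parses Windows paths on any OS

# Constructed sample: the two log lines quoted in the post (the O20 entry
# wrapped across two lines) plus one made-up benign Run entry for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlinzp.exe
O20 - Winlogon Notify: OemStartMenuData -
C:\WINDOWS\system32\p2r4lc9q1f.dll
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\ExampleTool.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# Service names the post says the random-named file pretends to be.
AV_NAMES = {"kavsvc", "navsvc"}

def join_wrapped(text):
    """Rejoin log entries that a forum or mail client wrapped onto a new line."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def triage(text, notify_baseline=frozenset()):
    """Return (code, name, path, reason) for each entry worth a closer look."""
    findings = []
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        code, body = m.groups()
        run = RUN.match(body) if code == "O4" else None
        notify = NOTIFY.match(body) if code == "O20" else None
        if run and run["name"].lower() in AV_NAMES:
            stem = splitext(basename(run["path"]))[0].lower()
            if stem != run["name"].lower():
                findings.append((code, run["name"], run["path"],
                                 "AV service name on a differently named file"))
        if notify and basename(notify["path"]).lower() not in notify_baseline:
            findings.append((code, notify["name"], notify["path"],
                             "Winlogon Notify DLL not in baseline"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```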
 
Julie

I am having the same problem. I have installed the beta, which did a great
job of removing everything, I rebooted and it all came back. Nail is
impossible to remove. What can I do to get rid of this if I am not
extremely experienced with computers? I have spent probably 5 hours today
trying to get rid of this. How did it get on machine? Does anyone know
what their mechanism is that spreads this?
 
