aurora virus, can't figure out how to get rid of it
Please do not add your logs to another person's topic. To receive assistance, please start your own topic.
Only authorized personnel may provide advice. Unauthorized replies posted in other member topics will be removed.

Guest_Guest_chris_* | May 5 2005, 10:22 PM | Post #1 | Guests
Hi, I think I musta opened up a trojan or something and now I'm stuck with this virus. Occasionally it shows underlined green links that shouldn't be there, but usually it just randomly throws popups at me. This is my first time using a forum too, but if you could help me out I'd be extremely grateful!

Guest_Guest_chris_* | May 5 2005, 10:25 PM | Post #2 | Guests
Btw, I've tried Ad-aware and Spybot (fully updated definitions) and no luck.

Guest_Guest_chris_* | May 5 2005, 10:40 PM | Post #3 | Guests
Okay nvm, I got this problem fixed up, all u gotta do is click the question mark on the aurora popup and it takes u to d/l an uninstall program!

May 6 2005, 09:08 PM | Post #4 | Group: ASAP VIP, Posts: 476, Joined: 17-April 04, Member No.: 242
And if you did not have a firewall or other antispyware/AV running at the same time... I am sure it got all of it. But for those of you still having problems, you can try this method:

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The key to the whole thing of course is to make sure you get rid of this entry
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
in the HijackThis log... after all else is in the process of being cleaned.
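
Added example (not part of the original post and not HijackThis's own code): the F2 check that post #4 ends on, written as a Python function that scans a saved HijackThis log and reports any program listed in the Shell or UserInit value besides the expected one. The function name, the baseline table and the sample log are assumptions made for illustration, and covering UserInit goes beyond the Shell entry the post names.

```python
import ntpath
import re

# F2 lines in a HijackThis log report the Winlogon Shell/UserInit values
# (registry-mapped system.ini settings that start programs at logon).
F2_LINE = re.compile(
    r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$",
    re.IGNORECASE | re.MULTILINE,
)
# One program path per match. Paths may contain spaces; entries are
# separated by spaces or commas.
PROGRAM = re.compile(
    r"\s*([^,]+?\.(?:exe|com|bat|cmd|scr|pif))(?=[\s,]|$)", re.IGNORECASE
)

# Assumed clean baseline: the single program each value should launch.
BASELINE = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def extra_logon_programs(log_text):
    """Return (key, program) pairs for programs appended to Shell/UserInit."""
    findings = []
    for match in F2_LINE.finditer(log_text):
        key = match.group("key")
        for program in PROGRAM.findall(match.group("value")):
            # Compare file names only, case-insensitively (Windows paths).
            if ntpath.basename(program).lower() != BASELINE[key.lower()]:
                findings.append((key, program))
    return findings


# Constructed sample log; only the Shell line is the entry quoted in the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe"
"""

if __name__ == "__main__":
    for key, program in extra_logon_programs(SAMPLE_LOG):
        print(f"{key} also launches: {program}")
```

The comparison is on file name only, so a program named explorer.exe in an unexpected directory would not be reported.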

Guest_Layo_* | May 17 2005, 07:04 PM | Post #5 | Guests
I was having the same troubles so I did what you asked and here are the log files.

May 17 2005, 11:41 PM | Post #6 | Group: ASAP VIP, Posts: 2,103, Joined: 13-July 04, Member No.: 832
Hello, Layo & welcome,
Please start a new thread if you need help; this gets too confusing for all trying to help.
HGD
--------------------
Die Hijacker Die
Steps to take before you post a HJT logfile.

Guest_Guest_* | May 24 2005, 06:30 PM | Post #7 | Guests
Hello guest chris, did you try to uninstall aurora by clicking the (?) and did it work? Because I don't really trust that program; it says do not run Norton AntiVirus.

May 24 2005, 08:17 PM | Post #8 | Group: ASAP VIP, Posts: 367, Joined: 6-April 05, Member No.: 3,332
Would you trust a thief to give the stolen items back to you?
Jan

May 31 2005, 06:18 PM | Post #9 | Group: Members, Posts: 2, Joined: 31-May 05, Member No.: 4,071
My web browser has been hijacked. Even after I have used three of the best virus and trojan detectors I still can't get rid of stealthSws114!. Each time I go to the web I'm redirected to http://searchmaid.com.
How can I fix this once and for all? Do they really think people are going to buy AntiSpyware products from them with these tactics?

May 31 2005, 06:27 PM | Post #10 | Group: ASAP VIP, Posts: 367, Joined: 6-April 05, Member No.: 3,332
Hi Please No More stealthSws114! and welcome,
Searchmaid is a pain in the ... but we can help you with it, no doubt.
Please start your own topic and post your HijackThis-log in it, so we can help you properly.
Refer to the following post for explanation about posting a HijackThis-log: http://forums.maddoktor2.com/index.php?showtopic=3853
Good luck,
Jan

Guest_Andrew_* | Jun 6 2005, 03:20 AM | Post #11 | Guests
Thank you for the help. I have run several programs trying to get rid of the aurora virus. I have a question. Does this virus screw up IE? Every time I go into IE and my Google search it redirects me to nasty sites. I don't know how this works. I truly have not gone to any of those sites. HELP!!!!
Thank you

Jun 6 2005, 04:54 AM | Post #12 | Group: ASAP VIP, Posts: 367, Joined: 6-April 05, Member No.: 3,332
Hi Andrew,
I think your problem is a browser-hijacker. Please follow these guidelines to post a HijackThis-log, so we can help you to get rid of it.
Good luck,
Jan

Guest_Guest_jason_* | Jun 9 2005, 10:43 AM | Post #13 | Guests
Hi, I've got that prob with hotsearch bar 2, I can delete it with spybot. But every time when I go to that website (which is www.kingsofchaos.com) I got that stupid spybot again :S, I don't know how to block it. Can someone plz help me?
ty....

Jun 12 2005, 06:36 PM | Post #14 | Group: ASAP VIP, Posts: 367, Joined: 6-April 05, Member No.: 3,332
Hi jason,
I took a quick look at the Kings of Chaos site but couldn't find anything wrong. So, I cannot help but think that you may have some more malware on your computer. Just to be sure of that, post your HijackThis-log in a new topic, so we can see if there is something wrong ... If we know what's really wrong, we are able to give you better advice.
Jan