aurora

Post #1
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

all of a sudden, i'm getting aurora pop-ups. is that how it's spelled?
well, anyways, is anyone else getting this? =l Just one day.. it popped out of nowhere and it started constantly coming at me. Before, I had absolutely no pop-ups. >.> pft. I scanned my computer and everything, thinking it was a spyware, adware, or a virus? still there. it stops once in a while, but comes back just later! rawr. does anyone know what it is? how to get rid of it?

Post #2
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

Hi SpiritedFreak, I'm dispn0ygonekrazy and I'll be glad to help you today. If you still have time and are still on, please reply.

Post #3
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

Post #4
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

All right, good. I would like you to download HiJack This from this > website < and save it into its own FOLDER (i.e. C:\HJT). After you've done that, open it up and click on System Scan and save Log File; after it scans, Notepad should open up. Whatever you get from Notepad, PASTE IT ALL here in the same thread. Thank you.

Post #5
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

Logfile of HijackThis v1.99.1
Scan saved at 9:45:19 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\gtwbxf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [YKO6o.exe] C:\docume~1\chakli~1\locals~1\temp\YKO6o.exe
O4 - HKLM\..\Run: [DQhJD.exe] C:\docume~1\chakli~1\locals~1\temp\DQhJD.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [2#HYKBB2@EEJ@2] C:\WINDOWS\System32\UfmSN7q.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bljejd] c:\windows\system32\gtwbxf.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [GoldenFTPserver] C:\Program Files\Golden FTP Server\GFTP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://66.28.46.99/iwasher/pptproactauthco...etwasherpro.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/21769f6bf64866452521/...ip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O20 - AppInit_DLLs: mad.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

? i have to sleep soon.. and I'm not really supposed to download anything.. so you should kinda hurry because i get off or else my mom will find out.

Post #6
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

well i just want to tell you the virus you have takes more than one step (Note: Programs I tell you to download are all good for your system =] just in case your mom asks why) but well we'll continue alright. Listen and read carefully here; these are step by step and should be followed as listed or removal will not work.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. Then please run Ewido, and run a full scan. Save the logfile from the scan.

You are also infected with the Peper Trojan Virus

Removal Instructions: To remove this program we need to download a special tool:
1 Download PeperFix from the following location: PeperFix
2 Save the file on your desktop.
3 Double-click on the file to run it.
4 Reboot and do the same process again.
Your computer should now be clean of the Peper Trojan.

Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Find this file when you do a system scan with HiJack This by placing a check or X next to its name. Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. This is just the first part; we'll continue the rest either tomorrow or when you have time =] if you're worried that you can trust me well =] I'm a spyware/virus specialist in a different forum just in case!! =]
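
Added example, not part of the original thread: a small Python triage pass over HijackThis entries like those posted in #5, showing how the F2 shell entry singled out above and similar persistence points can be picked out of a log automatically. The sample lines are an excerpt copied from that log; the rule set is a set of illustrative heuristics assumed here, not HijackThis's own logic.

```python
import re

# Excerpt of entries copied from the log in post #5 (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [YKO6o.exe] C:\docume~1\chakli~1\locals~1\temp\YKO6o.exe
O20 - AppInit_DLLs: mad.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# A log entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Heuristic review rules (assumptions for illustration only).
# Each rule: (section it applies to, or None for any; pattern; reason to review).
RULES = [
    ("F2", r"Shell=Explorer\.exe\s+\S", "extra program appended to the Explorer shell"),
    ("O4", r"\\(temp|locals~1)\\", "autorun entry launching from a temp directory"),
    ("O20", r"AppInit_DLLs:\s*\S", "DLL listed in AppInit_DLLs"),
    ("O23", r"Unknown owner", "service whose owner HijackThis could not identify"),
    ("R1", r"ProxyServer\s*=", "proxy configured for browser traffic"),
    (None, r"\((no file|file missing)\)", "registration left behind with no file on disk"),
]

def triage(log_text):
    """Return (section, reason, entry) for every log entry matching a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        for rule_section, pattern, reason in RULES:
            if rule_section in (None, section) and re.search(pattern, body, re.I):
                findings.append((section, reason, line.strip()))
    return findings

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

A match only means the entry deserves a manual look before anything is checked and fixed; known-good software can trip these rules too.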

Post #7
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

oh, okay, thanks for everything. I'm going to do it tomorrow when she goes to work and head off to bed.

Post #8
=] | Group: Member | Posts: 712 | Joined: May 2004 | Member No: 15,626

Many people have gotten it. But I'd do what dispn0ygonekrazy just said. I believe there are some sites out there that also explain how to remove it also. I'd also look on Google.

Post #9
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

*EDIT*

Post #10
Senior Member | Group: Official Designer | Posts: 4,591 | Joined: Dec 2004 | Member No: 77,305

I have the Aurora pop ups too.

Post #11
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

Yes, in Safe mode. I waited for a while, and it quickly went to 4.3%. So I went to watch TV and realized my computer went to a screensaver? I came back and it was 5.8%. So I went outside for a long, long time. Like 2 hours? I came back and it was still 5.8% finished.

Post #12
=] | Group: Member | Posts: 712 | Joined: May 2004 | Member No: 15,626

Oh, and some Aurora help links are here:
http://monster-isp.com/forums/showpost.php...19&postcount=17
http://castlecops.com/postlite119148-aurora.html
http://reviews.cnet.com/5208-6142-0.html?f...ssageID=1185795

Post #13
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

Alright, did you follow the directions thoroughly?
When you downloaded Ewido you must not run a scan yet but first update the DEFINITIONS.
Then please download Nailfix from here: http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.
When you've done that, GO TO SAFE MODE!!!
Run the Nailfix you downloaded earlier FIRST.
Then run a full scan of Ewido and see if it still stops at 5.8%

Post #14
boo | Group: Member | Posts: 5,512 | Joined: Dec 2004 | Member No: 71,765

Yeah, I'm having that problem too.

Post #15
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

For all the ones that have problems with aurora, I can help you, but please post a new thread here in the technology forum if you really want help, so we can keep each problem between the user who is having it and the helper. Thank you.

Post #16
that heaven is overrated | Group: Member | Posts: 5,096 | Joined: Oct 2004 | Member No: 53,124

Ugh, yes. I get Aurora pop-ups all the time. They just came out of nowhere.. Anyway.. I scan my computer every day. I've done it a number of times in safe mode and everything, but nothing seems to work. I am getting fewer of them, I think. I'm not sure, though, because every time I get a pop-up, I just close it, not really noticing I get a pop-up. It's just a force of habit, and I get pop-ups so often, I don't realize it anymore. But I THINK I've noticed less pop-ups. I'll check tomorrow if I get any more Aurora pop-ups. Anyway, I guess I prefer just scanning and stuff or I really don't know. The stuff listed up there seems too complicated.

Post #17
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

hehe it's not that complicated. if you still want help and need it just ask ok =]

Post #18
jellyfishing, jellyfishing | Group: Member | Posts: 1,174 | Joined: Oct 2004 | Member No: 55,185

Hmm....no I haven't been noticing lately, but I have a pop-up blocker on. Does your internet provider have some sort of pop-up blocker you can use?

Post #19
define our lives for us. | Group: Staff Alumni | Posts: 11,656 | Joined: Aug 2004 | Member No: 43,293

QUOTE(ryanoman @ May 25 2005, 6:29 PM)
> Oh, and some Aurora help links are here:
> http://monster-isp.com/forums/showpost.php...19&postcount=17
> http://castlecops.com/postlite119148-aurora.html
> http://reviews.cnet.com/5208-6142-0.html?f...ssageID=1185795

That last link really helped. i'm hoping this will stay for a while because there has been no pop-ups for almost 2 hours. and that's totally a record.

Post #20
=] | Group: Member | Posts: 712 | Joined: May 2004 | Member No: 15,626

No problem. I hope you don't get anymore popups.

Post #21
*Influential Guitarist & Inspiring Writer* | Group: Official Member | Posts: 1,217 | Joined: Sep 2004 | Member No: 51,134

haha looks like you are cleared spirited one ryanamo good job dude lol