The Aurora PopUp[RESOLVED]


  • This topic is locked

#61
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
If you follow the steps I posted all that will be done.
I will add comments to it in this post.

See if you have this file: C:\i386\explorer.exe and compare its properties with the infected one. If you can tell they are different use this one to copy to the C:\ directory, if not copy C:\Program Files\Internet Explorer\iexplore.exe to C:\WINDOWS\
Rename the file you are going to use to Explorer.new
Preparing the good copy. Saving it as C:\Windows\explorer.new

Now open TaskManager by hitting Ctrl-Alt-Del
Open the command prompt f.e. by Start > Run > cmd
Divide the two over your screen so you can work in both.
In taskmanager select all the explorer.exe processes and terminate them one by one.
Stopping explorer.exe so it can be replaced

At the first prompt type cd\
At the C:\> prompt type...
ren C:\WINDOWS\explorer.exe explorer.old press Enter.
disabling the infected C:\WINDOWS\explorer.exe

Now at the C:\> prompt type....
ren C:\windows\explorer.new explorer.exe press Enter.
Renaming the good copy so it will take over from the infected one

Now in Taskmanager on the Applications tab click "New Task"
and type C:\WINDOWS\explorer.exe
Starting the new clean copy

Now delete:
C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
According to the Symantec site this one also gets replaced so we delete it

Hope that makes it a bit clearer.

Regards,
  • 0



#62
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Right I think I've done it - couldn't find the "C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe" file though :s

How can I check I've done it correctly?
  • 0

#63
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
Does NAV still give you alerts when you try to open a folder?
Because that would mean explorer.exe is still infected.

Regards,
  • 0

#64
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Nope, no warnings from NAV :tazz:

What should I do with the "explorer.old" file?
  • 0

#65
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
Good show. :tazz:

Can you have that file scanned here:
http://virusscan.jotti.org/ ?

Let me know the results. That would tell us if we were treating it the right way.

Regards,
  • 0

#66
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Here's what the scan said:

File: explorer.old
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a0732187050030ae399b241436565e64
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
  • 0

#67
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
Hmmmm. Can you send me that file?
Send a (preferably zipped) copy to:
pieterATwilderssecurity.org (replace At with @)

TIA,
  • 0

#68
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Sent the e-mail a while ago - has it arrived???
  • 0

#69
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts

Sent the e-mail a while ago - has it arrived???


Yes I did, but I can't find any differences between the one you sent me and my own explorer.exe :tazz:

Is your computer still running OK?

Regards,
  • 0
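
An added example, not part of the original thread: one way to do the "compare its properties" check from post #61 and the file comparison described in post #69, run on copies of the two files and reporting differences in size, SHA-256 and PE link timestamp. The script name, function names and the `fake_pe` sample builder are assumptions of this example; the sample headers are constructed, not taken from any real explorer.exe.

```python
import hashlib
import struct
import sys
from pathlib import Path


def describe(path):
    """Size, SHA-256 and PE link timestamp (None if the file is not a PE)."""
    data = Path(path).read_bytes()
    info = {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "pe_timestamp": None}
    # DOS header: "MZ" magic; e_lfanew at 0x3C points to the PE header.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        # "PE\0\0" signature, then the COFF header; TimeDateStamp is at +8.
        if pe_off + 12 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
            (info["pe_timestamp"],) = struct.unpack_from("<I", data, pe_off + 8)
    return info


def compare(reference, suspect):
    """Return {field: (reference_value, suspect_value)} for each difference."""
    ref, sus = describe(reference), describe(suspect)
    return {k: (ref[k], sus[k]) for k in ref if ref[k] != sus[k]}


def fake_pe(timestamp, payload=b""):
    """Constructed sample: a minimal DOS + PE/COFF header, not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x14C, 0, timestamp) + b"\0" * 12
    return dos + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_copies.py REFERENCE SUSPECT")
    diffs = compare(sys.argv[1], sys.argv[2])
    for field, (ref, sus) in diffs.items():
        print(f"{field}: reference={ref} suspect={sus}")
    print("files differ" if diffs else "files are byte-for-byte identical")
```

An empty result only shows that the two copies are identical; it says nothing about whether either one is clean, which is why the reference copy has to come from a trusted source.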

#70
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Yes PC seems to be working fine - is running a bit better now with regard to opening folders etc.

Not quite sure how the file isn't infected though :s
  • 0



#71
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
I'll try running it later today, but I expect it to be clean. Could it be that NAV was able to clean it once it was no longer active?
That should be in its logs.

Anyway, I really hope we have completely cleaned you now.
Let me know in 24 hours and I'll close this one.

Regards,
  • 0

#72
death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
I hope I'm clean too - any way of checking for sure?

One thing though, I am having a couple of problems with viewing web pages. The page and content displays fine but all the adverts and things around the page say page cannot be displayed.

Not a massive problem, just a bit weird
  • 0

#73
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
That's probably one of the protectors you installed, at work blocking ads.
:tazz:

As long as you can see and read what the page is about, it's all good.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. ;)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





