Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Way to detect what launches aurora...

Started by MiltoxBeyond , Apr 27 2005 08:51 AM

  • Please log in to reply

#1
MiltoxBeyond
Posted 27 April 2005 - 08:51 AM

MiltoxBeyond

    New Member

  • Member
  • Pip
  • 4 posts
If you have tried just about everything else to remove Aurora/Buddy popups from showing up including

-Deleting the files
-Editing Registries
-Safe Mode Deletions
-All sorts of Spyware removers

then what I did might help you...

I recently downloaded the File Monitor Program from www.sysinternals.com (its shareware)... It checks all running processes and gives a general idea of what they're doing.

While it runs... Open up a browser window and go to any site that will bring up a popup (game/store/etc. website). Check the name of the exe in Task man related to the Aurora Window...

Copy the name then search for it in File Monitor...

I found one Svchost.exe with a PID of 1016 to be opening and recopying the Aurora Program, although it may be something else in your case... If it is a Svchost, be sure to look at the name in File Monitor. It'll be named Svchost.exe:XXXX, where the X's represent the PID number.

Afterwards open up the Taskmanager, and close the program(if your closing svchost, be sure to get the one with the right PID).

This also got rid of the Green Advertisement Links on IE since the two are related aparently...
  • 0

Advertisements

#2
Metallica
Posted 27 April 2005 - 08:53 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi MiltoxBeyond,

Are you sure it was svchost.exe?

I have seen a few using svhost.exe (NOTE the c is missing)

Regards,
  • 0

#3
MiltoxBeyond
Posted 27 April 2005 - 08:54 AM

MiltoxBeyond

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Yeah I'm almost certain... I closed it and Aurora stopped...
If it isn't then you can see the name with the File Monitor.

Only problem is I'm not sure where its called at the startup...I've been digging through Registries to find it...so this is only a temporary solution...

Edited by MiltoxBeyond, 27 April 2005 - 08:55 AM.

  • 0

#4
Metallica
Posted 27 April 2005 - 09:02 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
What we have found sofar is that removing the startup-entries and running Ewido (in safe mode if necessary) helps in most cases, although I have just finished up two where extra actions had to be performed.

Regards,

Pieter
  • 0

#5
MiltoxBeyond
Posted 27 April 2005 - 09:10 AM

MiltoxBeyond

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I also found a spoolsv was trying to run some of the spyware that used to be on my pc...

It tries to run each the "randomly generated names".

Thing is, it looks to be not random... It goes through a specific list...and I caught the list of names with ... I'll post it later, since I have to go...
  • 0

#6
MiltoxBeyond
Posted 28 April 2005 - 01:30 PM

MiltoxBeyond

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I found out why it used spoolsv.exe
It was being controlled by the DrPMon.dll, which was loaded through a few
settings in the ControlSets in the Registry.

HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Control/Print/Monitor/ZepMon
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Print/Monitor/ZepMon
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP