Way to detect what launches aurora...


#1 MiltoxBeyond (New Member, 4 posts)
If you have tried just about everything else to stop Aurora/Buddy popups from showing up, including

-Deleting the files
-Editing Registries
-Safe Mode Deletions
-All sorts of Spyware removers

then what I did might help you...

I recently downloaded the File Monitor program from www.sysinternals.com (it's shareware)... It checks all running processes and gives a general idea of what they're doing.

While it runs... Open up a browser window and go to any site that will bring up a popup (game/store/etc. website). Check the name of the exe in Task Manager related to the Aurora window...

Copy the name then search for it in File Monitor...

I found one Svchost.exe with a PID of 1016 to be opening and recopying the Aurora Program, although it may be something else in your case... If it is a Svchost, be sure to look at the name in File Monitor. It'll be named Svchost.exe:XXXX, where the X's represent the PID number.

Afterwards open up the Task Manager and close the program (if you're closing svchost, be sure to get the one with the right PID).

This also got rid of the green advertisement links in IE since the two are related apparently...
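The procedure above boils down to matching the process name and PID that File Monitor reports (Svchost.exe:1016 in the post) against what Task Manager shows, then deciding whether that process is the genuine Windows svchost. The following PowerShell script is an added example for doing that check on a modern Windows box; it is not part of the thread or of the Sysinternals tools. It lists every process whose name looks like svchost (the legitimate spelling and lookalikes), with its PID, image path, whether the image sits in System32, its Authenticode signature status, and the services it hosts. The loose name pattern is an assumption chosen to catch near-misspellings.

```powershell
# Added example (not from the thread): inventory svchost-like processes so a PID
# seen in File Monitor / Task Manager can be tied to a path, a signature and the
# services it hosts. A genuine svchost.exe lives in %SystemRoot%\System32, is
# Microsoft-signed, and hosts one or more Windows services; anything else is
# what you would want to examine before ending it.
$system32 = Join-Path $env:SystemRoot 'System32'

# Map ProcessId -> the services running inside that process (keys are strings).
$servicesByPid = Get-CimInstance Win32_Service |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^sv.?c?host\.exe$' } |   # svchost.exe, svhost.exe, ... (assumed pattern)
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'n/a' }
        $pidKey = [string]$_.ProcessId
        $hosted = if ($servicesByPid -and $servicesByPid.ContainsKey($pidKey)) {
                      ($servicesByPid[$pidKey] | ForEach-Object { $_.Name }) -join ','
                  } else { '' }

        [pscustomobject]@{
            PID        = $_.ProcessId
            Name       = $_.Name
            Path       = $path
            InSystem32 = [bool]($path -and ($path -like "$system32\*"))
            Signature  = $sig
            Services   = $hosted
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that Win32_Process returns executable paths for every process. A row whose Path is outside System32, whose Signature is not Valid, or whose Services column is empty is the one to compare against the PID File Monitor reported; a genuine svchost instance with no hosted services is unusual.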

#2 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Hi MiltoxBeyond,

Are you sure it was svchost.exe?

I have seen a few using svhost.exe (NOTE the c is missing)

Regards,

#3 MiltoxBeyond (Topic Starter, New Member, 4 posts)
Yeah I'm almost certain... I closed it and Aurora stopped...
If it isn't then you can see the name with the File Monitor.

Only problem is I'm not sure where it's called at startup... I've been digging through the registry to find it... so this is only a temporary solution...

Edited by MiltoxBeyond, 27 April 2005 - 08:55 AM.


#4 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
What we have found so far is that removing the startup entries and running Ewido (in safe mode if necessary) helps in most cases, although I have just finished up two where extra actions had to be performed.

Regards,

Pieter

#5 MiltoxBeyond (Topic Starter, New Member, 4 posts)
I also found a spoolsv was trying to run some of the spyware that used to be on my pc...

It tries to run each of the "randomly generated names".

Thing is, it looks to be not random... It goes through a specific list...and I caught the list of names with ... I'll post it later, since I have to go...

#6 MiltoxBeyond (Topic Starter, New Member, 4 posts)
I found out why it used spoolsv.exe. It was being controlled by DrPMon.dll, which was loaded through a few settings in the ControlSets in the Registry.

HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Control/Print/Monitor/ZepMon
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Print/Monitor/ZepMon
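The persistence described in this post is a print monitor entry: the spooler (spoolsv.exe) loads whatever DLL is named in the Driver value of each subkey under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, which is why the adware DLL ran inside spoolsv. The PowerShell script below is an added example for auditing those entries; it is not from the thread. It walks the Monitors key (the standard path; the post's spelling without the trailing s is the same key), resolves each Driver value to a file under System32 unless it is already an absolute path, and reports whether the file exists, whether it is signed, and whether the monitor name is in a list of names that ship with Windows. That list is an assumption and should be adjusted for the build being checked.

```powershell
# Added example (not from the thread): audit print monitor registrations, the
# persistence point post #6 describes. Each subkey's Driver value is a DLL the
# print spooler loads; an entry whose name is not in the expected set, whose DLL
# is missing, unsigned, or outside System32 is the one to investigate.
$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32    = Join-Path $env:SystemRoot 'System32'

# Monitor names that normally ship with Windows (assumption; varies by version).
$knownMonitors = @(
    'Local Port', 'Standard TCP/IP Port', 'USB Monitor', 'WSD Port',
    'Microsoft Shared Fax Monitor', 'LPR Port', 'BJ Language Monitor',
    'PJL Language Monitor', 'AppleTalk Printing Devices'
)

Get-ChildItem -Path $monitorsKey | ForEach-Object {
    $name   = $_.PSChildName
    $driver = (Get-ItemProperty -Path $_.PSPath).Driver

    # The spooler resolves bare file names relative to System32.
    $dllPath = if (-not $driver) { $null }
               elseif ([System.IO.Path]::IsPathRooted($driver)) { $driver }
               else { Join-Path $system32 $driver }

    $exists = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'missing' }

    [pscustomobject]@{
        Monitor    = $name
        Driver     = $driver
        DllPath    = $dllPath
        Exists     = $exists
        InSystem32 = [bool]($dllPath -and ($dllPath -like "$system32\*"))
        Signature  = $sig
        Known      = ($knownMonitors -contains $name)
    }
} | Format-Table -AutoSize
```

Because the post found the entry in both ControlSet001 and CurrentControlSet, run the script once per control set by changing $monitorsKey (CurrentControlSet is a link to whichever numbered set is active, so the two usually agree). Removing a rogue monitor entry requires a spooler restart before the DLL is unloaded, which matches the post's observation that spoolsv kept relaunching the adware until the registry setting was dealt with.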