Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

AURORA POPUPS - INVINCIBLE?

Started by manthrax , Apr 30 2005 11:35 PM

  • This topic is locked This topic is locked

#1
manthrax
Posted 30 April 2005 - 11:35 PM

manthrax

    New Member

  • Member
  • Pip
  • 1 posts
I started this thread to see if anyone has had real success getting rid of Aurora popups. I have NOT.

I HAVE however removed about 2 or 3 other pieces of malware that were installed using the same malware multidropper payload from the crap I downloaded off of kazaa.

I am beginning to suspect that the Aurora popups have a REally effective hiding mechanism and may even be something along the lines of a rootkit, although scans with a freely available rootkit revealer came up negative.

I have also noticed a few of these aurora threads indicate that the popups occur both with IE AND FireFox, tragically.

I have also experienced the behaviour mentioned in other threads of Norton AV coming up disabled after reboot and needing manual re-enabling.

I also notice now that my popup killer app (puk) is coming up disabled, or being
disabled soon after boot.
This is a newer behaviour which has only started in the last day or so, of my now nearly month long infestation.
This makes me think that this malware is being actively updated as new suppresion techniques are discovered,, :tazz:

One interesting feature of this cluster of vermin, is that it creates randomly named processes in the process list.
These named are rerandomized after each boot.
I have seen a number of forum threads attempting to address these processes by name, which seems to be wasted effort, since the process is REcreated from the windows prefetch cache upon boot and assigned a new random name each time.
The names are simple random strings of characters like "diglx.exe" or "rgflp.exe" etc. etc.

HAving said all this, I did manage to get rid of the rogue processes in my list using various registry tools, and the addition of a batch file that cleans my temp cache on reboot and shutdown.
BUT the Aurora popups still remain, and my fuse toward a complete wipe and reinstall is burning up.

Has ANYONE managed to free themselves of this beast for more than 24 hours straight?

I submit that you have NOT. as I have NOT.
PLEASE PROVE ME WRONG.

Love to you all, MANTHRAX

p.s - I am in posession of the original infection vector EXE that caused my infestation. If that would be useful to anyone, please pm me and we can discuss.
  • 0

Advertisements

#2
don77
Posted 05 May 2005 - 07:30 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello and welcome to Geeks To Go.

We are having very real success with removing this,

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.
  • Install Ewido security suite
  • Launch Ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 4 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.
  • 0

#3
don77
Posted 07 May 2005 - 03:26 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
At the request of the original topic starter this topic is closed,


Don
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP