Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works


  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
I started this thread to see if anyone has had real success getting rid of Aurora popups. I have NOT.

I HAVE however removed about 2 or 3 other pieces of malware that were installed using the same malware multidropper payload from the crap I downloaded off of kazaa.

I am beginning to suspect that the Aurora popups have a REally effective hiding mechanism and may even be something along the lines of a rootkit, although scans with a freely available rootkit revealer came up negative.

I have also noticed a few of these aurora threads indicate that the popups occur both with IE AND FireFox, tragically.

I have also experienced the behaviour mentioned in other threads of Norton AV coming up disabled after reboot and needing manual re-enabling.

I also notice now that my popup killer app (puk) is coming up disabled, or being
disabled soon after boot.
This is a newer behaviour which has only started in the last day or so, of my now nearly month long infestation.
This makes me think that this malware is being actively updated as new suppresion techniques are discovered,, :tazz:

One interesting feature of this cluster of vermin, is that it creates randomly named processes in the process list.
These named are rerandomized after each boot.
I have seen a number of forum threads attempting to address these processes by name, which seems to be wasted effort, since the process is REcreated from the windows prefetch cache upon boot and assigned a new random name each time.
The names are simple random strings of characters like "diglx.exe" or "rgflp.exe" etc. etc.

HAving said all this, I did manage to get rid of the rogue processes in my list using various registry tools, and the addition of a batch file that cleans my temp cache on reboot and shutdown.
BUT the Aurora popups still remain, and my fuse toward a complete wipe and reinstall is burning up.

Has ANYONE managed to free themselves of this beast for more than 24 hours straight?

I submit that you have NOT. as I have NOT.

Love to you all, MANTHRAX

p.s - I am in posession of the original infection vector EXE that caused my infestation. If that would be useful to anyone, please pm me and we can discuss.
  • 0




    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello and welcome to Geeks To Go.

We are having very real success with removing this,

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.
  • Install Ewido security suite
  • Launch Ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 4 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
At the request of the original topic starter this topic is closed,

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP