Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Aurora crashed WinXP system

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 4 posts
Hello, I posted to the XP forum (please see first email at bottom of this posting) and was referred to this forum. However, the instructions I received were a bit late, as I had already performed the tasks that are written for the Malware forum FIRST! So, instead of simply quarantining the files (as later was the step advised for the Adware scan), I removed all the the quarantined files by selecting Select All and removed them.

Currently, I am running the AVG Anti-Virus (as requested by the other forum). I have booted off of my D drive (alternate Windows), and my Panda Anti-virus is on the C drive.

Running the AVG has JUST picked up a Trojan horse that Panda missed! Wow. I pay GOOD money for that software. Arrgghhh. So, will remove this, then re-run Adware, and then HiJackThis. However, the question here is DO you want me to simply quarantine anything that comes up with Adware, or delete. The other tech's notes are also at the bottom of this post.



I am on a PC using XP Pro, with the service pack 2. My computer (Wednesday evening) was infected with Aurora, aka ABI. I could not remove it using Panda (latest version) or Spy Sweeper. I googled Aurora and found you guys.

I read your description on what to do, however, because of the constant closing of dreaded pop-ups (about one every two to three seconds - unbelievable!), I was unable to download the software that you guys described for the fix, and certainly wasn't able to run it!

Ran a quick search on how many files were "new files' created that day, and the file list simply kept growing before my eyes. Even though I was scared to shut off my machine, I also knew that I could not stop the constant pop-ups and files that were being created. The question then was which would be worse, more new files or turning off my machine? Also, since I had no clue how I had GOTTEN this Trojan/virus (via email, download, hacking), I was afraid that if I left my machine on that other people would become infected via my email. How does it spread, anyway? Unplugging from the Internet meant that others would not be able to use the system, and that I would not be able to use a different machine to search for answers.

It was getting very late (1:30 AM), and the new files being created continued to grow, so I turned off my system. Mistake. BIG mistake.

Next morning, turned on system, and computer went into constant reboot cycle. First it would boot up, then the computer would have an error message that said it was sorry for the inconvienance (blahhaha), but that it could not boot up, and which way did I want to continue, offering: Safe Mode, Safe mode with control prompt, Last known good setting, and another item which I can't remember. I chose ALL of them at different bootups. Nothing, just continued to reboot no matter what I did.

Thankfully, I have an alternate Windows on my D drive (courtesy of my son!) and I was able to choose the alternate Windows before the reboot cycles began. This worked, but it is a virgin Windows, with none of my software installed.

I worked on a different computer, and downloaded the software and printed out the steps steps outlined for getting rid of this pesky Aurora, etc. The software I used in the following order was: CleanUp, Ad-aware SE, CWShredder, Spybot S&D, Ewido Security Suite, HiJackThis. I saved the logs as requested.

However, I still cannot boot back into my old C drive Windows. I am OK with reinstalling all my software (&*%$#!!!! Arrggghhh), but there are a few files that I would like to save that are on my Desktop in the old Windows.

1. Is there a way to STOP the constant rebooting when using the old Windows?
2. If not, is there a way to reclaim 2 files from the old Desktop from the C drive Windows? All other files have been backed up, previously.
3. How is this DANG trojan spread? Does it come from an email, or hacking, or what? I have spyware, Panda Antivirus AND a hardware firewall. HOW did it make it through?
4. Can we SUE these blankety blank blanks!!

Once again, I do have the HiJackThis log, if it would help.

BTW, THANKS so much for your efforts for all of us users out here,

Hello my name is Werner and I'll be assisting you today.

It looks like you may have a serious threat on your PC which will need expert advice. But before going anywhere I recommend trying to get these great Free Programs.

1. AVG Anti Virus
2. Ad Aware SE Personal

After downloading these programs, make sure you update them to the latest definitions files.

Do a full scan with AVG first, and remove ANY threats that it detects.

Then do a Ad Aware scan and quarantine the files but DO NOT REMOVE THEM YET!

After doing the two scans, please go to the MALWARE forum and post your HJT log there. Also ask for advice there and how to deal with the files found by Ad Aware and AVG. The people there are qualified to read logs and most are Malware experts. You'll be in good hands there.

Hope all this helped, Good Luck!

  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

Logfile of HijackThis v1.99.1
Scan saved at 11:29:28 AM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\0 Wanda ALT\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105937458250
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\System32\oodag.exe
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP