OT Uber Spyware



darkhorizon11
07-07-2005, 11:36 AM
Real quick, has anyone been infected with Aurora? It's a program that basically puts pop-ups on your computer even when you're not online. A box appears with an ad in it that is titled Aurora part of the ABI Network. I can't seem to get rid of it. McAfee recognizes it but won't kill it and the new Microsoft Spyware, as good as it is, doesn't seem to be able to find it either. Can anyone help me with this?

Thanks!

AerialTarget
07-07-2005, 11:55 AM
I just finished banging my head against this wretched program. It turns out there is an uninstaller somewhere. Fortunately for you, it didn't destroy your Norton installation like it did mine.

Do a search for Aurora and you might find the uninstaller. It's the most annoying, invasive, and probably illegal program I've come across.

Cajun76
07-07-2005, 11:59 AM
Edit: Reading this again, sometimes you can get rid of these types of spyware in Add/Remove Programs.


Try Adaware (http://www.lavasoftusa.com/support/download/), which is free, click on either download.com or PCWorld.

Also try Spybot-S&D (http://www.safer-networking.org/en/download/index.html) also free.

Adaware has found more stuff lately, but the Immunize feature of Spybot has helped keep me safe.

darkhorizon11
07-07-2005, 12:39 PM
Thanks, I'm at my work comp now; when I get home I'll look for the uninstaller. I didn't bother looking before because usually I'm not that lucky.

As for ad-aware when it first came out it was great but recently it hasn't seemed to do much, the Microsoft program I use seems to be the best freeware spyware remover available, at least that I can find. McAfee does a great job of detecting Spyware but it seems like it only gets rid of about half of them.

Oh well thanks for the help!

Jasko76
07-07-2005, 12:49 PM
Cajun - Thanks for the links you provided!

Ad-Aware helped me track down and eliminate 77 threats that Norton was unable to remove.

sunflower1
07-07-2005, 01:25 PM
Tried Firefox yet?

I haven't had anything since I installed it.

Waldo.Pepper
07-07-2005, 02:05 PM
MA Anti Spyware Beta 1

A MS product (that they bought rather than developed) that does not suck.

arcadeace
07-07-2005, 04:04 PM
Originally posted by darkhorizon11:
Thanks, I'm at my work comp now; when I get home I'll look for the uninstaller. I didn't bother looking before because usually I'm not that lucky.

As for ad-aware when it first came out it was great but recently it hasn't seemed to do much, the Microsoft program I use seems to be the best freeware spyware remover available, at least that I can find. McAfee does a great job of detecting Spyware but it seems like it only gets rid of about half of them.

Oh well thanks for the help!

Try going into msconfig and check your startup programs. Uncheck those you know you have not installed and/or will not affect your system integrity. Also, do a system search on them and check their properties to more easily verify if they are legitimate or not. Restart your PC and if the popups stop, quarantine or delete the unchecked program(s) you deduce have no good use.

Pirschjaeger
07-07-2005, 04:11 PM
Just had and cleared the same problem today. Worked well. Try it.

http://www.wilderssecurity.com/showthread.php?t=50662

Fritz

Pirschjaeger
07-07-2005, 04:15 PM
Originally posted by Cajun76:
Edit: Reading this again, sometimes you can get rid of these types of spyware in Add/Remove Programs.


Try Adaware (http://www.lavasoftusa.com/support/download/), which is free, click on either download.com or PCWorld.

Also try Spybot-S&D (http://www.safer-networking.org/en/download/index.html) also free.

Adaware has found more stuff lately, but the Immunize feature of Spybot has helped keep me safe.

Hey Cajun, adaware and spybot were not enough. I still got a trojan ad virus. I found this site and a few links to some nice freebie programs. Check it out.

http://www.wilderssecurity.com/showthread.php?t=50662

Geez, I just reread what I wrote; sounds like a cheap commercial.

Fritz

missiveus
07-07-2005, 04:52 PM
This Aurora/nail.exe is a nasty little bugger. There are two methods for removing the files from your PC. DO NOT go to http://www.mypctuneup.com and use their program. It is written by the same people (Direct Revenue) that wrote Buddy/nail/aurora in the first place, and is itself spyware. Avoid it like the plague! Some enterprising folks who were also hit with this malware have posted the email and home address of the president and ceo of the company that is responsible for this e-blight! Ain't the Web grand?

To remove Aurora, follow these instructions. (http://spywarewarrior.com/viewtopic.php?t=14061) I did it by using Ewido Security Suite, Hijack This! and the nail/Aurora removal tool. (http://www.noidea.us/easyfile/index.php?folder=2) I also ran the trial version of Webroot's Spysweeper, which is an excellent program. The combination of the removal tool, Ewido, and Hijack This! did the trick.

Good luck.

Pirschjaeger
07-07-2005, 04:58 PM
I just don't get it. Aren't these ad viruses a criminal act? Is it my imagination or is there no authority that can do something about this?

Fritz

LeadSpitter_
07-07-2005, 05:02 PM
The only thing that will remove it is a program called hijackthis.exe which can be found on http://www.download.com

Then get the demo of the program called Spy Sweeper, which will get rid of it for good. Also, Spy Sweeper is worth buying because it is rated number one out of them all. It catches and removes much more than all the other anti-spyware programs out there.

Aurora is self-replicating, so Windows anti-spyware, Adaware, Spybot and many of the other anti-spyware programs will not get rid of it for good; it will just keep replicating.

I hope that helps and best of luck to you.

Autozam-1
07-07-2005, 05:39 PM
Yes, Hijack This is a good program and will annihilate almost everything.

Also give Firefox a shot. I used to have to run Ad-Aware weekly; now I haven't run it for months.

Luftwaffe_109
07-07-2005, 08:46 PM
I had this problem a while ago. It was a nasty little bugger, and I fought it for hours and hours to no avail. In the end, I killed it the good old-fashioned way: complete reformat. Sorry if that isn't very inspiring.

After this I got SP2. Haven't had a single spyware incident since.

Spyware creators should be shot.

KrasniyYastreb
07-07-2005, 10:11 PM
I think a firewall goes a long way towards warding off spyware. In fact, the way I got rid of popups was downloading Netscape (which disallows popups except for selected sites) but leaving IE as my default browser. Then I blocked IE in my firewall and voila.

My advice - get a firewall, there are free versions available!

missiveus
07-08-2005, 07:27 AM
My advice - get a firewall, there are free versions available!
In this instance, a firewall does no good. I was hit by this Aurora malware by visiting a popular racing sim website. Because it is self-replicating, any attempt to delete it from Windows does nothing.

Hijack This! alone will NOT rid you of Aurora/nail.exe/Buddy malware. Again, only the combination of HT, Ewido, and the removal tool (http://www.noidea.us/easyfile/index.php?folder=2) worked for me.

http://www.noidea.us/

F19_Ob
07-08-2005, 08:37 AM
Originally posted by Luftwaffe_109:

After this I got SP2. Haven't had a single spyware incident since.

Spyware creators should be shot.

Same here. I also have the Norton firewall and virus program.
I've had nothing so far.

73GIAP_Milan
07-08-2005, 12:49 PM
For anyone using Norton or McAfee:

DON'T !

Norton slows your computer down by 15% in some cases and special viruses are written against it. Same goes for McAfee

Google for AVG Antivirus FREE edition. A free virus scanner which is updated automatically at least once every 2-3 days. It's small, complete and very system efficient and friendly.


AVG in combination with Spybot and Adaware and you're good to go!

darkhorizon11
07-09-2005, 01:08 AM
Thanks for all the responses, fellas; this has turned into a good self-help thread. It's also relevant because spyware isn't only annoying, it can slow down your computer significantly.

zdenkaxx1
07-09-2005, 09:47 AM
I think it's fair to say that if you stay away from porn sites you have many less problems.

GTO_68
07-09-2005, 09:48 AM
I clicked on Leadspitter's link and read some of the reviews there and decided to give the free version of Spyware Doctor a shot. I always thought my system was relatively clean, but this program found 273 threats that Ad-Aware and Spybot missed. I also use Spyware Blaster, so naturally, this comes as somewhat of a shock to me.

zjulik
07-09-2005, 10:04 AM
Many of you should do some reading on the differences between spyware and virii. Don't criticize your spyware remover for not spotting a virus. Don't criticize your antivirus for not spotting spyware. Although some spyware can be spotted by antivirus programs, and the other way around, and although some of these programs claim to be all-in-one solutions (and although some nasties can be said to belong to both categories), you currently need to have both an antivirus program and an antispyware program running. Know the difference between these two, and what they can do.

Recommendations:
Free antivirus: Avast, AVG
Commercial antivirus: NOD32

Free antispyware: Microsoft Antispyware, AdAware SE Personal, SpyBot Search&Destroy
Commercial antispyware: SpySweeper, CounterSpy

Links at Google
NOTE: A whole lot of tempting antispyware removers are nothing but spyware themselves, so be careful of what you try out. This list is a good place to look if you are unsure about a product:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#products

-HH- Beebop
07-09-2005, 10:34 AM
Originally posted by 73GIAP_Milan:
...Google for AVG Antivirus FREE edition. A free virus scanner which is updated automatically at least once every 2-3 days. It's small, complete and very system efficient and friendly.

AVG in combination with Spybot and Adaware and you're good to go!

I'm with Milan on this one. Same setup plus Webroot's Spy Sweeper and I've had no problems at all. **knocks on wood**

RAF92_Moser
07-09-2005, 11:01 AM
Ahh, can't stand spyware. Firefox does a good job blocking it. But I use Internet Explorer now because I have no problems with spyware with any browser. It seems my Zone Alarm Pro firewall can block anything. The Avast anti-virus scanners also work very well and are free.

All spyware I think is illegal unless you have agreed to a contract that states it will install on your system. Even that **** large publishers put on your system you don't know about is illegal.

darkhorizon11
07-09-2005, 12:53 PM
Here's the log file from Hijack This. They said to show it to knowledgeable folks to make sure you don't delete anything important.

Logfile of HijackThis v1.99.1
Scan saved at 1:50:56 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Perfigo\SmartEnforcer\SmartEnforcer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jay Kelsall\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SmartEnforcer.lnk = C:\Program Files\Perfigo\SmartEnforcer\SmartEnforcer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fe32238faed060dc16/netzip/RdxIE601.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D36EFCF-B662-402E-A6FC-7551E17D5B4C}: NameServer = 134.129.212.30,134.129.212.13,134.129.111.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = aero.und.edu,cs.und.edu,und.nodak.edu,und.edu,nodak.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = aero.und.edu,cs.und.edu,und.nodak.edu,und.edu,nodak.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = aero.und.edu,cs.und.edu,und.nodak.edu,und.edu,nodak.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
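
An added example, not part of the original thread or of HijackThis itself: a small Python parser for a log like the one posted above that groups the O-numbered entries by section and surfaces the ones a reviewer would look at first. The section descriptions, the three review rules and all function names are assumptions of this example; a flag is a prompt to check the entry, not a verdict on it.

```python
import re

# Usual meaning of the HijackThis section codes that appear in the posted log.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key / Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE toolbar button / Tools menu item",
    "O16": "downloaded ActiveX control (DPF)",
    "O17": "DNS / domain settings",
    "O20": "Winlogon Notify DLL",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.*)$")

# Excerpt: lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

def parse_entries(log_text):
    """Return (code, detail) tuples for every O-numbered line; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_notes(code, detail):
    """Reasons a human reviewer should look at this entry first (not a verdict)."""
    notes = []
    if "(file missing)" in detail:
        notes.append("target file missing")
    if code == "O23" and "Unknown owner" in detail:
        notes.append("service has no vendor string")
    if code == "O4" and re.search(r'\]\s+[^\\/"%]+$', detail):
        notes.append("autostart command has no full path")
    return notes

def triage(log_text):
    """Return (code, section meaning, detail, notes) for each flagged entry."""
    flagged = []
    for code, detail in parse_entries(log_text):
        notes = review_notes(code, detail)
        if notes:
            flagged.append((code, SECTIONS.get(code, "other"), detail, notes))
    return flagged

if __name__ == "__main__":
    for code, meaning, detail, notes in triage(SAMPLE_LOG):
        print(f"{code} [{meaning}] {detail}\n    review: {', '.join(notes)}")
```
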

Grue_
07-09-2005, 03:04 PM
Microsoft bought a company called Giant who made one of the best spyware products in the business.

A good product combined with Microsoft's intimate knowledge of their own operating system makes for a free spyware remover that works well.

Laugh if you want but I do recommend it.

Firewalls can't block spyware unless it's one of those pain in the backside all-in-one firewall/anti-virus/spyware blockers that won't let you move your mouse without pasting warnings all over the screen.

When the revolution comes, spyware & adware writers will be first against the wall