adware/spyware/malware

By d4dar
I visited a website that installed this annoying adware on my system. The official name of the adware is called 'A BETTER INTERNET'. I have Webroot SpySweeper - it finds it, but it doesn't stay gone. I also tried Xoftware - it found even less than Webroot. I will now detail everything I have done. WARNING: THIS IS A LONG LIST...

SYSINFO: WinXP (pro) SP2

ADWARE INFO:

It starts 'Explorer' with a command line telling Windows to run a prog called 'Nail.exe'
(I used 'regmon' to find this out)

It shows up in Add/Remove Programs as 'A Better Internet', but if you try uninstalling it from there - it just pops up saying if you want to remove it then go to website blah-blah. I decided not to trust them since they installed this without my permission in the first place.

Here are the steps taken to remove manually:
1) Ended task on the following processes in Task Manager: adbitzun.exe, aurora.exe, aurora-wise1.exe, auroraco.exe, nail.exe, svcproc.exe & deleted the files in the Windows directory

2) Deleted following reg keys:
HKU\S-1-5-21-2000478354-1957994488-725345543-500\software\aurora\ & aurorahandler
HKLM\system\currentcontrolset\control\print\monitors\zepmon
HKEY_CLASSES_ROOT\aurorahandlerdll.aurorahandlerdllobj
HKEY_CLASSES_ROOT\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}
HKEY_CLASSES_ROOT\interface\{544b6a3f-4024-4403-9661-69b8410be505}\iaurorahandlerdllobj
HKEY_CLASSES_ROOT\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\1.1
HKEY_CURRENT_USER\software\aurora
HKEY_CURRENT_USER\software\aurorahandler

3) In command prompt, ran regsvr32 & tried to unregister 'aurorahandler.dll' but got an error with failure address '0x8002801c'

Please help me get this stinky little program off my system.

Thank you,
~Darla


by B_Pope In reply to adware/spyware/malware

The 1st thing I'd do is get a copy of Ad-aware & run & see what it gets rid of, but don't expect much. From what I've read this is more of a trojan you're dealing with & not a simple adware/spyware, but Ad-aware has one of the best scanning engines going.

I did come across several links & it appears to be a very lengthy ordeal cleaning up this problem, but one thing they fail to mention is to disconnect your Internet connection (pull the plug out) when trying to clean your PC. That should always be the 1st thing you do.

Now I'm not going to post the info, it's way too long so here are the links. I hope it helps!!

http://www.geekstogo.com/forum/Need_help_with_Aurora_Nailexe_and_much_more_-t41112.html

http://spywarewarrior.com/viewtopic.php?t=13090&highlight=aurora


by d4dar In reply to

The geeks are just now getting back to me, but I think I am clean now. Now my son's computer has it.

I did a combination of things to get rid of
DELETED reg keys:
"HKU\S-1-5-21-2000478354-1957994488-725345543-500\software\aurora" & "HKLM\system\currentcontrolset\control\print\monitors\zepmon"
"HKEY_CURRENT_USER\software\aurora"
"HKEY_CURRENT_USER\software\aurorahandler"

from the registry.

Did a search for nail.exe in registry (it was running from a command line off of explorer.exe). Removed the command line.

Deleted files: adbitzun.exe, aurora.exe, aurora-wise1.exe, auroraco.exe, nail.exe, svcproc.exe, aurorahandler.dll from the Windows directory.

Downloaded the following programs from majorgeeks.com & some link from geeks to go. Updated all definitions & rebooted into safe mode & ran ad aware vx2 cleaner, adaware, nail fix, spyware blaster, spybot search & destroy, trojan hunter, vx2 finder & webroot spysweeper, following any removal instructions indicated. Then rebooted.

I WANT TO THANK EVERYONE WHO RESPONDED. THIS WAS DEFINITELY A TEAM EFFORT! THANKS AGAIN!!
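As an added example (not part of the original posts): since the adware is reported to come back after removal, a registry export and a listing of the Windows directory can be rechecked against the keys and file names listed in the posts above. The function names, the sample export and the `ExampleVendor` and `AuroraBorealisViewer` keys are constructed for illustration; the SID in the `HKEY_USERS` paths is the one from the poster's machine and will differ elsewhere.

```python
import re
# Indicators copied from the posts above, lower-cased for comparison.
KEYS = [
    r"hkey_users\s-1-5-21-2000478354-1957994488-725345543-500\software\aurora",
    r"hkey_users\s-1-5-21-2000478354-1957994488-725345543-500\software\aurorahandler",
    r"hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon",
    r"hkey_classes_root\aurorahandlerdll.aurorahandlerdllobj",
    r"hkey_classes_root\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}",
    r"hkey_classes_root\interface\{544b6a3f-4024-4403-9661-69b8410be505}\iaurorahandlerdllobj",
    r"hkey_classes_root\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\1.1",
    r"hkey_current_user\software\aurora",
    r"hkey_current_user\software\aurorahandler",
]
FILES = {"adbitzun.exe", "aurora.exe", "aurora-wise1.exe", "auroraco.exe",
         "nail.exe", "svcproc.exe", "aurorahandler.dll"}
# Whole-name match inside value data, so "snail.exe" or "nail.exe.bak" is ignored.
FILE_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, sorted(FILES))) + r")(?![\w.-])", re.I)

def scan_reg_export(text):
    """Return (kind, key, detail) findings from regedit export text."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            low = key.lower()
            # Flag the listed key itself or anything beneath it.
            if any(low == k or low.startswith(k + "\\") for k in KEYS):
                findings.append(("key", key, ""))
        elif key and "=" in line:
            # Value data that still references one of the deleted files.
            for m in FILE_RE.finditer(line):
                findings.append(("value", key, m.group(1).lower()))
    return findings

def scan_file_listing(names):
    """Return names from a directory listing that match the file indicators."""
    return sorted(n for n in names if n.lower() in FILES)

# Constructed sample export; the last key is a harmless look-alike name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Aurora]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Startup]
"ExampleValue"="Explorer.exe C:\\WINDOWS\\Nail.exe"
[HKEY_CURRENT_USER\Software\AuroraBorealisViewer]
'''
```

An empty result from both functions after a reboot, and again a few days later, is the sign that none of the listed keys, files or references has been recreated.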


by Unidentified In reply to adware/spyware/malware

I actually used ad-aware side by side with x-cleaner - X-Micro online spyware scanner

However, this link may help - http://www.2-spyware.com/remove-net.html

Haven't tried it yet 'cause am satisfied with my combination above.

Hope it helps


by d4dar In reply to

Thanks for answering. There must be more than one variant of this malware because the files involved are different. That link talks about the file belt.exe & my variant has the file nail.exe & svcproc.exe & aurorahandler.dll.

This variant is way worse. I have tried the following without success: spybot s & d, ad-aware, ewido security suite, trojan hunter & webroot spysweeper.

This is a nasty piece of code. It's almost like it learns every time you attempt to remove it. It will actually go for a few days & return.


by d4dar In reply to adware/spyware/malware

This is addressed to answer 1: Thanks a lot. I still have the infection at this point. I am waiting for them to analyse my hijackthis log. I also found this prog called nail remover that I might try. I found it on another geek site, but I forgot the name & all my history and stuff of that nature have been deleted. I am going to leave the question open just in case the geeks to go cannot help me.

Thanks again.


by Unidentified In reply to adware/spyware/malware

Actually, the site also has a link to the variant you're talking about. Have you not seen it?

Anyway, here is the link - http://www.2-spyware.com/remove-aurora.html


by FreeTechie In reply to adware/spyware/malware

Firstly,

Sounds like a virus is doing this. So make sure you have the latest DATs.

Second, download Ad-Aware (as said), Spybot, Spywareblaster, JV16 Powertools and Hijackthis.

Always in safe mode...
Ad-Aware and Spybot will scan and clean your system.
Hijackthis will show what is starting up. Do a little research first before removing a startup file.
JV16 has a registry cleaner that I suggest you use after you do the previous steps. Delete any folders that mention the spyware or adware.


by d4dar In reply to

I did everything you said & it's still here. Whoever wrote this malware is evil. He should be locked up.
