
Aurora - please review logs

By puff_davey · 6 replies
Sep 6, 2005
  1. Hi y'all - I somehow ended up with that freakin' Aurora bug on my machine. There is a hot spot in hell reserved for the creators of that thing.

    Anyway, I followed the instructions above (ewido, ccleaner, etc.) and saved the attached log files. Can someone review and let me know if anything else needs removing? Anything you see besides Aurora that could use removing would be helpful to note as well.

    My eternal gratitude,

    puff davey
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    There's no more Aurora.

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager.
    On Windows 95/98/ME, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
    Click the Processes tab, select the process (if there) and click End Process for:
    PowerReg Scheduler V3.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O4 - HKLM\..\Run: [fryilau] C:\WINDOWS\system32\beulqd.exe r
    O4 - Startup: PowerReg Scheduler V3.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://business.dellnet.com/ (file missing) (HKCU)
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    Fix ALL your O16 - DPF: entries
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    You should also learn not to download all that crap from wildtangent, zone.msn.com, viewpoint and god knows what else!
    The minute you install any of it, you'll be infested again!
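The reply above hands the poster a list of HijackThis (HJT) entries to tick by eye. The script below is an added example for readers triaging their own log, not code from this thread or from HijackThis: it parses R0/R1, O4 and O15 lines into fields and applies three defender heuristics (any Trusted Zone addition is flagged, autostart entries not on an allowlist are flagged and get an extra note when the binary sits under C:\WINDOWS, and IE start/search URLs are flagged when their host is not one the user expects). The sample log embeds the entries quoted in the reply plus one constructed benign O4 line; the allowlist and the C:\WINDOWS path are assumptions for the demo.

```python
"""Triage helper for HijackThis-style log lines (added example, not an HJT component)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample: entries quoted in the reply above, plus one made-up benign
# O4 entry ("Example Updater") so the allowlist has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [fryilau] C:\WINDOWS\system32\beulqd.exe r
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<location>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<command>.+)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<zone>\S+)(?: \((?P<hive>HK\w+)\))?$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Assumption for this demo: the system root is C:\WINDOWS, as in the poster's log.
WINDOWS_ROOT = "c:\\windows\\"


@dataclass
class Entry:
    kind: str                                   # HJT section, e.g. "O4"
    raw: str                                    # the original line
    fields: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into its section and section-specific fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind=kind, raw=line.strip())
    sub = None
    if kind == "O4":
        sub = O4_RE.match(body)
    elif kind == "O15":
        sub = O15_RE.match(body)
    elif kind in ("R0", "R1"):
        sub = R_RE.match(body)
    if sub:
        entry.fields = {k: v for k, v in sub.groupdict().items() if v is not None}
    return entry


def executable_of(command: str) -> str:
    """Return the program part of an O4 command, dropping arguments such as the trailing 'r'."""
    cmd = command.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    return cmd.split()[0] if cmd else ""


def triage(entry: Entry, known_run_exes: Set[str], expected_hosts: Set[str]) -> Entry:
    """Attach review flags to one entry using simple defender heuristics."""
    if entry.kind == "O15":
        entry.flags.append("host added to IE Trusted Zone (reduced security settings apply to it)")
    elif entry.kind == "O4":
        exe = executable_of(entry.fields.get("command", ""))
        base = exe.rsplit("\\", 1)[-1].lower()
        if base not in known_run_exes:
            where = "Startup folder" if entry.fields.get("location") == "Startup" else "Run key"
            entry.flags.append(f"unrecognised autostart '{base}' in {where}")
            if exe.lower().startswith(WINDOWS_ROOT):
                entry.flags.append("binary lives under the Windows directory; check its publisher and date")
    elif entry.kind in ("R0", "R1"):
        value = entry.fields.get("value", "")
        if value.lower().startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in expected_hosts):
                entry.flags.append(f"IE setting points at unexpected host {host}")
    return entry


def triage_log(text: str, known_run_exes: Set[str], expected_hosts: Set[str]) -> List[Entry]:
    """Parse every entry in a log and return them with flags attached."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]
    return [triage(e, known_run_exes, expected_hosts) for e in entries]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    # Constructed allowlist: only the made-up updater is known; no expected hosts.
    for e in flagged(triage_log(SAMPLE_LOG, {"updater.exe"}, set())):
        print(e.raw)
        for f in e.flags:
            print("   ->", f)
```

With an empty expected-host set every IE URL is reported, which matches the reply's advice to fix all of those entries; a user who deliberately configured a provider homepage would put that domain in `expected_hosts` so only strangers are listed.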
  3. puff_davey

    puff_davey TS Rookie Topic Starter

    Okay, did all of the above and Aurora is still lurking about. Getting a zonealarm warning right after booting.

    I did notice in my ewido log that the second log entry says: "[1116] VM_01950000 -> Adware.BetterInternet : Error during cleaning". Think that's the problem? There were other BetterInternet files that were cleaned, wonder if it just missed this one.

    Should I run through the whole routine again? Any other thoughts?
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  5. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    I got the virus as well. I am having problems removing two files in the system volume information folder. I cannot access those folders - I am denied by windows. Is there a way to do it? :mad:

    the virus was found in

    C:\ System volume information\_restore80F20A1D-752F-4198-BF

    tried using deletefxpfiles program, still unable to access the folder.
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503


    I assume, when you switch OFF System Restore, see how here, those files should be automatically deleted.
    I've never switched it even ON on my PC, so I can't help you there.
    I use DriveImage for backups, much more flexible (for me at least).
  7. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    Did just that - Howard helped me out. Virus free now. Thanks a bunch.