Aurora - please review logs

Status
Not open for further replies.
Hi y'all - I somehow ended up with that freakin' Aurora bug on my machine. There is a hot spot in hell reserved for the creators of that thing.

Anyway, I followed the instructions above (ewido, ccleaner, etc.) and saved the attached log files. Can someone review and let me know if anything else needs removing? Anything you see besides Aurora that could use removing would be helpful to note as well.

My eternal gratitude,

puff davey
 
There's no more Aurora.

Boot in Safe Mode.
Switch System Restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager.
On Windows 95/98/ME, press CTRL+ALT+DELETE.
On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
Click the Processes tab, select the process (if there) and click End Process for:
beulqd.exe
PowerReg Scheduler V3.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [fryilau] C:\WINDOWS\system32\beulqd.exe r
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://business.dellnet.com/ (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
Fix ALL your O16 - DPF: entries
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normally. When all OK, switch System Restore back on.

You should also learn not to download all that crap from wildtangent, zone.msn.com, viewpoint and god knows what else!
The minute you install any of it, you'll be infested again!
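As an added illustration (not code from anyone in this thread), a small Python script that parses HijackThis log lines in the format quoted above and flags the kinds of entries the post above says to fix. The sample log is constructed from the entries above plus two made-up lines (the [xkqwv] Run entry and the O16 line with a placeholder CLSID and host), and the random-name check is a heuristic of mine, not a rule from the thread.

```python
import re
# Constructed sample log modelled on the HJT entries quoted in this thread; the [xkqwv] and O16 lines are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp
O4 - HKLM\..\Run: [fryilau] C:\WINDOWS\system32\beulqd.exe r
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [xkqwv] C:\WINDOWS\system32\zpfhrt.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://business.dellnet.com/ (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {PLACEHOLDER-CLSID} (Example Control) - http://example.invalid/control.cab
"""
LINE_RE = re.compile(r"^(?P<type>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NAMED_IN_THREAD = {"beulqd.exe", "powerreg scheduler v3.exe"}  # files the thread calls out
def looks_random(name):
    # Heuristic only: short, all-lowercase, no digits or dots (beulqd, fryilau fit; ctfmon.exe does not)
    return bool(re.fullmatch(r"[a-z]{5,8}", name))
def flag_entry(etype, body):
    """Return a review reason for one HJT entry, or None if none of this thread's rules applies."""
    if etype in ("R0", "R1"):
        return "IE start/search page changed; confirm you chose it"
    if etype == "O15":
        return "Trusted Zone addition; adware adds its own domains here"
    if etype == "O16":
        return "downloaded ActiveX control (DPF); remove unless known"
    if etype == "O9" and "(file missing)" in body:
        return "extra button whose file is missing"
    if etype == "O4":
        m = RUN_RE.match(body)
        target = m.group("cmd").split()[0] if m else body.split(": ", 1)[-1]
        base = target.rsplit("\\", 1)[-1].lower()
        if base in NAMED_IN_THREAD:
            return "file named in this thread as malware"
        if m and looks_random(base.removesuffix(".exe")) and looks_random(m.group("name")):
            return "Run value with random-looking name and executable"
    return None
def triage(log_text):
    """Parse an HJT log and return [(type, body, reason)] for the entries worth fixing."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (reason := flag_entry(m.group("type"), m.group("body"))):
            hits.append((m.group("type"), m.group("body"), reason))
    return hits

if __name__ == "__main__":
    for etype, body, reason in triage(SAMPLE_LOG):
        print(f"{etype}: {reason}\n    {body}")
```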
 
Okay, did all of the above and Aurora is still lurking about. Getting a ZoneAlarm warning right after booting.

I did notice in my ewido log that the second log entry says: "[1116] VM_01950000 -> Adware.BetterInternet : Error during cleaning". Think that's the problem? There were other BetterInternet files that were cleaned, wonder if it just missed this one.

Should I run through the whole routine again? Any other thoughts?
 
I got the virus as well. I am having problems removing two files in the System Volume Information folder. I cannot access those folders - I am denied by Windows. Is there a way to do it?

The virus was found in

C:\ System volume information\_restore80F20A1D-752F-4198-BF

Tried using the deletefxpfiles program, still unable to access the folder.
 
Tedster

I assume, when you switch OFF System Restore, see how here, those files should be automatically deleted.
I've never even switched it ON on my PC, so I can't help you there.
I use DriveImage for backups, much more flexible (for me at least).
 