[Previous entry: "p.s. it's my birthday"] [Next entry: "shicoxp, lauchsrv"]
07/06/2005: "Aurora - ABI Network - Revenue - A Better Internet?"
Okay..... just posting the link here to where I found removal instructions (I had to find this because their removal tool did NOT work!):
http://forum.adaytay.com/viewtopic.php?p=1735
http://forum.adaytay.com/viewtopic.php?p=1735
Posted: Thu Jun 16, 2005 12:02 pm Post subject: Removing "Aurora - Part of the ABI Network" Popups
--------------------------------------------------------------------------------
Hi - welcome. If you're looking for information on how to remove "Aurora - Part of the ABI Network" popups, you've definitely come to the right place.
One of the nastiest spyware / adware apps that I've ever seen is "Aurora". It CLAIMS to be part of the "ABI" network - which stands for "A Better Internet". So it's Adware - in other words, it tracks your movements around the web so that it can deliver to you targetted advertisements, based on the kind of websites you've been visiting.
It is a massive pain in the neck. I've had it on my machine, and it's done my head in!!
Removing it is VERY tricky... but possible. It's just a bit long-winded. Might be worth printing this off - download all the files specified first though.
Thanks for Geeks2Go.com for these instructions.
First off, if you've not got it already, download and install, update and run a full sweep with Webroot SpySweeper. This will remove the main bits of it. Webroot SpySweeper is available from here.
***
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
***
Download the Killbox.
Unzip it to the desktop but do NOT run it yet.
***
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.
***
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
***
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
***
Then please run Ewido, and run a full scan. Save the logfile from the scan.
***
Next please run HijackThis, click Scan, and check:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer -
{E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [zxerdtc] c:\windows\system32\ctybtzn.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program
files\partypoker\IEExtension.dll
Close all open windows except for HijackThis and click Fix Checked.
***
Please double-click Killbox.exe to run it.
In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
Code:
C:\WINDOWS\System32\msxct.exe
c:\windows\system32\ctybtzn.exe
c:\windows\system32\xgjycr.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Let the system reboot.
***
Restart your computer in normal mode
