NEED HELP ** Can't remove Aurora-ABI

Discussion in 'Malware Help (A Specialist Will Reply)' started by CopperyElf, Jun 15, 2005.

  1. CopperyElf

    CopperyElf Private E-2

    This spyware/adware is proving difficult to remove and I need some help.

    I've followed all the directions in the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" thread. Although the tools reported making many fixes, the problem persists.

    The only difficulty I had in following the instructions in the thread was in the running of TrendMicro and Symantec scans while booted in Safe Mode; neither would work and had to be run in Normal Mode.

    I have downloaded and run HJT and have a log file available.

    Please help!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created, but do not run the EXE yet.

    - Reboot into Safe Mode with no network support and do not run anything else but what I tell you to run!

    - Run the ABIRemover.exe, press Install, and wait (the Explorer window will disappear).

    - When it finishes just reboot and continue with the below steps.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. CopperyElf

    CopperyElf Private E-2

    Ran the ABI Remover in Safe Mode,
    Rebooted,
    Ran HJT - log attached
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    -Please download Ewido Security Suite

    - Install and get any updates!
    - Run a full scan on Local Disk C:\
    - Remove ALL found infections

    After you complete the scan above, run this last online scan:

    Panda Online Scan

    After you complete this step, attach BOTH logs as attachments to your post.
     
  5. CopperyElf

    CopperyElf Private E-2

    Ran Ewido which found and removed 86 files.
    Could not find any log produced by Ewido, checked several places.
    Was instructed to reboot to finalize removal... so I did.

    Scanned the hard drives with Panda ActiveScan, report attached.

    Also attached another HJT log (because couldn't find Ewido log)
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    With Ewido you have to actually manually save a log, guess I should have included this.

    Anyway, now that you have run and cleaned with it, uninstall it so it won't block anything below.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - Default URLSearchHook is missing

    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)

    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
    O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.app1.unisys.com/products/midrange__servers/download.html

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\vidctrl ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\exp.exe

    C:\WINDOWS\System32\stb.exe

    C:\WINDOWS\System32\PSof1.exe

    C:\WINDOWS\VCMnet11.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete ALL of the above, Scan with HijackThis and attach the new log.
     
  7. CopperyElf

    CopperyElf Private E-2

    Uninstalled Ewido, no problems

    Ran HJT and and fixed listed items, no problems

    Boot in Safe Mode and removed files:
    - vidctrl empty but removed anyway
    - exp.exe not present
    - stb.exe removed
    - PSof1.exe removed
    - VCMnet11.exe not present

    CCleaner ran okay

    Spybot found 30+ items and removed all but 4. Log attached.

    Cleanmgr ran okay

    Reset Web and Security settings, no problems

    Question - How do these procedures change when there is more than one user on the computer? Do I have to repeat the CCleaner, Spybot and Cleanmgr for each user?
     


  8. CopperyElf

    CopperyElf Private E-2

    Typo on previous reply.

    Question - How do these procedures change when there is more than one user on the computer? Do I have to repeat the CCleaner, Spybot and Cleanmgr for each user?
     
  9. CopperyElf

    CopperyElf Private E-2

    bjgarrick,

    Good evening.
    Thought I put in a reply to get this back on the front page.

    Have you had a chance to review the logs and comments from yesterday's attempts to remove Aurora ABI from my system?

    I really appreciate your help.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Each user account must be cleaned separately!
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\cfgmgr52.dll

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
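The two HijackThis fix lists in this thread (the long one in post 6 and the follow-up in post 11) are the kind of triage a helper does by eye: browser start/search pages pointing at domains the user never chose, a ProxyOverride value, a removed URLSearchHook, BHO/toolbar/service entries whose file is already gone, and Run entries launching executables dropped straight into C:\WINDOWS or System32. The script below is an added example, not code from this thread or from MajorGeeks, that applies those same heuristics to HJT-style log lines. The sample input is quoted from the fix lists above plus two constructed benign lines (the www.majorgeeks.com start page the thread recommends, and an assumed Program Files autostart) as negative controls; the allowlist of trusted hosts is an assumption, and the rules are a starting point for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: HijackThis lines quoted from the two fix lists in
# this thread, plus two benign lines as negative controls (the start page the
# thread recommends, and an ASSUMED Program Files autostart).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# ASSUMPTION: hosts the user deliberately set as home/search page. Anything
# else in an R0/R1 line is reported as a hijack candidate.
TRUSTED_HOSTS = {"www.majorgeeks.com"}

# Reason strings, kept as constants so callers can match on them.
ORPHANED = "orphaned: registry entry points at a file that no longer exists"
HIJACK = "browser start/search page points at an untrusted host"
PROXY = "proxy override changed"
HOOK_MISSING = "default URLSearchHook removed"
RUNDLL = "autostart loads a DLL via RunDLL32; inspect the DLL"
SYSROOT_RUN = "autostart launches an executable dropped directly under the Windows directory"
UNKNOWN_SVC = "service with unknown owner"


@dataclass
class Finding:
    code: str            # HJT section code, e.g. R1, O4, O23
    line: str            # the original log line
    reason: str          # one of the constants above
    detail: Optional[str] = None  # e.g. the offending host


LINE_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - (.*)$")
# Host extraction that also copes with scheme-less values like
# "websearch.drsnsrch.com/q.cgi?q=".
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def host_of(value: str) -> Optional[str]:
    m = HOST_RE.search(value)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's triage heuristics to one HijackThis line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    text = line.strip()
    # An entry whose backing file is gone is always worth fixing: the file was
    # removed (by a tool or by hand) but the registry still references it.
    if "(file missing)" in body:
        return Finding(code, text, ORPHANED)
    if code in ("R0", "R1"):
        if "ProxyOverride" in body:
            return Finding(code, text, PROXY)
        _, _, value = body.partition("=")
        host = host_of(value)
        if host and host not in TRUSTED_HOSTS:
            return Finding(code, text, HIJACK, host)
    elif code == "R3" and "missing" in body:
        return Finding(code, text, HOOK_MISSING)
    elif code == "O4":
        # Command after the "[name]" part of the Run entry.
        _, _, command = body.partition("]")
        command = command.strip().lower()
        if command.startswith("rundll32"):
            return Finding(code, text, RUNDLL)
        # Legitimate autostarts normally live under Program Files; a bare EXE in
        # %SystemRoot% or System32 is the pattern every file in post 6's delete
        # list follows. A production checker would allowlist known system EXEs.
        if command.startswith("c:\\windows\\"):
            return Finding(code, text, SYSROOT_RUN)
    elif code == "O23" and "Unknown owner" in body:
        return Finding(code, text, UNKNOWN_SVC)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and return the findings in order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        extra = f" [{f.detail}]" if f.detail else ""
        print(f"{f.code:<4}{f.reason}{extra}\n     {f.line}")
```

Run it and the two control lines produce nothing, while the nine entries the thread told the user to fix are each reported with the reason a helper would have given. Note what the script cannot do: it reports the orphaned O23 SvcProc entry, but removing a service entry from the registry is a separate step from ticking it in HijackThis, which is why post 11 adds the services.msc stop-and-disable instruction.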
  12. CopperyElf

    CopperyElf Private E-2

    Thanks again for your time.

    The system is running much better now :)

    I performed the cleaning procedure for each user on the system.
    Then I rebooted into Normal Mode and ran HJT for each user... logs attached.
    (could not upload a zip file, so will send the 3rd log in a separate post)

    After this problem is cleared up, what maintenance do you suggest as a regular practice and how frequently should it be done?
     


  13. CopperyElf

    CopperyElf Private E-2

    Could NOT upload a zip file with previous post so am sending the 3rd log
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean, are you having any further problems?
     
  15. CopperyElf

    CopperyElf Private E-2

    Thanks for helping clear up this problem.

    What maintenance do you suggest as a regular practice and how frequently should it be done?

    Also, in the Add/Remove Programs list there is still an entry for "The ABI Network - A Division of Direct Revenue". Is this something to worry about?
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See this article on How to Protect yourself from malware!

    Can you uninstall it, or does it give you an error?
     
  17. CopperyElf

    CopperyElf Private E-2

    It opens the file c:\windows\abiuninst.htm
    This page asks me to go to mypctuneup.com and get the uninstall tool.
    Needless to say I am hesitant to download anything from an ABI website.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok to run this file below, I have tested it personally.

    Download the following file, after download is complete run the uninstaller. When uninstall is complete reboot and let me know how things are running.

    Download Uninstaller
     
