Killing Aurora Popups

Aurora popups have proven to be among the most difficult spyware/adware to remove. If you are looking to stop popups from ABI, they are one and the same.

Follow these instructions closely. In fact, you should print this page as a reference.

  1. Download & Run the uninstaller (link).
  2. Download & Install eWido Security Suite (link).
  3. Update eWido.
  4. Download nail.zip and unzip it. It contains a file 'nail.reg', leave it on your desktop for now.
  5. Download killbox.zip and unzip it. It contains a file 'KillBox.exe', leave it on your desktop for now.
  6. Download & Install HijackThis (download provided by TeChico.net).
  7. Reboot in 'Safe Mode'. (Press 'F8' as your computer boots and choose 'Safe Mode')
  8. After you're in safe mode, bring up the task manager by either pressing 'Ctrl+Shift+Esc' or right-clicking on the taskbar and choosing 'open task manager'.
  9. Click the processes tab and end task 'jqngdo.exe' if it is running.
  10. Go to the 'Start' menu, click 'Run', type 'services.msc' (without the quotes) and click 'OK'.
  11. In the rightmost pane scroll down to 'System Startup Service (SvcProc)', stop the service and change its startup type to 'Disable'. Click 'Apply' and 'OK'.
  12. Perform a scan with eWido and fix anything it finds. NOTE: This will take quite a while even on a fast machine so go have lunch.
  13. When everything else has finished close all the windows and fix the following with HijackThis (if present):
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    • F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    • O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    • O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
    • O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    • O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    • O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
    • O4 - HKLM\..\Run: [chqrzl] c:\windows\system32\jqngdo.exe
    • O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    • O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  14. Once HijackThis is complete, double-click 'nail.reg' and grant it permission to merge the registry values.
  15. Start killbox and choose 'Tools' then 'Delete Temp Files'.
  16. Check the following boxes: 'Unregister .dll before deleting' (if not greyed out) and 'Delete on Reboot'.
  17. Highlight the following and copy and paste them into killbox's top box:

    c:\windows\system32\jqngdo.exe
    C:\WINDOWS\systb.dll
    C:\WINDOWS\system32\vbrundll.dll
    c:\windows\system32\ShowWnd.exe
    C:\WINDOWS\system32\regsync.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\Nail.exe

  18. Click the red 'X' and choose 'Yes' for any confirmation dialog boxes that appear.
  19. Choose 'Yes' when prompted to reboot. Ignore any messages that say the file does not exist.
  20. You're Clean!
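The entries in step 13 are the indicators a responder would look for in any HijackThis log, and they are easy to miss by eye in a long one. The following Python script is an added example, not part of the original article: it flags those indicators (the file names, BHO/toolbar CLSIDs and the search-hijack domain from step 13) in a log excerpt constructed from the entries above plus one clean O4 line, and its Shell= check assumes that a clean system.ini Shell line contains only Explorer.exe.

```python
import re

# Indicators copied from the HijackThis entries listed in the article above.
AURORA_FILES = {"nail.exe", "systb.dll", "vbrundll.dll", "showwnd.exe",
                "regsync.exe", "jqngdo.exe", "wupdt.exe", "svcproc.exe"}
AURORA_CLSIDS = {"{01F44A8A-8C97-4325-A378-76E68DC4AB2E}",
                 "{197B8CA4-E215-46DD-8F33-E0544A80E5C4}",
                 "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}"}
AURORA_DOMAIN = "websearch.drsnsrch.com"

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")  # "R1 - ...", "O23 - ..."

def flag_line(line):
    """Return a reason if this HijackThis entry matches an Aurora indicator, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    lower = body.lower()
    if section == "F2" and "shell=" in lower:
        # Assumption: a clean system.ini Shell= is just Explorer.exe; anything appended runs at every logon.
        value = body.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "extra shell program: " + value
    for name in AURORA_FILES:
        # Match on the file name so entries without a full path (ShowWnd.exe) hit too.
        if re.search(r"(?<![a-z0-9])" + re.escape(name), lower):
            return "known Aurora file: " + name
    for clsid in AURORA_CLSIDS:
        if clsid.lower() in lower:
            return "known Aurora CLSID: " + clsid
    if AURORA_DOMAIN in lower:
        return "search hijack to " + AURORA_DOMAIN
    return None

def flag_log(text):
    """Return [(section, reason)] for every flagged entry in a HijackThis log."""
    flagged = [(line.strip(), flag_line(line)) for line in text.splitlines()]
    return [(entry.split(" - ", 1)[0], why) for entry, why in flagged if why]

# Constructed log excerpt: entries from the article plus one clean O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ExampleClean] C:\Program Files\Example\example.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
```

Running `flag_log(SAMPLE_LOG)` reports the R1, F2, O2, O3, O4 (ShowWnd) and O23 entries and leaves the clean O4 line alone.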

This method was originally posted to: http://castlecops.com/postp565234.html