Sunday, August 21, 2005

Corrupt files in Microsoft Windows

The SFC tool
I have found that you have a built-in tool that may be helpful to you. It is called the System File Checker (sfc.exe). This is a great tool for troubleshooting Windows XP problems. When you suspect that your problem is with Windows XP system files, all you have to do is run this tool.

For example, you get a dialog box informing you of a problem with a .dll file, or your program will just not load anymore. This would be a good time to run the System File Checker and rule out corrupt system files.
To do this:
Go to the Run box on the Start Menu and type in:
sfc /scannow
This command will immediately open the Windows File Protection service and scan all protected files. It will go through all your Windows system files and verify their integrity, replacing any file in which it finds a problem. It does not fix anything but your Windows system files, so don’t be disappointed if your problem is not fixed. It will just mean that the problem is not with your Windows system files.
In some instances I have had it prompt me for the CD, because it has not cached all the .dll files on the hard drive or they are missing. In some instances this may be because the cached files are corrupt.
I like to keep a copy of the I386 folder on my hard drive; why not, drives are huge nowadays. To copy the I386 folder to your hard drive, find it on your Windows CD and copy and paste it to your C:\ drive. After the copy finishes, the path will be C:\I386.
Now that you have done this, you need to tell your PC that the files are on the hard drive by changing the path where it currently looks for them.
To do this you need to run regedit and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
You will see various entries on the right hand side. The one we want is called:
SourcePath
It is probably pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All you need to do is change it to the drive you pasted the I386 folder onto, which in this case is:
C:\
To do this, just double-click the SourcePath setting and a new box will pop up allowing you to make your changes.
Now restart your computer and try running sfc /scannow again!
Remember to back up your registry before making any changes. If you don’t know what you are doing, I suggest you let a professional do it.
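
The same steps as a batch file, run from CMD as an administrator. This is an added example, not part of the original post; it assumes the CD-ROM is drive D:, that SourcePath is a REG_SZ value, and the backup file name is made up for illustration.

```batch
@echo off
rem Added example: point Windows File Protection at a local copy of I386.
rem Assumptions: CD-ROM is D:, SourcePath is REG_SZ, backup name is arbitrary.
setlocal
set "CDROM=D:"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
set "BACKUP=%USERPROFILE%\setup-key-backup.reg"

rem 1. Copy the I386 folder from the CD unless it is already on the hard drive.
if not exist "C:\I386\" (
    if not exist "%CDROM%\I386\" (
        echo No I386 folder found on %CDROM% - insert the Windows CD.
        exit /b 1
    )
    xcopy "%CDROM%\I386" "C:\I386" /E /H /I /Q || exit /b 1
)

rem 2. Back up the Setup key first. An existing backup is kept, so the
rem    original CD-ROM value is never overwritten by a later run.
if exist "%BACKUP%" (
    echo Keeping existing backup %BACKUP%
) else (
    reg export "%KEY%" "%BACKUP%" || exit /b 1
)

rem 3. Show the old value, then set SourcePath to the drive that holds I386
rem    (C:\ and not C:\I386, as described above), then show the new value.
reg query "%KEY%" /v SourcePath
reg add "%KEY%" /v SourcePath /t REG_SZ /d C:\ /f || exit /b 1
reg query "%KEY%" /v SourcePath

rem 4. The scan itself is run after a restart.
echo Restart the computer, then run: sfc /scannow
```

To undo the change, double-click the exported .reg file to merge the saved key back into the registry.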

Disclaimer:
Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved, but I know that it has worked for me. Use the information provided at your own risk.


Computer Repair Lakeland, FL
863-521-1079
      

Wednesday, August 10, 2005

Aurora...Nail.exe

AURORA...GRRR
People are FURIOUS!
__________________________________
I have to say this will be my longest article yet.
I will give you all I know about this parasite and how to get rid of it.

Aurora, AKA:
• Aurora popups
• Aurora adware
• Abi network
Aurora is adware, which is malware. It is an adware parasite that displays undesirable commercial advertisements using your Internet Explorer web browser. It also tracks and gathers user activity on the Internet and then sends it to a web server. It will also install additional malicious components on your computer. This bugger gets into the system along with some ad-supported software. It can also be installed manually, but installing it is HIGHLY NOT recommended. Once executed, Aurora creates several files (I have experienced random names) and modifies the registry so that the threat runs on every Windows startup.

Properties:
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background
Related files: nail.exe, svcproc.exe, drpmon.dll, iddjhjm.ini
Where did I get this nasty bugger from? You get Aurora from free downloads. As we all know too well, free is the most expensive item you will ever receive. If you must download a so-called FREE application, make SURE you know what you are getting yourself into.
Who can WE thank for this lovely free gift?
http://www.direct-revenue.com/news6.php
Direct Revenue Launches Aurora
New Ad Client Affords Greater Brand Visibility, More Efficient Distribution
New York, New York – April 26, 2005 – Direct Revenue today announced the launch of its newest ad client, Aurora™.
The Aurora ad client is designed to improve product visibility and consumer services. The roll out of the upgrade to the DR behavioral network began on April 5th by replacing outdated ad clients in an effort to improve consumer awareness. Like other DR ad client brands such as “SolidPeer”, released in September ‘04 and “Ceres” released in November ‘05, the Aurora Ad Client is compliant with the branding and removal standards of all major proposed Federal legislation relating to online contextual ads such as HR 2929.
Direct Revenue, LLC. (2005). Direct Revenue launches Aurora. Retrieved Aug. 10, 2005, from Direct Revenue Web site: http://www.direct-revenue.com/news6.php
Removal of Aurora
The first time I came across this little crapper, there were NOOOO reports or forums, and it took me 6 hrs to get rid of it. How I did it the first time without help is left for Ripley to Believe it or Not. After this I have experienced it differently on 3 other PCs, and it has gotten easier with the help of some great removal tools. All instances were the same pest but with different random names and different ways of removal. I have to say that the last removal tool I used was fantastic and was painless. I found the nailfix to be the best, but there are other ways to remove it if you have trouble.
*NOTE FOR DOMAIN USERS:
I found that in order to remove this you must be in SAFE MODE and logged in to the local machine as the administrator. It will not work when you are logged into the domain, and it took me 3 tries to see the error of my ways.
Aurora automatic removal:
As with most virus removals, you should be in SAFE MODE.
>Try this fix first:
>Other Tools that I have used:
>This tool is great for stopping processes.
Advanced Process Termination
Windows 2000/XP/2003

Copyright (C) 2003-2004,
Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au

Aurora manual removal:

Kill processes:
nail.exe, svcproc.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe %Windir%\nail.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random name]
HKEY_CURRENT_USER\Software\aurora
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Unregister DLLs:
Start > Run > type CMD and hit Enter
Change to the directory that contains drpmon.dll, then run:
regsvr32 /u drpmon.dll

Delete files:
nail.exe
svcproc.exe
drpmon.dll
iddjhjm.ini
Start > Search > For Files and Folders > More Advanced Options >
Type each file name in and hit Search. Delete the files when you find them, and don't forget to empty the Recycle Bin when you are done. If an error message appears saying that a file is in use and cannot be removed, terminate the associated process first: open the Windows Task Manager (press CTRL + ALT + DEL or CTRL + SHIFT + ESCAPE), select the corresponding process in the Processes tab and click End Process, then delete the file. Most processes will restart immediately after you terminate them. If this happens, you will have to reboot your PC into *SAFE MODE by restarting and hitting the F8 OR F5 key upon reboot.
*In Safe Mode, many system services are disabled and programs do not run automatically on startup. Practically any file can be easily removed, but there are exceptions.

Misc:
Files nail.exe, svcproc.exe and iddjhjm.ini are located in C:\Windows or C:\Winnt.
File drpmon.dll can be found in the default system directory C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32.
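
A read-only check for the files and registry entries listed above, to confirm whether a machine still carries them before or after cleanup. This is an added example, not part of the original post; it only reports and changes nothing, and the label name `:hit` is made up for illustration.

```batch
@echo off
rem Added example: report-only check for the Aurora traces listed on this page.
setlocal
set FOUND=0

rem Files: nail.exe, svcproc.exe, iddjhjm.ini in the Windows directory.
for %%F in (nail.exe svcproc.exe iddjhjm.ini) do (
    if exist "%windir%\%%F" call :hit "file %windir%\%%F"
)
rem drpmon.dll in the System or System32 directory.
for %%D in (System System32) do (
    if exist "%windir%\%%D\drpmon.dll" call :hit "file %windir%\%%D\drpmon.dll"
)

rem Winlogon Shell should be plain explorer.exe; flag it if nail.exe is appended.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2>nul | findstr /i /l /c:"nail.exe" >nul && call :hit "Winlogon Shell references nail.exe"

rem Fixed-name keys from the "Delete registry values" list.
for %%K in (
    "HKCU\Software\aurora"
    "HKLM\SYSTEM\CurrentControlSet\Services\SvcProc"
    "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon"
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1"
) do (
    reg query %%K >nul 2>&1 && call :hit "registry key %%~K"
)

rem The Run entry uses a random name, so list the values for manual review.
echo Run values to review by eye:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

if %FOUND%==0 echo No listed Aurora traces found.
exit /b %FOUND%

:hit
rem Print one finding and remember that something was found.
echo [!] %~1
set FOUND=1
goto :eof
```

The script exits with 1 when any listed trace is present, so it can be re-run after removal to confirm a clean result.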
Maybe this looks familiar to some of you.
FasterXP?
VitalSecurity’s Paperghost says Direct-Revenue is BUSTED again
Cross referenced
127.0.0.1 direct-revenue.com
127.0.0.1 www.direct-revenue.com
Check out what other sites have to say:
Other ways to remove from different postings.
A Browser You Can Trust

