Aurora and Dr PMon


Wollocks

How can I get rid of these two?
I run Beta Spyware and it comes up that they have been zapped, but they are back again within minutes.
Someone please help. Even a trojan horse programme won't shift them!
 
From Andy & Plun:
Aurora Removal:
News from webhelper4u about removal with mypctuneup... ;)

http://www.webhelper4u.com/tnewswritigs/mypctuneup5252005.html


Uninstall file:
http://www.mypctuneup.com/

Download CCleaner and remove all temporary junk.
www.ccleaner.com

HijackThis download:
http://www.merijn.org/files/hijackthis.zip

Lavasoft's Ad-Aware:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10319876.html?tag=list

I agree the transponders gang are very nasty and can be very difficult to remove fully.

File names related to this variant are:

Poller.exe, uacupg.exe (random name), Nail.exe, thnall1ac.html (random name), DrPMon.dll, svcproc.exe.


Nail.exe is the main reinfection agent; it also creates a randomly named exe file in the %window% %system% folder that is 74kb in size, and the name in the properties will possibly show: TODO.

The windows service file could be C:\WINDOWS\svcproc.exe

To check for this, go to the Run command and type services.msc.

In the Services window that opens, press Name to sort into alphabetical order and check for System Startup Service. If you find it, right-click it and choose Disable in the dropdown box. Then hit the Stop button.


Download these programs :

Download Ccleaner (Removes temp & unused files)

http://download.ccleaner.com/download119bin.asp



Download the BetterInternet/Nail/Bolger/Aurora Remover

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download the Remover to your desktop



Download Hijack this:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Download to either the desktop or c/drive



Download Killbox

http://www.bleepingcomputer.com/files/spyware/KillBox.zip




Removal:



Reboot into safemode

Start the ABIRemover.exe, press Install, wait (the Explorer window will disappear).



Run HijackThis and save the logfile. What you are looking for are entries like this, but if you're unsure, post the log back before fixing.

Tick to fix :-

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe (this file changes its name every time you boot, but it will be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all other open windows and choose Fix checked.


Run the Killbox.exe file


check the box "Delete on Reboot"

Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox:


C:\WINDOWS\svcproc.exe


click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox:


C:\WINDOWS\Nail.exe


click the red button with the white X on it

It will ask you if you want to reboot ... say "NO"

Copy and paste the following bold line into the "Full Path of File to Delete" box in Killbox:


C:\WINDOWS\kkuibquo.exe ... this name changes; use HijackThis to find the name on yours.


click the red button with the white X on it

It will ask you if you want to reboot ... say "YES"

Let it reboot



When you get back into Normal Mode, run CCleaner to remove any other traces of this in the temp files. If this doesn't fix it for you, or you cannot find some of the files, another useful tool for this is FindIt's.

1. Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

2. Unzip/extract the files inside and open the folder.

3. Run the FindIt's.bat and wait for a text file to open.

4. Copy & paste the contents of the text file in your next reply here.

Good luck

Andy
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Good work Andre!!!


Here's a bit more info to make sure you kill this ;)



Upon running Aurora.exe, the following items are created:

- Deletes Aurora.exe & creates C:\WINDOWS\Nail.exe, then a chain reaction:

C:\WINDOWS\system32\Poller.exe, which creates
C:\WINDOWS\system32\magihjz.exe [random filename]

C:\WINDOWS\svcproc.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\qvbdnifharv.exe
C:\WINDOWS\dbwqis.exe
C:\WINDOWS\GGEEINPO.ini
C:\WINDOWS\system32\magihjz.exe
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\lu.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\kwv2Temp.dat
C:\WINDOWS\wupdt.exe
C:\WINDOWS\TMP_FILE_0.tmp
C:\WINDOWS\TMP_FILE_1.tmp
C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt

Populates Internet Explorer cache with ads and tracking
cookies, and populates the user's Temp folder.

Creates a Run entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for wupdt.exe & magihjz.exe so that it runs when the user restarts.


Nail.exe generates "exe" files in the System folder with random names; they will be 74kb in size and have TODO written when you right-click and view Properties. svcproc is running as a Windows service, bolger.dll installs as a BHO. Dr Pmon hides in a random folder, usually monitor or driver related.


Looking at ABetterInternet's EULA:

----------------------------------------------------------
Uninstall and Remove Software - You may uninstall the
Software at any time by visiting www.mypctuneup.com.

Visiting www.mypctuneup.com is the primary method to
properly remove the Software. MyPCTuneUp will leave
behind a unique identifier on your computer for the sole
purpose of notifying ABI that you no longer want the
Software to operate on your computer.

This comes from BetterInternet though (makers of Aurora)

"The MyPCTuneUp uninstaller program will never collect
any personally identifiable information, it will not
install any additional programs, and it will delete
itself once it finishes the uninstall process."


Contradicts big time, but if you're infected you don't have much to lose; it could fix it fast for you.

And just to show how close these two programs really are, here is a press release from Direct Revenue:



"Revenue today announced the launch of its newest ad
client, "Aurora" (TM).

The Aurora ad client is designed to improve product
visibility and consumer services. The roll out of the
upgrade to the DR behavioral network began on April 5th
by replacing outdated ad clients in an effort to improve
consumer awareness. Like other DR ad client brands such
as "SolidPeer", released in September '04 and "Ceres"
released in November '05, the Aurora Ad Client complies
with the branding and removal standards of all major
proposed Federal legislation relating to online
contextual ads such as HR 2929.

Direct Revenue CTO Dan Doman said, "From a technology
standpoint, Aurora represents a leap forward in
connecting consumers to advertisers."

The Aurora launch follows the January debut of Direct
Revenue's MyPCTuneUp(TM), a technical support feature
that helps Direct Revenue customers with technical issues
including removing software from their PC"




To go for this manually, here's the best way:




For Aurora Use This Fix

----------------------------------------------------------
For XP, download Nailfix

http://andymanchesta.com/Downloads/nailfix.zip

Download the Remover to your desktop


For Windows 2000, download nailfix2k


http://andymanchesta.com/Downloads/nailfix2k.zip

----------------------------------------------------------
Download The ABI remover (Better Internet Remover)

http://andymanchesta.com/Downloads/ABIremover.zip


Download the Remover to your desktop
----------------------------------------------------------

Download latest Hijackthis and unpack it in its own folder
(either desktop or c/drive)

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

----------------------------------------------------------

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

----------------------------------------------------------
Download Ccleaner

http://download.ccleaner.com/download119bin.asp

----------------------------------------------------------


Reboot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list)


Start the ABIRemover.exe, press Install, wait (the Explorer window will disappear).



In Safe Mode, please double-click on nailfix.bat (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly.


Next run a full scan in Ewido



In most cases this will kill it, but you can check for entries in HijackThis. Reboot and run HijackThis, choose to run a scan and save the logfile. The entries related to this are these:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O4 - HKLM\..\Run: [hjnyDA] C:\WINDOWS\kkuibquo.exe (this file changes its name, but it will be in the same place in the log)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


If you find them, put a tick beside them in HijackThis, close all windows and choose Fix checked.



Run an online virus scan to check for any other malware:


Trend Micro http://housecall.antivirus.com/

Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm


If you are clean again you can delete nailfix, ewido and ABI remover; if not, post the HijackThis log either on here or to my email.



Good Luck


Andy Manc
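As an added example (not code from this thread or from any of the tools it links), a small Python triage script that runs the indicators both posts' HijackThis sections describe over constructed log lines: the Nail.exe Shell= hijack, the Bolger BHO, the random-named Run entry and the SvcProc service. The sample log is made up, and the "random name in the Windows folder" rule is my own heuristic, not a HijackThis rule.

```python
import re

# Constructed sample HijackThis log lines, modelled on the entries quoted in the
# posts above (not a real log); the two benign-looking lines are made up too.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\kkuibquo.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# File names the thread ties to the Aurora / ABetterInternet family.
KNOWN_NAMES = {"nail.exe", "poller.exe", "svcproc.exe", "bolger.dll",
               "drpmon.dll", "wupdt.exe", "uacupg.exe"}

# Heuristic (my assumption, not a HijackThis rule): a Run entry launching a
# lowercase, letters-only exe straight from C:\WINDOWS matches the shape of the
# randomly renamed dropper the posts describe (kkuibquo.exe, magihjz.exe).
RANDOM_IN_WINDIR = re.compile(r"(?i:C:\\WINDOWS\\)([a-z]{6,12}\.exe)\b")


def triage_hjt_log(log_text):
    """Return (line, reason) pairs for log entries matching the indicators above."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        lower = line.lower()
        if any(name in lower for name in KNOWN_NAMES):
            hits.append((line, "references a file name tied to Aurora/ABI"))
        elif line.startswith("F2 - REG:system.ini: Shell=") and lower.count(".exe") > 1:
            # A clean Shell= value names only Explorer.exe.
            hits.append((line, "Shell= loads an extra executable besides Explorer.exe"))
        elif line.startswith("O23") and "system startup service" in lower:
            hits.append((line, "service name used by the SvcProc persistence"))
        elif line.startswith("O4") and RANDOM_IN_WINDIR.search(line):
            hits.append((line, "Run entry launches a random-named exe from the Windows folder root"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage_hjt_log(SAMPLE_LOG):
        print(f"FLAG: {entry}\n  -> {reason}")
```

Matching is on file names rather than words, so the benign "Ati HotKey Poller" service line is not confused with Poller.exe.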
 