No problem, Andre.
The Nailfix you posted is the best way for Aurora in my
view. Run it in safe mode, then use Ad-Aware SE, clear the
prefetch folder and run CCleaner to remove any other
traces.
Thanks to Robert Cooper & Spywareinfo for the fix.
I've tested the uninstaller from mypctuneup on Aurora and
it left a lot of files on my PC: one randomly named file in
the system folder, another in the windows/lastgood
folder. It left a lot of thnall1ac.html files in my
prefetch folder and didn't remove Bolger.dll.
It did stop the Aurora process and made it easier to
clean up, but it's very suspicious it didn't remove the
random files, as this is where the re-infection comes
from. Nail.exe makes the random system files that are
exactly the same as the main Aurora.exe file you
downloaded to get infected. So if you miss the random file
it will do a fresh install when you reboot. To make it
even more fun, the random file deletes its file and
replaces itself with a new random file each time you
reboot.
You can see that if you scan the Aurora.exe and the
random system files for malware:
Aurora.exe (Main Aurora Installer)
INFECTED/MALWARE
MD5 1f5cb7887de415347034735cc05480be
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
Avast Found Win32:Trojano-1373
AVG Antivirus Found nothing
BitDefender Found Trojan.Spybi
ClamAV Found Trojan.W32.Spybi
Dr.Web Found Trojan.Spybi
F-Prot Antivirus Found nothing
Fortinet Found Adware/Abetterintrnt
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.c
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware;
[ General information ]
* File length: 217088 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\dvrszibcpua.exe.
* Creates file C:\WINDOWS\jwfbcd.exe.
[ Process/window information ]
* Creates a mutex amanlcprhxjgmhnuuyfbkxhmp.
* Enumerates running processes.
* Enumerates running processes several parses....
* Modifies other process memory.
* Creates a remote thread.
VBA32 Found AdWare.BetterInternet.c
Then scan the random file and you will see the MD5 is
different but there isn't any difference in the file
itself.
xyrlydht.exe (random filename)
Status: INFECTED/MALWARE
MD5 2173316d0b1da50219daf85545e85add
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
Avast Found Win32:Trojano-1373
AVG Antivirus Found nothing
BitDefender Found Trojan.Spybi
ClamAV Found Trojan.W32.Spybi
Dr.Web Found Trojan.Spybi
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.c
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware;
[ General information ]
* File length: 217088 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\dvrszibcpua.exe.
* Creates file C:\WINDOWS\jwfbcd.exe.
[ Process/window information ]
* Creates a mutex amanlcprhxjgmhnuuyfbkxhmp.
* Enumerates running processes.
* Enumerates running processes several parses....
* Modifies other process memory.
* Creates a remote thread.
VBA32 Found AdWare.BetterInternet.c
With the mypctuneup site leaving files on my PC I
wouldn't trust the uninstaller, and I think they may just
be making it easier to infect people with the next
Transponder when it gets released. That's just my view
though, and there really isn't any proof of the uninstall
site doing anything malicious; I'm just suspicious of the
reason for leaving Bolger and the random files on my PC.
Download these with the Nailfix file Andre posted and it
will remove Aurora without having to use their site:
Ad-Aware SE:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=sptlt_s
CCleaner:
http://download.ccleaner.com/download119bin.asp
Regards
Andy
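
The post reports that each dropped copy carries a different MD5, so a hash blocklist alone will miss the next random file. As an added example (not part of the original post), this Python script flags leftover candidates in a folder by the file length and lowercase random-name style shown in the two scan reports. The name-length range and the idea that the length stays the same across copies are assumptions drawn from those reports.

```python
import hashlib
import re
import sys
from pathlib import Path

# Values taken from the two scan reports in the post.
REPORTED_SIZE = 217088
REPORTED_MD5S = {
    "1f5cb7887de415347034735cc05480be",  # Aurora.exe
    "2173316d0b1da50219daf85545e85add",  # xyrlydht.exe
}
# Assumption: dropped copies use an all-lowercase alphabetic name, like
# dvrszibcpua.exe, jwfbcd.exe and xyrlydht.exe in the reports.
RANDOM_NAME = re.compile(r"^[a-z]{5,12}\.exe$")


def md5_of(path):
    """Hash the file in chunks so it is never read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_candidates(directory):
    """Return (name, md5, reason) for each file worth a manual look."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        # Both reported samples are 217088 bytes, so size is the cheap prefilter.
        if not entry.is_file() or entry.stat().st_size != REPORTED_SIZE:
            continue
        digest = md5_of(entry)
        if digest in REPORTED_MD5S:
            hits.append((entry.name, digest, "known-md5"))
        elif RANDOM_NAME.match(entry.name):
            # Hash is new, but length and naming match the reported copies.
            hits.append((entry.name, digest, "size+name"))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, digest, reason in find_candidates(target):
        print(f"{reason:10} {digest} {name}")
```

A "size+name" hit is only a lead for manual review, since an unrelated program could share the length and naming style.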