AURORA pop up...and others


Evan

No matter how many different anti-spyware type programs I
run and no matter how many times I delete everything,
these pop ups show up all the time.

ads1.revenue.net

Aurora

www.loadingwebsite.com

The one that is the most annoying is the one that is
titled AURORA. I always get random pop ups and the blue
bar on top of the pop up always says Aurora for the
title. No matter which program I have run (and I have
tried at least 8 different programs), this doesn't go
away. The latest program I have tried is Spy Doctor and
although it finds many different things every time and
says that it deletes almost all of it, when I run it
again, most of the stuff gets detected again. Here are
all the programs I have tried so far which haven't worked:

1. Microsoft Anti-Spyware
2. Spy Sweeper
3. Spybot
4. Ad Aware
5. Crap Cleaner
6. Spy Doctor
7. Virtual Bouncer (turns out this is adware in itself)
8. Defender Pro 5-In-1

I know there are more I have tried but deleted and
uninstalled but I forget them all because I have tried so
many damn programs. Please don't recommend running
anything in safe mode because I have done all that also.
What else should I try?
 
From Steve Wechsler:
The victims of Aurora (VX2, Transponder, BetterInternet, etc.) might like
to contact the purveyors of this "product" and express their "appreciation".

Direct Revenue LLC
107 Grand Street
3rd Floor
New York, NY 10013
V: 646.613.0376
F: 646.613.0386

This page shows which companies have invested in Direct Revenue :
http://www.benedelman.org/spyware/investors/

This page exposes their previous practices with the "uninstaller" :

Direct-Revenue - Vx2 Transponder Gang Fifth Columnists with Adware
Sleeper Agents
http://www.webhelper4u.com/directrevenue/directrevenue2.html

Their latest "uninstaller" is still being analyzed. I do ***NOT***
recommend using it at this point in time.


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm


===============
*-343-* FDNY
Never Forgotten
===============
 
Check out the .announcements group--there's a thread there on this one.

In my experience, Aurora has three parts.

One part is named nail.exe--I think in \windows, but perhaps
\windows\system32.

You can defang this piece in safe mode by copying an empty file to it and
setting it as read-only.

The other two pieces are tougher. One or both of them may be named
randomly. One of them gets a new name each time its process is
restarted--and any attempt to interfere with the program will restart this
piece.

You can see this one in Microsoft Antispyware's Process Explorers--look for
process names starting with TODO: (In looking for other information about
this critter, nail.exe, aurora, and todo are all good search terms.)

You will see that if you kill this process (easy to do in Microsoft
Antispyware) and refresh the window, it will come right back with a new
name. So, for this one, take some note of the location and characteristics
of the name, 'cause when you get around to looking for it, it may have a
different name.

The third piece was the one I found hardest to find. In my case, I used an
online scan from Trend Micro: http://housecall.trendmicro.com

This spotted the main .EXE as a virus--unfortunately I don't recall which
one. I hadn't been able to see that listed in any of the system explorers
in Microsoft Antispyware, nor with RootKitRevealer, or other tools that I
tried.

So--once you know the names of all three pieces, you need to kill them all
at once.

My approach to that, once I had nailed nail.exe, was to use the Recovery
Console. This is a command line facility which may be daunting for some,
though. The other approach likely to work is Killbox:

http://www.bleepingcomputer.com/files/killbox.php

The thread in announcements also details a couple of registry entries that
will need to be edited that start up these items. You don't need to do that
right away--better to get rid of the executables, but they'll give error
messages once the executables are gone.
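The reply above describes a process whose image name starts with "todo" and which comes back under a fresh random name every time it is killed, which makes it hard to catch from a single process listing. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses two snapshots of `tasklist /FO CSV /NH` output (the sample snapshots, process names, PIDs and the "todo"/"nail" prefixes used as indicators are all constructed for illustration) and reports which flagged process vanished and which new one appeared in its place, so the respawn-under-a-new-name behaviour can be seen rather than guessed at.

```python
"""
Added example (not from the original thread): spot a process that matches
the thread's naming pattern (image name starting with "todo" or "nail") and
detect the "killed, then back under a new random name" behaviour by
comparing two process snapshots.

The snapshots are constructed sample output of `tasklist /FO CSV /NH`
(Windows) so the script runs offline; on a live machine feed it the real
output of that command. All names, PIDs and sizes are invented.
"""
import csv
import io
import re

# Constructed sample. Columns: Image Name, PID, Session Name, Session#, Mem Usage
SNAPSHOT_BEFORE = '''"System","4","Console","0","236 K"
"explorer.exe","1234","Console","0","18,448 K"
"nail.exe","1500","Console","0","2,104 K"
"todoa7f3.exe","1622","Console","0","5,212 K"
"svchost.exe","900","Console","0","4,000 K"
'''

# Same machine after the "todo" process was killed: it is back with a new
# name and PID, exactly the pattern described in the thread.
SNAPSHOT_AFTER = '''"System","4","Console","0","236 K"
"explorer.exe","1234","Console","0","18,448 K"
"nail.exe","1500","Console","0","2,104 K"
"todok91q.exe","1698","Console","0","5,220 K"
"svchost.exe","900","Console","0","4,000 K"
'''

# Indicator prefixes taken from the thread; assumed sufficient for this illustration.
SUSPECT_PREFIXES = ("todo", "nail")
SUSPECT_RE = re.compile(r"^(?:%s)" % "|".join(SUSPECT_PREFIXES), re.IGNORECASE)


def parse_tasklist_csv(text):
    """Return a list of (image_name, pid) tuples from `tasklist /FO CSV /NH` output."""
    procs = []
    for row in csv.reader(io.StringIO(text)):
        # Skip blank rows and any informational line that is not a process record.
        if len(row) < 2 or not row[1].isdigit():
            continue
        procs.append((row[0], int(row[1])))
    return procs


def prefix_of(name):
    """The indicator prefix a process name matches, lower-cased, or None."""
    m = SUSPECT_RE.match(name)
    return m.group(0).lower() if m else None


def find_suspects(procs):
    """Processes whose image name starts with one of the indicator prefixes."""
    return [(name, pid) for name, pid in procs if prefix_of(name)]


def respawned_suspects(before, after):
    """
    Compare two snapshots. A suspect present in `before` but gone in `after`,
    paired with a new suspect of the same prefix that appeared in `after`,
    is the 'restart under a random name' behaviour. Returns (old, new) pairs.
    """
    old = {name for name, _ in find_suspects(before)}
    new = {name for name, _ in find_suspects(after)}
    vanished = sorted(old - new)
    appeared = sorted(new - old)
    return [(o, n) for o in vanished for n in appeared if prefix_of(o) == prefix_of(n)]


if __name__ == "__main__":
    before = parse_tasklist_csv(SNAPSHOT_BEFORE)
    after = parse_tasklist_csv(SNAPSHOT_AFTER)
    print("suspects in current snapshot:", find_suspects(after))
    for old_name, new_name in respawned_suspects(before, after):
        print("respawned under a new name: %s -> %s" % (old_name, new_name))
```

Take the two snapshots a few seconds apart (or before and after ending the flagged process) and note the paths of every name the script reports; those are the names to carry into the Recovery Console or Killbox step, where all of the pieces have to be removed in one go as the reply explains.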
 