Aurora spyware

ongakusuki

The new antispyware program detects Aurora and tries to
remove it (better than most competing programs which
can't even detect it) but is unable to do so. Aurora --
"a betterinternet" (hah) is about the most pernicious
spy program/spamware ever. I hope Microsoft can find
a "final solution" to this monster soon. We also have
tried all sorts of brute force approaches with the
registry but it comes back. Next step may be buying a
Macintosh!
 
Engel

1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so they can
analyze it quickly. Feel free to say what you've got in place
and have tried, and that it didn't work.


http://webhelper4u.com/tnewswritigs/bolger_aurora.html

Ewido seems to detect and remove one version, which can
also be removed by disabling its service, booting into
Safe Mode and using HijackThis to get rid of the nail and
exe (with Explorer and Iexplore turned off), then Killbox
to remove nail on reboot. But there is another version
with a TODO file that requires a Recovery Console delete, or
you can go to the maker www.mypctuneup.com/aurora and run
their uninstall, which gets rid of Aurora but may install
something else. They make you fill out a form and then
will send you a code to use with the uninstaller. Use a
throwaway email address if you do and lie like crazy on
the form.

http://www.webhelper4u.com/tnewswritigs/mypctuneupmain.html

OR

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder), then open it and select
Scan and Save Log. Note where you saved the log, then send
it to Ron Kinner as an attachment. He can probably
identify the problem and tell you how to get rid of it for
good.

Ron's email address: (e-mail address removed)
He will tell you what to do next. Put Hijack in the
subject so he will know it's not spam.

For information, HijackThis tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
 
Bill Sanderson

The detection is good news. Did you try cleaning in safe mode?
Unfortunately, I know from experience that Aurora runs in safe mode--but I
do wonder whether multiple cleaning runs in safe mode might succeed, given
that it is identified.
 
Andre Da Costa

Then it's best Onga disables System Restore to prevent Aurora from restoring
itself with System Restore snapshots. Right-click My Computer on the desktop or
Start Menu > click "Properties" > System Restore (tab) > check "Turn Off
System Restore", then restart in safe mode and run the scan again.
 
Bill Sanderson

Andre--what does SR have to do with a bug that is running in safe mode? I
certainly didn't disable SR on the machine I cleaned Aurora from by hand. I
cleaned it by identifying all the pieces and booting to the recovery
console. System Restore had nothing to do with it. Once the machine was
stable and clean, I did wipe the old SR points and create a new one--but not
during the cleaning process.
 
WyldAnimal

No one anti-spy/anti-ad program does it all.
I found there are a number of spy/adware that need to
be manually removed.

For the tough ones that run as a service that can't be shut
down, I use a boot CD called BartPE.
http://www.nu2.nu/pebuilder/

This lets me boot from a CD to a clean environment.
Use the supplied Explorer to find and delete the files.
Then I can reboot and manually remove the registry
entries.

It should be noted that turning off System Restore has
nothing to do with stopping this type of infection. The
re-infection does not come from the SR. It is from hidden
files: files that, even though you have Display Hidden and
system files enabled, you still can't see.

The only way to find them is to boot from a CD to a clean
OS. For developers and OEMs, MS has a version called PE.
This isn't available to us IT people.

So BartPE fills that gap.
http://www.nu2.nu/pebuilder/

However, once I have the system cleaned, I do purge the
System Restore of old restore points, and then create a
new one.
Why? Because I don't want the user to revert to an old
infected restore point.

Tools I use:
MSAS
Aluria 4.0 - http://www.aluriasoftware.com/
HijackThis - http://www.merijn.org/downloads.html
Itty Bitty Process Manager - http://www.merijn.org/downloads.html
Regmon - http://www.sysinternals.com/ntw2k/source/regmon.shtml
Active Ports - http://www.protect-me.com/freeware.html
Bart PE - http://www.nu2.nu/pebuilder/
 
Bill Sanderson

This would be helpful with Aurora, which is active in safe mode. I am not
sure that I ever dug through the services list to be sure that it wasn't
listed there, but I suspect that I did.

I used the Recovery Console instead, but Bart's would be simpler.
 
Dan Neuwirth

By the way, you can see them from a CMD window. As long
as you know the filename, you can do a DIR /a [filespec]
and they will appear. They are only hidden from Explorer.
-Dan

[deletia]
The re-infection does not come from the SR. It is from
hidden files. Files that even though you have Display
Hidden and system files enabled, you still can't see them.
The only way to find them is to Boot from a CD to a clean
OS. For developers and OEM's MS has a version called PE.
This isn't available to us IT people.
[deletia]
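As an added example (not code from anyone in this thread), the PowerShell below does for whole directories what Dan describes with DIR /a: it lists executables that carry both the Hidden and System attributes, the combination Explorer keeps out of sight even with "Show hidden files" on, together with timestamps, signature status and a hash so a responder can triage them. It assumes PowerShell 4 or later (for Get-FileHash) and the standard %SystemRoot% paths; it only lists and deletes nothing.

```powershell
# Added example, not from the thread: enumerate files that carry BOTH the
# Hidden and System attributes. Explorer treats these as "protected operating
# system files" and hides them even with "Show hidden files" on; DIR /a and
# Get-ChildItem -Force list them. Assumes PowerShell 4+ and an elevated prompt.
param(
    [string[]]$Paths      = @("$env:SystemRoot", "$env:SystemRoot\System32"),
    [string[]]$Extensions = @('.exe', '.dll', '.sys', '.scr', '.com')
)

$hiddenBit = [System.IO.FileAttributes]::Hidden
$systemBit = [System.IO.FileAttributes]::System

$findings = foreach ($root in $Paths) {
    # -Force is what makes hidden/system entries show up at all
    Get-ChildItem -Path $root -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hiddenBit) -eq $hiddenBit) -and
            (($_.Attributes -band $systemBit) -eq $systemBit) -and
            ($Extensions -contains $_.Extension.ToLower())
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status      # NotSigned is worth a closer look
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest first: a hidden+system executable created around the time the trouble
# started, with no valid signature, is exactly the kind of file Explorer hid.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

Add -Recurse to Get-ChildItem to walk subfolders; the hash lets you check a suspect file against a vendor or scanner database before removing it from a clean boot environment as the thread describes.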