PC Review



aurora spyware

 
 
ongakusuki@aol.com
 
      14th May 2005
The new antispyware program detects Aurora and tries to
remove it (better than most competing programs which
can't even detect it) but is unable to do so. Aurora --
"a betterinternet" (hah) is about the most pernicious
spy program/spamware ever. I hope Microsoft can find
a "final solution" to this monster soon. We also have
tried all sorts of brute force approaches with the
registry but it comes back. Next step may be buying a
Macintosh!
 
 
 
 
 
Engel
 
      14th May 2005
1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so they can
analyze quickly. Feel free to say what you've got in place
and have tried, and that it didn't work.


http://webhelper4u.com/tnewswritigs/bolger_aurora.html

Ewido seems to detect and remove one version which can
also be removed by disabling its service, booting into
Safe Mode and using HijackThis to get rid of the nail and
exe (with Explorer and Iexplore turned off) then Killbox
to remove nail on reboot. But there is another version
with a TODO file that requires a repair console delete or
you can go to the maker www.mypctuneup.com/aurora and run
their uninstall which gets rid of aurora but may install
something else. They make you fill out a form and then
will send you a code to use with the uninstaller. Use a
throwaway email address if you do and lie like crazy on
the form.

http://www.webhelper4u.com/tnewswrit...uneupmain.html

OR

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder) then Open it and select
Scan and Save Log. Note where you saved the log then send
it to Ron Kinner as an attachment. He can probably
identify the problem and tell you how to get rid of it for
good.

Ron's email address: (E-Mail Removed)
He will tell you what to do next. Put Hijack in the
subject so he will know it's not spam.

For information
HijackThis tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

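The log that "Scan and Save Log" writes, as described in the post above, is plain text and can be triaged offline. The following is an added example, not part of the original thread: it parses a constructed HijackThis-style log, and the sample paths, the `watch` list and all function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread); names and paths are illustrative.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\examplesvc.exe
C:\WINDOWS\nail.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O4 - HKLM\..\Run: [examplesvc] C:\WINDOWS\examplesvc.exe
O23 - Service: Example Update Service (exupd) - Unknown owner - C:\WINDOWS\examplesvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - <detail>"
EXE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll)', re.IGNORECASE)

def parse(log):
    """Return (running process paths, {section code: [entry text]})."""
    running, entries, in_procs = [], defaultdict(list), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY.match(line):
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            running.append(line.lower())
    return running, entries

def persistent_images(entries):
    """Map executable path -> set of autostart sections (O4 Run, O23 service)."""
    found = defaultdict(set)
    for code in ("O4", "O23"):
        for text in entries.get(code, []):
            for path in EXE.findall(text):
                found[path.lower()].add(code)
    return found

def triage(log, watch=()):
    """Flag multi-route or watched autostart images, plus watched running orphans."""
    running, entries = parse(log)
    auto = persistent_images(entries)
    flagged = {p: sorted(c) for p, c in auto.items()
               if len(c) > 1 or any(w in p for w in watch)}
    orphans = [p for p in running if p not in auto and any(w in p for w in watch)]
    return flagged, orphans
```

An image started by both a Run key and a service needs both entries removed, and a watched process with no autostart entry in the log means its launcher has to be looked for elsewhere.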
 
Bill Sanderson
 
      14th May 2005
The detection is good news. Did you try cleaning in safe mode?
Unfortunately, I know from experience that Aurora runs in safe mode--but I
do wonder whether multiple cleaning runs in safe mode might succeed, given
that it is identified.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Andre Da Costa
 
      15th May 2005
Then it's best Onga disables System Restore to prevent Aurora from restoring
itself with System Snap shots. Right click My Computer on the desktop or
Start Menu > click "Properties" > System Restore (tab) > check "Turn Off
System Restore", then restart in safe mode and run the scan again.

--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Bill Sanderson
 
      15th May 2005
Andre--what does SR have to do with a bug that is running in safe mode? I
certainly didn't disable SR on the machine I cleaned Aurora from by hand. I
cleaned it by identifying all the pieces and booting to the recovery
console. System Restore had nothing to do with it. Once the machine was
stable and clean, I did wipe the old SR points and create a new one--but not
during the cleaning process.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
WyldAnimal
 
      15th May 2005
No one Anti-Spy Anti-ad program does it all.
I found there are a number of Spy / ad ware that need to
be Manually removed.

The tough ones that run as a service that can't be shut
down. I use a Boot CD called BartPE.
http://www.nu2.nu/pebuilder/

This lets me boot from a CD to a clean environment.
Use the supplied explorer to find and delete the files.
Then I can reboot and Manually remove the registry
entries.

It should be noted that turning off System Restore has
nothing to do with stopping this type of infection. The
re-infection does not come from the SR. It is from hidden
files. Files that even though you have Display Hidden and
system files enabled, you still can't see them.

The only way to find them is to Boot from a CD to a clean
OS. For developers and OEM's MS has a version called PE.
This isn't available to us IT people.

So BART PE fills that Gap.
http://www.nu2.nu/pebuilder/

However, once I have the system Cleaned, I do purge the
System Restore of old restore points, and then create a
New one.
WHY? because I don't want the user to revert to an old
infected restore point.

Tools I use
MSAS
Aluria 4.0 - http://www.aluriasoftware.com/
Hijackthis - http://www.merijn.org/downloads.html
itty bitty process manager - http://www.merijn.org/downloads.html
Regmon - http://www.sysinternals.com/ntw2k/source/regmon.shtml
Active Ports - http://www.protect-me.com/freeware.html
Bart PE - http://www.nu2.nu/pebuilder/


 
Bill Sanderson
 
      16th May 2005
This would be helpful with Aurora which is active in safe mode. I am not
sure that I ever dug through the services list to be sure that it wasn't
listed there, but I suspect that I did.

I used the recovery console instead, but Barts would be simpler.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Dan Neuwirth
 
      30th May 2005
By the way, you can see them from a CMD window. As long
as you know the filename, you can do a DIR /a [filespec]
and they will appear. They are only hidden from Explorer.
-Dan

[deletia]
The re-infection does not come from the SR. It is from
hidden files. Files that even though you have Display
Hidden and system files enabled, you still can't see them.
The only way to find them is to Boot from a CD to a clean
OS. For developers and OEM's MS has a version called PE.
This isn't available to us IT people.
[deletia]

 