Aurora...new file discovery

CarolineS

Here is a file belonging to "Aurora" that NO spyware program has been able to
detect. I found it by accident in my Windows folder (hovering over the file
shows Aurora). The file is "dxjovmisas.exe". I have been trying to remove
"abetterinternet" files like nail.exe, drMon.dll, and various other files
(which all of the spyware programs DID find and remove...but they allllllllllll
came back :(
I have been through more than a dozen recommended procedures to rid myself
of these MONSTERS...I installed the Ad-Aware add-on VX2 remover and it DID remove
VX2... I have been at this for almost a week now. I "may" have gotten it
all with the manual removal of "dxjovmisas.exe"...only time will tell.
Is anyone else here familiar with this problem? I'd like to hear some
more comments.
Thank you,
CarolineS
 
Bill Sanderson

Aurora uses random names for some of its components, so the name of the file
isn't a useful guide.

If you still have this executable available to you, you might try submitting
it to:

http://virusscan.jotti.org

Some of the vendors there target spyware and may give a reading on a spyware
executable.

Submit via the Browse window at the top right.
 
CarolineS

I will do just that Bill, thank you.
CarolineS

 
CarolineS

Bingo!!!!! Bill:
Results:

File: dxjovmisas.exe
Status: INFECTED/MALWARE


NOD32 Found a variant of Win32/Adware.BetterInternet application.

NOD32 was the ONLY one to find it...
CarolineS


 
AndyManchesta

They are changing things a bit over at Direct Revenue. The
recent pop-ups all say "The Best Offers", and the
Add/Remove screen entry also shows as "The Best Offers"
and displays an uninstall address on The Best Offers
domain. So it's the same as Aurora with
nail, svcproc, drpmon.dll and the random file, but it's clear
they are changing things a bit, so there may be a new
infection soon. The VX2 cleaner still works great for
now, but like you say it does leave a random-named file in
the Windows folder, which also has a changed icon to
match "The Best Direct" logo. The good thing is that it
still displays Aurora when you mouse over it and shows
Direct Revenue in the name. On mine it's always called
ffsnvqmgpiy.exe, so like Bill says it's a random name.

There is usually another file called:

C:\WINDOWS\rramcx.exe

Here's the results from Jotti for that file :

rramcx.exe

Status: INFECTED/MALWARE

MD5 db3273b1d3cf46350b6d6d9f179a7e06

Scanner results

AntiVir Found Trojan/ExplorerHijack.A
ArcaVir Found Trojan.Rbot.Hp
BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
NOD32 Found a variant of Win32/Adware.BetterInternet application
Norman Virus Control Found Sandbox: W32/Malware

Mixed views there, but it is an ABI installer file, so also
delete that if it's present. Ewido does well at detecting
the leftovers after running the VX2 cleaner plugin.

I suspect with them changing the name on the pop-up from
Aurora to The Best Offers and the uninstall address from
mypctune up to bestoffers, the next step may be
changing the files, but we will have to wait and see what
they are planning.

The random file you found is responsible for the pop-up
windows, as it installs just before you receive the first
pop-up and then contacts out each time a few seconds
before a pop-up appears on the screen, so it's good you were
able to identify this file and remove it :)

All the best

Andy
 
Josh

The only way they could keep coming back is if processes
of theirs are running and are monitoring for any changes to
the files, or if there is a registry entry that "requires"
that those files be there and reinstates them. I would do
research as to whether processes are running that pertain
to the spyware or whether they enter any malicious registry key
entries. Hope this helps!
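As an added illustration of the second mechanism Josh describes (an autorun registry entry that relaunches the files), here is a small reviewer for an exported `.reg` file. This is example code written for this page, not something posted in the thread or shipped by any of the tools named in it. It assumes you have exported the `HKLM\...\CurrentVersion\Run` and `RunOnce` keys with `regedit` (or `reg export`) and reads that text; the sample export embedded below is constructed for the example, and the two flag rules are assumptions drawn from the thread: a file name matching the fixed Aurora component names Andy lists later (nail.exe, svcproc.exe), or a program launched straight from the bare Windows folder, where the random-named file is said to live.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Fixed Aurora/ABetterInternet executable names quoted in the thread.
KNOWN_AURORA_NAMES = {"nail.exe", "svcproc.exe"}

# Registry keys whose values are launched at logon (compared case-insensitively).
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# A .reg string value line: "name"="data", with \" and \\ as the only escapes.
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes a plain quote."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, command) for every string value under an autorun key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith(AUTORUN_KEYS):
            continue
        match = _VALUE_LINE.match(line)
        if match:
            entries.append((current_key, _unescape(match["name"]), _unescape(match["data"])))
    return entries


def executable_from_command(command: str) -> str:
    """Pull the program path out of an autorun command line.

    Quoted paths end at the closing quote; unquoted ones end at the first
    '.exe', which keeps paths containing spaces intact.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.search(r"\.exe\b", command, re.IGNORECASE)
    if match:
        return command[: match.end()]
    return command.split()[0] if command else ""


def review_autoruns(reg_text: str, windows_dir: str = "C:\\WINDOWS") -> list[dict]:
    """Return one finding per autorun entry, with the reasons it deserves a look."""
    windows = PureWindowsPath(windows_dir)  # PureWindowsPath compares case-insensitively
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        exe = PureWindowsPath(executable_from_command(command))
        reasons = []
        if exe.name.lower() in KNOWN_AURORA_NAMES:
            reasons.append("file name matches an Aurora component named in the thread")
        if exe.parent == windows:
            reasons.append("launched from the bare Windows folder (assumed heuristic)")
        findings.append({"key": key, "value": name, "exe": str(exe), "reasons": reasons})
    return findings


# Constructed sample export for this example; the entries are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Nail"="C:\\WINDOWS\\Nail.exe"
"svcproc"="C:\\WINDOWS\\svcproc.exe"
"ffsnvqmgpiy"="C:\\WINDOWS\\ffsnvqmgpiy.exe /s"
"Updater"="\"C:\\Program Files\\Example Vendor\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''


def flagged_sample() -> dict[str, list[str]]:
    """Map each flagged value name in the sample export to its reasons."""
    return {f["value"]: f["reasons"] for f in review_autoruns(SAMPLE_REG_EXPORT) if f["reasons"]}


if __name__ == "__main__":
    for value, reasons in flagged_sample().items():
        print(value, "->", "; ".join(reasons))
```

Run it against a real export by passing the file's text to `review_autoruns`; entries with an empty `reasons` list are still printed in the findings so nothing is silently dropped, and the decision to rename or remove a flagged file stays with the person reviewing the list.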
 
CarolineS

Andy and Josh: Thank you...



Can I delete ALL of these svchost files???
shadoe



 
Bill Sanderson

Interesting. Nod32 has a pretty good reputation for detections, I believe,
and this seems to bear that out.
 
Bill Sanderson

NO--chances are none.

Do a search of your drive for svchost.exe and see what you find. Under \windows you should find one in \system32 and an identical one in \servicepackfiles\i386, and no others. If you find others, consider renaming them.

Having 5 or more of these is normal:

http://support.microsoft.com/?kbid=314056

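The svchost.exe check Bill describes, written out as an added example for this page (it is not code from the thread or from any of the tools mentioned in it). It walks a Windows folder, finds every file named svchost.exe in any letter case, and compares each copy's hash with the copy in system32. The two expected locations come from Bill's post; the assumption added here is that a copy anywhere else is worth reporting even when it is byte-identical, because Windows never places one there. The folder tree it runs against when executed directly is constructed in a temporary directory with stand-in contents, so the example works offline on any OS; on a real machine you would pass the Windows folder itself.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Where a genuine svchost.exe lives on an XP-era system, relative to the
# Windows folder: the two locations Bill names in the thread.
EXPECTED_LOCATIONS = {
    "system32/svchost.exe",
    "servicepackfiles/i386/svchost.exe",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large binary need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_svchost_copies(windows_root: Path) -> list[Path]:
    """Return every file named svchost.exe (any letter case) under windows_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(windows_root):
        for name in files:
            if name.lower() == "svchost.exe":
                hits.append(Path(dirpath) / name)
    return hits


def audit_svchost(windows_root: Path) -> dict:
    """Classify every svchost.exe under windows_root.

    The system32 copy is the reference. Each copy is reported with its
    path relative to the Windows folder and whether its hash matches the
    reference. A copy outside EXPECTED_LOCATIONS goes in 'suspicious' even
    when byte-identical (assumption: the OS never puts a second copy there).
    An expected copy whose hash differs from system32 is also worth a look.
    """
    windows_root = Path(windows_root)
    reference = windows_root / "system32" / "svchost.exe"
    ref_hash = sha256_of(reference) if reference.is_file() else None
    report = {"reference_hash": ref_hash, "expected": [], "suspicious": []}
    for hit in sorted(find_svchost_copies(windows_root)):
        rel = hit.relative_to(windows_root).as_posix().lower()
        entry = {
            "path": rel,
            "matches_reference": ref_hash is not None and sha256_of(hit) == ref_hash,
        }
        bucket = "expected" if rel in EXPECTED_LOCATIONS else "suspicious"
        report[bucket].append(entry)
    return report


def build_demo_tree() -> Path:
    """Build a constructed stand-in Windows folder in a temp directory.

    The contents are made up for this example: two matching copies in the
    expected places, a different binary in the Windows root, and an
    identical copy in a folder where no svchost.exe belongs.
    """
    root = Path(tempfile.mkdtemp(prefix="winroot-"))
    genuine = b"constructed stand-in for the real svchost.exe"
    layout = {
        "system32/svchost.exe": genuine,
        "servicepackfiles/i386/svchost.exe": genuine,
        "svchost.exe": b"constructed stand-in for a rogue binary",
        "temp/SVCHOST.EXE": genuine,
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo_report() -> dict:
    """Run the audit against the constructed tree."""
    return audit_svchost(build_demo_tree())


if __name__ == "__main__":
    for bucket, entries in demo_report().items():
        print(bucket, entries)
```

On a Windows machine, `audit_svchost(Path(os.environ["SystemRoot"]))` runs the same check against the real Windows folder. The report only lists copies; renaming anything in the `suspicious` bucket, as Bill suggests, is a separate decision, and a `False` under `matches_reference` for one of the two expected copies means the pair Bill says should be identical is not.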
 
CarolineS

Thank you Bill, I'm trying to figure all angles :(
shadoe



 
AndyManchesta

I assume you mean the "svcproc.exe" file that is part of
Aurora? If so, this enters itself into the Windows folder
and should have been removed by the VX2
cleaner. "svchost.exe" is an essential Windows file in
the areas Bill has listed.

The main files for Aurora are

C:\Windows\nail.exe,
C:\Windows\svcproc.exe
C:\Windows\system32\drpmon.dll

and then a random-named file in the system32 folder and a
random file in the Windows folder, which was the one you
deleted. The others should all have been removed by
Lavasoft's VX2 Cleaner.

Andy
 
Bill Sanderson

This one is a common misunderstanding, and there are definitely BAD
svchost.exe's--but they won't be in \system32. I can see you are trying to
be thorough, and that's good.
 
CarolineS

Andy and Bill:
You guys have been great. Thank you both so much.
I did the search and renamed several files (not the win32 or the i386
files)...when I renamed them I just put an extra s in front in case I need to
"un-rename" them LOL.
FYI:
eHarmony.com
United Airlines
priceline.com
Orchard Bank
Chase Bank
Spirit Airlines
Travelocity
T-Mobile (phones)
These are only 8 of their customers.
I'm going to make a webpage with these names on it explaining what is
happening and promote the hell out of it. It may not help but it'll make me
feel better :)) I believe in "REVENGE"
I got these names from Direct Revenue...Tomorrow I will phone the Corporate
Offices of each of these companies and will try to speak to their Marketing
Directors...
shadoe




 
Bill Sanderson

I definitely like the idea of taking this out on the customers.
Unfortunately, I'm taking a rather long flight soon on one of those, but
maybe I can write them a letter or something.....
 
CarolineS

ROTFL.......





 
