Failure to Remove Aurora

South Ocean Drive

Transponder.ABetterInternet.Aurora continually reloads. MSAS detects it
only when I initiate a scan -- and then it apparently cannot remove the
spyware, though it indicates it does.

I have run CCleaner. I have restarted in SAFE mode, run the MSAS scan
twice, and Norton Antivirus -- and the Transponder.ABetterInternet.Aurora
just reappears.

MSAS says it is usually residing in C:\windows\nail.exe, though occasionally
it is in other locations as well. I've seen it in as many as three different
locations after one scan.

How do I get rid of this thing?
 
Andre Da Costa

From JohnF:
Look at your own post - those files are in your temporary internet files.
One thing we have emphasized MANY TIMES here is to completely clean out your
temporary internet files and your temporary files located under your profile
and under windows.

ccleaner can do a good job of that. You'll find the link below:

--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

PREP YOUR MACHINE FIRST!
- IF you are using Spybot S/D, UN-Immunize your computer
- IF you are using Adaware, turn off AD-Watch
- Disable all other active anti-spy applications
- Dump all temporary file locations and Internet files

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
winsockxpfix.exe www.snapfiles.com/get/winsockxpfix.html
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Clean out all temp file locations with ccleaner.exe

3. Install and use killbox to delete stubborn files

4. Reboot into safe mode - http://tinyurl.com/pfca
5. Run MSAS at least twice in full/deep mode
6. Run a robust, updated antivirus software scan
7. Reboot into normal mode, see if the problem has been corrected

8. If you think something is there but can't see it, download:
- Blacklight by F-Secure
www.europe.f-secure.com/exclude/blacklight/blbeta.exe
- RootKitRevealer by SysInternals
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

9. If your problem is Virus or Security patch related:
In the United States or Canada, call 1-866-PCSAFETY
MS will provide free support for those issues.

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
http://support.microsoft.com/kb/811259
LSPFix - www.cexx.org/lspfix.htm
Winsockxpfix - www.snapfiles.com/get/winsockxpfix.html

- Install SpywareBlaster to block malware apps from
installing on your machine. It does not actively run
on your machine; you run it, and it makes changes that
protect you.
http://www.javacoolsoftware.com/

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

*** For assistance in battling infestations***
- Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
- Save it to C:\hjt (new folder)
- Open it and select "Scan and Save Log"
- Send it to Ron Kinner as an attachment
- Ron's email address is (e-mail address removed)
- Put Hijack in the subject so he knows it's not spam

Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
4) If that fails, install VB6 runtime files:
http://www.softwarepatch.com/windows/vbrun6download.htm

- To report false positives:
www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
- To submit disputes or requests:
www.microsoft.com/athome/security/spyware/software/isv/cdform.aspx
- To learn more about how MS analyzes suspected spyware:
www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx
- To Run MSAS in passive mode:
http://support.microsoft.com/kb/892375

Alternative Anti-Spyware Applications:
- Spybot Search and Destroy
http://www.majorgeeks.com/download2471.html
- LavaSoft AdAware
http://www.majorgeeks.com/download506.html
- AdAware VX2 Cleaner Plugin
http://www.majorgeeks.com/download4283.html
- BHODemon
http://www.majorgeeks.com/download3550.html
- CWShredder (CoolWWWSearch)
http://www.majorgeeks.com/download3019.html
- PestPatrol
http://www.majorgeeks.com/download1187.html
- Webroot Spysweeper
http://www.majorgeeks.com/download3263.html
- Ewido Security Suite
http://www.ewido.net/en/
- CounterSpy (Same Giant Company Engine as MSAS)
http://www.sunbelt-software.com

Recommended Software to help protect you:
- Windows XP Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
- SpywareBlaster
http://www.javacoolsoftware.com
- Outpost Firewall Pro
http://www.agnitum.com/products/outpost
 
South Ocean Drive

I followed JohnF's instructions, though my problems are NOT with temporary
internet files.

As I mentioned, I ran CCleaner, ran killbox, giving it the name where MSAS
indicated the spyware resided, then rebooted into SAFE mode, ran MSAS twice,
then Norton Antivirus. I did his steps 1-8.

None of that eliminated the problem. I'm unable to 'submit suspected
spyware report' because MSAS insists I have a proxy problem, and will not
allow the report to upload.

How good is MSAS if you have to run four or five other programs to make it
work?
 
Andre Da Costa

It is a possibility that this spyware is restoring itself with system
snapshots; I would recommend disabling System Restore, then starting back in
safe mode and running the scan again.

Right click My Computer on the desktop or Start menu (depending on which
version of Windows you are running) > click Properties > System Restore >
Turn Off System Restore.
 
AndyManc

Hi there, you possibly are missing some of the components
for this. I appreciate your view about MS AntiSpy and why
you should need 5 other programs to fix things, but that's
the nature of adware/spyware these days: the makers are
sometimes 2 steps ahead of the antispy programs and the
only option is to manually remove every part or wait
until the antispy products are updated to include
whatever the adware is.

The Aurora has only been around for 4 or 5 weeks and has
started causing a lot of problems. One part of this is a
Windows service, one part a BHO and one part a random file
in the system folder which is 74kb and will say TODO when
you right-click it and view properties.

As you can see this isn't an easy thing to remove, because
it will just keep regenerating when you remove one part,
and if you remove the system file, which will have a
random name, it will just put another one back in with a
new name. This can even change the system file name when
you reboot, so it's proving to be a bit of a nightmare for
people.


See page 2 of this forum where I posted a fix for this.
The topic names are:

need HELP removing Transponder.ABet.

Jewelry.com popup will not stop.



These fixes just try to take all the files out at the
same time. It requires extra programs though, such as
CCleaner/HijackThis/Killbox, and then could need even
more should you have problems finding the random files;
programs like MicroWorld's eScan and Find-It would help,
but the random files are usually easy to spot using
HijackThis as it's just garbage that's typed, such as

[iMiDA] C:\WINDOWS\jjmjuuyuo.exe


See the two topics on page 2 for more details, but the
entries for this in HijackThis will look like this:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iMiDA] C:\WINDOWS\jjmjuuyuo.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


I know the fixes are not easy for this, but running MS
AntiSpy/Spybot Search & Destroy and Ad-Aware SE in safe
mode are usually the first steps when you know you are
infected, then run an online virus scan (there's loads you
can choose from: Panda, Trend's HouseCall, Symantec & more),
then programs like HijackThis and Killbox are really
there to help when the others cannot remove the problem.



Good Luck
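As an added example (not part of any post in this thread, and not code from HijackThis, Find-It or any other tool named here): a small Python triage script that reads HijackThis-style log lines and flags the three persistence points AndyManc describes above, the system.ini Shell= hijack (F2), the Run-key entry pointing at a random-named file in the Windows directory (O4), and the service with an unknown owner (O23). The log text is constructed for the example from the three entries quoted in the post plus made-up benign lines for contrast; the function names, the "random-looking name" heuristic and the assumption that Windows lives in C:\WINDOWS are all mine, not the tool's.

```python
"""Triage HijackThis-style log lines for the three persistence points described
in the thread: system.ini Shell= hijack (F2), Run-key autostart (O4) and a
service with no identifiable owner (O23). Heuristics and names are my own."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample log: the F2, [iMiDA] O4 and SvcProc O23 lines are the ones
# quoted in the thread; the other lines are made-up benign entries for contrast.
SAMPLE_LOG = """\
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\extoolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [iMiDA] C:\\WINDOWS\\jjmjuuyuo.exe
O4 - HKLM\\..\\Run: [ExampleAV] "C:\\Program Files\\ExampleAV\\exavtray.exe" /tray
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O23 - Service: Example AntiVirus (ExampleAV) - Example Software Inc. - C:\\Program Files\\ExampleAV\\exavmon.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Assumption: the Windows directory is C:\WINDOWS (or C:\WINNT on NT/2000).
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}


@dataclass
class Finding:
    section: str          # HijackThis section code: F2, O4 or O23
    line: str             # the raw log line
    reasons: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory, not in a subfolder."""
    parent = ntpath.dirname(path.strip('"')).rstrip("\\").lower()
    return parent in WINDOWS_ROOTS


def looks_random(stem: str) -> bool:
    """Rough 'typed at random' test: a run of four or more consonants, or no vowels
    at all. Legitimate names such as svchost also trip it, so triage() only reports
    it alongside the location check, never on its own."""
    s = stem.lower()
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    longest = max((len(r) for r in runs), default=0)
    return longest >= 4 or re.search(r"[aeiouy]", s) is None


def triage(log_text: str) -> list:
    """Return a Finding for every F2/O4/O23 line that matches at least one indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reasons = []
        if (m := F2_RE.match(line)):
            # A clean Shell= value names only Explorer.exe; anything after it is
            # launched at every logon, which is how Nail.exe keeps coming back.
            extra = [p for p in m["shell"].split() if p.lower() != "explorer.exe"]
            if extra:
                reasons.append("Shell= also launches: " + " ".join(extra))
        elif (m := O4_RE.match(line)):
            exe = executable_path(m["cmd"])
            stem = ntpath.splitext(ntpath.basename(exe))[0]
            if in_windows_root(exe):
                reasons.append("autorun binary sits directly in the Windows directory: " + exe)
                if looks_random(stem):
                    reasons.append("random-looking file name: " + stem)
        elif (m := O23_RE.match(line)):
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service reports 'Unknown owner' (no company in version info)")
            if in_windows_root(m["path"]):
                reasons.append("service binary sits directly in the Windows directory: " + m["path"])
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print("    - " + r)
```

Run against the constructed log it reports exactly the three lines quoted in the post and stays silent on the benign toolbar, tray and antivirus entries. The reasons are printed next to each hit rather than collapsed into a verdict, because every check here is a heuristic; the one hard rule is that a Shell= value naming anything besides Explorer.exe is always worth a look, since whatever follows it is started at every logon.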
 
South Ocean Drive

Andy --

Thanks for the help and advice, but . . .

I followed your instructions posted earlier, and rebooted into SAFE mode.
Then I ran ABI Remover, then HijackThis. HijackThis's logfile did not list any
F2 listing, did not list an O4 listing of the changed name file, nor did it
list an O23 listing for the System Startup Service. This made running Killbox
sorta useless, but it confirmed that the missing files did not exist.

I bailed out of SAFE mode, and ran CCleaner when the system was restored.
Find-It reveals:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/17/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE
MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE
UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is DC82-293C

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is DC82-293C

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

Bottom line is -- I still got it!

Tim


 
AndyManc

Hi again Tim. Can you post your HijackThis log? If it's not
showing the nail.exe/svcproc.exe or any random files then
you must have cleared it; the nail.exe part would keep
returning otherwise.

Is there anything else showing in the log? Like you say,
running Killbox is useless if you can't find any entries
for this. The ABI Remover or MS AntiSpy could have cleaned
this, but if it's still being detected in the scans there's
possibly a reg entry left. If you can post the log it
would be easier to comment, but if you haven't got the
C:\windows\nail.exe or C:\windows\svcproc.exe or the random
file then you can't be still infected.

The Find-It log is showing clean even though it says SAH
Files found and Aurora Files found; these are just the
names of what's being searched for, and it's not showing any
Aurora or SAH Agent files or even any suspect files, so
hopefully you've cleaned it. Posting a HijackThis log would
show that though.

Regards Andy
 
