Aurora Trojan / Virus

This trojan has many other names, but they all do the same thing.

What it does is infect the search bar area of Windows/IE Explorer, and it begins generating a multitude of adware viruses that eat up your memory, change your IE home page and registry, and change your search engine. While Avast will prevent this virus from installing, if you already have it, Avast and other anti-virus programs will get rid of the generated viruses, but they keep coming back as the main host is well hidden.

After giving up on several computers and just reformatting the hard drive, I finally found a simple free program that erases this annoying virus. I hope the link below solves your problem as it did mine.

http://mypctuneup.com/

Just follow the instructions to load the web based program.

SirAlleyCat

Mypctuneup removes Aurora because it was developed by the same company that produces Aurora, i.e., Direct Revenue.

A Google search for Mypctuneup reveals some interesting results, some even suggesting that Mypctuneup installs more spyware even as it removes Aurora.

Far be it from me to suggest that these stories might be true, but personally I would trust a spyware removal program from a spyware company about as far as I could spit a dead rat into a high wind. :wink:

Hi SirAlleyCat,

This is one of the nasties from a renowned malware BHO spreader, also known as the Transponder gang. People who have IEHelper.dll, VX2.dll, TPS108.dll, MSView.dll, Host.dll, VoiceIP.dll, BTGrab.dll, DLMax.dll, Pynix.dll, ZServ.dll, Ceres.dll, Speer.dll, Speer2.dll, Speeryox.dll, Bolger.dll, Aurora.exe, imGiant.dll or Buddy.exe all fell victim to Transponder malware. In the light of the new upcoming anti-spyware acts, the distributors are starting to clean up their act, but as far as we know they are still at it. Think first, click later.

Have a nice day,

Yours truly,

polonus

Quote from Spyware Warrior:

MyPCTuneUp was originally listed on these pages because of concerns regarding its connection with DirectRevenue -- a company whose software is targeted by reputable anti-malware vendors (1, 2, 3, 4, 5, 6) -- and because the MyPCTuneUp uninstaller uses a Transponder component program ("thinstaller"/"thunst.exe"), which transmits a good deal of system information to its controlling server (thinstall.abetterinternet.com) when uninstalling DirectRevenue's advertising software (1, 2). "Thinstaller" software is also capable of transmitting data about competing advertising programs and anti-malware programs that may be installed on the user's hard drive (1, 2). Indeed, DirectRevenue's software has been known to remove other software from users' PCs (1).

Limited testing with the MyPCTuneUp uninstaller indicates that it does remove DirectRevenue’s software. Moreover, as it has never been the policy of this page to list vendor-supplied uninstallers for advertising software programs, we can no longer justify listing the MyPCTuneUp uninstaller in the main “Rogue/Suspect” list.

This de-listing was prompted by a letter from DirectRevenue’s law firm. You can read DirectRevenue’s letter to Spyware Warrior HERE and Spyware Warrior’s response HERE. Both are PDF documents.

Reading between the lines, this seems to say that Mypctuneup probably spies on you while it is cleaning up other spyware, and may even remove programs you wanted to keep, but as it is an uninstall utility provided by the people who pushed the spyware on you in the first place (and because the lawyers are on their tail) it’s being removed from the list of rogue anti-spyware programs.

While I was not aware that the source of this program was questionable, I do know that it works where others (including Avast) failed. My other option was to format the hard drive, which can still be done.

Yes, it does remove other programs including your screen saver, explorer toolbars, and desktop background, but they are reinstalled with little trouble, and this time virus free. If you have another solution to get rid of this virus, I am all ears, or perhaps the programmers at Avast can enhance their cleaner program to incorporate similar code. In any case, it has been 3 days since I used this program on my problem computer, and I have seen no adverse effects.

Please note that having Avast in the first place would keep this from ever becoming a problem, and while I don’t want to bash on Norton AV, it doesn’t. Which is why I had to fix that computer at all.

[N.B. I’m writing here only as an avast! user: I’m not speaking for the company.]

This is more of an adware/spyware problem than a virus problem.

Some virus companies are moving towards an integrated anti-virus, anti-spyware approach: see for example these stories about eTrust anti-virus and Pest Patrol, and Trend Micro and Intermute, teaming up.

http://news.com.com/CA+set+to+deliver+defensive+packages/2100-7355_3-5751938.html?tag=cd.top

http://www.theregister.co.uk/2005/05/10/trend_buys_intermute/

Other anti-virus companies license a version of an anti-spyware program. Buy F-secure, for example, and you get Ad-Aware Pro.

For the moment, avast! does not offer comprehensive anti-spyware protection, but this simply leaves you free to use the best of the anti-spyware programs available to complement avast!

As most recent reviews suggest that no one anti-spyware program offers 100% protection, even if you purchase a package which provides anti-virus and anti-spyware together, the anti-spyware protection you receive would not be perfect.

To remove spyware, the best approach is to use a number of anti-spyware scanners. As there are free versions of many of the best scanners, using avast! plus these scanners is still a far better solution than most anti-virus/anti-spyware packages.

Some argue that the best result will be obtained by anti-virus companies concentrating on viruses, and anti-spyware companies concentrating on spyware. Others argue that the distinction has to end.

Of course the big advantage for an anti-virus company concentrating on viruses, Trojans etc is that the virus writers are not going to sue them for loss of business. Some of the big companies getting into fighting spyware have found that they are getting into legal arguments with the spyware pushers who claim that their programs are not malware but legitimate software. This has led to some spyware definitions being withdrawn from anti-spyware databases, but also to spyware pushers providing uninstallers for their own products so they can claim to be legitimate.

Apparently Webroot’s SpySweeper works well in cleaning up Aurora. A free working trial is available. I would also recommend running it just to check that Mypctuneup has not left anything nasty behind.

By the way, if what they say about the registration process for Mypctuneup is true, you will be getting some spam in the near future as a result.

Hello SirAlleycat and FreewheelinFrank,

Yes, you see a move towards the so-called total solutions. The bad thing about that is that you come to rely too much on a product that cannot deliver what it promises, namely a total solution to malware as such (anti-malware). Moreover it would be over-heavy, like the big two already are, slowing things up. I would go for the combination. In Holland, on XP SP2, I would recommend AVAST + Hitman Pro (a Dutch shell program with Ad-aware, Spybot S&D, SpywareBlaster, Bazooka, Flister, HJT and StartupList aboard) and two or so special trojan scanners. Together with some analyzing stuff, like FileAlyzer, RegAlyzer, a BintScan (binary scan) and a hex viewer, you would be well equipped to oppose many a threat from the Internet. The 10 steps to analyze should come first, so a good text editor is also vital.

regards,

polonus

This is more of an adware/spyware problem than a virus problem.

No, this is a virus or worm. It changes the functionality of your IE and doesn’t allow you to change it back. In addition it downloads other known viruses and adware on to your computer and possibly sends out private information. Unlike other software such as Quicktime or Real Player that spam you with ads and take over other similar program functions, this one was unremovable until now, which IMHO makes it one of the nastiest viruses out there, with possibly the exception of one that destroys your files.

SirAlleyCat

Aurora was submitted to Alwil a few days ago by me.

With respect, Aurora is spyware. Worms are used to take control of your computer, often for criminal purposes, and viruses are designed to damage data on your computer or to deliver a payload designed to take control of your computer, again, increasingly, for criminal purposes.

Spyware or adware is designed for commercial purposes, although it may be devious, dishonest and even, in extreme, malicious.

To get Aurora on your system, you had to ask it to come in: to accept a EULA or click on an ‘accept’ button somewhere: viruses and worms don’t do this.

A minor distinction perhaps: we all hate spyware here as much as viruses and worms. But avast! doesn’t target spyware. It does an excellent job against viruses, worms and Trojans but you will need to use other programs to remove spyware.

Using the uninstaller provided by the creators of the spyware may be a necessary evil, but please be aware of the privacy risks.

If you want a spyware remover effective against this pest, apparently SpySweeper is very good. (Generally, it has a good reputation.)

As mentioned before, the best approach against spyware is to use all of the available options - Ad-Aware, Spybot S & D, X-Cleaner, MS AntiSpyware, Yahoo! Anti-Spy - in addition to a good anti-virus program.

I can’t agree with you. Aurora is classified as a trojan by many AV vendors.

Hi Rejzor,

Of course you could also qualify this malware as a trojan because there is a server and client model. See what its action is, and then decide what it should be called. A transponder trojan or a transponder-variant browser helper object transponds signals to its controlling server. The first is a routine check-in with a unique ID given along with the installed product to update the user’s profile in an online database. The second part is the so-called Motts check-in transmitting user information to reinstall new objects needed. This also updates their ini files and cookies for the offeroptimizer site. The last type is the standard transmission of user data to the controlling server, a third-party ad server, transmitting surfing habits, user-filled-out forms and pop-up ads to be generated by the optimizer.
Because the transponder distributor has provided a possibility to uninstall at a certain site, they can argue that this trojaned BHO is legit. Maybe that is why AV producers choose to call it a trojan, because technically it can be considered as such. If you called it spyware you could be sued because in the opinion of the makers it is not. The same questions came with WhenU etc. See the site of Ben Edelman for a more in-depth legal discussion of other types of malware. So you are right RejZoR in a sense, and FreewheelinFrank is right too in a sense. To call a spade a spade, it is malware, and it should not be on your machine.

greets,

polonus

I realise that components of spyware are often classified as Trojans, and rightly so. In the spectrum of stuff we try to remove from computers, there are evil worms and viruses at one end, and annoying but legitimate adware at the other, the stuff that warns you it’s coming and will go if asked. The Trojan horse is often somewhere in the grey area in the middle.

If spyware is nasty enough, then it’s rightly lumped together with viruses and worms as malicious: because it’s dishonest and sneaky and hard to remove and has negative effects on performance or even deliberately does harm.

However, I think Aurora has to go in the spyware camp because it is a commercial application: there is a company behind it willing to say that their product is a legitimate commercial product.

You can’t say that about a Trojan designed to turn your computer into part of a botnet. No lawyer is going to crawl out from under a rock and threaten an anti-virus company for targeting that Trojan.

I’m quite happy for avast! to add the Aurora Trojan to its definitions, but I don’t believe that avast! is attempting comprehensive removal of spyware programs. If you want that, you have to go to a specialist anti-spyware program, or indeed to use several of them.

I would be quite happy to see avast! tackle spyware in this way, but if they do, they’re going to run into some lawsuits. That’s a decision for the company.

I’m also quite happy to use avast! for malware protection (including spyware Trojans) and specialist spyware programs to remove spyware. I’m just saying that this is no failure on the part of avast! It has never claimed to be an anti-spyware program.

Respect and regards to all,

FF

Hi FreewheelinFrank,

I agree with you that Aurora is spyware in the first place, because it was designed to function in that way. The other aspects are a plus, or rather in this case a minus. What I find enlightening about the discussion in this thread is that it gives us good insight into the various angles this malware can be looked at from, by the way it functions. I learn a lot here. Better an ounce of protection and forewarning than a pound of cleansing and a compromised system. Don’t you agree with me?

kind regards,

polonus.

Definitely, Polonus.

And if Adware/Spyware companies want to be seen as legitimate and provide an uninstall mechanism for their products, what is wrong with putting an entry in Add/Remove Programs?

According to Kephyr.com (who produce the Bazooka scanner) Aurora may in fact have an entry in Add/Remove. So anybody with a similar problem could try to uninstall it there first. They also have removal instructions on their website.

Hello FreewheelinFrank and other forum members,

I think people that visit this forum should install this. Bazooka is a good scanner. It is nothing more than a scanner, but it is quick and it is updated in a regular fashion. It states exactly what it does not scan for, which in my opinion makes it one of the better ones, because there are a lot of scanners that have omissions but do not mention these specifically. For this reason alone, you are only safe when you have a variety of anti-spyware scanners on your box. You can find Bazooka here: http://www.kephyr.com/spywarescanner/. Bazooka gives you information on where to go to tackle the found malware. It is only to diagnose; moreover it is fast.

Greets,

polonus

Polonus, in the past I’ve tried it but the updates were not that frequent, and in all my scans it found nothing that Ad-aware and SpyBot hadn’t detected before… Was Bazooka improved?

Dear Forum Members and FreewheelinFrank,

We have to be aware of a pattern here. Do a random Google search on Nail.exe and Aurora.exe and see what comes to light, while in the HJT logs you see a recurring btdownloadgui.exe. Then the monkey is out of the curtains and the source of the spyware is clear: a download through BitTorrent. They had a clean record in the past, but this is no longer so, although they claim their source code is clean. It is as clean as a baby’s buttock, but the download data streams are not, and that is where Aurora comes in. It is also handy to see what regedit does not see with Reglite from http://www.resplendence.com/download/reglite.exe.
Well, keep your shields up, your scanners sharp, and stay away from unsafe P2P, a spyware base.

yours faithfully,

polonus
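Two of the posts above give a practitioner something concrete to look for: polonus's list of Transponder DLL/EXE names, and the later note that Nail.exe and Aurora.exe keep turning up in HijackThis (HJT) logs. As an added example that is not from any poster in this thread, here is a small Python scanner that flags those file names in an HJT-style log. The log lines are constructed for illustration (the CLSIDs are placeholders), the line-format regexes are this example's assumptions about the HJT O2/O4 layout, and a name match only catches components that keep the listed file names; a renamed host would slip past it, which is exactly why the thread recommends several scanners rather than one.

```python
"""Flag Transponder/Aurora component names in a HijackThis-style log.

Added example, not from the forum thread or from any tool it names.
"""
import re
from dataclasses import dataclass
from typing import List

# File names taken from polonus's list above, plus nail.exe from the later
# posts. Matching is case-insensitive on the base name only.
TRANSPONDER_FILES = frozenset({
    "iehelper.dll", "vx2.dll", "tps108.dll", "msview.dll", "host.dll",
    "voiceip.dll", "btgrab.dll", "dlmax.dll", "pynix.dll", "zserv.dll",
    "ceres.dll", "speer.dll", "speer2.dll", "speeryox.dll", "bolger.dll",
    "aurora.exe", "imgiant.dll", "buddy.exe", "nail.exe",
})

# HJT line shapes (assumed here): O2 = Browser Helper Objects, O4 = autorun
# entries. Only these two sections are parsed.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<command>.+)$")
# First .exe/.dll token of a command line, quoted or not, ignoring arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll))"?(?:\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    section: str  # HJT section the line came from ("O2" or "O4")
    file: str     # lower-cased base name that matched
    path: str     # path as written in the log
    detail: str   # CLSID for a BHO, registry key for an autorun entry


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows path (backslash or slash separators)."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def scan_log(log_text: str) -> List[Hit]:
    """Return one Hit per O2/O4 line whose file name is on the Transponder list."""
    hits: List[Hit] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name = base_name(m["path"])
            if name in TRANSPONDER_FILES:
                hits.append(Hit("O2", name, m["path"].strip(), m["clsid"]))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = EXE_RE.match(m["command"].strip())
            if cmd:
                name = base_name(cmd["path"])
                if name in TRANSPONDER_FILES:
                    hits.append(Hit("O4", name, cmd["path"], m["key"]))
    return hits


# Constructed sample log: not from a real machine, CLSIDs are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: Example helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\System32\VX2.dll
O4 - HKLM\..\Run: [Nail] C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Tray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [Aurora] "C:\Program Files\Aurora\Aurora.exe" /boot
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.section}: {hit.file} at {hit.path} ({hit.detail})")
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents. A hit gives you the CLSID (for an O2 entry) or the Run key (for an O4 entry) to go and inspect in the registry, which is the next step polonus describes with RegLite; a clean run proves nothing on its own.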

Hi FreewheelinFrank,

If you want to see where our friend RejZoR got his opinion, you read it here: http://www.liutilities.com/products/wintaskspro/processlibrary/nail/
They state that nail.exe has an unknown author and that it is a virus, while others like VitalSecurity.org share our opinion that it is spyware on behalf of DirectRevenue, e.g. Aurora, aka the Transponder gang monstrosity.

greets,

polonus

Hi Polonus,

They actually call it a Trojan and say:

This program is usually installed through consent...

Nail.exe is part of a nasty piece of spyware and avast! is right to call it a Trojan and to target it.

My only argument is that it is not right to call the Aurora thing a virus or worm. Viruses and worms are not created by people with names, by companies with websites.

The people responsible for Aurora not only have a website, they are also very proud of their new product:

http://www.direct-revenue.com/news6.php

Contact Information
Jonathan Cohen
(646) 442-6366
jcohen@direct-revenue.com

When was the last time you could email the writer of a virus or worm and let them know what you think of them?