Avast WEBforum
Other => Viruses and worms => Topic started by: SirAlleyCat on June 19, 2005, 05:22:30 PM
-
This trojan has many other names, but they all do the same thing.
What it does is infects the search bar area of windows/IE explorer, and begins generating a multitude of adware viruses that eat up your memory, change your IE home page, registry, and change your search engine. While Avast will prevent this virus from installing, if you already have it, Avast and other anti-virus programs will get rid of the generated viruses, but they keep coming back as the main host is well hidden.
After giving up on several computers and just reformatting the hard drive, I finally found a simple free program that erases this annoying virus. I hope the link below solves your problem as it did mine.
http://mypctuneup.com/
Just follow the instructions to load the web based program.
SirAlleyCat
-
Mypctuneup removes aurora because it was developed by the same company that produces Aurora, ie, Direct Revenue.
A Google search for Mypctuneup reveals some interesting results, some even suggesting that Mypctuneup installs more spyware even as it removes Aurora.
Far be it from me to suggest that these stories might be true, but personally I would trust a spyware removal program from a spyware company about as far as I could spit a dead rat into a high wind. ;)
-
Hi SirAlleyCat,
This is one of the nasties from a renowned malware BHO spreader , also known as the Transponder gang. People who have IEHelper.dll, VX2.dll, TPS108.dll, MSView.dll, Host.dll, VoiceIP.dll, BTGrab.dll, DLMax.dll, Pynix.dll, ZServ.dll, Ceres.dll, Speer.dll, Speer2.dll, Speeryox.dll. Bolger.dll, Aurora.exe, imGiant.dll, Buddy.exe all fell victim to transponder malware. In the light of the new upcoming anti-spyware acts, the distributors are starting to clear up their act, but as far as we know they are still at it. Think first, click later.
Have a nice day,
Yours truly,
polonus
-
Quote from Spyware Warrior:
MyPCTuneUp was originally listed on these pages because of concerns regarding its connection with DirectRevenue -- a company whose software is targeted by reputable anti-malware vendors (1, 2, 3, 4, 5, 6) -- and because the MyPCTuneUp uninstaller uses a Transponder component program ("thinstaller"/"thunst.exe"), which transmits a good deal of system information to its controlling server (thinstall.abetterinternet.com) when uninstalling DirectRevenue's advertising software (1, 2). "Thinstaller" software is also capable of transmitting data about competing advertising programs and anti-malware programs that may be installed on the user's hard drive (1, 2). Indeed, DirectRevenue's software has been known to remove other software from users' PCs (1).
Limited testing with the MyPCTuneUp uninstaller indicates that it does remove DirectRevenue's software. Moreover, as it has never been the policy of this page to list vendor-supplied uninstallers for advertising software programs, we can no longer justify listing the MyPCTuneUp uninstaller in the main "Rogue/Suspect" list.
This de-listing was prompted by a letter from DirectRevenue's law firm. You can read DirectRevenue's letter to Spyware Warrior HERE and Spyware Warrrior's response HERE. Both are PDF documents.
Reading between the lines, this seems to say that Mypctuneup probably spies on you while it is cleaning up other spyware, and may even remove programs you wanted to keep, but as it is an uninstall utility provided by the people who pushed the spyware on you in the first place (and because the lawyers are on their tail) it's being removed from the list of rogue anti-spyware programs.
-
While I was not aware that the source of this program was questionable, I do know that it works where others ( including Avast ) failed. My other option was to format the hard drive, which can still be done.
Yes, it does remove other programs including your screen saver, explorer toolbars, and desktop background, but they are reinstalled with little trouble, and this time virus free. If you have another solution to get rid of this virus, I am all ears, or perhaps the programmers at Avast can enhance their cleaner program to incorporate a similar code. In any case, it has been 3 days since I have used this program on my problem computer, and I have seen no adverse effects.
Please note that having Avast in the first place would keep this from ever becoming a problem, and while I don't want to bash on Norton AV, it doesn't. Which is why I had to fix that computer at all.
-
[N.B. I'm writing here only as an avast! user: I'm not speaking for the company.]
This is more of an adware/spyware problem than a virus problem.
Some virus companies are moving towards an integrated anti-virus, anti-spyware approach: see for example these stories about eTrust anti-virus and Pest Patrol and Trend Micro and Intermute teaming up.
http://news.com.com/CA+set+to+deliver+defensive+packages/2100-7355_3-5751938.html?tag=cd.top
http://www.theregister.co.uk/2005/05/10/trend_buys_intermute/
Other anti-virus companies license a version of an anti-spyware program. Buy F-secure, for example, and you get Ad-Aware Pro.
For the moment, avast! does not offer comprehensive anti-spyware protection, but this simply leaves you free to use the best of the anti-spyware programs available to complement avast!
As most recent reviews suggest that no one anti-spyware program offers 100% protection, even if you purchase a package which provides anti-virus and anti-spyware together, the anti-spyware protection you receive would not be perfect.
To remove spyware, the best approach is to use a number of anti-spyware scanners. As there are free versions of many of the best scanners, using avast! plus these scanners is still a far better solution than most anti-virus/anti-spyware packages.
Some argue that the best result will be obtained by anti-virus companies concentrating on viruses, and anti-spyware companies concentrating on spyware. Others argue that the distinction has to end.
Of course the big advantage for an anti-virus company concentrating on viruses, Trojans etc is that the virus writers are not going to sue them for loss of business. Some of the big companies getting into fighting spyware have found that they are getting into legal arguments with the spyware pushers who claim that their programs are not malware but legitimate software. This has led to some spyware definitions being withdrawn from anti-spyware databases, but also to spyware pushers providing uninstallers for their own products so they can claim to be legitimate.
Apparently Webroot's SpySweeper works well in cleaning up Aurora. A free working trial is available. I would also recommend running it just to check that Mypctuneup has not left anything nasty behind.
By the way, if what they say about the registration process for Mypctuneup is true, you will be getting some spam in the near future as a result.
-
Hello SirAlleycat and FreewheelinFrank,
Yes you see a move to-wards the so-called total solutions. The bad thing about that is you come to rely too much on a product that cannot deliver what it promises, namely a total solution to-wards malware as such (anti-malware). Moreover it would be overheavy, like the big two already are, slowing things up I would go for the combination. In Holland on XP SP2 I would recommend AVAST + Hitman Pro (a dutch shell program with Ad-aware, Spybot S&D, SpywareBlaster Bazooka and Flister, HJT, StartupList aboard) and two or so special trojan scanners. Together with some analyzing stuff, like FileAlyzer, RegAlyzer, a BintScan (binary scan) and a hexviewer, you would be well equipped to oppose many a threat from the Internet. The 10 steps to analyze should become first, so a good text editor is also vital.
regards,
polonus
-
This is more of an adware/spyware problem than a virus problem.
No, this is a virus or worm. It changes the functionality of your IE and doesn't allow you to change it back. In addition it downloads other known viruses and adware on to your computer and possibly sends out private information. Unlike other software such as Quicktime or Real Player that spam you with ads and take over other similar program functions, this one is unremoveable until now, which IMOHO makes it one of the most nasty virus out there, with possibly the exception of one that destroys your files.
SirAlleyCat
-
Aurora was submitted to Alwil few days ago by me.
-
With respect Aurora is spyware. Worms are used to take control of your computer, often for criminal purposes, and viruses and designed to damage data on your computer or to deliver a payload designed to take control of your computer, again, increasingly, for criminal purposes.
Spyware or adware is designed for commercial purposes, although it may be devious, dishonest and even, in extreme, malicious.
To get Aurora on your system, you had to ask it to come in: to accept a EULA or click on an 'accept' button somewhere: viruses and worms don't do this.
A minor distinction perhaps: we all hate spyware here as much as viruses and worms. But avast! doesn't target spyware. It does an excellent job against viruses, worms and Trojans but you will need to use other programs to remove spyware.
Using the uninstaller provided by the creators of the spyware may be a necessary evil, but please be aware of the privacy risks.
If you want a spyware remover effective against this pest, apparently SpySweeper is very good. (Generally, it has a good reputation.)
As mentioned before, the best approach against spyware is to use all of the available options- Ad-Aware, Spybot S & D, X-Cleaner, MS AntiSpyware, Yahoo! Anti-Spy- in addition to a good anti-virus program.
-
A can't agree with you. Aurora is classified as trojan by many AV vendors.
-
Hi Rejzor,
Of course you could qualify this malware also as trojan because there is a server and client model. See what its action is, and then decide what it should be called. A transponder trojan or a transponder variant browser helper object transponds signals to its controlling server. The first is a routincheckin with a unique ID given along with the installed product to update the user's profile to an online database. The second part is the so-called Motts Chekin transmitting user information to reinstall new objects needed. This also updates ini files and cookies of theirs to offeroptimizer site. The last type is the Standard Transmission of user data to controlling server, third party ad server, transmitting surfing habits, user filled out forms and pop up ads to be generated by the optimizer.
Because the transponder distributer has provided a possibility to uninstall at a certain site, they can argue that this trojaned BHO is legit. Maybe that is why AV producers choose to call it a trojan, because technically it can be considered as such.If you called it spyware you could be sued because in the opinion of the makers it is not. The same questions came with WhenU etc. See the site of Ben Edelman for a more in-depth legal discussion for other types of malware. So you are right RejZoR in a sense, and FreewheeelinFrank is right too in a sense. To call a spade a spade, it is malware, and it should not be on your machine.
greets,
polonus
-
I realise that components of spyware are often classified as Trojans, and rightly so. In the spectrum of stuff we try to remove from computers, there are evil worms and viruses at one end, and annoying but legitimate adware at the other, the stuff that warns you it's coming and will go if asked. The Trojan horse is often somewhere in the grey area in the middle.
If spyware is nasty enough, then it's rightly lumped together with viruses and worms as malicious: because it's dishonest and sneaky and hard to remove and has negative effects on performance or even deliberately does harm.
However, I think Aurora has to go in the spyware camp because it is a commercial application: there is a company behind it willing to say that their product is a legitimate commercial product.
You can't say that about a Trojan designed to turn your computer into part of a botnet. No lawyer is going to crawl out from under a rock and threaten an anti-virus company for targeting that Trojan.
I'm quite happy for avast! to add the Aurora Trojan to its definitions, but I don't believe that avast! is attempting comprehensive removal of spyware programs. If you want that, you have to go to a specialist anti-spyware program, or indeed to use several of them.
I would be quite happy to see avast! tackle spyware in this way, but if they do, they're going to run into some lawsuits. That's a decision for the company.
I'm also quite happy to use avast! for malware protection (including spyware Trojans) and specialist spyware programs to remove spyware. I'm just saying that this is no failure on the part of avast! It has never claimed to be an anti-spyware program.
Respect and regards to all,
FF
-
Hi FreewheelinFrank,
I agree with you that Aurora is spyware in the first place, because it was designed to function in that way. The other aspects are a plus, or rather in this case a minus. What I find enlightening about the discussion in this thread that it gives us a good insight on the various angles this malware can be looked upon from the way it functions. I learn a lot here. Better is an ounce of protection and forewarn than a pound of cleansing and a compromised system. Don't you agree with me?
kind regards,
polonus.
-
Definitely, Polonus.
And if Adware/Spyware companies want to be seen as legitimate and provide an uninstall mechanism for their products, what is wrong with putting an entry in Add/Remove Programs?
According to Kephyr.com (who produce the Bazooka sanner) Aurora may in fact have an entry in Add/Remove. So anybody with a similar problem could try to uninstall it there first. They also have removal instructions on their website.
-
Hello FreewheelinFrank and other forum members,
I think people that visit this forum should install this. Bazooka is a good scanner. It is nothing more than a scanner, but it is quick, it is updated in a regular fashion. It states exactly what it does not scan for, which makes in my opinion one of the better ones. Because there are lot of scanners who have omissions but do not mention these specifically. For this reason alone, you are only safe when you have a variety of anti-spyware scanners on your box. you can find Bazooka here;
http://www.kephyr.com/spywarescanner/. Bazooka gives you information, where to go to tackle the found malware. It is only to diagnose, moreover it is fast.
Greets,
polonus
-
Bazooka is a good scanner. It is nothing more than a scanner, but it is quick, it is updated in a regular fashion.
Polunus, in the past I've tried it but the updates were not that frequently and in all my scannings it founds nothing more than Ad-aware and SpyBot haven't detected before... Was Bazooka improved?
-
Dear Forum Members and FreewheelinFrank,
With respect Aurora is spyware. Worms are used to take control of your computer, often for criminal purposes, and viruses and designed to damage data on your computer or to deliver a payload designed to take control of your computer, again, increasingly, for criminal purposes.
Spyware or adware is designed for commercial purposes, although it may be devious, dishonest and even, in extreme, malicious.
To get Aurora on your system, you had to ask it to come in: to accept a EULA or click on an 'accept' button somewhere: viruses and worms don't do this.
A minor distinction perhaps: we all hate spyware here as much as viruses and worms. But avast! doesn't target spyware. It does an excellent job against viruses, worms and Trojans but you will need to use other programs to remove spyware.
Using the uninstaller provided by the creators of the spyware may be a necessary evil, but please be aware of the privacy risks.
If you want a spyware remover effective against this pest, apparently SpySweeper is very good. (Generally, it has a good reputation.)
As mentioned before, the best approach against spyware is to use all of the available options- Ad-A
ware, Spybot S & D, X-Cleaner, MS AntiSpyware, Yahoo! Anti-Spy- in addition to a good anti-virus program.
We have to be aware of a pattern here. Do a random Google search on Nail.exe and Aurora.exe and what comes to light, while you consider the HJT logs a reoccurring btdownloadgui.exe. Then the monkey is out of the curtains and the source of the spyware is clear a download through Bittorent. They had a clean record in the past, but this is not longer so, although they claim their source code is clean. It is as clean as a baby's buttock, but the download data streams are not, and there Aurora comes in. Also handy to see what regedit does not see with Reglite from http://www.resplendence.com/download/reglite.exe.
Well keep your shields up, your scanners sharp, and stay away from spyware base that is unsafe P2P.
yours faithfully,
polonus
-
Hi FreewheelinFrank,
If you want to see where our friend RejZoR got his opinion, you read it here: http://www.liutilities.com/products/wintaskspro/processlibrary/nail/
They state that nail.exe has an unknown author and that it is a virus, while other like VitalSecurity.org has our opinion that it is spyware on behalf of DirectRevenue e.g. Aurora aka Transponder gang monstruosity.
greets,
polonus
-
Hi Polonus,
They actually call it a Trojan and say:
This program is usually installed through consent...
Nail.exe is part of a nasty piece of spyware and avast! is right to call it a Trojan and to target it.
My only argument is that it is not right to call the Aurora thing a virus or worm. Viruses and worms are not created by people with names, by companies with websites.
The people responsible for Aurora not only have a website, they are also very proud of their new product:
http://www.direct-revenue.com/news6.php
Contact Information
Jonathan Cohen
(646) 442-6366
jcohen@direct-revenue.com
When was the last time you could email the writer of a virus or worm and let them know what you think of them?
-
This is some very interesting posting in this tread…I would like to ask a question about removing a program from the add/remove….It has seemed to me that even if you remove a program it still has a folder stored on your hard drive, so it seems that it does not really remove all of the program, I always delete these folders from my hard drive, but does that get rid of all the hidden files? Thanks!!!
-
Hi Shadowhunter,
I think there are two issues here: Add/Remove entries for legitimate programs and Add/Remove entries for spyware/adware programs.
Legitimate programs may leave folders behind after removal of the program. These may contain log files, reports or configuration information. Sometimes they may contain files which may be used by other programs. Or they might just be an oversight and be empty. these can usually be deleted in a clean up process, and shouldn't contain any hidden files.
Add/Remove entries for spyware/adware programs, on the other hand, may not remove all components of the program: they may leave the sneakiest components behind to continue spying on you. These are indeed 'hidden files'. Even after uninstalling spyware/adware programs in this way, it's still a good idea to run Ad-Aware, Spybot S&D etc to remove hidden components.
But it's not a good idea to run anti-spyware programs before trying to remove the application from Add/Remove, because anti-spyware programs may remove the sneaky hidden files but break the uninstall feature of the application in Add/Remove leaving no way to remove it.
So it's always a good idea to try to uninstall programs fro Add/Remove, but never trust spyware/adware programs to go away completely with this method, and even legitimate programs may need a cleanup afterwards.
Regards,
FF
-
From the DirectRevenue website:
Direct Revenue CTO Dan Doman said, "From a technology standpoint, Aurora represents a leap forward in connecting consumers to advertisers."
Direct Revenue CEO Joshua Abram said, "Aurora and MyPCTuneUp demonstrate our commitment to providing advertising partners, clients and consumers the best possible experience in behavioral marketing and search."
Clearly these people live on a different planet. Meanwhile, the people of Earth, or Illinois USA, anyway, have taken out a class action lawsuit against the company.
Far from having the "best possible experience", they are complaining that DirectRevenue are "involved in installing “spyware” on millions of computers without the computer owners’ consent, utilizing it to track the Internet browsing habits of the owners and then send them intrusive targeted “pop-up” ads."
Anybody with experience of DirectRevenue's products is invited to give their opinions:
http://netrn.net/spywareblog/archives/2005/06/12/directrevenue-responds-to-lawsuit/
-
Thanks for the info FF.
-
I'm kind of confused why Avast doesn't recognize Nail.exe as a trojan/spyware. There are a few other files that aren't recognized by avast. Avast could be THE method for removing Aurora infections if they'd recognize all components of it. http://www.virusspy.com
Avast picks up these
download.abetterinternet.com/download/UAC/Bolger.dll
download.abetterinternet.com/download/UAC/aurora.exe
download.abetterinternet.com/download/UAC/Poller.exe
download.abetterinternet.com/download/UAC/DrPMon.dll
download.abetterinternet.com/download/UAC/svcproc.exe
Avast does NOT pick up these. Of course avast recognizing nail.exe is a huge part to being able to remove it. Though there is another file that works in conjunction with Nail.exe, that if you delete Nail.exe, it will regenerate/download/copy it and it runs even in safemode because it locks itself to explorer.exe, so since explorer.exe runs in safemode, so does nail.exe and the other file that changes its name. To kill the processes in safemode, you have to kill explorer, then you can kill the processes and delete the files. However, since avast does the virus scan outside of safemode (the scan on boot), it would be PERFECT for ridding of this nasty one if it recognized all components of it. Kaspersky does according to what I hear, so a lot of people are being told to get kaspersky though I don't know if they do the "scan on boot".
(http:// removed so they aren't clickable)
download.abetterinternet.com/download/UAC/Nail.exe
download.abetterinternet.com/download/Poller.exe
download.abetterinternet.com/download/uacupg.exe
-
Ok, I just discovered that avast does recognize the other part of aurora as a trojan. So the only remaining file they really need to detect to be a (nearly) complete remover for Aurora, besides registry entries. Spyware Removal (http://www.virusspy.com)
download.abetterinternet.com/download/UAC/Nail.exe
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NAIL.B
trend micro picks it up. Since 5-30-05
kaspersky picks it up.
panda picks it up.
bitdefender picks it up.
Rav Antivirus picks it up.
clamav does not
f-secure does not.
However, as I stated before, avast is about the only one that can actually delete nail, since they offer the boot scan.
-
Hi forum members,
This is a page with a special fix for Aurora/ nail.exe: http://forums.maddoktor2.com/index.php?showtopic=5104&hl=nail\.exe
enjoy,
polonus
-
Let it be known that Avast will now remove all the evil little files of Aurora/Nail.exe (in boot-time scan only)!!!
-
I think the only people who would object would be DirectRevenue and their lawyers, but what exactly is Alwil's policy in regard to spyware? Are they ready for some lawsuits like symantec had to fight when they started to remove spyware? Have they sat down with their lawyers and writen up a protocol for when to add spyware components?
-
Directrevenue = U.S. company
Symantec = U.S. company
Avast = Czech Republic company
See the potential problem for directrevenue?
Just about every virus scanner under the sun is picking up nail.exe as a trojan anyways. Avast, Clamav and Norton are the only ones that weren't (per jotti, though antivir per jotti too but antivir did pick it up per virustotal.com). Besides all of that, avast was picking up ALL of the other important files for Aurora/Nail.exe except for nail.exe
AntiVir Found nothing (they must have old defs or an old scanner? cause virustotal says it is a trojan with antivir)
ArcaVir Found Trojan.Nail.B3
Avast Found Win32:Adan-093
AVG Antivirus Found Generic.EA
BitDefender Found Adware.Nail.A
ClamAV Found nothing
Dr.Web Found Trojan.Nail
F-Prot Antivirus Found W32/Stervis.B@bd
Fortinet Found W32/Nailed.A-tr
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.b
NOD32 Found Win32/Adware.BetterInternet application
Norman Virus Control Found W32/BetterInternet.C
UNA Found Trojan.Win32.Nail
VBA32 Found Trojan.Nail
The virus defs I got this morning was the start of the nail.exe being recognized as trojan/adware
-
Hi sorebie,
I think the only people who would object would be DirectRevenue and their lawyers, but what exactly is Alwil's policy in regard to spyware? Are they ready for some lawsuits like symantec had to fight when they started to remove spyware? Have they sat down with their lawyers and writen up a protocol for when to add spyware components?
I think this would be in the area of definitions. The only thing unwise to do is qualify this nail.exe as spyware, pest, parasite, malware, they could oppose the terminology, because they consider their program as legit, because they say they offered an opt-out or de-installer. To call it a Trojan is a technically justified definition and they cannot oppose the working of the executable as such, because it is not working like notepad executable e.g. The halting of tackling the precious spyware, because there are real big players involved and gigantic investments, is a legal tit-tat over the definition of what spyware actually is. So you can drag on and on, and prevent real action from being taken. I am also a member of the Dutch anti spyware offensief, a forum of people that think spyware makers are an anti-social element of the internet community, there these themes are often discussed.
greets,
polonus