redxii
Premium,Mod
join:2001-02-26
Battle Creek, MI

1 edit

ABetterInternet: The EULA, Removing Aurora

I was investigating ABetterInternet's EULA, and found the following:

quote:
3. Uninstall and Remove Software - You may uninstall the Software at any time by visiting www.mypctuneup.com. Other attempts to uninstall the Software, such as via anti-spyware software, will not effectively uninstall the Software, and may result in the Software re-installing itself. Visiting www.mypctuneup.com is the primary method to properly remove the Software. MyPCTuneUp will leave behind a unique identifier on your computer for the sole purpose of notifying ABI that you no longer want the Software to operate on your computer.

I haven't actually been infected and don't know as to mypctuneup.com's effectiveness.

I hope this helps someone.

Also:
"5. Security - ABI is dedicated to helping to ensure the security of your computer."
--
Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Windows Security Blog


dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
kudos:18

1 edit

"Software re-installing itself."

Isn't that what Malware does? A virus? Trojan? Worm?

Uhhh...

"Save any work from programs you may already be running and close all programs. These include email programs, Internet browsers, and all others. Please keep in mind, however, that you will still need to be connected to the Internet.

Close all 3rd-party firewalls, such as Norton Antivirus or McAfee Firewall. These might interfere with MyPCTuneUp connecting to the Internet. You can always turn these programs back on later."

Why does this sound sketchy?



redxii
Premium,Mod
join:2001-02-26
Battle Creek, MI

I would think so. For god's sake, when is a million EXEs required to be a simple ad server? Here is a short list of files it can create (my test computer):

Upon running Aurora.exe, the following items are created:
- Deletes Aurora.exe & creates C:\WINDOWS\Nail.exe, then a chain reaction:
C:\WINDOWS\system32\Poller.exe, which creates C:\WINDOWS\system32\magihjz.exe [This may be a random filename]
C:\WINDOWS\svcproc.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\qvbdnifharv.exe
C:\WINDOWS\dbwqis.exe
C:\WINDOWS\GGEEINPO.ini
C:\WINDOWS\system32\magihjz.exe
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\lu.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\kwv2Temp.dat
C:\WINDOWS\wupdt.exe
C:\WINDOWS\TMP_FILE_0.tmp
C:\WINDOWS\TMP_FILE_1.tmp
C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
Populates Internet Explorer cache with ads and tracking cookies, and populates the user's Temp folder.

Creates a Run entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for wupdt.exe & magihjz.exe so that it runs when the user restarts.

ALL THAT, for a measly ad serve.

If you look closely: C:\WINDOWS\wupdt.exe. That looks an awful lot like "Windows Update".
--
Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Windows Security Blog



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

reply to redxii

said by redxii:

MyPCTuneUp will leave behind a unique identifier on your computer for the sole purpose of notifying ABI that you no longer want the Software to operate on your computer.

Something to remember them by. How sweet.
But if you're naughty will put it back, we did it once

Cudni
--
When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth.
Help yourself so God can help you..it does exactly what it says on the sig


dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
kudos:18

Ok, how do we remove that "Unique Identifier"? It's still crap I don't want on my machine...



redxii
Premium,Mod
join:2001-02-26
Battle Creek, MI

»netrn.net/spywareblog/archives/2···nailexe/

the Aurora Ad Client is compliant with the branding and removal standards of all major proposed Federal legislation relating to online contextual ads such as HR 2929.

So our government is making it so damn hard to remove?
--
Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Windows Security Blog


psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to redxii

said by redxii:

Upon running Aurora.exe, the following items are created:
- Deletes Aurora.exe & creates C:\WINDOWS\Nail.exe, then a chain reaction:
C:\WINDOWS\system32\Poller.exe, which creates C:\WINDOWS\system32\magihjz.exe [This may be a random filename]
It is. I just got done cleaning a box infected with this...if you kill that particular program while it is running, one of the other components of the malicious application creates another random file name and reinstalls the autostart entries for it.

But the infection is a bit more widespread than that, including some protection DACLs on the executables and the svcproc.exe was running on the system as a "hidden" service (although the Registry backing on the SCM settings was visible).

And by the time I saw the box, it had at least a couple of other trojans running on it (a Randex variant being one).

(This is with NAV 2005 supposedly up to date, too.)

Sadly, cleanup would have been much faster in person with a BartPE CD...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
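
The autostart behaviour described in redxii's file list and psloss's cleanup report, as an added example that is not part of either post: a small triage pass over `reg query` output for the HKLM Run key. The file names come from redxii's list; the "review" rule for unlisted executables sitting directly in C:\WINDOWS or system32 is an assumption added here because psloss reports the name being regenerated at random, and the sample output is constructed.

```python
import ntpath
import re

# File names taken from the file list in redxii's post.
LISTED = {"nail.exe", "poller.exe", "svcproc.exe", "tdtb.exe",
          "qvbdnifharv.exe", "dbwqis.exe", "magihjz.exe", "wupdt.exe"}
# Directories that post shows the executables being dropped into.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# One value line of `reg query` output: name, type, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def exe_path(command):
    """Return the executable path of a Run command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def triage_run_key(reg_query_output):
    """Classify each Run value as 'listed', 'review' or 'other'."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        path = exe_path(m.group("data"))
        folder, base = ntpath.split(path.lower())
        if base in LISTED:
            verdict = "listed"   # name appears in the posted file list
        elif folder in DROP_DIRS and base.endswith(".exe"):
            verdict = "review"   # assumption: a regenerated random name would land here
        else:
            verdict = "other"
        findings.append((m.group("name"), path, verdict))
    return findings

# Constructed sample output, not captured from an infected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    wupdt    REG_SZ    C:\WINDOWS\wupdt.exe
    xkqpzt    REG_SZ    C:\WINDOWS\system32\xkqpzt.exe
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
"""

if __name__ == "__main__":
    for name, path, verdict in triage_run_key(SAMPLE):
        print(f"{verdict:7} {name:12} {path}")
```

A "review" hit only means the entry deserves a manual look, since legitimate programs also start from system32. The Run key is one of several footholds psloss mentions, so the hidden service and the DACLs on the executables need checking separately.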


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

reply to redxii

said by redxii:

I was investigating ABetterInternet's EULA, and found the following:

quote:
3. MyPCTuneUp will leave behind a unique identifier on your computer for the sole purpose of notifying ABI that you no longer want the Software to operate on your computer.
Hmmmm, over in »Is this a setup for more Aurora Problems?, Hank Roberts claimed to work for Direct Revenue and also claimed the uninstaller "removes Aurora and other Direct Revenue apps without installing anything new"

So much for that claim.
--
TheJoker


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 edit

Maybe his claim is true in case the identifier was placed initially with software and left behind by un-installer

edit: made some sense

Cudni



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to dadkins

said by dadkins:

"Software re-installing itself."

Isn't that what Malware does? A virus? Trojan? Worm?

Uhhh...

"Save any work from programs you may already be running and close all programs. These include email programs, Internet browsers, and all others. Please keep in mind, however, that you will still need to be connected to the Internet.

Close all 3rd-party firewalls, such as Norton Antivirus or McAfee Firewall. These might interfere with MyPCTuneUp connecting to the Internet. You can always turn these programs back on later."

Why does this sound sketchy?
Damn right it's sketchy. While I've yet to accidentally infect myself or be infected by anything, until recently, about 6 months ago, I had not installed any service packs on XP. As we all know, no service pack and Sasser can infect you, as can Blaster.

Say new user with Dell PC gets hit by ABI. They follow these removal instructions and have no router. They turn off the firewall, go to MyPCTuneUp, and while removing this crapware they are hit by Sasser. Now not only will they not likely ever get ABI removed, they are also infected by Sasser.
--
DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel
Open source DNS server for *nix and Windows »powerdns.com


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to redxii
check this out

"The MyPCTuneUp uninstaller program will never collect any personally identifiable information, it will not install any additional programs, and it will delete itself once it finishes the uninstall process." Yet the eula says

"Visiting www.mypctuneup.com is the primary method to properly remove the Software. MyPCTuneUp will leave behind a unique identifier on your computer for the sole purpose of notifying ABI that you no longer want the Software to operate on your computer."

Contradicts big time. MyPCTuneUp may not collect any information, but they plant crap on your computer so that ABI can track you. I'm not about to install this crapware on my comp. So does anyone know what they use to do this?
--
DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel
Open source DNS server for *nix and Windows »powerdns.com



cheezhead19

@qwest.net

reply to redxii
Thanks so much for finding that info. That piece of garbage was annoying the hell out of me until your advice helped me get it off my machine. Thank you.



jon713

@cox.net

reply to redxii
So how does one remove the Aurora thing? I've tried numerous times but can't get it off my machine. Thanks.



fffddd

@aci.on.ca

The website works... no more Aurora.


LS MikeW
Premium
join:2005-03-23
Broadway, NC

reply to redxii
Hello RedXII1234,
Can you submit these files and any others you have noticed using our on-line submission page (»www.lavasofthelp.com/submit/)?



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

3 edits

reply to redxii
Hello RedXII1234,
I infected a winxp and a win98 this AM with Aurora and used the mypctuneup..without blocking its action with any firewall or other "Anti" program running..it cleaned all of it off and did not leave any calling cards when finished.

As psloss pointed out in his experience..I have the same with regard to the majority of PCs with Aurora..because of their surfing and download habits..they are infected also with other malware bundled packages.
When you investigate with those users first hand..you will understand how they got some of them or all of them..not just the Aurora in the first place.

I help them curb that activity. It is not worth it.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

reply to redxii

said by redxii:

So our government is making it so damn hard to remove?
No, the actual situation is that your government is not making it not so damned hard to remove.

That's a serious comment. All Aurora is saying is that they're not breaking any laws.

There are no laws compelling Aurora to make your life difficult.
--
back from the shadows again...


redxii
Premium,Mod
join:2001-02-26
Battle Creek, MI

reply to LS MikeW
I'm gonna try reinfecting my test computer and upload the files. My attempts to do so have been futile because Aurora is conflicting with itself, making it near impossible to get most of those files back.



dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
kudos:18

LMAO! Aurora is conflicting with itself? That's rich!


GameGuy369

join:2004-07-09
Olathe, KS

reply to redxii
I got infected with it, and it was truly fun removing it. Eventually I learned well enough to hit it in all directions at one time by scanning with KAV, Microsoft Anti-spyware, Spybot S&D, and HiJackThis!

That combo took it down finally. But it was a painful process.

