IVE TRIED IT ALL and aurora is still here


The_Egg's Avatar
Senior Member with 1,157 posts.
 
Join Date: Sep 2002
20-Apr-2005, 10:22 PM #16
Because AcaCandy (admin here) said it works, and so does everyone else who's tried it :/
dvk01's Avatar
Moderator with 24,752 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
21-Apr-2005, 01:37 AM #17
They are the partners with the scum who develop this

the company that has done the developing is very well known in the malware field as scumbags but the uninstallers do work and all tests done haven't found any ill effects from it

This site http://www.webhelper4u.com/ deals entirely with these transponder/direct revenue scumbags and the author of the site is widely acknowledged as the expert on these pests. I have been in contact with him and he has confirmed that the uninstaller does work and in all his tests nothing has been extra installed

there are some cases where it doesn't get it all but we can normally clean those up once the uninstaller has got rid of the worst

The main problem is that this one also gets bundled with other adware/spyware that the uninstaller doesn't fix
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller

please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
Smitty21's Avatar
Junior Member with 6 posts.
 
Join Date: Apr 2005
Experience: Advanced
21-Apr-2005, 10:51 AM #18
OK, I took your word for it & tried the uninstaller. It appears to have worked. I ghosted the hard drive first to find out what changes were made to the Registry. One of the pop-ups I got asked for my eBay information. That's a little worse than just simple advertising. I'm going to report them to eBay.
dvk01's Avatar
Moderator with 24,752 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
21-Apr-2005, 03:02 PM #19
Smitty21


do you use Zonealarm as one of the things that can be affected by this pest is Zonealarm and as ZA can maintain an ebay password.
If the infection is gone - perhaps fry the contents of the C:\WINDOWS\Internet Logs where ZA keeps its config and reconfigure it ? -- or reinstall ZA
OBP's Avatar
Distinguished Member with 6,560 posts.
 
Join Date: Mar 2005
Location: UK
Experience: An old Basic Programmer
21-Apr-2005, 04:03 PM #20
dvk01, this poster couldn't get the Un-install to work.
http://forums.techguy.org/t354356.html
Smitty21's Avatar
Junior Member with 6 posts.
 
Join Date: Apr 2005
Experience: Advanced
21-Apr-2005, 10:45 PM #21
No I don't use Zone Alarm. The eBay pop-up had Aurora on the Title Bar. I took a screen shot & sent it to eBay. Thanks for the help though everyone.
dvk01's Avatar
Moderator with 24,752 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-Apr-2005, 02:04 AM #22
can you also send a screenshot to me please so I can pass it on to the people who are really keeping an eye on these aurora/direct revenue scum so it can be added to the list of bad behaviour that this causes

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files
Smitty21's Avatar
Junior Member with 6 posts.
 
Join Date: Apr 2005
Experience: Advanced
22-Apr-2005, 08:35 AM #23
ok, dvk01, it's done. Hopefully eBay will bust em because I doubt eBay would approve that. It's not asking for my current eBay info like I thought, it's asking me to register and asking for my date of birth, etc.
dvk01's Avatar
Moderator with 24,752 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-Apr-2005, 11:15 AM #24
I've passed it on and this is the reply

Quote:
That is their aurora.exe which is the same as their buddy.exe for their offeroptimizer ads. It is an online form to join ebay. Now, during the uninstall process, the transponder will still send out a routine checkin which can then kick in a transmission from their offeroptimizer ad server which can popup an ad at the same time they are online to uninstall the transponder and components.

After the uninstall it will still send one or more transmissions until the dll or exe is not loaded as a process and that means users would have to click the YES to restart the computer when the box is shown or you will still get transmissions because the files are still loaded into memory.

It seems that ebay do have an affiliate scheme whereby people can get a small payment for referring a new user to ebay. Obviously these scum have got an affiliate account and are making money from ebay sign ups

Complaints to ebay and keep complaining is the only way to have their affiliate account removed

Edit: it looks like there is a LOT of money in the ebay affiliate scheme http://affiliates.ebay.com/?ssPageName=home:f:f:US
Smitty21's Avatar
Junior Member with 6 posts.
 
Join Date: Apr 2005
Experience: Advanced
22-Apr-2005, 08:36 PM #25
That's good info. Hopefully, I'm not the only one that's complained and hopefully there's some kind of fine print in the affiliate agreement they abused. But then they'll probably just sign up under another DBA name and start over.
maddspd's Avatar
Junior Member with 5 posts.
 
Join Date: Apr 2005
Experience: Manager of Technical Services with MicroHelp, Inc.
23-Apr-2005, 12:24 AM #26
I'm tired of this...
Well, I got this same thing too... I was on limewire and downloaded some file with the name "keygen" in it. I work at a computer shop, so I know what I'm doing, and have McAfee, SpySweeper, Adaware, SpyBot, SpySubtrack, CWS, and XoftSpy; all of which have current updates.

Upon running this file called keygen, nothing happened, so I double clicked again... still nothing. So I scanned that directory for viruses. Nothing. Used all of the above software to scan for adware/spyware. Nothing. Performed a full system scan using each one of the above pieces of software. Still nothing except a few cookies SpySweeper wanted to delete.

I had the same randomly named .EXE file in my task list, and every time I ended it, it was renamed and restarted... no matter how fast I tried to delete the file before it got renamed, I just couldn’t do it. I also found out that "Nail.exe", "pohoignlfyy.exe", and "svcproc.exe" were related to this, so I went into safe mode and deleted everything I could find. I also cleaned out the registry where it said the shell was "Explorer.EXE nail.exe" and everything else that people have mentioned before this post.

Well, tonight, at a friend's house, I noticed that same darn aurora thing on his CPU when he opens mozilla. So now I'm back... I wanna figure this out! I've been getting random lockups, and I just reinstalled windows on here a couple weeks ago...although the lockups could be related to my cooling... 2 days ago, my room was 90 degrees because the AC doesn’t work upstairs and because of the pollen, I could not open the Window, so my Athlon XP 2600+ was running at about 56-60 degrees C.

Next, I sent those files ("Nail.exe", "pohoignlfyy.exe", and "svcproc.exe") and the randomly named file in the system32 folder to COMPUTER ASSOCIATES for analysis. I got an email back from some guy telling me it was related to VX2 transponder, another site told me it was related to ABetterInternet. Computer Associates also told me "The file has been identified as Win32.SillyDl.LR trojan. Aliases reported by other Antivirus products are listed here: (Trojan.Win32.Agent.cp) (BackDoor-CQQ) (Trojan Horse)"
After submitting it to McAfee's AVERT Labs in Tokyo, they told me: "These files are being considered for inclusion in our potentially unwanted program (PUP) definition files. If the sample meets our PUP criteria, detection and removal will be supported in a future DAT release for qualifying products." I also got the idea from somewhere that this was related to something called "Buddy" virus.... don't remember where I got that info from...

About a week ago, SpySweeper came up and told me that it detected "ABetterInternet" running--this was like right after I had updated definitions from SpySweeper... After doing a full scan, SpySweeper removed it. I then downloaded the plug-in for Adaware (I think it was called VX2) and some other VX2 fix tool from Symantec and ran those, which found nothing. I thought that maybe I had gotten rid of it, but as I was using Adobe Premiere yesterday, I noticed the Aurora in the taskbar... I’m thinking that if you have a fast computer, you will see that task bar less, because it comes and goes so fast. But since my CPU was bogged down converting video, I was able to see that task bar icon for a good 10 seconds.
Anyways, I just did another REGEDIT and deleted some folder named "aurora"

Now I'm stuck... there's really nothing left I can think of to do... The file with the random name is no longer running in the task manager, and all of the "svchost" are either "SYSTEM", "LOCAL SERVICE", or "NETWORK SERVICE"... none with my user name, like a regular program would have... BUT, I still see this aurora sometimes... I'm not getting any pop-ups, although come to think of it, I did get one popup a couple of seconds after I click that original "keygen" file when I opened internet explorer, but none after then...

I have not tried the uninstall link that was provided because those usually contain more crap and are fake... PLUS, the person who was told to try it seems to be having the trouble still...as you can tell by his response with that eBay scam that popped up.


Anyways, just wondering if anyone had any other insight to this nasty thing... I might just give up for once and reformat again, since I just reformatted a couple weeks ago!

Talk to ya later,
Andrew Bucklin
Manager of Technical Service, MicroHelp, Inc.
dvk01's Avatar
Moderator with 24,752 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Apr-2005, 03:54 AM #27
Andrew

The uninstall link does work and is the easiest way to deal with this one
maddspd's Avatar
Junior Member with 5 posts.
 
Join Date: Apr 2005
Experience: Manager of Technical Services with MicroHelp, Inc.
23-Apr-2005, 02:34 PM #28
Well, I just downloaded the "uninstall" from that website, http://www.mypctuneup.com/evaluate.php and ran it. At first, it asked to access the internet, so I blocked it, but it then gave an error message, so I went back and allowed it... Then another window asked for internet access so I allowed that one too... I typed in some verification code and then told it to go ahead... It shut down all internet explorer windows and deleted this Browser Page:

"CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/s................"

and then it re-added the above entry...
Also, while doing this, Webroot's SpySweeper got some updates and told me it found ABetterInternet running in memory... I skipped the scan for now and I'm about to go ahead and let the uninstaller reboot my system...

BRB...
maddspd's Avatar
Junior Member with 5 posts.
 
Join Date: Apr 2005
Experience: Manager of Technical Services with MicroHelp, Inc.
23-Apr-2005, 02:50 PM #29
It worked!! ...So far...
Well, it seems as though that worked.... So far...
I did a quick scan of the registry to see if "aurora" was found but nothing... Still no weird task running and I'm not seeing that quick taskbar flash of "aurora"...

I have yet to do more scans using all the adware/spyware/virus software, but I doubt I'll find anything... However, if I do, I promise to come back and post something... but if you don't hear from me again, my advice would be to use that uninstaller.... probably the first uninstaller I've seen that actually uninstalls it!

Later,
Andrew
fox37's Avatar
Junior Member with 1 posts.
 
Join Date: Apr 2005
Experience: Multimedia, not techie!
25-Apr-2005, 02:13 AM #30
Killed aurora!
You legends... i'd been getting an increasing number of empty Aurora popups for a few days before i considered them malicious. i'm using Firefox and run spyware scans once a week.

after reading the first part of your thread, i thought i'd need to wipe and reload my PC, cos i got lost in the techie instructions.

BUT when i dubiously followed the uninstall link it worked!!
here it is for anyone who missed it:
http://www.mypctuneup.com/evaluate.php
All times are GMT -4.