Malicious Spyware Information
Informational Update - 11 August 2005
We received word today that Symantec had posted a very informative
and useful write-up at the following site:
http://securityresponse.symantec.com/avcenter/venc/data/adware.betterinternet.html
Informational Update - 28 June 2005
Before reading further, we invite you to visit the following site
(about which we received information this date) for background information about
who is responsible for the problems you're having:
http://www.pcpitstop.com/news/drnotice.asp
Informational Update - 20 June 2005
In the past several weeks (beginning on Friday, 8 April 2005) we have
received numerous e-mail messages regarding malicious popup windows appearing on
user machines worldwide that contain ''Aurora'' somewhere in the window.
Neither Aurora Networks nor any of its employees are in any way
associated with this obnoxious behavior or the miscreants responsible for their
creation.
Thanks to astute users who were kind enough to provide additional
information and our own additional research, we have now identified the
responsible organization(s) and the means of removing this software from your
system and have documented this information below.
We strongly encourage you to read through all of the information
provided on this page, despite its length, before taking any further action to
solve your problem.
One user noted a question mark next to the ''X'' gadget to close
one of the pop-up windows. Clicking on the question mark caused the following
text to be displayed:
"You are seeing these ads because you have received
software free of charge through an Aurora distributor. To support your free software and to
help keep the product free, please do not uninstall Aurora. Aurora is not ''spyware,''
does not collect any personal information about you, and is not malicious.
"If you do choose to uninstall Aurora contextual
advertising software, it can be safely and completely removed by going to
http://www.mypctuneup.com/aurora to get the uninstall
tool."
This link is incorrect. If you click on
this link you will receive a web page that informs you ''Forbidden - You don't have permission
to access /aurora on this server.'' While this link was functional at one point,
apparently the company responsible for these ads cannot (or will not) even maintain correctly
operating code with a link to the site with a tool for their removal. However, if you
instead use the following link, you can load the web page they (may) wish you to see:
http://www.mypctuneup.com
A link named ''EULA'' in small type appeared at the end of the above quoted
text. We, too, have visited this link (to find and read an End User License Agreement
for ''Aurora Advertising Software'' at http://www.abetterinternet.com/policies/aurora.htm).
This EULA states, in part, that it comprises a contract between you
(the end user) and ''BetterInternet, LLC, a Delaware corporation with a mailing address
of 2711 Centerville Road, Suite 400, Wilmington DE 19808-1660.''
We strongly encourage any of you who have been infected with this
software to read the entire EULA - you may find, as did we, some of the descriptions and
stipulations rather surprising. For example, Section 12 states:
"12. Termination and Removal of Software - By
entering into this Agreement, you represent to BetterInternet that you have intentionally
chosen to install the Software and that you will personally uninstall the Software from
your computer if you no longer wish the application to be present on your computer by
going to http://mypctuneup.com.
"While you may choose to delete the Software from
your computer at anytime by following the instructions herein, some third party applications
may attempt to delete, disable or modify the Software with or without notice to you. You
further represent to BetterInternet that BetterInternet may store a cookie, computer file
or other unique identifier on your computer to identify you and automatically repair or reinstall
the Software if any third party application attempts to delete, disable or modify the Software.
BetterInternet may terminate this Agreement or your right to continue to use the Software
at any time.
"Further, you agree that you will not initiate, permit,
authorize or assist any third party or application to remove the Software from your computer,
or disrupt its operation or the operation of any other user. You agree that removal of the
Software from your computer will only be performed by you pursuant to the instructions set forth
herein."
Finally, the EULA also notes that:
"If you have further questions about BetterInternet’s
privacy practices, you may contact us at contact@abetterinternet.com."
(Note: The above e-mail address has been implemented here as a working link so
that you may write to them, if you so choose, directly from this web page. It may also be
noted that if you click on the link named ''EULA'' at the bottom of any of the web pages on
the www.abetterinternet.com site, you will not be taken to the page displaying the
EULA for the ''Aurora Advertising Software,'' but rather one that displays the EULA for an
earlier incarnation of similarly functioning adware by this same organization. Furthermore,
clicking the ''Contact Us'' link at the bottom of any page presents a different postal address
than the one embedded within the EULA, to wit: BetterInternet, Inc., 107 Grand Street,
3rd Floor, New York, NY 10013, albeit with the same e-mail address as noted above.)
Based on link information provided in the EULA and additional information provided
by several users in e-mail to us, there are suggestions that the spyware uninstaller available
as a download from the site below (at mypctuneup.com) may successfully remove the subject
adware. However, no one at Aurora Networks has actually downloaded and tested this utility,
and your doing so will necessarily be ''at risk'':
http://www.mypctuneup.com.
Here is a screen capture of the top
portion of the above web page that may be of particular interest to our readers. Given the contents
of that web page, perhaps it would not surprise our readers to find that the owner of record of the
mypctuneup.com web site is the same as that for direct-revenue.com (of which abetterinternet.com -
the perpetrator of ''Aurora'' adware - is a division as noted on their own web site), that being
Thinking Media LP at 275 Madison Avenue, New York, NY 10016 as revealed by a ''whois'' search of
domain registrations. In other words, take note that the site that offers the uninstaller is directly
affiliated with the site maintained by the organization responsible for the pop-ups in the first place.
Again, while some reader feedback suggests that this uninstaller will, in fact,
remove related adware files from your system, we have also received feedback that an additional
step may be prudent (despite the terms of the EULA as stipulated above). One reader wrote:
"The mypctuneup uninstaller works but it sends out information
about your PC also. What information it is or how it will be used, I don't know. I found a solution
that worked for me." [The user then provided a link to a web site.]
"This fix removes the file C:\WINDOWS\Nail.exe, which is impossible to
delete otherwise. After doing this the problem was gone."
We received an e-mail message today (20 June 2005) from one of the authors of the
''aurora nailfix.zip'' file at NoIdea.US (alluded to above) in which the author writes, in part,
"I have posted an article on my site with instructions on how to USE the nailfix.zip program."
The writer requested that we post the following link here so that you may read a thorough description
of the steps required to also remove the Nail.exe program from your system. We are most pleased to do so
and thank the author for his contribution.
http://www.noidea.us/article.php/nailfix
In addition to the step-by-step instructions, you will find a link to the downloadable
''Nail/Aurora Spyware Fix from NoIdea.US'' in about the fourth paragraph from the top of the page; it and
other needed links are clearly identified.
Another user also wrote, after downloading and running the uninstaller software from
the mypctuneup.com site described earlier, that:
"It's very simple, takes about 3 minutes, and removes the adware.
Warning, will also remove the display of recent used applications from the windows start display,
but they are easy to rebuild."
Lastly, in the spirit of providing a full disclosure of the information that we discovered
regarding ''Aurora'' adware and its promoters, we offer the following additional information.
First, here is the link to the Direct Revenue press release of April 26, 2005 announcing
the launch of Aurora ''Ad Client'' software: http://www.direct-revenue.com/news6.php.
The press release denotes ''Aurora'' as a trademarked term (''word mark'') of Direct Revenue, and
provides the following point of contact information for further details: Jonathan Cohen, (646) 442-6366,
jcohen@direct-revenue.com. This press release is well
worth the time to read for a statement of their business view of this ''ad client.''
Perhaps also worth visiting is the top-level site for Direct Revenue at http://www.direct-revenue.com if you are interested in learning more
about this organization and its statements of intent.
Additional information about Direct Revenue from an admittedly rather different perspective
may be found at the following links:
http://forums.maddoktor2.com/index.php?showtopic=3601,
http://www.webhelper4u.com/directrevenue/directrevenuenews1.html and
http://www.freedomlist.com/forum/viewtopic.php?t=20334&highlight=,
and a complete Internet ''whois'' history of the direct-revenue.com domain may be found at:
http://www.webhelper4u.com/twhois/wdirect-revenue_com.html,
while the current whois information for abetterinternet.com (with same data for technical and
administrative contacts) is: BetterInternet, Reg Services, 459 Broadway - 4th floor, New York, NY 10013,
Phone: 646-613-0376, Email: domain@abetterinternet.com.
We wish to thank everyone who has taken the time to provide feedback and
additional information about these pop-ups and trust that you will find a satisfactory
solution to this problem.
Our Original Posting - 16 May 2005
In the past few weeks (beginning on Friday, 8 April 2005) we have
received numerous e-mail messages regarding malicious popup windows appearing on
user machines worldwide that contain ''Aurora'' somewhere in the window.
Neither Aurora Networks nor any of its employees are in any way
associated with this obnoxious behavior or the miscreants responsible for their
creation.
While we have no direct experience of this malware, we are posting
here both the above disclaimer and the following information (culled from a
Google search using the string ''aurora spyware'') that may prove useful in
finding a solution for this problem. The following links were considered to be
the most informative on this topic, though we cannot offer any opinion regarding
either their level of expertise or credibility with respect to solutions described
by the authors.
''Aurora Removal'' offers a helpful ''how-to'' message posted to
Bullguard's Antivirus Forum on 25 April 2005:
http://www.bullguard.com/forum/12/Aurora-Removal_13640.html.
''Aurora Spyware'' is another helpful message posted to Bullguard's
Antivirus Forum on 16 April 2005, with a response from another registered forum
member on 23 April at the bottom of the thread:
http://www.bullguard.com/forum/12/Aurora-Spyware_13085.html.
''Aurora? Sypware or Adware'' is a thread of responses on another forum related to this same subject:
http://castlecops.com/postitle115899-0-0-.html.
Another thread regarding this spyware appears on a Computing.Net forum board:
http://www.computing.net/windowsxp/wwwboard/forum/132409.html.
And a related thread on another forum board:
http://forums.techguy.org/archive/t-353323.html.
We strongly recommend reading through both of the last two above threads
before visiting the following site. There are suggestions in the above threads that the
spyware uninstaller available as a download from the site below (at mypctuneup.com) may
successfully remove the subject malware. However, no one at Aurora Networks has
actually downloaded and tested this utility, and your doing so will necessarily be ''at risk'':
http://www.mypctuneup.com/evaluate.php?b=aurora.
More generally, ''CompareSpywareRemovers'' [updated 25 April] is a site that
appears to offer side-by-side comparisons of a number of spyware removal tools:
http://www.comparespywareremovers.com/.
From the web site of Aurora Computer Technologies (a Canadian company - and one also
notes the company name), an informational page regarding spyware and ad-ware:
http://www.auroracomputer.ca/Spyware.htm.
Finally, a general information resource site regarding spyware, with links
to additional resources, may be found at:
http://www.homenethelp.com/web/explain/spyware.asp.
If you do happen to find a good, generic solution (i.e., one that could
be readily understood and implemented by the average user with low risk to their system), we would
be most appreciative and, with your permission, would offer to post it here for other victims. Please
send any such information with your contact information to webmaster@aurora.com.
Informational Update - 16 May 2005
We have received a number of courteous and informative replies from visitors who read
the above information and then proceeded to find solutions to this maddening problem. A representative
selection of visitor comments has been provided below for your consideration. Again, we cannot offer
an opinion or recommend one approach over another, but are sharing these for the benefit of anyone
who may be considering a solution. We would also like to gratefully acknowledge the contributions of
everyone who wrote; your feedback is sincerely appreciated. Finally, we continue to hope that the
perpetrators of this mischief will soon be caught and severely prosecuted.
Message 1:
"I have AOL. They have a free AOL Spyware program. The pop ups were so bad on all of our screennames
that I couldn't even get to a webpage. I am on dialup so it made it EXTREMELY frustrating. If you have AOL
you do not have to download anything just type in the keyword ''spyware'' and run it. The pop ups have stopped.
I hate these companies that do this, it is very unfair to you as a legitimate company. Thanks for your concern
and dedication to helping online users on your site."
Message 2:
"The fix for the Aurora spyware at www.mypctuneup.com/aurora is easy to manage - and so far works!
Key files with the adware are aurareco.exe, dc1.exe, dc2.exe, dc3.exe, nail.exe (the tough one!),
appqq*.exe."
Message 3:
"I really appreciated the suggestions on your site. I used myPCtuneup.com freeware and the Aurora pop
ups went away. Really easy to use too."
Message 4:
"I had tried everything. I purchased multiple adware, malware, and virus removal software and programs.
Until now, nothing helped. I have been getting numerous pop ups titled ''Aurora'' for weeks. It tracked the
things I was interested in and slammed one ad after another at me. At times, I couldn't click fast enough to
keep up with the piling windows on my screen. I was about to give up and hire the ''Geek Squad'' or some other
computer maintenance company to come and have a look inside my computer to see if they could rid me of the
annoying adware. I had even notified several companies to credit my account for their software because it
just didn't do what I needed done. (And frankly, it seemed the pop ups intensified when these programs were in
use: NoAdware and Xoftspy.) Then, I happened to read your assessment of the virus. I decided--just for the sake
of trying-- to use the link you offered: www.lavasoftusa.com/. It's only been about an hour, but so far, no
pop ups. That's amazing, being as the pop ups have been starting immediately upon booting up my computer and
every couple of minutes thereafter. I don't know how it worked, I simply installed an ''uninstaller'' which
worked immediately, no waiting, no scanning, it just worked. After a few seconds it informed me all the adware
in my computer had been uninstalled. My fingers are crossed. This seems to be the answer I and others have been
looking for. Best of all: It was FREE! Thank YOU!"
Message 5:
"I have AOL. I got warning of Trojan which was Abetterintrnt v2 type & a TopDownload Trojan. I tried
AOL spyzapper, McAfee virus scan, Ad-Aware se, & Spybot Search & Destroy 1.5 & none of these
stopped ''Aurora'' malicious adware. Virus scan found, deleted, & quarantined programs but they kept
coming back. I then got tech support technician who told me to go to Webroot.com & download Spy Sweeper
30 day free trial. I went to site & found new version Spy Sweeper 3.5 & downloaded it. Then I downloaded
updates & ran sweep. It did the Job, I had to run 2 scans but it picked up the reinstaller & denied it
execution as well as quarantined the TopDownload Trojan & then deleted it. I did have to rebuild AOL
adapter which was easy. I am 43 & this is my 1st computer which we bought in Feb. 05. So if I can do it
anyone can, I was computer illiterate until March of 05 so it can be done. Good Luck! Reply if you need more
specifics. The program can be purchased for $29.95 per yr. which is $2.50 per month. Has protection for
100,000 known spywares etc. Has a start up shield to protect against anything put on your computer without your
knowledge. Great Program! There is also a 4.0 version. WEBROOT.COM / SPY SWEEPER OR SPY SWEEPER 3.5 DOWNLOAD &
THEN DOWNLOAD UPDATES & THEN RUN TO GET RID OF ''AURORA'' MALICIOUS ADWARE."