
Thursday, October 13, 2005

Spyware-Aurora/ABI/Nail and others removal

This post is not complete, but it cannot be delayed given the threat that exists.

Hello. In this long overdue posting, it's time to write a step-by-step approach to virus/spyware removal for the masses.

To begin, first some explanation. Let's define spyware (source):
Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today. Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party. Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers. Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. 
Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
Now that that is settled, let's get into the nitty gritty. Visit here for the top spyware infections as listed by Computer Associates.

One of the latest threats is a piece of spyware known as Aurora. This pop-up producing spyware behaves very much like a virus. It is very hard to remove, as it invades Windows(r) Safe Mode as well as normal boot. Surprisingly, through careful testing (use friends' computers as guinea pigs), the fools responsible for Aurora make a removal tool that is actually your easiest way out of their mess. I know the skeptical are leery, but scans afterward with the right tools show little ill.

So let's get started with our removal. I think a procedural approach is best. To outline the overall process: we will detect, quarantine/eradicate, re-detect, analyze the unique ones, and then be rid of the pests. A note before we start: if your IE is so messed up that you cannot get to the links above and below, print this page.

1. We need tools to do this. While manual deletion and registry editing may be needed, it's wiser to let the professional tools do their job. We sometimes have to help them along with that task. The first is an updated and functioning antivirus solution. I highly recommend Symantec Antivirus products. However, whatever AV product you have, it's worthless if not updated. Take the time to update the software and spend the few bucks for the virus definition updates; it's chump change well spent.

Now, with that AV all updated, do a FULL SYSTEM scan of your computer. Viruses and adware/spyware will be detected. Delete and/or quarantine them if possible. It may take multiple scans. If the same ones get detected again, don't fret, we will get to them. For now, let's move on to spyware.

2. Again, tools, tools, tools. There are some great anti-spyware tools out there, but no single one is the end-all solution. Spybot, Webroot and MS AntiSpyware are my favorites. Get Microsoft AntiSpyware here. Install it, update it, and run a scan.

After the scan completes, you may have a list of threats that need to be addressed. I suggest going down the entire list and choosing Remove for all the threats. Continue with the removal of all threats. Now please run another scan and note any repeat offenders.

3. At this point we have a list of persistent threats from your AV and AS programs. Now we need to reboot into Safe Mode to better rid ourselves of those problems. So reboot your computer. Before you get the Windows "splash"/logo screen during boot, press F8 to get the boot menu. From there choose "Safe Mode" only. That means NOT Safe Mode with Networking or the other options.

Make your way into the diagnostic Safe Mode and choose Owner or Administrator if prompted with a login screen. Once in, open your antivirus program and do a full system scan. Delete the threats found, and if you cannot delete them, quarantine them.

Repeat with your Antispyware program. Also remove all threats where possible.

Do both again. Check to see who's left on your repeat offender list.
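Keeping the repeat offender list straight across the four passes (AV and anti-spyware in normal mode, then both again in Safe Mode) is easier with a little bookkeeping. The script below is an added example of mine, not from this post or any scanner vendor; the log layout, threat names, paths and result words are constructed, since each AV/AS product writes its own log format and you would adapt the parser to yours.

```python
from collections import defaultdict

# Constructed sample log (not output of any real scanner): one detection per
# line in a made-up "<pass>|<threat>|<path>|<result>" layout. Pass names follow
# the post's order: AV and anti-spyware in normal mode, then both in Safe Mode.
SAMPLE_LOG = """\
av-normal|Aurora|C:\\WINDOWS\\Nail.exe|quarantine-failed
av-normal|Trojan.Generic|C:\\temp\\setup.exe|deleted
as-normal|Aurora|C:\\WINDOWS\\Nail.exe|remove-failed
as-normal|SurfSideKick|C:\\Program Files\\SSK\\ssk.exe|removed
as-normal|TrackingCookie|C:\\Documents and Settings\\Owner\\Cookies\\ad.txt|removed
av-safe|Aurora|C:\\WINDOWS\\Nail.exe|quarantine-failed
as-safe|Aurora|C:\\WINDOWS\\Nail.exe|remove-failed
as-safe|SurfSideKick|C:\\Program Files\\SSK\\ssk.exe|removed
"""

PASS_ORDER = ["av-normal", "as-normal", "av-safe", "as-safe"]
SUCCESS = {"deleted", "removed", "quarantined"}  # constructed result words


def parse_log(text):
    """Map each threat name to its sightings as (pass, path, result), in pass order."""
    sightings = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        scan_pass, threat, path, result = line.strip().split("|")
        sightings[threat].append((scan_pass, path, result))
    for hits in sightings.values():
        hits.sort(key=lambda h: PASS_ORDER.index(h[0]))
    return dict(sightings)


def repeat_offenders(sightings):
    """Threats reported by more than one pass, even if some pass claimed success
    (a threat that keeps coming back after 'removed' is reinstalling itself)."""
    return sorted(t for t, hits in sightings.items() if len(hits) > 1)


def unresolved(sightings):
    """Threats whose most recent pass still could not delete or quarantine them."""
    return sorted(t for t, hits in sightings.items() if hits[-1][2] not in SUCCESS)


def report(text):
    """One line per repeat offender showing what each pass reported about it."""
    sightings = parse_log(text)
    return [f"{t}: " + ", ".join(f"{p}:{r}" for p, _, r in sightings[t])
            for t in repeat_offenders(sightings)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print("still unresolved:", unresolved(parse_log(SAMPLE_LOG)))
```

In the sample, Aurora is the one threat every pass fails on, which is exactly the kind of leftover step 4 is about.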

4. Now we need to address the repeat offenders. Visit the removal tool list for more help on your leftover threats. For AS threats, Google them for removal help. Many message boards have specific removal instructions. I will detail the one that was very hard for me: the Aurora/ABInetwork/DirectRevenue spyware.

Reboot so we are back in Windows normal mode.

SurfSideKick Removal
Aurora/ABI/Nail.exe Removal

5. Please post comments with your spyware names and links to removal resources!