Category Archives: Field Reports

Cleanup reports of startupware from the real world.

Infection Report

Did another spyware cleanup today. User reported that a spyware cleanup tool appeared immediately after running Windows Update. Guess: the update process changes some Internet Explorer settings back to defaults (known), and at that point, a third-party toolbar sitting in the “c:\winnt\downloaded program files” folder was able to run a delayed install.

Moral of the story: Empty the downloaded program files before running Windows Update. Easy method: use Drive Cleanup, from My Computer, Control Panel, right-click on the drive, choose Properties, Tools (tab), and Drive Cleanup. Or just navigate to the folder and wipe out the contents manually.


Now you see it… Reboot, you don’t.

Yes, indeed. Very clever, these spyware authors. Working on a cleanup, found a spyware component (turned out to be part of Aurora) that the usual cleanup tools could find but could only remove on restart. Restarted, and amazingly, it’s gone. Only not; it has a new name. Seems this one randomly renames itself on shutdown, so the only way to delete that file is to cut power, restart in safe mode, and delete it. Got Aurora? (It pops up ad messages with ‘Aurora’ on the task bar.) Don’t do it–there are also some other self-repair features involved in Aurora, and it’s not enough just to get that file. Do a Google search for ABIremover.zip and the instructions that go with it.

On the same system, found viruses galore, mostly trojans. And Bube, and Home Search Assistant, and a few other self-healing malware delights. Truly a combo platter. Took multiple passes to turn the doorstop into a computer again.
