How to ID & Avoid Aurora Pop-ups/Nail.exe Infection
Author: Forum Moderator (Group: Moderators)
Posted 5/13/2005 9:50 AM
One of Transponder's newer variants includes a replacement for their buddy.exe called Bolger.dll and Aurora.exe. This is a nasty infection that has been showing up everywhere in HijackThis logs around the security forum community. As such, I have provided some information about this .dll and its related files to promote awareness and help avoid infection.

Aurora comes from Direct Revenue LLC: aka Offeroptimizer and Abetterinternet.com.

Variant: Bolger.dll 
File Name: Bolger.dll 
CLSID: {302A3240-4805-4a34-97D7-1645A0B08410}
Size: 172032
Version: 0.12.4.96
CRC-32: C8D089EF
MD5: 67DA1E869864F3B17DBD66E58A3D29C5
File version: 0, 12, 4, 96
Company name: Bolger
Internal name: bolger

Components include: Aurora.exe, svcproc.exe, Poller.exe, uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html

- Svcproc.exe is the service which does not like to be stopped.

- Aurora.exe is their replacement for their buddy.exe that was created by the ceres.dll and speer.dll files.

- Thnall1ac.html is actually their thnall1ac.exe, which does the registry registration of the bolger.dll when the thnall1ac.html is called.

- Nail.exe is the main reinfestation agent that generates a randomly named *.exe file of around 74 KB in the %windows% %system% folder.

Webhelper4U has this posted on their site:

The Bolger.dll is foisted with exploits from the CWS loadcash.biz out of crackz.ws from the isearch bundled installer. Like the ceres.dll with the buddy.exe, some of their offeroptimizer ads are still peddling Spyspotter software, and their own popup ads act like adware types. For info on Spyspotter, see Eric Howes' Rogue/Anti-spyware pages.

Below is the bolger.dll -Aurora.exe ad window:

"Spyware or Adware may be installed on your computer. If you are experiencing frequent computer crashes, unwanted or incessant pop-up ads or slower speeds your system may have been infected with Spyware or Adware. Click 'OK' to scan your PC."

As stated on the Rogue/Anti-spyware list, false positives work as a goad to purchase some anti-spyware software, and others are installed via adware drive-by downloads.

Rule of Thumb: Pay attention to pop-ups and be careful of what you click. Sometimes even clicking anywhere in the body of a message will redirect to a link or start a download without your knowledge. Phishers use this a lot.

WHAT TO DO IF YOU GET INFECTED:

Please read and follow all instructions provided in the sticky at the top of the Hijack This Forum titled "READ BEFORE POSTING HIJACK THIS LOGS" found here.

When you have done that, follow the instructions for posting a log into the Hijack This Forum [not here] for evaluation.

__________________________________________

"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security

Post #161369
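An added triage helper (my example, not part of this post or of any tool it mentions): it computes size, CRC-32 and MD5 in the same notation as the table above so a suspect file's bytes can be compared against the listed Bolger.dll values, and it picks out HijackThis-style log lines that name a listed component or the Bolger CLSID. The sample log lines are constructed for illustration, and the comparison assumes the listed values are plain hashes of the file contents.

```python
import hashlib
import re
import zlib

# Indicators for the Bolger.dll variant exactly as listed in the post.
BOLGER_INDICATORS = {
    "size": 172032,
    "crc32": "C8D089EF",
    "md5": "67DA1E869864F3B17DBD66E58A3D29C5",
    "clsid": "{302A3240-4805-4a34-97D7-1645A0B08410}",
}

# Component file names called out in the post (compared case-insensitively).
COMPONENT_NAMES = {"bolger.dll", "aurora.exe", "svcproc.exe", "poller.exe",
                   "uacupg.exe", "nail.exe", "drpmon.dll", "thnall1ac.html"}


def fingerprint_bytes(data):
    """Size, CRC-32 and MD5 of file contents, formatted like the post's table."""
    return {
        "size": len(data),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest().upper(),
    }


def matches_bolger(data):
    """True only when size, CRC-32 and MD5 all equal the listed Bolger.dll values."""
    fp = fingerprint_bytes(data)
    return all(fp[key] == BOLGER_INDICATORS[key] for key in ("size", "crc32", "md5"))


def scan_log(text):
    """Return the lines of a HijackThis-style log that name a listed component
    or the Bolger CLSID; unrelated entries (e.g. ctfmon.exe) are left out."""
    clsid = BOLGER_INDICATORS["clsid"].lower()
    hits = []
    for line in text.splitlines():
        low = line.lower()
        names = re.findall(r"[\w-]+\.(?:exe|dll|html)\b", low)
        if clsid in low or any(name in COMPONENT_NAMES for name in names):
            hits.append(line)
    return hits


# Constructed sample log lines (not a real HijackThis log) for a quick self-check.
SAMPLE_LOG = """O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll
O4 - HKLM\\..\\Run: [Nail] C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: svcproc - Unknown owner - C:\\WINDOWS\\svcproc.exe"""
```

Feed `matches_bolger` the bytes of a suspect file read from disk; a name match alone is not enough, since Nail.exe drops randomly named copies, so the hash comparison is what confirms the listed variant.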