_____________________________
UPDATE – 07-06…
Symantec has made a tool for removing Nail.exe; the tool and some more info can be found here:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-110817-5810-99&tabid=3
_____________________________
The Aurora spyware (also known as Nail.exe) is VERY difficult to remove!
I hope the following helps….
The way to tell if you have Aurora is two-fold:
First, check for Nail.exe in the C:\Windows directory. If it's there, delete it. If it reappears, Aurora is at work on your system.
The other place to check is in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
The Shell key will have the value "Explorer.exe c:\windows\nail.exe".
If you try to change this setting back to "Explorer.exe" on its own, the Aurora software automatically rewrites it to include the reference to nail.exe.
To stop the behaviour noted above, PRINT THIS PAGE and take the following steps:
| Action | Note | Done |
|---|---|---|
| Login as a user with Admin rights. | | |
| Start Task Manager and find the 8-character .exe process that is running under your login name. Kill that process and note that another 8-character process starts immediately! Note the name of this new process. | | |
| Turn off System Restore on Me and XP. | | |
| From a command prompt, change the contents of nail.exe so that it can't function. | Click 'Start', then 'Run', type 'command' and click 'OK'. In the command window type `CD C:\Windows`, then type `dir>nail.exe`. | |
| Reboot and login as a user with Admin rights. | You can ignore the error; we're about to fix it! | |
| At the command prompt do the following: change to the Windows folder, delete Svcproc.exe, delete DrPmon.DLL and delete Nail.exe (as this is really the file YOU made, you could leave it and it 'might' stop Aurora from infecting your PC at a later time!). | Type: `CD C:\Windows`, `Del svcproc.exe`, `Del drpmon.dll`, `Del nail.exe`. | |
| Start the registry editor and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. | Type `Regedit.exe`. In each of the two Run keys, check for the 8-character .exe file, select it and delete it. In Winlogon, edit the Shell value and remove the ending to leave only Explorer.exe. | |
| Login as a user with Administrator rights. Install and run Cleanup40.exe, install and run Spybot, install and run Ad-aware. | http://www.safer-networking.org/en/index.html | |
| Turn System Restore back on. | DON'T FORGET THIS BIT!! | |
| Thank Microsoft for building such a secure system :) Thank Direct Revenue for writing a tool that targets you with popups! :( | | |
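The two indicators described above (nail.exe in the Windows directory and the tampered Winlogon Shell value) plus the Run-key and process checks from the table can be inspected in one read-only pass. The following PowerShell script is an added example written for this page, not a tool from the original post or from Symantec; it assumes it is run in an elevated session on the affected machine and only reports, never deletes.

```powershell
# Added example: read-only check for the Aurora/Nail.exe indicators on this page.
# Assumption: elevated PowerShell on the affected machine. Nothing is modified.
$findings = @()

# 1. Dropped file in the Windows directory.
$nail = Join-Path $env:SystemRoot 'nail.exe'
if (Test-Path $nail) {
    $findings += "File present: $nail ($((Get-Item $nail).Length) bytes)"
}

# 2. Winlogon Shell must be exactly explorer.exe; Aurora appends nail.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 3. Run keys: flag entries whose executable has an 8-character name.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        # First token of the command line; paths containing spaces are a known limitation.
        $exe = [IO.Path]::GetFileName((([string]$p.Value -replace '"','') -split '\s+')[0])
        if ($exe -match '^[a-z0-9]{8}\.exe$') {
            $findings += "Run entry '$($p.Name)' in $key launches $($p.Value)"
        }
    }
}

# 4. Running processes with 8-character image names. Many legitimate Windows
# binaries also have 8-character names, so a few are excluded; review the rest by hand.
$knownGood = 'explorer','services','winlogon','smss','csrss'
Get-Process | Where-Object {
    $_.ProcessName -match '^[a-z0-9]{8}$' -and $knownGood -notcontains $_.ProcessName
} | ForEach-Object {
    $findings += "Process $($_.Id): $($_.ProcessName).exe ($($_.Path))"
}

if ($findings.Count -eq 0) { 'No Aurora indicators found.' } else { $findings }
```

The process-name heuristic is deliberately loose, matching the post's own "8 character .exe" description; treat its hits as leads to confirm against the file and registry findings, not as proof on their own.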
Other links that might help…
- Help from Dell: http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=6790
- Download Nailfix and run it from Safe Mode.
- Go here for additional help in booting into Safe Mode.
- Direct Revenue, the company that gave us Aurora, has a removal tool on this site: http://www.mypctuneup.com/evaluate.php
  NOTE: This seems to work for some, BUT you have to agree to let them collect information about you and your PC BEFORE you can install this removal tool. Use at your own risk! That said, no users have reported problems after using this tool.
- Read what other users are doing to fight back at Direct Revenue: http://netrn.net/spywareblog/archives/2005/05/10/got-aurora-nailexe/