I popped in to see a friend (and coder for my company) today. He had this Aurora adware rubbish on his machine. Now, I don’t know how the rest of you feel about adware, but as far as I am concerned these people should be arrested and the key thrown away. I hear a lot about things being “done” against these companies / coders that write this crap, but as of yet I do not see any real action…. If you want to know who released this adware, well they are here: http://www.direct-revenue.com/news6.php – I have never read so much crap in my life! Grrrrrr….
Anyway…. I would consider both my friend and I resonably good technical people. We run the latest patches, the latest antivirus, the latest spyware scanners…. but since my friend shares his machine with others, obviously a site was visited by another user and this stuff got on the machine. Probably something like “Your machine is infected with blah blah blah…. click here to save yourself” Click….. Ummm urrr…. whats this new casino software? (I am sure the user probably clicked on the X and it still installed….)
So, I before I give you some info on removing this Aurora (nail.exe) rubbish, let me pose a question…… If people like me, and people like my coder friend can get infected, and can have 4 hours of our lives destroyed trying to remove this adware, what hope has the average home user got? The answer is of course simple…. They have NO hope.
The Nail.exe process loads on the back of explorer.exe in the Winlogon Shell registry entry. Therefore removal is a disaster. Basically you must crash the explorer to remove the process… how can this be allowed to happen? What can Microsoft / Antispyware companies do about this? Hell… I don’t know, I install servers….
I managed to get this spyware off the machine after many hours, but some key points you should know are:
- MS Antispyware, Adaware, Spybot and some other antispyware programs did not remove it, even though they reported they had. All they did was get rid of the registry entries and older EXE’s the adware had created.
- There is a service that you need to kill called “System Startup Service” c:windowssvcproc.exe
- There is an EXE that you need to kill called c:windowsnail.exe
- This program, even when you kill the process or RANDOM exe it creates will keep reloading because it is “tagged” on the back of explorer.exe
- You will need to reset the shell entry in the Winlogon registry key to “explorer.exe”, but to do this, you must be in safe mode and AFTER loading your tool to clean and scan end the explorer.exe process using CTRL-ALT-DEL.
As well as the antispyware scanners, the other tools I used were ProcessExplorer and Autoruns from www.sysinternals.com as well as HiJackThis.
Oh, and by the way…. I just found this blog post on the same subject where you can get the telephone numbers and contact details for the CEO of this company and tell him how annoyed you are directly.
There is yet more on this blog… http://netrn.net/spywareblog/archives/2005/07/31/aurora-explodes-again/
I tell you… I REALLY hope that some other big corporation, like Microsoft, helps us users fight and destroy these companies… it is so annoying!