The Artima Developer Community

.NET Buzz Forum
Aurora (Nail.exe) spyware fix

Steve Hebert

Posts: 218
Nickname: sdhebert
Registered: Apr, 2005

Steve Hebert is a .NET developer who has created the .Math compiler library.
Aurora (Nail.exe) spyware fix Posted: Jul 18, 2005 12:52 PM

This post originated from an RSS feed registered with .NET Buzz by Steve Hebert.
Original Post: Aurora (Nail.exe) spyware fix
Feed Title: Steve Hebert's Development Blog
Feed URL: /error.htm?aspxerrorpath=/blogs/steve.hebert/rss.aspx
Feed Description: .Steve's .Blog - Including .Net, SQL Server, .Math and everything in between

I ran into a system infected with the Aurora spyware a couple of weeks ago. The company maintains that it is not spyware, but it has no removal tool, it throws popups like crazy and it monitors the system and moves itself around using random file names. As of today, Norton Anti-Virus identifies it but can't get rid of it. Symantec provides a removal tool, but that didn't work either. I've used two separate spyware checkers and they can't delete it either. You can get more information on Aurora here... http://netrn.net/spywareblog/archives/2005/05/10/got-aurora-nailexe/

The way to tell if you have Aurora is two-fold:

First, check for Nail.exe in the C:\Windows directory. If it's there, delete it. If it reappears, Aurora is at work on your system. The other place to check is in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The Shell key will have the value "Explorer.exe c:\windows\nail.exe". If you try to modify this setting back to c:\windows\explorer.exe, the Aurora software automatically renames it back to include the reference to nail.exe.

The latest Symantec definition identifies this virus as "BetterInternet" and provides a remover that doesn't stop the behavior noted above. To stop the behavior noted above, I took the following steps:

(1) From a command prompt, go to the Windows/System directory and type dir>nail.exe   (this changes the contents of nail.exe and their software doesn't try to remedy this situation)

(2) Reboot.  Upon startup you'll get an error message, but ignore it.  You can now delete Nail.exe and it will not reappear.

(3) Finally, using RegEdit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the shell key to "c:\windows\explorer.exe"

Reboot and your system is now clean.
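
The Winlogon Shell check described in the post, as an added Python example that is not part of the original post. The function names are hypothetical, the C:\Windows install path is assumed from the post, and the code goes slightly beyond the post by also splitting on commas and honoring quoted paths.

```python
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows is installed in C:\Windows, as in the post.
CLEAN_SHELLS = {"explorer.exe", r"c:\windows\explorer.exe"}


def split_shell(value):
    """Split a Shell string on spaces or commas, keeping quoted paths whole.

    Unquoted paths that contain spaces are split too, so review those by hand.
    """
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,]+', value)]


def audit_shell(value):
    """Report which entries of a Winlogon Shell string are not stock Explorer."""
    entries = split_shell(value)
    return {
        "entries": entries,
        "explorer_present": any(e.lower() in CLEAN_SHELLS for e in entries),
        "unexpected": [e for e in entries if e.lower() not in CLEAN_SHELLS],
    }


def read_live_shell():
    """Read the Shell value from the 64-bit registry view (Windows only)."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    if sys.platform == "win32":
        samples = [read_live_shell()]
    else:
        # Constructed samples: the infected value quoted in the post, then the repaired one.
        samples = [r"Explorer.exe c:\windows\nail.exe", r"c:\windows\explorer.exe"]
    for value in samples:
        result = audit_shell(value)
        status = "SUSPICIOUS" if result["unexpected"] or not result["explorer_present"] else "ok"
        print(f"{status}: Shell={value!r} unexpected={result['unexpected']}")
```

Running it again after the final reboot confirms whether the Shell value stayed at the repaired setting or was rewritten.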

 

 

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use