Click Computer Services

Views of Computer News

Aurora Spyware

Ran into the Aurora popup spyware last week. Very difficult to remove using normal spyware cleanup procedures.

This spyware creates a file called Nail.exe in Windows\System32 that is impossible to delete, as it recreates itself almost immediately.

Used this program in Safe Mode to clear out the Aurora popup. http://www.mypctuneup.com/

Needed to run it twice. After that it looks like Aurora was removed.

Comments

  1. Administrator
    June 28th, 2005 | 5:54 pm

    In the version of Nail.exe that I encountered, it wasn’t enough to just boot into safe mode and run the basic cleaners like AdAware and Spybot. This Aurora popup spyware — or at least the variant I encountered — needed specialized cleaning tools.
    ================
    Although I didn’t find any problems with the mypctuneup.com program when I ran it initially, some postings on the net are indicating that it may also install spyware. They may have changed their cleaner program.

    On tek-tips I found this posting:

    Download the Nail/aurora fix

    http://www.noidea.us/easyfile/index.php?folder=2

    * Download the trial version of Ewido Security Suite here

    http://www.ewido.net/en/

    * Install ewido.
    * During the installation, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
    * Launch ewido
    * It will prompt you to update; click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.

    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    * Restart your computer into safe mode now. Perform the following steps in safe mode:

    * Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly — this is normal.

    * Now run Ewido:

    * Click on scanner
    * Put a check by the following before you scan:
        o Binder
        o Crypter
        o Archives
    * Click the Start Scan button to start the scan.
    * During the scan it will prompt you to clean files; click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop

    Download and run CCleaner.

    http://www.ccleaner.com/