Wednesday, August 10, 2005

Aurora...Nail.exe

AURORA...GRRR
People are FURIOUS!
__________________________________
I have to say this will be my longest article yet.
I will give you all I know about this parasite and how to get rid of it.

Aurora, AKA:
• Aurora popups
• Aurora adware
• Abi network
Aurora is adware, which is to say malware. It is an adware parasite that displays undesirable commercial advertisements through your Internet Explorer web browser. It also tracks and gathers your activity on the Internet and sends it to a web server, and it installs additional malicious components on your computer. This bugger gets onto the system bundled with some ad-supported software. It can also be installed manually, but installing it is HIGHLY NOT recommended. Once executed, Aurora creates several files (in my experience with random names) and modifies the registry so that the threat runs on every Windows startup.

Properties:
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background
Related files: nail.exe, svcproc.exe, drpmon.dll, iddjhjm.ini
Where did I get this nasty bugger from? You get Aurora from free downloads. As we all know too well, free is the most expensive item you will ever receive. If you must download a so-called FREE application, make SURE you know what you are getting yourself into.
Who can WE thank for this lovely free gift?
http://www.direct-revenue.com/news6.php
Direct Revenue Launches Aurora
New Ad Client Affords Greater Brand Visibility, More Efficient Distribution
New York, New York – April 26, 2005 – Direct Revenue today announced the launch of its newest ad client, Aurora™.
The Aurora ad client is designed to improve product visibility and consumer services. The roll out of the upgrade to the DR behavioral network began on April 5th by replacing outdated ad clients in an effort to improve consumer awareness. Like other DR ad client brands such as “SolidPeer”, released in September ‘04 and “Ceres” released in November ‘05, the Aurora Ad Client is compliant with the branding and removal standards of all major proposed Federal legislation relating to online contextual ads such as HR 2929.
Direct Revenue, LLC. (2005). Direct Revenue launches Aurora. Retrieved Aug. 10, 2005, from Direct Revenue Web site: http://www.direct-revenue.com/news6.php.
Removal of Aurora
The first time I came across this little crapper, there were NOOOO reports or forums and it took me 6hrs to get rid of it. How I did it the first time without help is left for Ripley's Believe It or Not. After this I have experienced it differently on 3 other PCs and it has gotten easier with the help of some great removal tools. All instances were the same pest but with different random names and different ways of removal. I have to say that the last removal tool I used was fantastic and painless. I found the nailfix to be the best, but there are other ways to remove it if you have trouble.
*NOTE FOR DOMAIN USERS:
I found that in order to remove this you must be in SAFE MODE and logged in to the local machine as the administrator. It will not work when you are logged into the domain, and it took me 3 tries to see the error of my ways.
Aurora automatic removal:
As with most virus removals, you should be in SAFE MODE.
>Try this fix first:
>Other Tools that I have used:
>This tool is great for stopping processes.
Advanced Process Termination
Windows 2000/XP/2003

Copyright (C) 2003-2004,
Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au

Aurora manual removal:

Kill processes:
nail.exe, svcproc.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe %Windir%\nail.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random name]
HKEY_CURRENT_USER\Software\aurora
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Unregister DLLs:
Start > Run > type CMD & hit enter
change the directory to exact DLL location path for drpmon.dll
regsvr32 /u drpmon.dll

Delete files:
nail.exe
svcproc.exe
drpmon.dll
iddjhjm.ini
Start > Search > For Files and Folders > More Advanced Options >
Type each file name in and hit Search, delete the files when you find them, and don't forget to empty the Recycle Bin when you are done. If an error message appears saying that the file is in use and cannot be removed, terminate the associated process using Windows Task Manager (press CTRL + ALT + DEL or CTRL + SHIFT + ESCAPE), select the corresponding process in the Processes tab, click End Process, and then delete the file. Most of these processes will restart immediately after you terminate them. If this happens, you will have to reboot your PC into *SAFE MODE by restarting and hitting the F8 OR F5 key upon reboot.
*In Safe Mode, many system services are disabled and programs do not run automatically on startup. Practically any file can be easily removed, but there are those exceptions.

Misc:
Files nail.exe, svcproc.exe and iddjhjm.ini are located in
C:\Windows or C:\Winnt.
File drpmon.dll can be found in the default system directory C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32.
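As an added example (not from the original post or from any removal tool), here is a small Python script that checks a Regedit export (the text you get from reg export on the infected machine) for the persistence points listed above: the Winlogon Shell value, which on a clean box is exactly explorer.exe and to which Aurora tacks on nail.exe, the SvcProc service, the ZepMon print monitor, the abi-1 uninstall key, and any value that names one of the related files. The sample export and the random Run value name are constructed for the demonstration.

```python
# Constructed sample of a "reg export" dump from an infected box (the random Run name is made up)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\nail.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qkxzv"="C:\\WINDOWS\\svcproc.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc]
"ImagePath"="C:\\WINDOWS\\svcproc.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
"Driver"="drpmon.dll"
"""

# Keys the post lists as Aurora/abi-1 persistence points (lower-cased for matching)
AURORA_KEYS = {
    r"hkey_current_user\software\aurora",
    r"hkey_local_machine\system\currentcontrolset\services\svcproc",
    r"hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\abi-1",
}
AURORA_FILES = ("nail.exe", "svcproc.exe", "drpmon.dll", "iddjhjm.ini")

def parse_reg(text):
    """Return {key: {name: value}} from a Regedit 5.00 export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and '"="' in line:
            name, _, val = line[1:].partition('"="')
            keys[current][name] = val.rstrip('"').replace("\\\\", "\\")
    return keys

def find_indicators(text):
    """Flag a tampered Winlogon Shell, known Aurora keys, and values naming Aurora files."""
    findings = []
    for key, values in parse_reg(text).items():
        lkey = key.lower()
        if lkey.endswith(r"\winlogon"):  # a clean Shell value is exactly "explorer.exe"
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell_tampered", key, shell))
        if lkey in AURORA_KEYS:
            findings.append(("known_aurora_key", key, ""))
        for name, val in values.items():
            if any(f in val.lower() for f in AURORA_FILES):
                findings.append(("value_references_aurora_file", key + "\\" + name, val))
    return findings
```

Run it against an export taken in Safe Mode before and after cleanup; an empty result on the second pass means the Shell value is back to plain explorer.exe and none of the listed keys or file references survived.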
Maybe this looks familiar to some of you.
FasterXP?
VitalSecurity’s Paperghost says Direct-Revenue is BUSTED again
Cross referenced
127.0.0.1 direct-revenue.com
127.0.0.1 www.direct-revenue.com
Check out what other sites have to say:
Other ways to remove from different postings.