Results 1 to 8 of 8

Thread: Defeating Aurora & Nail.exe

  1. #1
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest

    Defeating Aurora & Nail.exe

    Defeating Aurora & Nail.exe

    A friend of ours was complaining about her computer being extremely slow and pop-ups appearing continually. She possesses very limited knowledge about such things and had used her computer online for 3 years without any of the normal layers of defense. To make matters worse, this weekend she had some young visitors over that downloaded a few additional treats. So my wife and I drove over to her house, tossed the computer in our back seat and returned home to see what we could do for her.

    The computer is a conventional home desktop:

    Dell Dimension 2350
    256 Memory
    40gb HDD
    XP Home SP1

    After setting the bugger up on the mat the first thing we noticed was pounds of dust on the screens and fan blades so we opened it up and cleaned, cleaned, cleaned, and cleaned some more, then reset all the connectors, memory etc. I gave each fan a gentle flick to make sure they rotated freely, then plugged everything in, lit it off to see if it would boot up, and whether or not all the fans worked. Well the fans worked great, so I then took a quick peek into the BIOS and everything was set at default with nothing glaringly abnormal. After exiting out of Setup, the doggone thing took forever to come up. It was like watching snail races!

    Now the fun part; granted we could have just backed up her important files on a CD, zero’d out the HDD, and did the format & reinstall etc. to clear out the feces. However that isn’t much of a challenge and our friend didn’t need the computer back right away. Besides, being very inquisitive, we were pretty sure she’d have a load of malware that might just need a looking at. This bugger had been out running around the Internet naked for 3 years!

    So with System Restore disabled and in Safe Mode we began the spring-cleaning using Ewido, AdAware, Spybot S & D, AVG, Swatit, Hijackthis and some of my other favorite utils. Since we were aware that each product might identify some malware and miss others, this variety of products should serve us well.

    Shortly after launching the programs, we were astonished by the Hundreds of Trojans, Trojan downloaders, viruses, etc., being detected. At first I was keeping a written log of them and then realized how stupid that was because of the sheer number (the darn thing must have been somebody’s playground!).

    Employing all of the programs previously mentioned the removal process was going very well and after several hours we were almost done, so we thought! But Spybot S & D continued to detect Aurora (BetterInternet) and its corresponding files, however it would not clean them out. Neither would anything else we were using.

    We tried:

    - AVG (didn’t remove it)
    - Trend Micro (didn’t remove it)
    - SpyBot S & D (didn’t remove it)
    - AdAware (didn’t remove it)
    - Ewido (didn’t remove it)
    - MS Malware Removal Tool (didn’t remove it)
    - Symantec (BetterInternet Removal Tool ver 1.1.3) (didn’t remove it)
    - CWShreader (didn’t remove it)
    - Spysweeper (didn’t remove it)
    - Removal Guide from this link. (wasn't successful)
    - Removal Guide from this link. (wasn't successful)
    - Hijackthis (deleted all the appropriate garbage & reg entrees only temporarily – because they were immediately replicated and returned to the exact spot they were removed from.)

    In reviewing the Hijackthis log closer, it appears that part of this infestation climbs into bed with Explorer as a BHO. From the Log I found this (one of the .exe’s that was being replicated) to be a real cutie:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe.


    Shell REG_SZ Explorer.exe C:\WINDOWS\Nail.exe.

    Obviously this should only read Explorer.exe

    When I deleted C:\WINDOWS\Nail.exe off that registry key, it would immediately return. The same was true while attempting to delete the file the key pointed to, C:\WINDOWS\Nail.exe.

    So it was back to the web for some ideas. While surfing I found there are currently at least 6 variants of this adware. The six critters were: A Better Internet, A Better Internet B, A Better Internet C, A Better Internet D, A Better Internet E, and A Better Internet Susp. However since all the removal instructions available for those six, and the Spyware Removal Tools we employed wouldn’t eradicate it, I’m almost convinced that there may well be another Aurora variant on the loose.

    I also found several other forums that were really complaining about and to Direct Revenue (Aurora’s parents). DR’s response was to use “mypctuneup” and it would remove it. Well being skeptical at any recommendation made by those folks, I continued searching around the Internet looking for answers. Then I stumbled across this:
    Do not, UNDER ANY CIRCUMSTANCES, use It is owned by Direct Revenue LCC, the same company that produces aurora.

    In the licensing agreement before installing mypctuneup, you allow the installation of a web bug. Also, you consent for your "non-personal information", including IP address, ISP, domain, to be recorded. Source
    Great!!! Remove some junk only to agree to the installation of more junk. As the research continued I found that there are two key parts to this malware and they are Nail.exe and aurora.exe (name varies but was always similar to aurora). And as stated before, try deleting any one of these or it’s other files and immediately another one is replicated with a new name. Additionally the constantly name changing of the .exe file, is also an attempt to fool you to permit your firewall to allow it to gain access to the Internet, send your information to their site, and to update itself.

    So where would I start in getting rid of this spawn from hell? Silly as it may seem, I simply entered “Nailfix” into google and bam! In the string of results, there it was, an article instructing us that the way to get this under control was to first disable Nail.exe by utilizing the program called “Nailfix”. After that we would need to locate and delete any unusual entries in the Registry and C:\’s directories and folders. After a quick look to make sure it wasn’t written by our friends from DR, I set her computer behind my Smoothwall to control her outbound packets (didn't want any of that phone home stuff going on), and then we downloaded and installed Nailfix on the affected machine. We immediately returned to safe mode and ran the program. Even though it was a very small program, I thought I’d see some sort of an acknowledgement that it was successful etc., but nothing was displayed. Getting a little eager for input of some sort, I jumped to HKEY_LOCAL_MACHINE/SOFTWARE/Micosoft/WindowsNT/CurrentVersion/Winlogon/ and much to my surprise no C:\WINDOWS\Nail.exe and the key looked entirely normal:

    Shell REG_SZ Explorer.exe

    With Nail.exe gone, we thought the replication would cease as well. Wrong! Just as soon as you deleted one of the .exe r files another renamed, would land right in the same location (Like they had reservations or something!). All the initial attempts to find the source file failed so we made another sweep with all the cleaners we used before. Amazingly enough eight new critters were detected. I don’t know if they were previously part of Nail.exe or part of “NailFix”. Regardless they were:


    Spybot successfully removed them on the first try. So we continued to run the other programs. Ewido now began to detect viruses in her saved restore points. Since her restore points were corrupted we flushed them all out and would create a new one later.

    Next it was time to go hunting for the source file. Couldn’t do a “Find” because I didn’t know it’s name. So I looked in C:\, C:\temporary (zapped that one into the bit-bucket) what in the heck created that? Malware? There was absolutely nothing of value in there. Then in: C:\Windows, C:\Windows\system32\, and you get the idea. Well the following files were found in several different locations, I knew they didn’t belong and would probably be part of the problem. Google proved that to be true. So delete these if you find them:

    (misc letters).exe r

    Was that the end? After we deleted those files, we ran Spybot again and it came up clean. Woot!!! We defeated the beast! Time to install WinPatrol on this thing, reboot, and let Scotty make his rounds.

    The computer rebooted much quicker this time and we were elated. Then all of a sudden it slowed down to a crawl once more. Reviewing the list of files I deleted, I did not see any file name that resembled aurora.exe. It appears I hadn’t located the source file yet (the hive if you will). Then Scotty started alerting on files ending with .exe r, coming from C:\Documents and Settings\(her name)\Local Settings\Temp. Those were the same as the replicated files we were trying to delete in C:\Windows\system32. Thanks Scotty! Using explorer, we went directly to that folder and there it was a file resembling aurora.exe and all of its replicated children. It was: aurareco.exe. They were all deleted just as fast as I could highlight them. Then we returned to C:\Windows\system32\ and all the previous locations, to delete them out of there as well. This time they didn’t come back. I completed another run with all the cleanup software - and no more alerts. Ran another Hijackthis and the log indicated no unusual entrees there either. Additionally, Scotty stopped alerting.

    We cleaned up all the other temporary folders, defragged it, installed a software firewall, SP2, set the AV, etc., on auto-update, set a new restore point, and it’s still running like it should as of today.

    Would I do this again rather than reformat? Oh Yeah! However, I’d change the sequence I followed a bit. In that I’d begin in the Registry and see which files the keys pointed to, jump in the temps, then the critical folders last because the source files were not in the locations you would normally expect. Basically do a little RECON first before running all the removal programs.

    I believe we can pretty much surmise that because of the serious infestation she experienced, that all of her personal and small business information was compromised, and that some deviants may have used her computer for illegal activities. However, she is most fortunate that she wasn’t using it for her financial records. (Yet!!)

    Thanks much! And if you have had a similar scenario in which source file replication was an issue, by all means please include it.

    Connection refused, try again later.

  2. #2
    Well I didn't read your thread yet but I ran into this today actually...

    Safe mode was broken on the machine I was working on, I don't know if it was from the malware or not.

    I haven't tried a bootdisc yet, but bartPE seems like the way. It's not worth the time while the machine is running, the malware has the advantage (safe mode wasn't an option for me unfortunately)

    The process wouldn't die without spawning a child, and I couldn't chop away at it with process explorer either. I gave up because it's not worth trying to fight the malware while it's running.

  3. #3
    Senior Member
    Join Date
    Aug 2003
    This is the canned fix we have been using for awhile now:

    Download the trial version of Ewido Security Suite here:
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    Please download Nailfix from here:
    Unzip it to the desktop but please do NOT run it yet.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:

    Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Then please run Ewido, and run a full scan. Save the logfile from the scan.

    Next please run HijackThis, click Scan, and check:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HijackThis and click Fix Checked.

    ...that should do it.

  4. #4
    Senior Member
    Join Date
    Oct 2003
    I know that groovicus's advice work's I've been fighting it on customers systems for at least a couple weeks now. So do what he says!!! Hehe. Actually you might still have problems after you run it. my boss found that sometimes you need to run it more than once. Good Luck m8!

  5. #5
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    groovicus & oofki

    Nope that won't do it! I did exactly what you described and that only controls nail.exe. You must go and find the hive which contains the variant and spawned children of aurora.exe (or a name similiar to it.) If you do not, you will still have ABetterInternet. Now that's one heck of an oximoron!

    Connection refused, try again later.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    VX2 (abetterInternet) is a secondary infection to the nail infection, ie, they usually go hand in hand. That fix will remove the nail.exe infection, but you then need to tackle the VX2 infection. There was a specialized fix going around that we have been using, but I heard rumor that Adaware's newest VX2 plug in is supposed to take care of it. I can't vouch for that though.

    As far as I know, there are no commercial applications that will take care of it. And each variety is sufficiently different that it usually takes the guidance of someone familiar with the removal tools to help weed the good from the bad. VX2 has become as bad as CWS used to be.. those guys have been pretty quiet lately.

  7. #7
    I had the exact same scenario two weeks ago. Nail.exe was easily removed, but 8 billable hours later I was finally able to get to the hive and clean the system.
    to SYN, or not to SYN. That is the question. -Shakespeare?

  8. #8
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest

    but 8 billable hours later I was finally able to get to the hive and clean the system.
    As much as I think those authors ought to be strung up, I do have to say that it was quite the piece of work.

    Connection refused, try again later.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts