Defeating Aurora & Nail.exe

A friend of ours was complaining about her computer being extremely slow and pop-ups appearing continually. She possesses very limited knowledge about such things and had used her computer online for 3 years without any of the normal layers of defense. To make matters worse, this weekend she had some young visitors over that downloaded a few additional treats. So my wife and I drove over to her house, tossed the computer in our back seat and returned home to see what we could do for her.

The computer is a conventional home desktop:

Dell Dimension 2350
1.7 GHz
256 MB memory
40 GB HDD
XP Home SP1
DSL

After setting the bugger up on the mat the first thing we noticed was pounds of dust on the screens and fan blades so we opened it up and cleaned, cleaned, cleaned, and cleaned some more, then reset all the connectors, memory etc. I gave each fan a gentle flick to make sure they rotated freely, then plugged everything in, lit it off to see if it would boot up, and whether or not all the fans worked. Well the fans worked great, so I then took a quick peek into the BIOS and everything was set at default with nothing glaringly abnormal. After exiting out of Setup, the doggone thing took forever to come up. It was like watching snail races!

Now the fun part; granted, we could have just backed up her important files on a CD, zero’d out the HDD, and done the format & reinstall etc. to clear out the feces. However that isn’t much of a challenge and our friend didn’t need the computer back right away. Besides, being very inquisitive, we were pretty sure she’d have a load of malware that might just need a looking at. This bugger had been out running around the Internet naked for 3 years!

So with System Restore disabled and in Safe Mode we began the spring-cleaning using Ewido, AdAware, Spybot S & D, AVG, Swatit, Hijackthis and some of my other favorite utils. Since we were aware that each product might identify some malware and miss others, this variety of products should serve us well.

Shortly after launching the programs, we were astonished by the hundreds of Trojans, Trojan downloaders, viruses, etc., being detected. At first I was keeping a written log of them and then realized how stupid that was because of the sheer number (the darn thing must have been somebody’s playground!).

Employing all of the programs previously mentioned, the removal process was going very well, and after several hours we were almost done, or so we thought! But Spybot S & D continued to detect Aurora (BetterInternet) and its corresponding files, yet it would not clean them out. Neither would anything else we were using.

We tried:

- AVG (didn’t remove it)
- Trend Micro (didn’t remove it)
- SpyBot S & D (didn’t remove it)
- AdAware (didn’t remove it)
- Ewido (didn’t remove it)
- MS Malware Removal Tool (didn’t remove it)
- Symantec (BetterInternet Removal Tool ver 1.1.3) (didn’t remove it)
- CWShredder (didn’t remove it)
- Spysweeper (didn’t remove it)
- Removal Guide from this link. (wasn't successful)
- Removal Guide from this link. (wasn't successful)
- Hijackthis (deleted all the appropriate garbage & reg entries only temporarily – because they were immediately replicated and returned to the exact spot they were removed from.)

In reviewing the Hijackthis log more closely, it appears that part of this infestation climbs into bed with Explorer as a BHO. From the log I found this (one of the .exe’s that was being replicated) to be a real cutie:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Shell REG_SZ Explorer.exe C:\WINDOWS\Nail.exe

Obviously this value should read only Explorer.exe.

When I deleted C:\WINDOWS\Nail.exe from that registry value, it would immediately return. The same was true when attempting to delete the file the value pointed to, C:\WINDOWS\Nail.exe.
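A defender's check for exactly this value, added here as an example and not taken from the original write-up: it extracts the Shell data from a HijackThis F2 line or a reg query style line and lists anything set to launch besides Explorer.exe; on Windows it also reads the live HKLM and HKCU values through the standard winreg module. The function names and the constructed sample line are the example's own.

```python
"""Check the Winlogon Shell value for programs launched alongside Explorer.
Added example, not code from the original write-up. Parses the two text forms
the post shows (HijackThis "F2 - REG:system.ini: Shell=..." and reg query style
"Shell REG_SZ ...") and, on Windows only, reads the live HKLM/HKCU value."""
import re
import sys

EXPECTED_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def shell_value_from_line(line):
    """Shell data from a HijackThis F2 line or a reg query line, or None
    if the line is not about Shell. A trailing sentence period is dropped."""
    m = re.search(r"Shell\s*=\s*(.+?)\s*$", line)               # F2 - REG:system.ini: Shell=...
    if not m:
        m = re.search(r"^\s*Shell\s+REG_SZ\s+(.+?)\s*$", line)  # reg query / regedit text
    return m.group(1).rstrip(".") if m else None

def extra_shell_programs(shell_value):
    """Every program in the Shell value other than Explorer.exe. Windows allows
    several comma-separated programs; the infection in the post just appended
    one after a space. A path with spaces is split up but still reported."""
    tokens = [t for part in shell_value.split(",") for t in part.split()]
    return [t for t in tokens if t.lower() != EXPECTED_SHELL]

def audit_live_registry():
    """On Windows, return {hive: [extra programs]} for HKLM and HKCU. HKCU
    normally has no Shell value; if one exists it overrides HKLM for that user.
    Off Windows this returns {} so the module still runs stand-alone."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    findings = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue                                   # key or value absent
        extras = extra_shell_programs(str(value))
        if extras:
            findings[name] = extras
    return findings

if __name__ == "__main__":
    # Constructed sample: the line the post quotes from its HijackThis log.
    sample = r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe"
    print("from log line:", extra_shell_programs(shell_value_from_line(sample)))
    print("live registry:", audit_live_registry())
```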

So it was back to the web for some ideas. While surfing I found there are currently at least 6 variants of this adware. The six critters were: A Better Internet, A Better Internet B, A Better Internet C, A Better Internet D, A Better Internet E, and A Better Internet Susp. However since all the removal instructions available for those six, and the Spyware Removal Tools we employed wouldn’t eradicate it, I’m almost convinced that there may well be another Aurora variant on the loose.

I also found several other forums that were really complaining about and to Direct Revenue (Aurora’s parents). DR’s response was to use “mypctuneup” and it would remove it. Well, being skeptical of any recommendation made by those folks, I continued searching around the Internet looking for answers. Then I stumbled across this:
Do not, UNDER ANY CIRCUMSTANCES, use mypctuneup.com. It is owned by Direct Revenue LLC, the same company that produces aurora.

In the licensing agreement before installing mypctuneup, you allow the installation of a web bug. Also, you consent for your "non-personal information", including IP address, ISP, domain, to be recorded. Source
Great!!! Remove some junk only to agree to the installation of more junk. As the research continued I found that there are two key parts to this malware: Nail.exe and aurora.exe (the name varies but was always similar to aurora). And as stated before, try deleting either of these or its other files and immediately another one is replicated with a new name. Additionally, the constant renaming of the .exe file is also an attempt to trick you into letting it through your firewall so it can reach the Internet, send your information to their site, and update itself.

So where would I start in getting rid of this spawn from hell? Silly as it may seem, I simply entered “Nailfix” into google and bam! In the string of results, there it was, an article instructing us that the way to get this under control was to first disable Nail.exe by utilizing the program called “Nailfix”. After that we would need to locate and delete any unusual entries in the Registry and C:\’s directories and folders. After a quick look to make sure it wasn’t written by our friends from DR, I set her computer behind my Smoothwall to control her outbound packets (didn't want any of that phone home stuff going on), and then we downloaded and installed Nailfix on the affected machine. We immediately returned to safe mode and ran the program. Even though it was a very small program, I thought I’d see some sort of an acknowledgement that it was successful, but nothing was displayed. Getting a little eager for input of some sort, I jumped to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ and much to my surprise there was no C:\WINDOWS\Nail.exe and the value looked entirely normal:

Shell REG_SZ Explorer.exe

With Nail.exe gone, we thought the replication would cease as well. Wrong! As soon as we deleted one of the .exe r files, another, renamed, would land right in the same location (like they had reservations or something!). All the initial attempts to find the source file failed, so we made another sweep with all the cleaners we used before. Amazingly enough, eight new critters were detected. I don’t know whether they were previously part of Nail.exe or part of “NailFix”. Regardless, they were:

DealHelper
Delf.7x
Dyfica.3.Ai
1stbar.9D
Dyfica.3.A.G

Spybot successfully removed them on the first try. So we continued to run the other programs. Ewido now began to detect viruses in her saved restore points. Since her restore points were corrupted we flushed them all out and would create a new one later.

Next it was time to go hunting for the source file. I couldn’t do a “Find” because I didn’t know its name. So I looked in C:\, then C:\temporary (zapped that one into the bit-bucket; what in the heck created that? Malware? There was absolutely nothing of value in there), then C:\Windows, C:\Windows\system32\, and you get the idea. Well, the following files were found in several different locations; I knew they didn’t belong and would probably be part of the problem. Google proved that to be true. So delete these if you find them:

adbltzun.exe
aurorahandler.dll
aurora-wise1.exe
DrPMon.dll
thnall1.html
thnall1ac.html
svcproc.exe
dsr.exe
dint.exe
(misc letters).exe r

Was that the end? After we deleted those files, we ran Spybot again and it came up clean. Woot!!! We defeated the beast! Time to install WinPatrol on this thing, reboot, and let Scotty make his rounds.

The computer rebooted much quicker this time and we were elated. Then all of a sudden it slowed down to a crawl once more. Reviewing the list of files I deleted, I did not see any file name that resembled aurora.exe. It appears I hadn’t located the source file yet (the hive, if you will). Then Scotty started alerting on files ending with .exe r, coming from C:\Documents and Settings\(her name)\Local Settings\Temp. Those were the same as the replicated files we were trying to delete in C:\Windows\system32. Thanks Scotty! Using Explorer, we went directly to that folder and there it was: a file resembling aurora.exe, aurareco.exe, along with all of its replicated children. They were all deleted just as fast as I could highlight them. Then we returned to C:\Windows\system32\ and all the previous locations, to delete them out of there as well. This time they didn’t come back. I completed another run with all the cleanup software - and no more alerts. Ran another Hijackthis and the log indicated no unusual entries there either. Additionally, Scotty stopped alerting.

We cleaned up all the other temporary folders, defragged it, installed a software firewall, SP2, set the AV, etc., on auto-update, set a new restore point, and it’s still running like it should as of today.

Would I do this again rather than reformat? Oh yeah! However, I’d change the sequence I followed a bit: I’d begin in the Registry and see which files the keys pointed to, jump into the temp folders next, and do the critical folders last, because the source files were not in the locations you would normally expect. Basically, do a little RECON first before running all the removal programs.

I believe we can pretty much surmise that, because of the serious infestation she experienced, all of her personal and small business information was compromised, and that some deviants may have used her computer for illegal activities. However, she is most fortunate that she wasn’t using it for her financial records. (Yet!!)

Thanks much! And if you have had a similar scenario in which source file replication was an issue, by all means please include it.

!~cheers~!