Remove Aurora / Nail.exe
Are Aurora pop ups annoying the crap out of you? The bad news is that Aurora software outsmarts the 'click and fix' scanners and appears to be almost impossible to remove. Even if your security software finds it, maybe even deletes it, Aurora comes right back, or is back on the next reboot. It has to be said that the security industry is gradually catching up with them: some scanners can now remove enough of the adware to stop the pop ups, though other elements will be left behind.
The good news is that I did say it appears almost impossible to remove.
Aurora, a product from Direct Revenue (other names used include thinkingmedia.net, ipinsight.net and the latest one, Best Offers), is a variant of their transponder adware. Other variants include VX2 and abetterinternet.
Direct Revenue do offer a removal tool that does stop the pop ups, but there are a few reasons why it may not be a good idea to use it.
It is not available from their main website. They direct you instead to http://www.mypctuneup.com/evaluate.php (owned by Direct Revenue), which raises questions like... why? Surely it would be cheaper for them and more convenient for their 'customers' to have the installer in the software.
You are instructed to turn off your firewall and security products and allow the uninstaller to connect back to the internet. Why would an uninstaller need to connect to a remote server?
The uninstaller includes the component thunst.exe, which is common in most of Direct Revenue's software and is used to send information about the user's computer system.
A condition of using the uninstaller is that you have to accept that you agreed to install the software in the first place.
The installer leaves behind a component which, according to Direct Revenue, will prevent Aurora being installed again. That is a little puzzling, as it is claimed that Aurora is only installed with user consent (as you are reading this, you probably know this is not true). If that were correct, something to prevent the installation would be totally unnecessary.
How much trust should you put in a company that uses questionable business practices and ethics?
If Direct Revenue really want to be seen as a credible company, they need to start acting like one, because no matter how much legal semantics their lawyers produce in their attempts to shut up those who speak out, no company will ever be regarded as respectable by trying to force people into having a product they don't want... even if it is free. I have yet to come across anyone who has knowingly, intentionally or deliberately put it in their computer.
So why do these people silently install software that is, by design, difficult to remove, or will re-install if you dare try to delete it?
Their software allows them to send you pop up adverts they are paid to display, including adult content, some poor quality spyware / anti-virus scanners and a pop up blocker from stoppopupsnow.com, get this... produced and distributed by Direct Revenue!
It will also detect and remove adware from competitors of Direct Revenue and can disable some security software. I wonder if they chant 'If you cannot beat em - delete em' at their motivational gatherings.
Here is their address should you feel like hogging their phone line/mail box/fax/e-mail with your complaints.
Direct Revenue LLC
107 Grand Street
3rd Floor
New York, NY 10013
Telephone : 8668396164
Email : http://www.direct-revenue.com/contacts.php
Manual Removal Instructions.
WARNING - If you remove Aurora software by any method other than their own remover, you are actually in breach of the cleverly worded, cover-their-ass end user license agreement that you apparently agreed to when you downloaded their software... Remember? Exactly how they will enforce their EULA is not known; maybe they will send the boys round. You have been warned.
The main components of this adware are -
Bolger.dll, Aurora.exe, Aurareco.exe, svcproc.exe, Poller.exe, uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html,
*******.exe, where * is up to 11 randomly generated letters.
Prepare for removal
First, whilst online, download the following.
Ewido. Removes most of the adware. For the free version, select Download Demo. Download, install and update its database, but do not run it yet. The 'paid for' version has a background guard and would have prevented Aurora installing in the first place.
And
Ace Utilities. 30 day free trial of a comprehensive cleaning utility.
And this small removal file. (This file is for Windows XP only; for other operating systems, complete all other operations.)
Copy and paste the contents of the box below into Notepad (click Start > All Programs > Accessories > Notepad).
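@ECHO OFF
REM Work from the Windows folder; /d also switches drive if needed
cd /d "%windir%"
REM Call Nail.exe with its /FULLREMOVE switch
Nail.exe /FULLREMOVE
REM Disable, stop and delete the SvcProc service
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
REM Same for DrPMon.dll in system32
cd /d "%windir%\system32"
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit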
On the Notepad toolbar, click File and then Save from the drop-down list.
In the Save in box, select Desktop.
In File name, type in killAurora.bat.
In the Save as type box, select All types.
Click Save.
You are now ready for the removal operation.
You may want to print out these instructions, as you will be offline.
Reboot your PC in Safe Mode.
Windows XP only - Double click on the killAurora.bat icon on your desktop. A window will appear briefly. Your taskbar and icons may also flicker; this is normal.
Run the Ewido scanner and allow it to remove everything found.
Now to clean out all those registry keys.
Open Ace Utilities. Whilst we are targeting the Aurora leftovers, depending on your usual clean up routine there could be a lot of other crap to remove.
Click Clean up and select Remove Junk Files. Scan and delete everything found. Close the Remove Junk Files box.
Select Clean system registry. Click Options and select Thorough. Scan and delete everything found. Close the Clean system registry box.
Select Delete History, click the Windows tab and select the following -
Empty the Windows Prefetch Folder.
Delete empty folders on the Windows Temp folder.
Erase Folder streams in the Windows registry.
Click Execute Now.
Click the Internet Explorer/MSN tab and select the following -
Delete cookies.
Delete locked URL cache file.
Delete all auto-complete Data.
Clear typed URL's of Address bar.
Clear Browser History.
Delete Cache (Files in temporary Internet folder).
Click Execute Now.
You can of course select any of the other options you wish to clean.
Reboot your PC in Normal mode. This will have removed nearly all of the infection, the pop ups will have stopped and your internet activities will no longer be tracked, but there may be a file still in your system that was renamed by Nail.exe each time you start your PC. Although the file in itself cannot run, obsolete files can cause or contribute to system instability.
If you wish to find and remove that randomly named file, first set Windows to show hidden files and folders. Open Windows Explorer and navigate to the C:\Windows\system folder.
How to - Right click on the Start button and select Explore. In the left panel of Windows Explorer, click on the hard drive where your Windows is stored (usually C).
In the right panel, double click on the Windows folder.
Find and double click on the System folder.
Now look for a .exe file that is named with a series of random letters, e.g. lfzorkd.exe.
When you right click on it and select Properties, the box will show a size of around 74kb, and the 'creation date' will be the current (today's) date, as the file is created each time you start the PC.
If you want to double check you have the right file, do one or more of the following -
Copy and paste the file name, e.g. lfzorkd.exe, into a good search engine. Confirmation that this is the file you are looking for will come in a 'no results found' message.
Or submit the file here for analysis: http://virusscan.jotti.org
Once you are happy you have found the file, right click and select Delete or, as a precaution, right click, select Rename and change the file extension (after the dot) from .exe to .old.
If your computer has no problems after a few days, return and delete the file.
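The checks described above (a letters-only .exe name, a size of around 74kb, today's creation date, in the Windows\system folder) can be scripted in PowerShell. This is an added example, not part of the original page: the 60-90 KB size window, the parameter names and the function name Find-AuroraLeftover are assumptions, and the -Quarantine switch performs the rename to .old suggested above.

```powershell
# Added example: list files in %windir%\system that match the page's description
# of the randomly named Aurora leftover. Only the "around 74kb" figure, the
# letters-only name and the creation date come from the page; the rest is assumed.
param(
    [string]$Folder = (Join-Path $env:windir 'system'),
    [int]$MinBytes = 60KB,   # assumed lower bound around the ~74 KB reported
    [int]$MaxBytes = 90KB,   # assumed upper bound
    [switch]$Quarantine      # rename matches to .old instead of only listing them
)

function Find-AuroraLeftover {
    param([string]$Path, [int]$Min, [int]$Max)
    $today = (Get-Date).Date
    # -Force includes hidden and system files, which Explorer hides by default
    Get-ChildItem -LiteralPath $Path -Filter '*.exe' -Force -ErrorAction Stop |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.BaseName -match '^[A-Za-z]{1,11}$' -and   # up to 11 letters, nothing else
            $_.Length -ge $Min -and $_.Length -le $Max -and
            $_.CreationTime.Date -eq $today              # file is recreated at each start
        }
}

$hits = @(Find-AuroraLeftover -Path $Folder -Min $MinBytes -Max $MaxBytes)

foreach ($f in $hits) {
    # Show the embedded company name so the file can be compared with known system files
    $company = $f.VersionInfo.CompanyName
    "{0}  {1:N0} bytes  created {2}  company='{3}'" -f `
        $f.FullName, $f.Length, $f.CreationTime, $company

    if ($Quarantine) {
        # Precaution from the text: rename rather than delete, so it can be restored
        Rename-Item -LiteralPath $f.FullName -NewName ($f.BaseName + '.old')
    }
}

if ($hits.Count -eq 0) { "No candidate found in $Folder" }
```

Run it without -Quarantine first and confirm each listed file with a search or a scanner submission before renaming anything.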
All traces of Aurora should now be removed.
This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.