It keeps coming back because there are three parts to this critter, and you
are only getting one, or perhaps two of them
Nail.exe is one piece. A second is a randomly named .exe
Take a look at running processes using the system explorers in Microsoft
Antispyware--you can spot the randomly named one--I forget what it calls
itself--there's something distinctive and unchanging in the left column, and
a random name on the right. If you end the process and refresh, it'll come
right back with a new name.
I found the third piece only by scanning with an antivirus tool. I used
Trend Micro's online housecall scanner.
This critter is active even in safe mode, so you need tools like killbox,
perhaps, to kill the active pieces. I did it by booting from the OS CD and
using the recovery console.
I cleaned this by hand, but there are now more automated methods. Ron
Kinner has a favorite tool, but I can't immediately find his post about it.
Here's a post from announcements which looks like it has a good set of
steps, though:
-----------------------------------------------------------------------
If you haven't had any luck with with Aurora heres how to get rid of it
without using that "my pc tuneup" (which I trust as far as I can throw it).
I've had success removing Aurora from customer's computers with this
process.
1)Before starting download a copy of NailFix, Hijack This, and either RegOCX
or Killbox which will help unregister stubborn files that do not want to
delete
2) Boot into Safe Mode
3) Run Nailfix. You icons will disappear for a second or two. This is
normal.
4) Next search for and delete the following files; nail.exe, bolger.dll,
aurora.exe, svcproc.exe, thnall1ac.html, poller.exe, uacupg.exe, DrPmon.dll.
Use Killbox or RegOCX to unregister any dlls that will not delete then try
them again. Stop any exe files that will not delete with Task Manager then
try them again.
5) Run Hijack This. check and remove any entries associated with nail.exe or
any of the other files listed above. Also check and remove these entries if
they exist:
BHO 549B5CA7-4A86-11D7-A4DF-000874180BB3
BHO FDD3B846-8D59-4ffb-8758-209B6AD74ACC
Toolbar ACB1E670-3217-45C4-A021-6B829A8A27CB
6) If you are comfortable with the registry you can also navigate to
HKEY_CurrentUser/Software/Aurora key and delete that key (if it still
exists) though it should not be absolutely necessary to do so.
Once you reboot it should be gone. Run Hijack This again to make sure that
the entries you removed are still gone. Check Task Manager to make sure none
of the programs you deleted are back and running. Check your Internet
connection. If you can surf for 15 minutes without an Aurora popup then it
is gone. Good luck.
--
