Hey Alan,
I just delete the whole contents of the prefetch folder
when cleaning malware as the genuine entries as soon
replaced there's tons left in there for all the parts to
Aurora, (Nail, Banner, rramcx, ffsnvqmgpiy, Poller,
Svcproc,Epolvy,drpmon etc..) so its easier to just do
away with the contents of the folder,
MSAS cannot remove Aurora and doesnt block it entering
the system with real time enabled. It doesnt detect
Nail,Svcproc,rramcx,ffsnvqmgpiy(This one is the pop up
window for Aurora) or the Epolvy random named entry but
does detect drpmon.dll but that just gets replaced when
MSAS deletes it,
Its debatable if it ever deletes it Im not convinced
myself but either way Epolvy is the main infectant and
replaces the others if they get removed so that needs
suspending and everything removing at the same time if
you try delete Epolvy(Random named file in the system
folder)it will be instantly replaced even in safe mode
its maybe called from prefetch or temp folders as there
is poller entries there which do not appear anywhere else
on the system but could be just written to replace itself
if it gets removed,
Nail cannot be removed in normal mode because its hooked
into explorer.exe so explorer needs suspending to remove
the infection, Its nasty stuff and Ive not seen any
remover that can do this fully except Adaware's new VX2
cleaner that works excellent, There is also nailfix that
kills explorer then removes the files and starts explorer
again but that doesnt target Epolvy so safe mode is
needed followed by Ewido and Ccleaner to remove all the
temp files for this but it still doesnt repair the
explorer=nail entry , Then there's Kill Epolvy that uses
the process suspend method and replaces the file on
reboot but that doesnt target the rest.
Spybot,Ewido,MSAS fails on Aurora , Adaware couldnt
remove it with thier scanner but the VX2 cleaner works
great as its all done on reboot after explorer.exe ends
then running Adaware's scanner gets the reg entries when
the machine reboots.
I think Aurora got changed towards the end of July as it
got abit harder to remove it and MSAS used to remove nail
and svcproc but doesnt now so they are trying to keep
ahead of the spyware scanners in my view. Its getting
bundled with other junk now as well and they can all
protect each other from being removed so things can get
difficult if it brings its mates
For now though Adaware's new beta cleaner is the easiest
fix for this and Ive infected a machine with Aurora over
40 times in the last few weeks to try out different fixes
and batch files so I dont think Im being unfair to any
remover, Ive checked them all in detail and know how much
of a pain it can be. Kill Epolvy and Nailfix took many
hours of work for everyone involved but I'm not sure they
are needed now Lavasoft have come up with this cleaner,
MSAS fell behind when Aurora changed and still hasnt
started detecting it fully again but Im sure it will not
take them long to add it to thier definitions when they
realize its not being removed anymore.
Regards Andy
