windows/nail.exe - Aurora spyware

Thread starter: Adina

Every time I run a spy check, this application in c:\windows\nail.exe keeps popping up as an Aurora transponder. I have tried to delete it and it keeps popping back up; I finally quarantined it. What is this thing and how can I get rid of it?
 
1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so they can analyze it quickly. Feel free to say what you've got in place and have tried, and that it didn't work.

Boot to Safe Mode.
http://tinyurl.com/pfca

Empty your IE cache and your other temporary file folders, e.g. c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders.

Have you tried scanning with Microsoft AntiSpyware in safe mode?
Run a FULL SYSTEM SCAN and check the 3 boxes.

If you are running SP2, open IE ---> Tools ---> Manage Add-ons, and uncheck any BHOs that you don't recognize.

Run your updated antivirus.

Reboot.
 
This is a nasty new infection which can be very difficult to get rid of. This thing seems to be the latest from the same people who brought us Vx2, the Transponder gang. Deleting the filenames related to this often makes new ones appear with random names, plus there's usually a part of this running as a Windows service. The Windows service file could be C:\WINDOWS\svcproc.exe, but posting a HijackThis log would show the name if it's not this.

To check for this, go to the Run command and type services.msc.

In the Services window that opens, press Name to sort into alphabetical order and check for System Startup Service. If you find it, right-click it and choose Disable in the dropdown box. Then hit the Stop button.


Download and run MWavScan (from MicroWorld):

http://www.mwti.net/antivirus/free_utilities.asp

Choose to scan all files and folders; it will produce a log in the lower section. Scroll down to the part with bad files, left-click and drag over the text, use Ctrl-C to copy it, and then paste it here to show the other filenames running with this. Typically they will be similar to these, but they could be random filenames.

Registry Entry

HKLM\..\Run: [kmajdf] c:windows\system32\eccclq.exe

This is a random name and will change each time you delete it.

System Startup Service (SvcProc)
C:\WINDOWS\svcproc.exe

c:\windows\system32\wvobdmu.exe
c:\windows\system32\eccclq.exe
C:\WINDOWS\hliytirdjmo.exe
C:\WINDOWS\htstgki.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\nse37.dll
C:\WINDOWS\system32\nsk43.dll
C:\WINDOWS\system32\nsl49.dll
C:\WINDOWS\system32\nso4F.dll
C:\WINDOWS\system32\nss3D.dll
C:\WINDOWS\system32\nsx69.dll
C:\WINDOWS\system32\rtneg.dll


The other way to do this is by running HijackThis and posting the logfile to reveal the same entries, but MicroWorld's eScan would be the best start as that will also scan for any virus entries. Once you know the filenames connected to this, you can use KillBox to delete the files, or HijackThis in safe mode.

HijackThis

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Post the MicroWorld scan results or a HijackThis log and then we can take it from there.

Regards

Andy
 
Another tool worth trying is the Aurora remover; you might still need HijackThis though to remove this fully.

Download the Remover to your desktop

ABIremover:

http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3240.0;id=292

Download (if not already done) the latest HijackThis and unpack it in its own folder (either desktop or C: drive)

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Reboot into safe mode

Start ABIRemover.exe, press Install, wait (the Explorer window will disappear)

Reboot again into safe mode


Fix the random key in the registry with HijackThis (normally HKLM\Software\Microsoft\Windows\CurrentVersion\Run)

It will probably look like this, but the filename could be changed:

HKLM\..\Run: [kmajdf] c:windows\system32\eccclq.exe


Remember the random name and delete it in your system32 directory.


Reboot into normal mode and run at least one online virus scanner:


Trend Micro http://housecall.antivirus.com/

Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm

Symantec's Security Check & Virus Scanner

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym


Good luck; if you need any help let me know.

Regards Andy
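As an added example (not code from this thread or from any of the tools Andy links), a read-only PowerShell script that automates the two manual checks in Andy's posts: the HKLM/HKCU Run keys and the installed services. It flags the file names and service name quoted above (nail.exe, svcproc.exe, "System Startup Service") and, as an extra heuristic of my own, any autostart image sitting in the Windows or System32 directory that does not carry a valid Authenticode signature. It only reports; the actual removal still goes through the steps described above.

```powershell
# Read-only triage of Run keys and services for the Aurora/ABI pattern
# described in the thread. Names below are the ones quoted in the posts;
# the signature check is an added heuristic (catalog-signed OS files may
# show as NotSigned on older Windows, so treat hits as leads, not verdicts).
$knownNames   = @('nail.exe', 'svcproc.exe')
$knownService = 'System Startup Service'
$sysDirs      = @($env:WINDIR, "$env:WINDIR\system32")

function Get-ImagePath([string]$cmd) {
    # Reduce a command line such as "C:\dir\x.exe" /arg to its executable path
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Suspicious([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return $false }
    $leaf = [IO.Path]::GetFileName($path).ToLower()
    if ($knownNames -contains $leaf) { return $true }      # name quoted in the thread
    $dir = [IO.Path]::GetDirectoryName($path).TrimEnd('\')
    $inSysDir = $sysDirs | Where-Object { $dir -ieq $_ }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    return ([bool]$inSysDir -and ($sig.Status -ne 'Valid'))  # random-named, unsigned image in Windows dir
}

# 1) Run keys: the thread's example is HKLM\..\Run: [kmajdf] ...\system32\eccclq.exe
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $img = Get-ImagePath $p.Value
        if (Test-Suspicious $img) {
            "{0}: [{1}] {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# 2) Services: the thread names "System Startup Service" (SvcProc) in C:\WINDOWS\svcproc.exe
foreach ($svc in Get-CimInstance Win32_Service) {
    $img = Get-ImagePath $svc.PathName
    if ($svc.DisplayName -eq $knownService -or (Test-Suspicious $img)) {
        "Service {0} ({1}) state={2} path={3}" -f $svc.DisplayName, $svc.Name, $svc.State, $svc.PathName
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM key and service list are fully readable; nothing it prints is deleted, so the output is what you would paste into a thread like this one alongside the scan log.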
 
Thanks Andy -- I've cleaned this one by hand a while back, and it is indeed slippery -- those are good tips, and I'm glad the cleaner tool is available now.
 