I do this over and over. And still a new one always comes up. I have been doing some research and found that the Nail.exe file has to be deleted, but if it is not done in a certain sequence, it will automatically refresh itself. I modified the registry file (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) the Key "Shell" to c:\windows\explorer.exe, where it was showing c:\windows\Nail.exe. The instructions to permanently delete Nail.exe are as follows:
1. Create a new TXT document and rename it XXXX.exe
2. Copy the name of the file (example Nail.exe)
3. shift + delete the file
4. Rename xxxx.exe by pasting the text Nail.exe before Nail.exe remakes itself
5. Right click the new Nail.exe and click read only. Leave this file in place, it is not harmful, it contains no code. Confirm this by checking the size of the file. It should read 0 bytes. Repeat these steps for all five of the reciprocating files.
The other files are as follows:
c:\Documents and Settings\(user name)\Local Settings\Temp\toc_0032.exe (main installer)
c:\Documents and Settings\(user name)\Local Settings\Temp\tp7543.exe
C:\Windows\System32\adlinstallwin32.exe
c:\adlinstallwin32.exe
I could not find the other four files listed above on my pc.
The other problem I am having is instructions 2, 3, & 4. I have tried everything to copy and paste the file name, but I am obviously not doing it right.
It also says to delete the main aurora registry directory:
HKCU\Software\Aurora
I don't know what the HKCU is.
It says that once all this is done the files will no longer exist.
Here are the complete instructions I have on removing the aurora virus.
I have followed them the best I can with the exception of what I listed above. I have also used Symantec's full instructions on how to remove the wupdt.exe, but I don't think it worked either. I will paste another hijack log at the bottom of this as well.
Instructions for aurora removal:
To make this process easier, follow these two steps:
1) Boot to safe mode
1a) Restart your computer
1b) Press the F8 key continuously until the Safe Mode screen appears
1c) Choose: Safe mode, with networking (If you need the references of the internet)
2) Show hidden and system files
Start > My Computer > Tools Menu > Folder Options > View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
It is not necessary, but if you wish to disable the annoying popup: "Windows File Protection" (which will appear many times during this process), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the key "SFCDisable" from 0 to ffffff9d. If you would like to turn it back on later, just change the value back to 0.
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe could possibly be the aurora installer, delete this ASAP. (it could also be in your Temporary Internet Files folder)
Deleting Harmful Files
1) Clear temp dirs (temp AND temp internet files) and cookies
2) Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run using regedit.exe or reglite. (Some of the entries in this directory are required for certain programs to start when Windows starts (example: antivirus). I prefer to have only required Windows files load at startup, so I deleted these registry entries. If you wish to have the programs start when Windows does (which will take up CPU cycles and RAM), leave them there.)
It will take you a while to figure out which entries are harmful, and which are not. (If you see any random numbers or letters (example: alsh2lhjasl), they are harmful.) Some of the malicious processes will be masked with names that look legitimate such as "rundll32.exe". Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there will be some registry keys that are dlls, not exes. If you modify the key, you will see: 1) a mask (example: rundll32.exe) and 2) the actual dll name to delete (located in c:\windows\system32).
3) Once you figure out which entries are harmful, right click them, select "modify" to find out where they are located.
4) After locating the files, delete them, then go back and delete the registry entries they were linked to. You must be in safe mode to delete some of the files, however, there is an alternative. Killbox will allow you to delete them in normal mode, but I will not provide instructions.
5) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Modify key: "Shell", Remove "C:\WINDOWS\Nail.exe" from "Explorer.exe C:\WINDOWS\Nail.exe". (There is a major vulnerability in windows' registry. Many executables listed in the registry do not contain the full pathname. The registry entry could therefore point to a "fake" explorer.exe. To fix this change the "Shell" key from: "Explorer.exe" to "C:\WINDOWS\explorer.exe". Now you know for a surety that it points to the right executable.)
The following files are on a reciprocal duplicating system (meaning, when you delete one, the other one recreates it)
C:\WINDOWS\Nail.exe
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
To permanently delete these files, follow these steps:
1) Create new text document and rename it to XXXX.exe or whatever you choose.
2) copy the the name of the file (example: Nail.exe)
3) shift+delete the file
4) Rename xxxx.exe by pasting the text Nail.exe before Nail.exe remakes itself
5) Right click the new Nail.exe and click read only
Leave this file in place, it is not harmful, it contains no code. Confirm this by checking the size of the file. It should be 0 bytes.
Repeat these steps for all five of the reciprocating files.
Delete these directories (if they exist):
C:\temporary
c:\windows\browserxtras
Delete the main aurora registry directory:
HKCU\Software\aurora
Once you are finished, none of these files or directories should exist:
Files:
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\vwzailkubk.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\elitealp32.exe
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
C:\WINDOWS\TASKMAN.exe
C:\WINDOWS\ilaijn.exe
C:\WINDOWS\ieuninst.exe
C:\WINDOWS\Q330994.exe
Directories:
C:\temporary
c:\windows\browserxtras
C:\WINDOWS\EliteToolBar
Main registry directory:
HKCU\Software\aurora
The file that Windows File Protection keeps saying was replaced was Windows Media Player. If, after you have removed all of the harmful files, WMP doesn't work, run the following program:
C:\Program Files\Windows Media Player\setup_wm.exe
If that doesn't update and fix WMP, then go to the Add/Remove Programs list and uninstall WMP. Once you restart your computer WMP should be reinstalled. If not, insert your Windows CD and install it.
Logfile of HijackThis v1.99.1
Scan saved at 11:55:50 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Cathy's\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mjdsok] c:\windows\system32\qhjfiv.exe r
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
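Added example, not part of the post or of the removal instructions it quotes: a small Python triage of the two HijackThis line types those instructions single out, the F2 Shell= line and the O4 Run entries, applying the checks they describe (an extra program in Shell, explorer.exe without a full path, rundll32.exe as a mask for a DLL, random-looking names). The sample lines are constructed from the log above, and the random-name heuristic is my own rough approximation of the "random letters" rule, so treat its hits as hints rather than verdicts.

```python
import re
# Constructed sample lines modelled on the HijackThis log in the post (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mjdsok] c:\windows\system32\qhjfiv.exe r
"""
FULL_PATH = re.compile(r"^([a-zA-Z]:\\|%)")  # drive letter or %systemroot%-style variable

def looks_random(name):
    """Crude 'random letters' rule (alsh2lhjasl): [a-z0-9], 6+ chars, <25% vowels. Hint only."""
    if not re.fullmatch(r"[a-z0-9]{6,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.25

def first_executable(command):
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)  # quoted path, else first token
    return (m.group(1) or m.group(2) or "") if m else ""

def check_shell(value):
    """Anything beyond one fully qualified explorer.exe in the Winlogon Shell value is suspect."""
    findings = []
    for part in value.split():
        if part.rsplit("\\", 1)[-1].lower() != "explorer.exe":
            findings.append(f"Shell launches an extra program: {part}")
        elif not FULL_PATH.match(part):
            findings.append(f"Shell names explorer.exe without a full path: {part}")
    return findings

def check_run_entry(name, command):
    findings = []
    exe = first_executable(command)
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":  # rundll32 is only the mask
        # the DLL it loads is the real target, so judge that path instead
        exe = first_executable(command.strip()[len(exe):]).split(",")[0] or exe
    if not FULL_PATH.match(exe):
        findings.append(f"[{name}] has no full path: {exe}")
    if looks_random(name) or looks_random(exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
        findings.append(f"[{name}] random-looking name: {exe}")
    return findings

def triage(log_text):
    """Findings for the F2 (Shell) and O4 (Run) lines of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        if m := re.match(r"F2 - REG:system\.ini: Shell=(.*)", line):
            findings += check_shell(m.group(1))
        elif m := re.match(r"O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)", line):
            findings += check_run_entry(m.group(1), m.group(2))
    return findings
```

Run against the sample it reports the extra Nail.exe in Shell, the relative Explorer.exe, the path-less BCMSMMSG.exe and the mjdsok/qhjfiv entry, while the rundll32-hosted NvCpl.dll passes because the DLL it loads is fully qualified.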