Monday, October 03, 2005

aurora popup removal

I spent the better part of the weekend trying to prise this utter mongrel of a random popup generator out of a friend's pc. the fiendish thing about it is that, even once you know which programme is running it (NAIL.EXE), it's nigh-impossible to delete because of the way it's been configured to run on the back of another programme that's integral to the system bootup. so, although I think there are some legitimate custom uninstall downloads out there, I also know there are a few (including, not surprisingly, the free uninstall programme that you can get from the originating site) which just substitute one set of malware for another, so here's how to get rid of it.

(some geek-skills required: how to reveal hidden files, how to modify files in the key registry, and how to reboot in safe mode and run a command prompt)

1. Reboot in Safe Mode with Command Prompt
2. Delete NAIL.EXE from root directory
3. Reboot in Safe Mode (there'll be a message about not being able to find 'Nail.exe' which you can safely ignore, of course)
4. Run regedit.exe
5. Delete all references to the dropper files in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(they'll be obvious as they're the only ones with random filenames like zghhhrt.exe)
6. Go to HKEY_LOCAL_MACHINE\Software\WindowsNT\WINLOGON\ and locate the 'shell' command in the right pane
7. (*EXTREME CAUTION*) Double-click on 'shell' and delete the path and file name after 'Explorer.exe' in the 'Modify' sub-menu. (Do not delete the whole command - if you do you'll have trouble rebooting)
8. Reboot

that's it, basically - there's a whole mass of associated files if you can be bothered finding 'em, and whatever minor problems they might leave you with can be relatively easily dealt with later, but these (above) are the critical ones - they'll do the job.

how Aurora works is by piggybacking on the Winlogon 'shell' value that spawns the Explorer interface: its executable is appended to that value after Explorer.exe, so it's launched alongside Explorer every time the shell starts - thereby making it impossible to delete in any mode that loads Explorer - which includes Safe Mode as well as 'Normal' Mode.

as I said - fiendish.
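for anyone who'd rather check the two persistence points from steps 5 to 7 before touching regedit, here's an audit script. it's an added example, not something from the original post or from the people who wrote the thing, and PowerShell is a later tool than the regedit walk-through above. it assumes the Winlogon key lives at its standard full path, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the post abbreviates it), and it only reports unless you pass -RestoreShell, which does exactly what step 7 does: puts the 'shell' value back to explorer.exe alone.

```powershell
# Added audit script (not from the original post). Run from an elevated PowerShell.
# Report-only by default; -RestoreShell rewrites the Winlogon Shell value to "explorer.exe".
param(
    [switch]$RestoreShell   # assumption: optional fix switch, mirrors step 7 of the post
)

# Standard locations (assumed full path for Winlogon; the post abbreviates it)
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$driveRoot = $env:SystemDrive + '\'   # e.g. C:\ - where the post says NAIL.EXE sits

# 1. Winlogon Shell should be exactly "explorer.exe". Anything appended after it
#    (the post's "path and file name after 'Explorer.exe'") starts with the shell.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
Write-Host "Winlogon Shell = '$shell'"
if ($null -eq $shell) {
    Write-Warning "Shell value is missing; Windows falls back to explorer.exe"
} elseif ($shell.Trim() -notmatch '^explorer\.exe$') {
    Write-Warning "Shell value carries extra content beyond explorer.exe: '$shell'"
    if ($RestoreShell) {
        # Never clear the value entirely (step 7's warning); set it to the shell only.
        Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe'
        Write-Host "Shell value reset to 'explorer.exe'"
    }
}

# 2. Run keys: list every entry and flag ones that launch from the drive root or
#    whose target no longer exists (a leftover reference after a file was deleted).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # crude executable extraction: first quoted token, else first whitespace-delimited token
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $flags = @()
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'target-missing' }
        if ($exe -and ([IO.Path]::GetDirectoryName($exe) -eq $driveRoot)) { $flags += 'drive-root' }
        $tag = if ($flags.Count -gt 0) { '[' + ($flags -join ',') + ']' } else { '' }
        Write-Host ("{0}  {1} = {2} {3}" -f $key, $p.Name, $cmd, $tag)
    }
}

# 3. The dropper the post names, sitting in the drive root
$nail = Join-Path $driveRoot 'nail.exe'
if (Test-Path -LiteralPath $nail) {
    Write-Warning "Found $nail (the post's NAIL.EXE); remove it from Safe Mode with Command Prompt per steps 1-2"
}
```

the script deliberately doesn't delete Run entries for you: the 'drive-root' and 'target-missing' tags are there to make the random-named droppers from step 5 stand out in the listing so you can judge them yourself, since a legitimate entry can occasionally point at a missing file too.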

the guys who wrote it (it first appeared in May this year) made - I'd have thought - the serious mistake of making it available as a direct marketing ploy to all those advertisers who - if you're plagued with it - keep popping up on your desktop, thereby - unusually for virus writers - making themselves easily traceable to those who know how to trace.

so, if you happen to live in New York:

Direct Revenue LLC
107 Grand Street
3rd Floor
New York, NY 10013
V: 646.613.0376
F: 646.613.0386

go say hello.

(and if you don't have those geek skills, don't despair - your first stop for legitimate help should be here)

better still - trade in that heap of eternally vulnerable Microsoft-dependent pc shit for a Mac.

nobody listens.

