
Comments on news posted 2005-05-12 18:48:55: Spyware vendor Direct Revenue last month launched Aurora, a new piece of scumware their PR department says: "is compliant with the branding and removal standards of all major proposed Federal legislation relating to online contextual ads. ..
  MrSauga
@cable.rogers | norton? Norton shows the IP addresses of these betterinternet computers. Do you think there are too many computers to block? | |
|   StewartFromSydney
@net.au
| Stopping this Nail.exe Crap Don't bother with replacing files either, it replaced it for me after a few hours.
Instead try this
1 right click on nail.exe
2 go to properties
3 go to security
4 go to Advanced
5 uncheck Inherit from parent the permission entries etc.
6 remove all users
7 re-add administrators/your user
8 select administrators/your user and press edit
9 make sure only "change permissions" is checked
10 press OK to all open windows
This will not let it delete replace or run itself ever!
This technique works with most crapware.
Stewart from Sydney | |
|   xvi-kyle
@dsl-w.verizon
| Till death do us part I went to the Direct-Revenue.com site and used their own tool to remove the spyware. I followed the instructions exactly. It asked me to reboot, so I did. After that, windows (xp pro) will start up and get to just before the logon screen, and then the screen goes black and my computer restarts.
Safe mode doesn't help, nor safe mode w/command, nor last known good. So, my guess is that the spyware has modified some system files. Some very important system files. Some files that should not be modified by careless, 3rd party, spyware writing, idiotic, keyboard pounding monkeys.
I have never hated a company more than I do now. Luckily, I have another computer (e-machine running 2k server), but if direct revenue can't help me out, I want someone fired.
The moral of the story. DO NOT USE DIRECT REVENUE'S SPYWARE REMOVER unless you are desperate and have backed up everything on your computer onto data tapes and have had the tapes mailed to china and locked in a fireproof safe under 24 hour military protection (marines, tanks, james bond, etc.).
Good luck fighting spyware. | |
|   crap-ware
@cgocable.ca | aurora I've spent like 4 hours trying to trash that crap from my comp.
How is this crap supposed to help our business ? seriously. | |
|   SonicDust
| Taking arms... Direct revenue, in their End User License Agreement have covered themselves adequately... However, when this Aurora crap gets installed into your computer, u NEVER agree to any EULA.. A US based lawyer should seriously take this up. I seriously hope sum lawyer who's preparing for a big case gets hit by Aurora, gets pissed, and makes sure Direct Revenue goes down... badly.. The guy who made this up should die a terrible death.... So yeah, lawyers based in New York who read this... here's a good way to make sum money suing them. I don't care if I don't get money... just get rid of the idiots. | |
|   josh_w
| MyPCTuneup BS I used the mypctuneup.com removal software. It got rid of the jumping name-changing .exe-file, but not the registry entry, not Nail.exe and not the pop-ups. So no mercy on Direct Revenue. Please. Now I'm trying all tricks at the same time, see what works. Thanks for the dummy file tip! | |
|   Froh
@t3.se
| Remove the nail.exe
Reboot your PC in safe mode.
The Nail.exe is the malware exe that reproduces itself and makes it impossible to remove the aurora key in the registry and delete the file nail.exe.
You can remove nail.exe by making a textfile, rename it to nail.exe and make it read-only. Copy it into the windows dir and reboot. Remove the traces from the registry and then you are done.
Hope it works for you also.
So try this and remove it .
Good luck | |
|   KLJGASDHJ
@207.55.x.x
| =.= If you need help removing this viral infection, go to »forums.maddoktor2.com/index.php?···337&st=0 Scroll down to second to the last post. Enjoy.
By the way.. why isn't this company sent to jail yet? Is it not illegal to distribute viruses that cause harm to computers??? *Surprised they aren't in jail yet*  | |
|   Eddypro
@67.149.x.x
| Where did it come from??? I'm CONVINCED that I got NAIL.EXE from iTunes. I downloaded iTunes software to get my "free" songs from Pepsi. The next day I had NAIL on my PC.
I'm very regimented in where I go on the internet and don't stray very far from my known websites. This is the only non-normal thing I've done in a few weeks.
Who else here has downloaded iTUNES???? | |
|   EU_Visitor
@xs4all.nl | Got it... And removed it...
The latest Norton Antivirus 10, seeks it and quarantines it. After that, use the latest HijackThis to get rid of the quarantined files. | |
|   davideschulze
| remove »www.mypctuneup.com/evaluate.php
remove the following Advertising Software programs from your computer: BestOffers, BetterInternet, Ceres, LocalNRD, MSView, MultiMPP, MXTarget, OfferOptimizer, Twaintec, Aurora, BTGrab, DLMax, Pynix, SolidPeer, Zserv and some others. | |
|   MSimcox
@qwest.net
| Instructions for Aurora removal You don't need to reformat your computer to remove Aurora! It only took me two hours to delete aurora/nail, while I was writing this guide. Reformatting takes forever, especially replacing all of your files.
Here is a list of most of the files from the Aurora virus (If you don't know what to do with these files, see below) (If you use windows2000, replace C:\WINDOWS with C:\WINNT)
Main executables:
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\vwzailkubk.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\elitealp32.exe
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
These are malicious files, but I'm not positive if these are from Aurora. Either way delete them if you have them.
C:\WINDOWS\TASKMAN.exe
C:\WINDOWS\ilaijn.exe
C:\WINDOWS\ieuninst.exe
C:\WINDOWS\Q330994.exe
delete these directories (if they exist):
C:\temporary
c:\windows\browserxtras
C:\WINDOWS\EliteToolBar
main registry directory: HKCU\Software\aurora
-------------------
The Aurora Virus (yes, it is a virus) is quite a pest. Many people have tried ridding themselves of it by using antimalware/virus/spyware programs to no avail. The reason for this is because Aurora has a self duplicating, randomly named executable. This file is located in C:\windows\system32 and the name of it is six characters long (example: qwxogr.exe). The solution to this post is as follows.
I'm assuming you are computer literate and know how to use Microsoft's regedit.exe. If not, search this forum on how to use it. Some files (exes, dlls) can be hidden from regedit.exe. I suggest you use Reglite instead.
Instructions for Aurora removal:
To make this process easier, follow these two steps:
1) Boot to safe mode
1a) Restart your computer
1b) Press the F8 key continuously until the Safe Mode screen appears
1c) Choose: Safe mode, with networking (If you need the references of the internet)
2) Show hidden and system files
Start > MyComputer > Tools Menu > Folder Options > View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
It is not necessary, but if you wish to disable the annoying popup: "Windows File Protection" (which will appear many times during this process), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the key "SFCDisable" from 0 to ffffff9d. If you would like to turn it back on later, just change the value back to 0.
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe could possibly be the Aurora installer, delete this ASAP. (it could also be in your Temporary Internet Files folder)
Deleting Harmful Files
1) Clear temp dirs (temp AND temp internet files) and cookies
2) Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run using regedit.exe or reglite (Some of the entries in this directory are required for certain programs to start when Windows starts (example: antivirus). I prefer to have only required Windows files load at startup, so I deleted these registry entries. If you wish to have the programs start when Windows does (which will take up CPU cycles and RAM) leave them there.)
It will take you a while to figure out which entries are harmful, and which are not. (If you see any random numbers or letters (example: alsh2lhjasl), they are harmful.) Some of the malicious processes will be masked with names that look legitimate such as "rundll32.exe". Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there will be some registry keys that are dlls, not exes. If you modify the key, you will see:
1) a mask (example: rundll32.exe)
2) the actual dll name to delete (located in c:\windows\system32)
3) Once you figure out which entries are harmful, right click them, select "modify" to find out where they are located.
4) After locating the files, delete them, then go back and delete the registry entries they were linked to. You must be in safe mode to delete some of the files, however, there is an alternative. Killbox will allow you to delete them in normal mode, but I will not provide instructions.
5) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Modify key: "Shell", Remove "C:\WINDOWS\Nail.exe" from "Explorer.exe C:\WINDOWS\Nail.exe" (There is a major vulnerability in windows' registry. Many executables listed in the registry do not contain the full pathname. The registry entry could therefore be pointing to a "fake" explorer.exe. To fix this change the "Shell" key from: "Explorer.exe" to "C:\WINDOWS\explorer.exe" Now you know for a surety that it points to the right executable.)
The following files are on a reciprocal duplicating system (meaning, when you delete one, the other one recreates it)
C:\WINDOWS\Nail.exe
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
To permanently delete these files, follow these steps:
1) Create new text document and rename it to XXXX.exe or whatever you choose.
2) copy the name of the file (example: Nail.exe)
3) shift+delete the file
4) Rename xxxx.exe by pasting the text Nail.exe before Nail.exe remakes itself
5) Right click the new Nail.exe and click read only
Leave this file in place, it is not harmful, it contains no code. Confirm this by checking the size of the file. It should be 0 bytes. Repeat these steps for all five of the reciprocating files.
Delete these directories (if they exist):
C:\temporary
c:\windows\browserxtras
Delete the main Aurora registry directory: HKCU\Software\aurora
Once you are finished, none of these files or directories should exist:
Files:
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\vwzailkubk.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\elitealp32.exe
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
C:\WINDOWS\TASKMAN.exe
C:\WINDOWS\ilaijn.exe
C:\WINDOWS\ieuninst.exe
C:\WINDOWS\Q330994.exe
Directories:
C:\temporary
c:\windows\browserxtras
C:\WINDOWS\EliteToolBar
Main registry directory: HKCU\Software\aurora
The file that Windows File Protection keeps saying was replaced was Windows Media Player. If, after you have removed all of the harmful files, WMP doesn't work run the following program: C:\Program Files\Windows Media Player\setup_wm.exe If that doesn't update and fix WMP, then go to the Add/Remove Programs list and uninstall WMP. Once you restart your computer WMP should be reinstalled. If not insert your windows cd and install it.
-------- Prevention
Use a secure browser: Firefox or Opera (I actually prefer Opera). Use Spybot and Ad-aware weekly. Keep the spyware definitions updated! Use AVG Antivirus weekly. Keep the virus definitions updated!
Teach people who use your computer how to kill popups. (Clicking "yes" on popups will download malware, but so will clicking "no". Teach them to use CTRL+SHIFT+ESC to "end task".)
Further prevention This is the best guide on prevention: »www.silentrunners.org/sr_disinfection.html
------- Conclusion
Malware sucks! Hopefully this guide has helped you destroy the crux of your dismay, which is the sadist Aurora.
MSimcox asatt@hotmail.com | |
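The registry checks from steps 2 to 5 of the guide above (the Winlogon "Shell" value and the rundll32 "mask" on Run entries), as an added example that is not part of the original post. It works on value strings you have already read out of the registry; the function names and the `example.dll` entry are constructed for illustration.

```python
import ntpath
import re

# Constructed inputs: the Shell string is the infected value quoted in step 5;
# the Run names reuse the guide's own examples, "example.dll" is made up.
SAMPLE_SHELL = r"Explorer.exe C:\WINDOWS\Nail.exe"
SAMPLE_RUN = {
    "alsh2lhjasl": r"C:\WINDOWS\system32\qwxogr.exe",
    "helper": r"rundll32.exe C:\WINDOWS\system32\example.dll,Start",
}
EXPECTED_SHELL = r"C:\WINDOWS\explorer.exe"  # fully qualified form from step 5

# Quoted strings or whitespace-separated words. Unquoted paths that contain
# spaces are not handled and would need quoting first.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens_of(value):
    """Split a registry command string into its parts, dropping quotes."""
    return [t.strip('"') for t in TOKEN.findall(value)]


def audit_shell(value, expected=EXPECTED_SHELL):
    """Return a list of problems with a Winlogon Shell value (empty = clean)."""
    tokens = tokens_of(value)
    if not tokens:
        return ["Shell value is empty"]
    shell, extras = tokens[0], tokens[1:]
    findings = []
    if not ntpath.isabs(shell):
        # A bare "Explorer.exe" is resolved by search order, not by location.
        findings.append(f"shell '{shell}' has no full path")
    elif shell.lower() != expected.lower():
        findings.append(f"shell '{shell}' is not {expected}")
    findings += [f"extra entry after shell: {e}" for e in extras]
    return findings


def run_targets(entries):
    """Map each Run entry name to the file it really loads."""
    targets = {}
    for name, command in entries.items():
        tokens = tokens_of(command)
        if not tokens:
            continue
        target = tokens[0]
        masked = ntpath.basename(target).lower() in ("rundll32.exe", "rundll32")
        if masked and len(tokens) > 1:
            # rundll32 is only the mask; the DLL precedes ",EntryPoint".
            target = tokens[1].split(",")[0]
        targets[name] = target
    return targets


if __name__ == "__main__":
    for finding in audit_shell(SAMPLE_SHELL):
        print("Shell:", finding)
    for name, target in run_targets(SAMPLE_RUN).items():
        print("Run entry", name, "->", target)
```
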
|   rewrite
@cox.net
| mypctuneup Just cause I'm a cynic I did a whois on mypctuneup.com (whois.sc/mypctuneup.com). IP address is 64.95.228.122 -- belongs to Direct Revenue. Scares me that the company producing this computer feces also owns/hosts the site they recommend for removal. Don't think I trust them that far. | |
|   SpywareGuru
@71.112.x.x | Nail.exe removal GarbageClean from www.SecureMyWindows.com cleans all instances of Nail.exe
-SpywareGuru | |
|   gooner
@ac.uk
| xsoftspy and reg run I tried both of these to get rid of this virus along with many of the suggestions above (cost me about 4 hours work yesterday), but nothing worked. Support at XsoftSpy (paretologic.com) then emailed me an uninstaller which appears to have worked (nail.exe gone at least) - only problem is the uninstaller was made by the b*stards at Direct Revenue. Anyone know if this is likely to have installed some other junk on my pc?
also I use firefox but still managed to get aurora - does this mean I've got my firefox security settings wrong and am more at risk than I should be? | |
|  |   MSimcox
@qwest.net
| Re: xsoftspy and reg run That's great that you use firefox, but you didn't get Aurora from browsing the internet, you got it from Kazaa, or similar. You also probably didn't have a firewall. It's smart to use 3 forms of firewall protection: 1) Windows default 2) A hardware firewall (in router) 3) A software firewall like Zone Alarm, »www.zonelabs.com | |
|  CCEternal
join:2004-03-28 Youngstown, OH
·Comcast
| RE EliteBar I became infected with this when I visited a torrent site searching for anime! It took hours using all the techniques I used to use to remove the old sub7 trojan and I couldn't make any progress...so many self replicating files! Ad Aware wouldn't do anything to it, and Avast AntiVirus would find it, but by the time it found "all" the files the first had replaced themselves!
The final working solution I found was to get "believe it or not" Microsoft's Anti Spyware! running this in conjunction with Avast, the two of them tag teamed it with one doing the initial detection, then the other would pick up the other files and stop them before they could replicate themselves. After I installed MS's antispy, it was less than an hour and just 2 reboots later I was Elitebar free.
Now normally, I would NEVER recommend Microsoft's extra bs programs hehe. But this one IS worth getting especially since it's free as long as you have a real registered copy of xp. Not only did it help me get rid of this bastage, but even better it has a resident security agent that provides realtime protection, and it WILL stop it from installing in the first place! | |
|   HEXALOT INTERLINK
@widomaker.com
| NAIL.EXE If you have the nail.exe infection and lots of very important data (personal or client based) you can at least disable the virus from running while you go through hell removing it. Create a text file on your desktop and name it nail.exe. Next copy the file to your clipboard. Go into the "C:\windows" directory and locate "NAIL.EXE". Then highlight the nail.exe file. Next hit the following quickly "DEL, then ENTER, then CTRL+V" now quickly open the properties for the new nail.exe and click read only. Next time you start windows it will give you the message "NAIL.EXE is not a valid win32 application". Now the virus will not be able to reinstall because the empty nail.exe cannot be overwritten. This gives you a window to remove this sucker. Sorry if this is an already posted process but it works so I figured I'd share. | |
|   Mr 15yr
@rr.com
| I have fixed the problem - no joke I have faced the similar problem that most of you are facing, this damned Aurora b.s. I spent about an hour trying to settle this using all of the suggested solutions, and decided to make my own. What I did was similar to what a previous poster stated. Instead of making a new text document and naming it 'Nail.exe', I decided to take a different approach.. I deleted 'Nail.exe', grabbed another application file, similar to the one that 'Nail.exe' produces, copied and pasted it into the C:/Windows folder, and renamed it 'Nail.exe', then I made it read-only. Upon doing this, I quickly went to Start -> Run -> 'regedit'. I opened HKEY_CURRENT_USER/software/aurora. I deleted the whole aurora folder, then I quickly right-clicked on HKEY_CURRENT_USER/software, and clicked on 'New' -> 'Key'. I named this key 'aurora'. I then right-clicked on 'aurora', then clicked on 'Permissions...', then I selected 'deny' on the 'Full Control' option for each user, clicked 'Apply', then clicked 'Ok'. Everything seems to be working fine now.. Oh, and I also had to make sure I did EVERYTHING right, and removed:
C:\temporary
c:\windows\browserxtras
C:\Documents and Settings\(User Name)\Local Settings\Temp\toc_0032.exe (main installer)
C:\Documents and Settings\(User Name)\Local Settings\Temp\tp7543.exe (main installer)
C:\WINDOWS\vwzailkubk.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\elitealp32.exe
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
C:\WINDOWS\TASKMAN.exe
C:\WINDOWS\ilaijn.exe
C:\WINDOWS\ieuninst.exe
C:\WINDOWS\Q330994.exe
C:\WINDOWS\EliteToolBar
And everything else that looked strange to me. Just make sure you get everything out. After all of this, I felt safe, and am now not bothered by that stupid pop-up anymore. Hope this helped, if you need more help, or anything of the sort, please e-mail me at mr_polendo@hotmail.com Enjoy  | |
|   Jstncase
@comcast.net
| NAIL.EXE
»housecall.trendmicro.com
It appears to be several virii, trojans and malware programs all together. It is hidden inside of some java .jar files. I believe I got it by using/installing LimeWire or some other fileshare/bittorrent software. I know someone else got it by installing JRE and a few web pages automatically installed it. fun thing with java is it bypasses all the security and installs itself | |
|   Jon1234
@hp.com
| Hit them where it hurts... These Aurora guys are scum of the earth. I'm shooting the attached e-mail to every company whose products are advertised in the Aurora pop-ups. There's fortune 500 companies there too, so one would think they'd pay attention. If enough people complain, ad revenue generated via aurora will suddenly dry out.
quote:
Hello,
You must have signed an online advertising agreement with Direct Revenue LLC in New York. As your company's ads are frequently showing up in malicious pop-up ads driven by a 'service' called Aurora. Aurora is a pop up ad software run by Direct Revenue LLC.
I suggest you Google for Aurora and you'll see that consumers are furious about Aurora. It's the most malicious pop up ad program published so far, very difficult to get rid of.
I am not sure you want to intentionally link your reputable brand to the likes of Direct Revenue LLC. I would appreciate if you could copy me on an e-mail you send to Direct Revenue asking them to stop using Aurora in advertising your services.
Otherwise I will have to assume that you are in agreement with the malicious marketing practises of Direct Revenue LLC, and I will file a complaint with Better business Bureau against your company.
Yours truly,
Jon
end of quote | |