TechSpot

Disabling Aurora is easy

By fresh_dg87
Aug 15, 2005
Topic Status:
Not open for further replies.
  1. There is actually a very simple way to stop Aurora from running on your computer. Although this method may not thoroughly delete every trace that the spyware has on your computer, it is successful in completely stopping the annoyance from running on your system. This can be temporary until easier and more effective methods of removal are available for non-advanced users. Please read this page carefully; I cannot be held responsible for the misreading/misuse of this information.

    1. Disable System Restore. This will help keep the Aurora virus from reviving its files. You can do this by right-clicking My Computer, clicking on the System Restore tab, and unchecking the box. Click Ok.

    2. Using Notepad, open Nail.exe. Select everything in the file and erase (do not delete the file). Then overwrite Nail.exe with this blank, 0 kb updated file. If the file remains 0 kb, you're in luck! Then, unregister the DrPmon.dll file. If you don't know how to do this, look at the example below:
    Type something like this in Start > Run:
    regsvr32 /u /s /n /i c:\windows\system32\drpmon.dll

    3. CTRL ALT DELETE and look for a [random-letter filename].exe. It should be around 180kb, but I'm not positive on another system. If you aren't sure, try ending the task of a suspicious file, and if another random-letter filename pops up, then that's the one. Write the filename down. (e.g. dwinfyp.exe)

    4. Now that you have Nail.exe disabled and the dll unregistered, restart your computer in Safe mode. While in Safe mode, do the same thing as you did with Nail.exe to several files:
    A) svcproc.exe
    B) aurareco.exe
    C) buddy.exe
    D) dllvoasrs.exe
    E) dsr.exe
    F) dinst.exe
    G) [random letters].exe*

    *This file will generate random letters for its filename. It is located in c:/windows/system32/. It should be the file you wrote down.

    Note: You can quickly find these files by using Search on your computer. Not all of these files may be present on your system, so don't worry. (You may also want to do a search on your computer for the above files in the Windows Prefetch folder)

    5. Now that you have those files disabled, open your Registry (Start > Run: regedit). Use the Find feature and search for "Nail.exe" w/o quotes. You should come up with something like this:
    Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Modify the above so that it only looks like this:
    Shell=Explorer.exe

    6. Now look for the [random-letters].exe file that you wrote down, and use the Find feature to locate it in your registry. It should be under HKLM......Windows > Run. Just delete that key since it is in the startup section. After that, close out of the registry.

    7. Make sure the files mentioned in step 4 are 0 kb! If they are not, the virus may revive when you restart and you would have to start all over. If all the files (that were actually on your computer) are disabled, then you should be problem-free when you restart your computer in normal mode.

    Well I hope this works for whoever desperately wants to stop Aurora from running. This strategy should completely stop it from running, but some traces may still be left (although they will be disabled).
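    The post above describes a manual checklist: inspect the Winlogon Shell value for anything appended after Explorer.exe, look through the Run key for the known Aurora filenames and the random-letter dropper, and confirm every neutralised file is 0 kb before rebooting. The script below is an added example (not from the original post or from any TechSpot member) that turns that checklist into a pure-Python audit. It deliberately does not read the registry or the disk itself: the Shell value, the Run entries and the file sizes are passed in as plain values, so they can be copied out of regedit as the post describes or collected with the winreg and os.path.getsize modules. The random-name heuristic (5 to 9 lowercase letters under system32) and the small allowlist of common system32 binaries are assumptions of this example, and the sample data at the bottom is constructed to match the thread's description.

```python
"""Audit helper for the Aurora / Nail.exe indicators listed in the post.

Added example, not the original post's own instructions. Everything here works
on values handed in by the caller; nothing is read from a live registry or disk.
"""
import ntpath
import re

# Filenames the post lists as belonging to Aurora (compared case-insensitively).
KNOWN_AURORA_FILES = frozenset({
    "nail.exe", "svcproc.exe", "aurareco.exe", "buddy.exe",
    "dllvoasrs.exe", "dsr.exe", "dinst.exe", "drpmon.dll",
})

# Assumed heuristic for the "[random letters].exe" dropper: 5-9 lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{5,9}\.exe$")

# Constructed, partial allowlist so ordinary system32 programs with short
# alphabetic names are not reported as random-name suspects.
COMMON_SYSTEM32 = frozenset({"explorer.exe", "ctfmon.exe", "notepad.exe"})


def first_program(command: str) -> str:
    """Return the program path from a Run-key command line ('"path" args' or 'path args')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def shell_extras(shell_value: str) -> list:
    """Programs the Winlogon Shell value starts besides Explorer.exe (post, step 5).

    A clean value is exactly "Explorer.exe"; the post shows Aurora appending
    C:\\WINDOWS\\Nail.exe. The value is whitespace-separated by convention.
    """
    return [p for p in shell_value.split()
            if ntpath.normcase(ntpath.basename(p)) != "explorer.exe"]


def classify_run_entry(command: str) -> str:
    """Classify one Run-key entry as 'known-aurora', 'suspect-random-name' or 'ok' (post, step 6)."""
    path = first_program(command)
    name = ntpath.normcase(ntpath.basename(path))
    if name in KNOWN_AURORA_FILES:
        return "known-aurora"
    # The post places the random-letter file in c:\windows\system32, so only
    # look for the pattern there; ntpath.normcase lower-cases on every platform.
    in_system32 = ntpath.normcase(ntpath.dirname(path)).endswith("\\system32")
    if in_system32 and RANDOM_NAME.match(name) and name not in COMMON_SYSTEM32:
        return "suspect-random-name"
    return "ok"


def still_live(file_sizes: dict, extra_names=()) -> list:
    """Step 7 of the post: every neutralised file must be 0 bytes before rebooting.

    file_sizes maps path -> size in bytes; extra_names adds the random-letter
    filename(s) the user wrote down to the fixed list.
    """
    watch = KNOWN_AURORA_FILES | {n.lower() for n in extra_names}
    return [p for p, size in file_sizes.items()
            if ntpath.normcase(ntpath.basename(p)) in watch and size > 0]


def audit(shell_value: str, run_entries: dict, file_sizes: dict) -> dict:
    """Run all three checks and return a report dictionary."""
    verdicts = {name: classify_run_entry(cmd) for name, cmd in run_entries.items()}
    flagged = [ntpath.basename(first_program(run_entries[n]))
               for n, v in verdicts.items() if v != "ok"]
    return {
        "shell_extras": shell_extras(shell_value),
        "run_entries": verdicts,
        "still_live": still_live(file_sizes, flagged),
    }


# Constructed sample data mirroring the thread: Nail.exe hooked into the Shell
# value, a random-letter dropper and svcproc.exe in the Run key, and the
# dropper still at about 180 kb after the other files were blanked.
SAMPLE_SHELL = r"Explorer.exe C:\WINDOWS\Nail.exe"
SAMPLE_RUN = {
    "dwinfyp": r"C:\WINDOWS\system32\dwinfyp.exe",
    "svcproc": r"C:\WINDOWS\svcproc.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
}
SAMPLE_SIZES = {
    r"C:\WINDOWS\Nail.exe": 0,
    r"C:\WINDOWS\svcproc.exe": 0,
    r"C:\WINDOWS\system32\dwinfyp.exe": 184320,
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHELL, SAMPLE_RUN, SAMPLE_SIZES).items():
        print(f"{key}: {value}")
```

    On the sample data the report flags Nail.exe in the Shell value, marks svcproc as a known Aurora file and dwinfyp as a random-name suspect, leaves ctfmon and MSMSGS alone, and reports dwinfyp.exe as still live because its size is not zero. The random-name verdict is only a prompt to look, as the post itself says: confirm a suspect by ending its task and watching whether a replacement appears before treating it as Aurora.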
     
  2. zephead

    zephead TechSpot Paladin Posts: 2,483

    i think rbs's plan was better/easier...
     
  3. fresh_dg87

    fresh_dg87 TS Rookie Topic Starter

    yea well i'm here to help, not compete
     
  4. zephead

    zephead TechSpot Paladin Posts: 2,483

    there's nothing wrong with that. in fact, the community appreciates people contributing as such. i was questioning your saying that this constitutes an easy removal.
     
  5. Spike

    Spike TS Rookie Posts: 2,371

    Yes, I think I'd have to agree with zep on this.

    Now, an executable script or program that could do all that - that would be easy, but then the user concerned has to be able to trust that said script or program is safe.
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Problem with the above solution is that the information is NOT complete, there are quite a few more .exe and .dll files that need to be 'snuffed', not to mention several registry entries that need to be removed as well!

    So, if you use the above method and it works for you, you only cured SOME of the symptoms.
    Otherwise, see my post How to remove Aurora/Nailfix
     
  7. Spike

    Spike TS Rookie Posts: 2,371

    geez - I don't really know all that much about Aurora having never had it. Maybe I should deliberately infect a machine with it. It sounds like a massive piece of kit?

    How evil would someone have to be to write something like this?
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Spike, you DON'T want to KNOW, believe me.
    If you DO insist, I can PM you how to get infected voluntarily, but:

    RBS-Warning:
    Aurora is extremely detrimental to the health of your PC.
     
  9. zephead

    zephead TechSpot Paladin Posts: 2,483

    i've had to clean up many systems, and aurora is one of the toughest things to get off.
    i really want to meet the people responsible for creating aurora, and i'll be bringing a tire-iron...
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You don't need to go very far.

    Meet the makers of Aurora:
    Domain name: WWW.ABETTERINTERNET.COM
    as well as
    Domain name: WWW.DIRECT-REVENUE.COM
    Registrant:
    Thinking Media LP
    275 Madison Avenue
    New York, NY 10016
    US
    +1.8668396164
     
  11. zephead

    zephead TechSpot Paladin Posts: 2,483

    well i won't have to go as far as you, but it's a long drive over there. to the best of my knowledge NYC is nearly 1,000 miles away, but threatening letters are still an option...
     
     