There is actually a very simple way to stop Aurora from running on your computer. Although this method may not thoroughly delete every trace that the spyware has on your computer, it is successful in completely stopping the annoyance from running on your system. This can be temporary until easier and more effective methods of removal are available for non-advanced users. Please read this page carefully; I cannot be held responsible for the misreading/misuse of this information.
1. Disable System Restore. This will help keep the Aurora virus from reviving its files. You can do this by right-clicking My Computer, clicking on the System Restore tab, and unchecking the box. Click Ok.
2. Using Notepad, open Nail.exe. Select everything in the file and erase it (do not delete the file). Then overwrite Nail.exe with this blank, 0 kb updated file. If the file remains 0 kb, you're in luck! Then, unregister the DrPmon.dll file. If you don't know how to do this, see the example below:
Type something like this in Start > Run:
regsvr32 /u /s /n /i c:\windows\system32\drpmon.dll
3. Press CTRL+ALT+DELETE and look for a [random-letter filename].exe. It should be around 180kb, but I'm not positive on another system. If you aren't sure, try ending the task for a suspicious file, and if another random-letter filename pops up, then that's the one. Write the filename down (e.g. dwinfyp.exe).
4. Now that you have Nail.exe disabled and the dll unregistered, restart your computer in Safe mode. While in Safe mode, do the same thing as you did with Nail.exe to several files:
A) svcproc.exe
B) aurareco.exe
C) buddy.exe
D) dllvoasrs.exe
E) dsr.exe
F) dinst.exe
G) [random letters].exe*
*This file will generate random letters for its filename. It is located in c:/windows/system32/. It should be the file you wrote down.
Note: You can quickly find these files by using Search on your computer. Not all of these files may be present on your system, so don't worry. (You may also want to do a search on your computer for the above files in the Windows Prefetch folder)
5. Now that you have those files disabled, open your Registry (Start > Run: regedit). Use the Find feature and search for "Nail.exe" without the quotes. You should come up with something like this:
Shell=Explorer.exe C:\WINDOWS\Nail.exe
Modify the above so that it only looks like this:
Shell=Explorer.exe
6. Now take the [random-letters].exe filename that you wrote down and use the Find feature to locate it in your registry. It should be under HKLM......Windows > Run. Just delete that key since it is in the startup section. After that, close out of the registry.
7. Make sure the files mentioned in step 4 are 0 kb! If they are not, the virus may revive when you restart, and you would have to start all over. If all the files (that were actually on your computer) are disabled, then you should be problem-free when you restart your computer in normal mode.
Well I hope this works for whoever desperately wants to stop Aurora from running. This strategy should completely stop it from running, but some traces may still be left (although they will be disabled).
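The check in step 7 can be done in one pass instead of file by file. The script below is an added example, not part of the original instructions: it walks a folder for the file names listed in steps 2 and 4 and reports any that are still larger than 0 bytes, then scans the text of a regedit export for a Shell value that launches anything besides Explorer.exe and for Run entries that name one of those files. The function names, the sample export and its placeholder key paths are assumptions made for illustration.

```python
import os
import re

# File names from the steps above; pass the random-letter name via extra_names.
LISTED = {"nail.exe", "svcproc.exe", "aurareco.exe", "buddy.exe",
          "dllvoasrs.exe", "dsr.exe", "dinst.exe"}

# Constructed sample export; key paths are placeholders, not real locations.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Placeholder\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Nail.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Placeholder\Run]
"updater"="C:\\WINDOWS\\system32\\dwinfyp.exe"
"other"="C:\\WINDOWS\\system32\\example.exe"
'''

def _names(extra_names):
    return LISTED | {n.lower() for n in extra_names}

def nonempty_files(root, extra_names=()):
    """Paths of listed files under root that are still larger than 0 bytes."""
    wanted = _names(extra_names)
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() in wanted and os.path.getsize(path) > 0:
                hits.append(path)
    return sorted(hits)

def registry_findings(reg_text, extra_names=()):
    """(key, value name, data) for a Shell value that is not just Explorer.exe
    and for entries under any ...\\Run key whose data names a listed file."""
    wanted = _names(extra_names)
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            findings.append((key, name, data))
        elif key.lower().endswith("\\run") and any(w in data.lower() for w in wanted):
            findings.append((key, name, data))
    return findings
```

Both functions return an empty list when the cleanup held; regedit exports are usually saved as UTF-16, so open the file with that encoding before passing its text in.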