
Aurora / Nail.exe / Bolger.dll removal 4

Status
Not open for further replies.
yip, we've been using that for a few weeks now at TSG.

Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
Or go to and click on free uninstall tool and follow the steps.

We hope you find this helpful. Thanks again for your continued patience.

before we found that on the net, we had to use this method to get rid of aurora: nail.exe, svcproc.exe and the random 04 entry.


Go to: Start > Run
Type: services.msc
Hit Enter

In the Services window, scroll down for:

System Startup Service

Right click it and select "Properties"
Click the "Stop" button, and wait for Windows to kill the process
Then change the "Startup Type" drop-down menu from "Automatic" to "Disabled"



Copy these instructions to notepad and then restart to safe mode.

How to start your computer in safe mode (

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [quutgxl] c:\windows\system32\zbxhmsv.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window Copy and Paste the
following commands one at a time exactly as they appear below and hit the
Enter key after each one:

del C:\WINDOWS\svcproc.exe

Hit Enter

del c:\windows\system32\zbxhmsv.exe

Hit Enter

cd C:\windows

Hit Enter

nail.exe /FullRemove

Hit Enter

exit

Hit enter
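Added example (not part of the original post): a small triage script for a saved HijackThis log that picks out the three kinds of entry this procedure removes together, a program chained onto `Shell=Explorer.exe` (F2), a Run value (O4) and a service with an unknown owner (O23). The first, second and fourth sample lines are the ones quoted in the post; the `ExampleAV` and `Example Updater` lines and the `known_run_names` allowlist are constructed for illustration.

```python
import re

# Constructed sample log: three entries quoted in the post plus two
# invented benign-looking lines (ExampleAV, Example Updater) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [quutgxl] c:\windows\system32\zbxhmsv.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""

LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
SHELL = re.compile(r"Shell=Explorer\.exe\s+(?P<extra>\S.*)$", re.I)
RUN = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
SERVICE = re.compile(
    r"Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

def triage(log, known_run_names=frozenset()):
    """Return (section, reason, path) tuples for entries worth a manual look."""
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blanks
        section, body = m.group("section"), m.group("body")
        if section == "F2" and (s := SHELL.search(body)):
            # Anything after Explorer.exe is launched at every logon.
            findings.append((section, "extra program chained onto Shell=", s.group("extra")))
        elif section == "O4" and (r := RUN.search(body)):
            # Weak signal: only says the analyst has not vetted this value.
            if r.group("name") not in known_run_names:
                findings.append((section, "Run value not in known list", r.group("path")))
        elif section == "O23" and (v := SERVICE.search(body)):
            if v.group("owner").strip().lower() == "unknown owner":
                findings.append((section, "service owner unknown", v.group("path")))
    return findings

def has_all_three(findings):
    """True when shell, Run and service persistence are all present."""
    return {"F2", "O4", "O23"} <= {f[0] for f in findings}

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, known_run_names={"ExampleAV"})
    for section, reason, path in hits:
        print(f"{section:<4}{reason:<36}{path}")
    print("all three persistence points present:", has_all_three(hits))
```

An O4 hit only means the value is not on the analyst's own list; many Run entries in a real log are legitimate, so each path still needs checking before anything is fixed or deleted.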
 
bill, this was posted at the TSG forum by The_ KiD, another removal! Haven't tried it out on any victims of aurora, but I have noticed that mypctuneup isn't always working lately, especially if they try and clean it initially manually, then it becomes troublesome with Nail.exe coming back and the random 04 disappearing, you have to get all 3 at the one time!


This trojan remover also works by renaming nail.exe and stopping it from loading up and creating the random 04s.


Trojan Remover



 
bcastner
Thank you for this link.
This was a rather easy and straightforward removal of nail.exe/Aurora spyware.


_______________________________________

Eman_2005
Technical Communicator
 
bump this to the top as I'm working on a computer with Aurora right now...
 
this is another fix for aurora/nail.exe, as this can be troublesome sometimes to remove with ABI remover and using the uninstaller from mypctuneup.


Download the Nail/aurora fix






* Download the trial version of Ewido Security Suite here



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know
how.


How to boot to safe mode



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:


* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will
disappear and reappear, and a window should open and close very quickly ---
this is normal.


* Now run Ewido:

* Click on scanner
* Put a check by the following before you scan:
o Binder
o Crypter
o Archives
* Click the Start Scan button to start the scan.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



download and run ccleaner.

 
All this sounds sweet and dandy, but will this prevent Aurora Nail.exe from re-haunting Windows in the future?

It keeps coming again and again.

_______________________________________

Eman_2005
Technical Communicator
 
In my experience, yes it will.

This is an annoying, but not impossible, malware to clean with a careful read of the advice above.
 
just to add on bcastner's post..

I finally got rid of Aurora's Nail.exe with ewido 3.0
It is really a good tool for this annoying pest. Now everything is working okay, and hope to have it that way for some time (if possible nowadays).
Ewido instantly found all signs of it and dealt with it with no problem, so I also think that it cannot return that easily now, at least in this version.


greets,
Marko 9A6NCM

 
pechenegs,

Thanks for adding to, and enhancing considerably my original post to try and help most efforts to rid people of this pest. A star for your incredible efforts.

While the pest has morphed slightly over time, I believe most of the discussions in this thread should allow a completely safe removal of this pest. If infected, start from the bottom and work upwards as removal steps become more sophisticated.

Thanks again, pechenegs..
Bill Castner




 
Yes, I must express my thanks to pechenegs too, although I have not run ewido yet, but I will, next time I (or my wife) get this nasty adware.
Thanks to MCesic too for the confirmation.

_______________________________________

Eman_2005
Technical Communicator
 
bcastner,
I followed the instructions in the link for the ABIremover. I did not have a random key in the registry (what is a random key?) like HKLM\Software\Microsoft\Windows\Current version\run or the bolger BHO. How can I tell what to delete in Hijackthis after running ABIRemover? Then, how do I know what to delete in system 32 directory? Thanks
 
Bcastner & Pechenegs,

Thank you both for posting tips on how to successfully remove nail\aurora and bolger. I first downloaded the ABIRemover tool and it might have done some good but I don't think it was totally successful. I then downloaded the nailfix, ewido and ccleaner tools and that got rid of all of the nail, aurora and bolger malware. Thanks, again, for posting useful information.
 
you're welcome Bill C, I have been using all those methods at various times to remove this pest, it's by far one of the worst recently, worse than smitfraud-C which usually goes if the user follows the instructions and the bube.d which can be cleaned up using Kaspersky's trial and Microsoft's antispyware which is proving to be a quite excellent tool!

If anyone needs instructions on the removal of smitfraud let me know, in fact I'll make a separate post on this tonight!
 
pechenegs,

A quick question. After I ran the ewido in safe mode and ccleaner I rebooted to normal mode. Then, I went to add\remove software and tried to remove the ABIDirect Revenue application. It would not uninstall the application, it kept opening the Direct Revenue web page. Does this mean the PC is reinfected with nail and aurora? The PC seems to still be running slow. Any ideas. Thanks.
 
Try and uninstall it with its own remover? I'm not familiar with ABI remover I have never used it!

Post a hijack this log here if you want, it will tell us what's going on with your computer and if you are clean?

Download hijack this from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so we can take a look at it for you. Don't click fix on anything in hijack this as most of the files are legitimate.
 
well, i booted in safe mode, ran the ewido scanner, and it crashes when it gets to one temporary file. i might be able to delete the file from the command line myself, but it doesn't stay up long enough for me to catch the name. i thought i might be able to remove the 8 letter .exe file if i booted from the windows cd rom and used the recovery console, but the owner of the computer i'm trying to fix doesn't know their administrator password.

any advice?

also, i ran the remover at first like the directions said to, but i still see the random 8 letter .exe file running in the task manager, i try to end it, but of course it just comes up with another one.

thanks.
ravi
 
pechenegs,

thank you for your advice and for offering to review the HiJack this log file. The PC I am working on belongs to a very good friend and she has been very busy the last two days. I hope to be able to access her pc again this week and will post the result at that time. She says her PC is running very slowly at the moment she has a 1.2 ghz cpu and 128 ram. I mentioned to her that more ram would help applications open up faster and provide more memory for multi tasking. I think that she might still have some malware or spyware which is also slowing the system down. I just wanted to let you know that I will post the HJT log as soon as I can. Thanks Intuity.
 
ravi, run the nailfix first in safe mode then run ewido in safe mode, the tmp file shouldn't be a problem, it's a lot easier to advise with a hijack this log, try running ewido in normal mode,

download and run ccleaner, that will take care of the temp folders!

you can also try this uninstaller from the makers of the ads.


 