
Here's an interesting undetected bug I just came across.........


cak46


Posted the following in Avast's forum.... BTW:  Thanks PHP.  Avast was the only AV program I could get to run on this machine, even in safe mode.....  Any thoughts on this?

I'm a newbie with a question.  I have a process that when killed, comes back renamed but the exact same size.  Avast and AVG with all the newest updates are not detecting this.  I captured a copy of the .exe file, renamed it, then edited it.  Looks like it uses upx 1.24 to unpack or pack itself.  Wish it would be detected by something.  Also did adaware as well.  This machine had mucho adware, trojan horses, regular viruses.  You name it, she had it.  Now I'm down to just this one bugger.  I've used killbox, no good, the program/process just comes back renamed.  Looks like when you kill the process, it deletes the corresponding file name on the hd.  BTW, it's running from the c:\windows\system32 directory on a Windows XP SP1 machine.  (I do not dare get on the net with it until this bug is gone. Made that mistake early in the game before.)  Can anyone help with this or is Avast interested in the file I have (renamed of course)?

Edit:  Also ran stinger, and perused the registry with hijackthis and used ms's malicious program removal tool at one point......

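The post above says the respawning executable "uses upx 1.24". As an added example (not from the thread, and not code from Avast, AVG or any tool named here), the Python below reads a PE's section table and reports the markers UPX leaves behind: section names UPX0/UPX1, a first section with a large VirtualSize but no bytes on disk, the "UPX!" pack-header magic and the version string. The PE image it checks is a constructed, headers-only stub that cannot run; a practitioner would point parse_sections() at the renamed copy the poster captured instead.

```python
"""Spot a UPX-packed Windows executable from its PE headers.

Added example, not from the forum thread. The image built by build_stub_pe()
is a constructed headers-only PE that cannot run; it only reproduces the
section layout and marker strings that UPX leaves in a packed file.
"""
import re
import struct

SECTION_HDR_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)


def parse_sections(data: bytes):
    """Return [(name, VirtualSize, SizeOfRawData), ...] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR_FMT, data, table + i * SECTION_HDR_SIZE)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[1], f[3]))
    return sections


def upx_indicators(data: bytes):
    """List the signs of UPX packing found in the image; [] means none."""
    found = []
    sections = parse_sections(data)
    upx_names = [n for n, _, _ in sections if n.startswith("UPX")]
    if upx_names:
        found.append("section names " + ",".join(upx_names))
    # UPX0 is where the original image is unpacked at run time: it has a
    # large VirtualSize but occupies no bytes in the file.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        found.append("first section has no raw data")
    if b"UPX!" in data:                      # magic of the UPX pack header
        found.append("'UPX!' pack header magic")
    m = re.search(rb"UPX (\d+\.\d+)", data)  # version in the copyright string
    if m:
        found.append("version string UPX " + m.group(1).decode())
    return found


def build_stub_pe(section_specs, trailer=b""):
    """Constructed minimal PE: DOS stub, PE signature, COFF + zeroed optional
    header, then one 40-byte header per (name, VirtualSize, SizeOfRawData)."""
    e_lfanew, opt_size = 0x40, 0xE0                 # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HDR_SIZE * len(section_specs)
    table = b""
    for name, vsize, rawsize in section_specs:
        table += struct.pack(SECTION_HDR_FMT, name.ljust(8, b"\0"), vsize, 0x1000,
                             rawsize, raw_ptr, 0, 0, 0, 0, 0xE0000060)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + optional + table + trailer


# Constructed samples: a UPX-style layout and an ordinary compiler layout.
PACKED = build_stub_pe(
    [(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x8000), (b".rsrc", 0x1000, 0x400)],
    trailer=b"$Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. $\0UPX!",
)
PLAIN = build_stub_pe(
    [(b".text", 0x3000, 0x3000), (b".data", 0x800, 0x400), (b".rsrc", 0x400, 0x400)]
)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(image) or "no UPX indicators")
```

Treat the markers as hints, not proof: section names and strings are trivial for an author to rename, and a packed file is not malicious by itself. What makes the poster's file worth the look is the combination of a packer, a random name in %WINDIR%\system32 and a process that re-creates itself when killed.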

It's not that damn Aurora adware, was a pain in the ace on my buddy's PC.

It would keep regenerating with a new name, also.

Found info from BBR: http://www.broadbandreports.com/forum/remark,13561597?hilite=aurora

Could be.  That was one of the many bugs that Avast got rid of.  Right now I do get an error with Nail.exe not being found on boot up.  Was planning on deleting that entry later.  Thing that makes this difficult is that it is a multi-user machine.  I'll give it a try tomorrow.  Thanks much in advance!  :)


That is it, nail.exe is its other name.

Did you read the BBR link I posted?

They call it Aurora/Nail:

"You don't need to reformat your computer to remove aurora! It only took my two hours to delete aurora/nail, while I was writing this guide. Reformatting takes forever, especially replacing all of your files."



Yup.  Read through it and bookmarked it.  Avast did find the most of it, just not this 200kb process that keeps reactivating.  I have a feeling that if I put the machine on the web, it's all going to go to pot really fast.  I generally don't reformat until the fat lady sings, or the machine is a trainwreck.  Thanks again.  Will let you know how I fare tomorrow evening when I attempt the fix.


Here's a fix you can download: http://www.noidea.us/easyfile/file.php?show=20050515010747824

Here's removal directions from a forum called "Spyware Warrior". This looks like a tricky removal.

1 -- Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2 -- Please go to the following website

http://www.noidea.us/easyfile/file.php?download=20050515010747824

. Click on Spyware Utilities.

. Then click on Nail/Aurora Fix

download Nailfix.exe

Unzip it to the desktop but please do NOT run it yet.

3 -- Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

4 -- Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5 -- Then please run Ewido, and run a full scan. Save the logfile from the scan.

6 -- Next please run HijackThis, click Scan, and put a check mark beside:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [pbmxhik] c:\windows\system32\ejfbdi.exe r

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

7 -- Then use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\WINDOWS\Nail.exe <-- this file

C:\WINDOWS\systb.dll <-- this file

C:\WINDOWS\svcproc.exe <-- this file

C:\WINDOWS\wupdt.exe <-- this file

c:\windows\system32\ejfbdi.exe <-- this file

C:\WINDOWS\system32\picsvr <-- this folder

C:\WINDOWS\system32\nsvsvc <-- this folder

Please let me know about any problems with the file/folder deletes.

8 -- Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido

Thanks

daveai

_________________

If you found our service worthwhile, and want to help keep Spyware Warrior running please consider donating here.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

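The removal post above walks through the HijackThis entries one by one. As an added example (not part of the thread, and not HijackThis code), the Python below parses those same log lines, with the backslashes this page lost restored, and sorts them by the mechanism that brings the file back: the Winlogon Shell value (the "Shell=Explorer.exe C:\WINDOWS\Nail.exe" line, which a later reply identifies as the culprit behind the "Windows cannot find nail.exe" message), the Run keys, a BHO that gets loaded inside explorer.exe and Internet Explorer, and a service that starts before anyone logs on. The sample log is constructed from the quoted entries; the mechanism descriptions are the standard meaning of each HijackThis section prefix ("HKLM\..\Run" is HijackThis shorthand for HKLM\Software\Microsoft\Windows\CurrentVersion\Run).

```python
"""Triage HijackThis-style log lines by persistence mechanism.

Added example, not from the forum thread and not HijackThis itself. The
sample log is constructed from the entries quoted in the removal steps.
"""
import re

# Why each kind of entry makes a file come back after you delete it.
MECHANISM = {
    "F2":  "Winlogon Shell value: run at every logon, before the desktop appears",
    "O2":  "Browser Helper Object: DLL loaded inside explorer.exe and iexplore.exe",
    "O3":  "IE toolbar: DLL loaded inside iexplore.exe",
    "O4":  "Run key: run at every logon",
    "O23": "Windows service: started at boot, before any user logs on",
}
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")      # drive-letter path, no spaces


def parse_log(text: str):
    """Turn log lines into dicts: kind, body, every file path, orphan flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                              # header lines, blanks, chatter
        body = m.group("body")
        entries.append({
            "kind": m.group("kind"),
            "body": body,
            "paths": PATH_RE.findall(body),
            "orphan": "(no file)" in body,        # registry points at a deleted file
        })
    return entries


def shell_extras(entries):
    """On a clean XP box the Winlogon Shell value is exactly 'Explorer.exe';
    anything after it is launched at logon alongside the desktop."""
    extras = []
    for e in entries:
        if e["kind"] == "F2" and "Shell=" in e["body"]:
            value = e["body"].split("Shell=", 1)[1]
            extras += [tok for tok in value.split() if tok.lower() != "explorer.exe"]
    return extras


def removal_plan(entries):
    """Group findings so every launcher is removed before its file is deleted
    (otherwise the surviving launcher re-creates or re-runs the file)."""
    plan = {"launchers": [], "files": [], "orphans": []}
    for e in entries:
        if e["orphan"]:
            plan["orphans"].append(f'{e["kind"]}: {e["body"]}')
            continue
        why = MECHANISM.get(e["kind"], "other")
        plan["launchers"].append(f'{e["kind"]}: {e["body"]}  [{why}]')
        for p in e["paths"]:
            if p not in plan["files"]:
                plan["files"].append(p)
    return plan


# Constructed sample, built from the entries quoted in the removal steps.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [pbmxhik] c:\windows\system32\ejfbdi.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("extra Shell entries:", shell_extras(entries))
    plan = removal_plan(entries)
    for section in ("launchers", "orphans", "files"):
        print(f"\n{section}:")
        for item in plan[section]:
            print("  ", item)
```

The ordering matters for the kind of bug described in this thread: the BHO entry is a DLL that runs inside explorer.exe, which would fit the later observation that the random process only comes back once explorer.exe is running again, and a Shell value or Run key fires at the next logon, so fixing the launchers in Safe Mode before deleting the files is the order the Spyware Warrior steps use.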

Had a friend with this same problem Aurora/Nail bug.  Took me a long time to finally get rid of it.  I used AVG free to find what I could & remove it along with Microsoft's Spyware & Spy Sweeper.  It kept popping up that Windows couldn't find the file nail.exe on each boot up.  I finally went into the Registry and searched for every trace of "nail.exe" and removed them.  The one in the windows logon file seemed to be the culprit.  Once it was removed the error never popped back up.  Hope this will help.

Yeah, this is only part of the problem with this bug.  If you are running xp, do ctrl+alt+delete.  In the process list check to see if there is a randomly named file that doesn't "fit" in the list that may be 200Kb in size.  This file, I believe, is remnants of the aurora bug.  To find out if it is, end that process and watch closely because a new process will pop onto the list almost instantly after you end the original process.

Thanks for all the help!    :)  Going to try and eliminate it with your suggestions in a bit.


Sorry about the double post. Falco, I tried your fix first, since it seemed less involved and a quick try.  Looks like this issue may not be Aurora after all.  Ran the fix then looked for the files mentioned and found none of them.  The process disappeared when explorer was shut down by the fix, but came back on instantly when explorer came back up.  :cry: Looks like, the more I dig, it is directly tied to explorer.exe because if I just end the explorer.exe process and then end the random process, it does not come back until the explorer.exe process is restarted. I may try killing each module, one by one, under the explorer.exe process to see if I can find which is restarting the random process.  BTW:  The bad process starts at about 176kb of mem usage then climbs steadily in memory usage over time.  Scanned the file with the same name as the process involved directly with AV, nothing found.  DN0, will give your fix a try next.

Edit:  Ran TrojanHunter.  Found it, but can't get rid of it.  The trojan is Agent.214.  TH stops the process and can rename it, but gives the process enough time to reconstitute itself.  Anyone know of a scanner that will kill this bug or will this be a blood-letting ritualistic manual removal?
