Help Me Test a Spyware Solution

In my day job (i.e., when I'm not filling in on this blog for Brian Krebs), I write the Help File how-to column in Sunday's Business section. Spyware is a perennial topic in that space, and by far the worst spyware offender -- to go by the mail I get from readers -- is the parasite known variously as Aurora, ABetterInternet, or nail.exe.

I'd like to offer readers some usable tips on how to yank this thing -- tips that don't include editing 16 different lines in the Windows registry -- and I think I might have come across a workable remedy.

It involves mangling the nail.exe file that drives an Aurora infestation in a way that preserves that file's size and name (one of the nastier parts of this spyware beast is the way it recreates nail.exe each time it's removed).

I found this suggestion on a Web forum -- I don't remember which one -- and tested it successfully on one Aurora-infected laptop.

If you have Aurora on your Windows XP machine and would like to help, try the instructions in the next section. Let me know in the comments here or via e-mail whether it worked or not, or if any parts of this should be changed.

If all goes well, the results of this little experiment in open-source journalism could show up in print in a week or two.

1. The first step is to shut off the infected machine's Internet access, so that Aurora's components can't attempt to download fresh copies of themselves. Make sure your PC is no longer connected to a live modem, wireless network or whatever you use to get online.

2. Then open the Notepad program (in the Start Menu's Accessories sub-menu), which you'll use to mangle the nail.exe file at the heart of an Aurora infection. In Notepad, select "Open..." from the File menu, choose "All Files" from the drop-down "Files of Type" menu at the bottom of the screen, navigate to the "Windows" folder of your C: drive and select "Nail.exe."

3. Now that you have this program open in Notepad, select a random chunk of it, choose "Cut" from Notepad's Edit menu. Then scroll up or down at random and choose "Paste" from the Edit menu. Repeat several times, then save the file. The goal is not to delete nail.exe but to leave behind a file of the same name and size that Windows can no longer run, so that whatever recreates it has nothing to replace.

4. Run an anti-spyware utility (I suggest Microsoft's Anti-Spyware beta, but any up-to-date one should do). It should report Aurora is present on your machine, then offer to clean it up. Let it.

5. The next step is to open Microsoft's Registry Editor. From the Start Menu, select "Run...", type "regedit" and hit Enter.

6. In that program's left-hand column, double-click "HKEY_LOCAL_MACHINE," then double-click each of the following child items as it appears: "SOFTWARE," "Microsoft," "Windows NT," "CurrentVersion," then finally, "Winlogon."

7. Now switch to the right-hand pane, scroll down and double-click "Shell." That will open a window titled "Edit String"; the "Value data" field should read only "Explorer.exe." Delete anything else you see there, click OK and exit Registry Editor.

8. Reboot your PC, and run your anti-spyware program to confirm that Aurora is gone.

9. Now delete the Nail.exe file you previously scrambled. Restart, and run another anti-spyware scan. You should be clear from now on.
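The procedure above does two things that are worth seeing in code: it spoils nail.exe in place so the name and size survive but Windows refuses to load it, and it checks the Winlogon "Shell" value for anything other than Explorer.exe. The following is an added example, not part of Rob's column and not a tool the Post published; it works offline on a constructed stand-in for a small executable rather than on a real nail.exe, and it goes beyond the random cut-and-paste in step 3 by zeroing the two signatures the Windows loader checks first ("MZ" at offset 0 and "PE\0\0" at the offset stored at 0x3C), which is a deterministic way to get the same result. The separator handling in `extra_shell_entries` (commas or whitespace, no quoted paths) is an assumption made for the example.

```python
import struct

DOS_HEADER_LEN = 0x40   # the DOS stub header; e_lfanew lives at offset 0x3C inside it


def make_fake_pe(total_size=1024, e_lfanew=0x80):
    """Constructed stand-in for a small Win32 executable (not nail.exe).

    Only the fields the Windows loader inspects first are populated: the "MZ"
    DOS signature, the e_lfanew pointer at 0x3C, and the "PE\\0\\0" signature it
    points to. Everything else is filler so the file has a realistic size.
    """
    buf = bytearray(b"\x90" * total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


def looks_like_pe(data):
    """True if both signatures are intact, i.e. the loader would accept the image."""
    if len(data) < DOS_HEADER_LEN or data[0:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def neutralize_pe(data):
    """Return a same-length copy with the DOS header and PE signature zeroed.

    The file keeps its name and byte count, so a watchdog that only checks for
    the file's presence sees nothing to restore, while Windows reports the
    familiar "not a valid Win32 application" error instead of running it.
    """
    if not looks_like_pe(data):
        raise ValueError("not a PE image; refusing to modify it")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    out = bytearray(data)
    out[0:DOS_HEADER_LEN] = b"\x00" * DOS_HEADER_LEN
    out[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    return bytes(out)


def neutralize_file(path):
    """In-place variant for a real file: read it, then overwrite the same bytes."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "r+b") as f:     # r+b keeps the inode, name and size
        f.write(neutralize_pe(data))


def extra_shell_entries(shell_value):
    """Split a Winlogon 'Shell' value and return every entry that is not Explorer.exe.

    A clean XP machine has exactly "Explorer.exe". Assumption for this example:
    extra entries are separated by commas or whitespace and contain no spaces.
    """
    entries = [e for e in shell_value.replace(",", " ").split() if e]
    return [e for e in entries if e.lower() != "explorer.exe"]


if __name__ == "__main__":
    sample = make_fake_pe()
    dead = neutralize_pe(sample)
    print("same size:", len(sample) == len(dead))
    print("runs before:", looks_like_pe(sample), " runs after:", looks_like_pe(dead))
    print("extra Shell entries:", extra_shell_entries("Explorer.exe C:\\WINDOWS\\Nail.exe"))
```

On a live machine `neutralize_file` would be pointed at the copy of nail.exe in the Windows folder, with the network unplugged as in step 1; `extra_shell_entries` takes the string from the "Value data" field of the Shell value in step 7, and anything it returns is what step 7 tells you to delete.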

-- Rob Pegoraro
Washington Post consumer technology editor

By Brian Krebs  |  October 20, 2005; 1:49 PM ET

Comments

SRC corp has a solution for nail.exe and the other infections you are talking about. SRC corp is a network security tool designed to help secure and increase productivity in the work place. You can try it free for 30 days
http://www.srctechs.com

Posted by: Brian Colms | October 20, 2005 4:50 PM | Report abuse

Why do users continually take on the pain and agony of the core problem 'windows'. Why not just buy a new Mac Mini and be happier?

Honestly, is it in your best interest, and the public's best interest, to continue to bandage an obviously broken system? Why not just suggest they save themselves the long term trouble and just spend $600 on a computer that is not part of the problem?

Posted by: Chris | October 22, 2005 1:59 AM | Report abuse

Although your solution seems to be quite novel, it doesn't take into account that the first 2-4 KB of the file is where the startup info is, and what you really should cut and paste some place is the very start of the file to some place else other than the start. When you do that, it won't even start running. On the other hand, the AV program may flag it as being infested with a virus using either method (random or move start some place else).

Posted by: Henry Hertz Hobbit | October 22, 2005 10:03 PM | Report abuse

spy ware is a butt

Posted by: Anneliese Toumey | October 23, 2005 4:26 PM | Report abuse

I clean PCs all day of spyware and I have found only one method that's foolproof. First the PC must be restarted in safe mode. Do a search for Nail.exe, then highlight it in the found box and hit delete. Before you confirm the delete, open a command prompt, change to the c:\windows (or winnt) folder, and type "copy con Nail.exe". Now press F6, and before you hit enter, go back to the confirm delete box, hit enter, then switch to the command prompt and hit enter. It will briefly ask to confirm the overwrite of Nail.exe, say yes. You now have an empty Nail.exe text file. Restart, so it tries to run it, you'll get a windows error like "Nail.exe is not a valid Windows Application". You NOW can remove the Nail.exe from the WINLOGON key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion. If you try to remove this key BEFORE you screw up Nail.exe the key will be recreated immediately. Running other spyware utils can be done at this point. HijackThis is one of the best, it removes keys from everywhere.

Posted by: Jeff K from Brooklyn | October 25, 2005 12:10 AM | Report abuse

Sorry but your solution didn't work. I did manage to get Aurora stymied by faking the nail.exe file but abetterinternet still shows up and runs every time I turn on the PC regardless of how many times I run MS Antispyware, Spysweeper, etc. Even the above-posted SRC app did not work.

Looks like I'll have to wipe the drive and start over...

Posted by: Stan Richardson | November 7, 2005 6:38 PM | Report abuse

Somebody suggested a novel method to remove the infection:
"Why do users continually take on the pain and agony of the core problem 'windows'. Why not just buy a new Mac Mini and be happier?"
My dear friend, MacMini does not have this virus because fewer people buy MacMini, so it does not make sense to have a virus for it. If enough people had Mac Mini someone would have created a nail.exe for it too.

Posted by: Sage | November 17, 2005 3:54 PM | Report abuse

I recently tried for an evening to get rid of nail.exe and all of its nastiness, only to see it keep recreating itself and repeating the infection. In the process, I watched task monitor, killed the randomly named processes and watched new ones appear, etc. During all this, I got an idea and it worked.
After restarting in safemode, I killed the latest identified process, immediately deleted nail.exe, then immediately UNPLUGGED THE MACHINE. As a result, the process was unable to reproduce itself. I went back into safe mode and deleted the resultant traces, based on the names of the files and processes I had last identified.

Posted by: JNTECH | November 26, 2005 4:25 PM | Report abuse

The best way of ridding oneself of this and most other spyware is to boot to an alternate boot environment and manually delete the offending file. The CD distro of Knoppix works quite well, as it can mount NTFS partitions. However, creating your own Ultimate Boot CD:

http://www.ultimatebootcd.com/

is really the best way to go, as it allows you to also run several popular freeware/shareware virus and spyware scanning utilities outside of the normal Windows environment.

Posted by: Chris of Death | December 8, 2005 11:40 PM | Report abuse

Excellent!
I used your instructions to remove nail.exe from my computer and it worked! I couldn't use the "Note Pad" instruction part...went straight to the Registry Editor and deleted it from there. Restarted my computer and it was gone. I had another problem with NewDot which I got instructions for deleting from another source which was similar to your instructions for nail.exe and that worked also. Thank you so much for writing this article! This is great!

Posted by: james brown | January 1, 2006 8:39 AM | Report abuse

I've been having problems with this nail.exe bug for quite some time. Every time any of my programs find it and delete it, it just comes back. I began to have serious problems with all my programs, the computer was really sluggish, searching the web was a nightmare, and it disabled my antivirus software. I have finally been free of it for several days now. All I did was use Noadware. When it pulled it up just like usual I told it to delete it. When it asked if I wanted to back it up I said no. Then I immediately shut down my computer. Waited a few minutes and turned it back on. Then I ran Noadware, Spybot S&D and my McAfee scan. None of them found anything, even the Better Internet stuff was gone. Hope this works as well for others as it has for me. Good Luck All!

Posted by: Cyndy Hamilton | July 13, 2006 11:23 PM | Report abuse


© 2010 The Washington Post Company