Help Me Test a Spyware Solution
In my day job (i.e., when I'm not filling in on this blog for Brian Krebs), I write the Help File how-to column in Sunday's Business section. Spyware is a perennial topic in that space, and by far the worst spyware offender -- to go by the mail I get from readers -- is the parasite known variously as
I'd like to offer readers some usable tips on how to yank this thing -- tips that don't include editing 16 different lines in the Windows registry -- and I think I might have come across a workable remedy.
It involves mangling the nail.exe file that drives an Aurora infestation in a way that preserves that file's size and name (one of the nastier parts of this spyware beast is the way it recreates nail.exe each time it's removed).
I found this suggestion on a Web forum -- I don't remember which one -- and tested it successfully on one Aurora-infected laptop.
If you have Aurora on your Windows XP machine and would like to help, try the instructions in the next section. Let me know in the comments here or via e-mail whether it worked or not, or if any parts of this should be changed.
If all goes well, the results of this little experiment in open-source journalism could show up in print in a week or two.
1. The first step is to shut off the infected machine's Internet access, so that Aurora's components can't attempt to download fresh copies of themselves. Make sure your PC is no longer connected to a live modem, wireless network or whatever you use to get online.
2. Then open the Notepad program (in the Start Menu's Accessories sub-menu), which you'll use to mangle the nail.exe file at the heart of an Aurora infection. In Notepad, select "Open..." from the File menu, choose "All Files" from the drop-down "Files of Type" menu at the bottom of the screen, navigate to the "Windows" folder of your C: drive and select "Nail.exe."
3. Now that you have this program open in Notepad, select a random chunk of it and choose "Cut" from Notepad's Edit menu. Then scroll up or down at random and choose "Paste" from the Edit menu. Repeat several times, then save the file.
4. Run an anti-spyware utility (I suggest Microsoft's Anti-Spyware beta, but any up-to-date one should do). It should report Aurora is present on your machine, then offer to clean it up. Let it.
5. The next step is to open Microsoft's Registry Editor. From the Start Menu, select "Run...", type "regedit" and hit Enter.
6. In that program's left-hand column, double-click "HKEY_LOCAL_MACHINE," then double-click each of the following child items as it appears: "SOFTWARE," "Microsoft," "Windows NT," "CurrentVersion," then finally, "Winlogon."
7. Now switch to the right-hand pane, scroll down and double-click "Shell." That will open a window titled "Edit String"; the "Value data" field should read only "Explorer.exe." Delete anything else you see there, click OK and exit Registry Editor.
8. Reboot your PC, and run your anti-spyware program to confirm that
9. Now delete the Nail.exe file you previously scrambled. Restart, and run another anti-spyware scan. You should be clear from now on.
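Two of the steps above lend themselves to a small script, so here is an added example (my code, not anything from the original post or from any anti-spyware vendor). The first function does the checking behind step 7: it splits a Winlogon "Shell" value, which Windows treats as a comma-separated list of programs, and reports every entry that is not the expected "Explorer.exe". The second does step 3 programmatically: it cuts random chunks of a file's bytes and pastes them elsewhere, so the file keeps its exact size and name but is no longer a working program. The sample Shell value and the sample bytes are constructed for the demonstration; the one function that reads the live registry only works on Windows and is never called automatically.

```python
"""Added example, not from the original post: helpers that mirror the
Aurora/nail.exe cleanup steps described above.

Assumptions (mine): the Winlogon "Shell" value is a comma-separated list of
programs and the only legitimate entry is "Explorer.exe". Nothing below
touches a live registry unless you call read_live_shell_value() on Windows.
"""
import random
import sys

# Key path exactly as the post walks through it in Registry Editor (step 6).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "Explorer.exe"


def audit_shell_value(value: str) -> tuple[str, list[str]]:
    """Step 7 as a check: return (cleaned_value, extra_entries).

    The extras are exactly what the post tells you to delete by hand in the
    "Edit String" window; anything other than Explorer.exe in this value is a
    program Windows launches at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if e.lower() != CLEAN_SHELL.lower()]
    return CLEAN_SHELL, extras


def scramble_preserving_size(data: bytes, rounds: int = 8, seed=None) -> bytes:
    """Step 3 done programmatically: cut a random chunk, paste it at a random
    position, repeat. Length and byte contents are preserved, so the file
    still looks like the same nail.exe by size, but it no longer runs.
    """
    rng = random.Random(seed)
    buf = bytearray(data)
    n = len(buf)
    if n < 2:
        return bytes(buf)
    for _ in range(rounds):
        start = rng.randrange(n)
        length = rng.randint(1, max(1, n // 4))
        chunk = buf[start:start + length]   # "Cut"
        del buf[start:start + length]
        dest = rng.randrange(len(buf) + 1)
        buf[dest:dest] = chunk              # "Paste" somewhere else
    return bytes(buf)


def read_live_shell_value() -> str:
    """Read the real HKLM Winlogon Shell value (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Windows registry is not available on this platform")
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


if __name__ == "__main__":
    # Constructed sample: the shape of a Shell value with an extra entry tacked on.
    sample_value = "Explorer.exe, C:\\WINDOWS\\Nail.exe"
    cleaned, extras = audit_shell_value(sample_value)
    print("cleaned Shell value:", cleaned)
    print("entries to remove:  ", extras)

    # Constructed sample bytes standing in for a file's contents.
    sample_bytes = bytes(range(256)) * 4
    scrambled = scramble_preserving_size(sample_bytes, seed=1)
    print("size unchanged:", len(scrambled) == len(sample_bytes))
```

To use the scrambler on a real file, read it in binary mode, pass the bytes through scramble_preserving_size, and write the result back over the same path, with the machine offline as step 1 requires; the audit function is handy as a quick after-reboot check that the Shell value stayed clean.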
Washington Post consumer technology editor
Posted by: Brian Colms | October 20, 2005 4:50 PM
Posted by: Brian Colms | October 20, 2005 4:51 PM
Posted by: Brian Colms | October 20, 2005 4:53 PM
Posted by: Chris | October 22, 2005 1:59 AM
Posted by: Henry Hertz Hobbit | October 22, 2005 10:03 PM
Posted by: Anneliese Toumey | October 23, 2005 4:26 PM
Posted by: Jeff K from Brooklyn | October 25, 2005 12:10 AM
Posted by: Stan Richardson | November 7, 2005 6:38 PM
Posted by: Sage | November 17, 2005 3:54 PM
Posted by: JNTECH | November 26, 2005 4:25 PM
Posted by: Chris of Death | December 8, 2005 11:40 PM
Posted by: james brown | January 1, 2006 8:39 AM
Posted by: Cyndy Hamilton | July 13, 2006 11:23 PM