Maximum Aardvark


Removing Aurora: Yeah, Right

One of my duties on my recent trip to Scotland was cleaning up the home network of one of our associates there, and that meant dealing with spyware. I’ve always been fairly meticulous about what kind of software I install on my own computers, and most of my family has transitioned to Macs in the past couple of years, so up until last week my only real awareness of how to deal with such an annoyance was along the lines of, “Install Adaware”.

That was my first instinct, followed closely by Spybot when Adaware didn’t seem to work. Most things seemed cleared out pretty well after a couple of scans by each program, but a few random-looking processes hung around and pop-ups persisted whenever I browsed the web. The culprits seemed to be a process named NAIL.EXE and the Orwellian-sounding ABetterInternet. A little googling led me to discover The Best Offers Network. The name (unofficial or official, I don’t know) of their spyware/adware/malware is Aurora.

Simply put, Aurora does things so malicious, so difficult to track, so unfathomably evil that I am inclined to wonder whether it was programmed by human beings or shat forth, wholly formed, from the gaping anus of satan himself. If you’re reading this in hopes of learning how to remove it, I would strongly recommend you run screaming in the opposite direction, search out your WinXP installation disc, back up everything you can’t stand to live without, and reformat your hard drive, because Aurora will almost certainly defeat you. There are so many versions out there that nobody can help you, and you will wind up spending so many hours following wrong paths, red herrings, and underpants gnomes that a 2-hour reformat/reinstall will seem like lunch at Alto by comparison.

But I did learn some things while securing my own victory over the festering ball of fecal matter that is Aurora, and you’re welcome to read on if you’re curious.

First, if the Sony Rootkit reportage didn’t convince you, Mark Russinovich and Bryce Cogswell do some amazing work. Absolutely essential to my fishing around the insides of an Aurora-infected system were Filemon, Process Explorer, RootkitRevealer, and Autoruns. Without these (especially Process Explorer, which is one of the best pieces of software I’ve ever used, full stop), I would have been powerless against Aurora.

Because I didn’t keep notes for most of my crusade against the malware, I can’t give a play-by-play on removing it. That’s not really a problem, though, because the one constant I found during my research for removal methods is that no two installations of Aurora are the same. I don’t know if it’s an intentional strategy of Direct Revenue (whom I like to refer to as Satan’s Anus) to continually release new versions, muddying the anti-spy/malware literature, or a side-effect of the lengths to which Aurora goes to cloak itself, but the upshot is the same either way: you’re on your own here.

Based on the scattershot information I found (the best are the Symantec Security Response articles on Aurora and A Better Internet, but there are other articles linked there that may be of use), I learned that Aurora does its magic largely by registering Nail.exe as a Windows shell alongside explorer.exe, in one or both of the places Winlogon reads the shell from: the shell= line in the [boot] section of your win.ini file, and the Shell value under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If you try to edit either entry to remove nail.exe while it is running, it’ll write itself right back in.

Once you’ve gotten rid of all the randomly-named processes that nail.exe relaunches every time you terminate them (described in the Adware.Aurora article), the trick is to first suspend (not terminate) the explorer.exe process (and hence nail.exe with it), then modify the shell entries in win.ini and the registry, then reboot. In fact, while you’re feeling things out, don’t terminate any processes: many will automatically respawn, and do so with new random names, littering your system32 directory with hard-to-find, useless adware. Because it spoofs the file creation dates, you can’t simply sort system32 by date and delete everything that appeared since the infection.
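Here is an added check, written for this post and not code from the original, from Sysinternals, or from Symantec: a small Python script that parses the two shell locations named above (the Winlogon Shell value and the shell= line in win.ini) and flags any entry whose program is not explorer.exe. The sample strings are constructed to match the shape described (a second program riding along with explorer.exe); the exact string a given Aurora build writes varies, so don’t treat the sample as a signature. On Windows the script also reads the live Winlogon Shell value, but it deliberately writes nothing back, because the value only stays fixed once explorer.exe (and nail.exe) have been suspended.

```python
"""Audit Winlogon shell entries for anything that is not explorer.exe.

Added example for the Aurora write-up; not the post's own code. Inputs
labelled SAMPLE_* are constructed, not captured from a real infection.
"""
import re
import sys

LEGITIMATE_SHELL = "explorer.exe"

# Constructed: the shape the post describes, a second program appended to
# the shell. Real Aurora builds differ in path and separator.
SAMPLE_WINLOGON_SHELL = r"explorer.exe C:\WINDOWS\Nail.exe"
SAMPLE_WIN_INI = "\r\n".join([
    "; for 16-bit app support",
    "[fonts]",
    "[extensions]",
    "[boot]",
    r"shell=explorer.exe C:\WINDOWS\nail.exe",
    "[mci extensions]",
    "",
])

# A shell value lists programs separated by commas and/or whitespace; a path
# containing spaces must be double-quoted to survive that split.
_TOKEN = re.compile(r'"[^"]*"|[^\s,]+')


def split_shell_value(value):
    """Split a Shell value / shell= line into individual program entries."""
    return [tok.strip('"') for tok in _TOKEN.findall(value) if tok.strip('"')]


def _basename(entry):
    """Lower-cased file name of an entry, whatever path form it uses."""
    return re.split(r"[\\/]", entry)[-1].lower()


def audit_shell_entries(value):
    """Every entry that is not explorer.exe, the only shell that belongs there."""
    return [e for e in split_shell_value(value) if _basename(e) != LEGITIMATE_SHELL]


def clean_shell_value(value):
    """The value to restore once the extra processes are suspended."""
    keep = [e for e in split_shell_value(value) if _basename(e) == LEGITIMATE_SHELL]
    return ",".join(keep) if keep else LEGITIMATE_SHELL


def win_ini_shell_line(text):
    """Return the shell= setting from the [boot] section of win.ini, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "shell":
                return val.strip()
    return None


def read_live_winlogon_shell():
    """On Windows, read the real Shell value (absent value means the default)."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            return LEGITIMATE_SHELL
        return value


def report(label, value):
    extra = audit_shell_entries(value)
    if extra:
        print(f"{label}: SUSPICIOUS extra shell entries {extra}")
        print(f"  value to restore: {clean_shell_value(value)!r}")
    else:
        print(f"{label}: clean ({value!r})")


if __name__ == "__main__":
    report("sample Winlogon\\Shell", SAMPLE_WINLOGON_SHELL)
    ini_shell = win_ini_shell_line(SAMPLE_WIN_INI)
    report("sample win.ini [boot] shell", ini_shell or LEGITIMATE_SHELL)
    live = read_live_winlogon_shell()
    if live is not None:
        report("live Winlogon\\Shell", live)
```

Run it, note the flagged entries, then in Process Explorer suspend explorer.exe as described above (and nail.exe too, if it shows up as its own process) before putting the cleaned value back with regedit and a text editor, and reboot. Anything that reappears in the Shell value after the reboot means something else is still alive and rewriting it.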

I wish I had the capacity to write a step-by-step HOWTO detailing precisely how to rid yourself of the Aurora/BetterInternet/BestOffersNetwork crapware, but there can never be such a document so long as Satan’s Anus continues spewing forth newer and more horrific garbage. I’m going to repeat myself here and strongly recommend taking the FDISK course of action, but if you need the adventure/headache, I wish you the best of luck.