This self-help guide will show how to remove the Aurora - Nail.exe - Svcproc.exe - Epolvy Hijacker
What this program does:
Nail.exe is a hijacker, which means it will intermittently change your Internet Explorer settings / Desktop to link to its author's sponsors. This program is usually installed through consent, however it is sometimes packaged as another product. Aurora.exe is an advertising program by Aurora. This process monitors your browsing habits and sends the data back to the author's servers for analysis. It also prompts advertising popups, etc.
Tools needed for this fix: Related Tutorials:
How to use HijackThis to remove Browser Hijackers & Spyware
Symptoms in a HijackThis Log
Nail
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Epolvy
O4 - HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r
(any randomly named O4 entry with an "r" at the end)
Other symptoms
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
_____________________________________________________
1) Please print off these instructions - they will be needed later when internet access is not available.
This self-help guide will allow you to remove the Easy-Search.biz Hijacker
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was before!
Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Run Ad-Aware SE Personal.
Click Add-Ons.
Double-click VX2 Cleaner.
Click OK to Execute this tool.
If malware is found click Clean System.
When it's done click Start in Ad-Aware SE Personal.
Make sure Perform smart system scan is checked.
Click Next.
Let it clean anything it finds.
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Navigate to the c:\hijackthis directory and double-click on HijackThis
With IE closed, put a checkmark on these entries and hit "fix checked" (it may well have gone already!):
If you have the Nail trojan, fix the following entry if it is there:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
If you have the Epolvy trojan, fix the following if present:
Any entry that has a random ".exe" file in the O4 section, with an "r" at the end, e.g.:
O4 - HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r
If you have any other symptoms of Aurora then fix the following if present:
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
How to submit a HijackThis log
________________________________________________________
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
David
Edited by Grinler, 19 November 2006 - 07:20 AM.










