Just a tip


Guest

Hey, good job on the app. I was wondering how long it was going to take before MS jumped on this, considering the investment you put into getting everyone on the net (Using MS;). Here's a quick tip from an old schooler: when defending a system against running applications as tenacious as Spyware, a method I've used to kill those annoying apps which simply restart themselves is to locate the offending file and use the built-in greatness of security to not only remove but to specifically deny (almost) all access to the application. This way when you terminate the app it has no rights to execute, much less read it. By only leaving the delete security ability you can then remove it. When doing this with cascading apps it's important to deny access to all of the apps before terminating them. This way you can counter the all too familiar spawning of alternate-named and copied apps. McAfee hasn't even mastered this trick, which is why I STILL have to use this method to get rid of tenacious virus files. This would be nice to see since your app does not properly kill existing spyware running at the time of a scan.
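The "deny access first, then terminate, then delete" sequence described in the post above, written out as an added PowerShell example (not code from the thread or from any product it mentions). It assumes an elevated PowerShell session and that you have already identified the files; `$Targets` is a placeholder list seeded with the path named later in this thread, and every file in it is locked before any process is stopped, which is the point the post makes about cascading apps.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
# $Targets is a placeholder: fill it with every file identified as part of the infection.
$Targets = @(
    'C:\Windows\Nail.exe'   # placeholder path taken from this thread; replace as needed
)

# Add a Deny ACE for Everyone that blocks reading, executing and writing the file.
# Delete is deliberately NOT among the denied rights, so the file can still be removed.
# (Administrators are members of Everyone, so the deny applies to you as well; that is fine,
# since only Delete is needed afterwards.)
function Deny-ReadExecuteWrite {
    param([Parameter(Mandatory)][string]$Path)
    $acl    = Get-Acl -LiteralPath $Path
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', $rights, 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Denied read/execute/write on $Path"
}

# Step 1: lock every file first, so a watchdog process cannot re-launch a sibling copy.
foreach ($file in $Targets) {
    if (Test-Path -LiteralPath $file) { Deny-ReadExecuteWrite -Path $file }
}

# Step 2: terminate every running process whose image is one of the locked files.
# -contains compares case-insensitively, matching NTFS path semantics.
$running = Get-Process | Where-Object { $_.Path -and ($Targets -contains $_.Path) }
foreach ($proc in $running) {
    Write-Host "Stopping $($proc.ProcessName) (PID $($proc.Id))"
    Stop-Process -Id $proc.Id -Force
}

# Step 3: with execute denied, a restart attempt fails; Delete is still permitted.
foreach ($file in $Targets) {
    if (Test-Path -LiteralPath $file) {
        Remove-Item -LiteralPath $file -Force
        Write-Host "Removed $file"
    }
}
```

The deny rule is added rather than replacing the existing ACL, because deny ACEs are evaluated before allow ACEs; that is what makes the existing allow entries irrelevant once the rule is in place. If a process keeps coming back under a new name, that name belongs in `$Targets` before you run the script again, not after.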
 

Guest

Sorry, but what would you advise about the followin' issue? Some file "Nail.exe" keeps appearin' after reboot though it was deleted. And it wants to modify registry key "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\WINLOGON". There is a value "Shell" in this key with the data "Explorer.exe", and file "Nail.exe" wants to write another data in this value, namely: "Explorer.exe C:\Windows\Nail.exe". I've scanned the computer with different Anti-Spyware tools (includin' this one) but it seems like they didn't figure out what was causin' the file "Nail.exe" to appear. Hope you will solve this issue. (At the time I'm submittin' this report "Nail.exe" is deleted from the Windows folder ... well, 'till reboot.)
Regards, guest
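A check for the Winlogon `Shell` hijack described in the post above, as an added PowerShell example (not code from the thread). It reads the value, reports anything appended after `explorer.exe`, and offers a separate restore step. The key path, the value name and the space-separated form "Explorer.exe C:\Windows\Nail.exe" come from the post; the function names and the constructed sample string are mine.

```powershell
# Added example (not from the thread). Read-only unless you call Restore-WinlogonShell.
# Run in an elevated PowerShell.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Split the Shell data on commas or whitespace (the post shows a space-separated form)
# and return every entry whose file name is not explorer.exe.
function Get-SuspiciousShellEntries {
    param([string]$ShellData)
    $entries = $ShellData -split '[,\s]+' | Where-Object { $_ -ne '' }
    return @($entries | Where-Object { [System.IO.Path]::GetFileName($_) -ine 'explorer.exe' })
}

# Read the live value and report anything unexpected.
function Test-WinlogonShell {
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell).Shell
    Write-Host "Current Shell value: $shell"
    $bad = Get-SuspiciousShellEntries -ShellData $shell
    if ($bad.Count -eq 0) {
        Write-Host 'Shell value is clean.'
    } else {
        Write-Host 'Unexpected entries appended to Shell:'
        $bad | ForEach-Object { Write-Host "  $_" }
    }
    return $bad
}

# Put the value back to the Windows default. Only do this after the files that rewrite the
# value have been dealt with; otherwise it is simply changed again at the next reboot.
function Restore-WinlogonShell {
    Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe'
    Write-Host 'Shell value reset to explorer.exe'
}

# Constructed sample string (the form quoted in the post) to exercise the parser offline:
Get-SuspiciousShellEntries -ShellData 'Explorer.exe C:\Windows\Nail.exe'

# Live check against this machine's registry:
Test-WinlogonShell | Out-Null
```

The parser compares only the file name portion, so an entry like `C:\Windows\explorer.exe` is still accepted while any other path is reported. Because the thread describes the file being recreated at boot, the reported path is a starting point for finding what writes it back, not the whole problem.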
 

Bill Sanderson

Read other threads in this group with subject header Aurora--or Ceres.

This beast has three parts, of which you've found one--nail.exe. There are
two other parts: One is named randomly but the name persists on a given
machine--i.e. it always has the same name on a given machine. The second
changes names each time the process is killed--use Microsoft Antispyware's
system explorer process viewer to see this one--the process name starts with
TODO: and the executable name is random. If you kill it, and refresh the
screen, you will see it come right back with a new executable name.

I was able to identify the third portion only with the help of an online
antivirus scan from Trend Micro-- http://housecall.trendmicro.com

I was able to kill the beast only by booting to the recovery
console--booting from the original Windows CD and choosing R at the first
recovery prompt. From this console I was able to find and delete all three
parts.
 
