How To Remove The Aurora - Nail.exe - Svcproc.exe - Epolvy Hijacker

#1 -David-


Posted 04 November 2005 - 04:17 PM

This self-help guide will show how to remove the Aurora - Nail.exe - Svcproc.exe - Epolvy Hijacker.

What this program does:

Nail.exe is a hijacker, which means it will intermittently change your Internet Explorer settings / Desktop to the link of its author's sponsors. This program is usually installed through consent, however is sometimes packaged as another product. Aurora.exe is an advertising program by Aurora. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups etc.

Tools needed for this fix:

Related Tutorials:

How to use HijackThis to remove Browser Hijackers & Spyware

Symptoms in a HijackThis Log


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


O4 - HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r
(any randomly named O4 entry with an "r" at the end)

Other symptoms

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

:) Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
This self-help guide will allow you to remove the Easy-Search.biz Hijacker
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was before!

:thumbsup: Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

:flowers: Please download the trial version of Ewido Security Suite here:
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

:P Please download Ad-Aware SE Personal from this page.

:) Now download the VX2 Cleaner from this page.

Run Ad-Aware SE Personal.
Click Add-Ons.
Double-click VX2 Cleaner.
Click Ok to Execute this tool.

If malware is found click Clean System.
When it's done click Start in Ad-Aware SE Personal.
Make sure Perform smart system scan is checked.
Click Next.
Let it clean anything it finds.

:trumpet: Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

:inlove: Once the Ewido updates are installed and you are in safe mode do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

:cool: This part is dependent on which infection you have.

Navigate to the c:\hijackthis directory and double-click on HijackThis
With IE closed, put a checkmark on these entries and hit "fix checked" (it may well have gone already!):

If you have the nail trojan fix the following entry if it is there:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

If you have the epolvy trojan fix the following entry if present:

Any entry that had a random ".exe" file in the O4 section, with an "r" at the end:

O4 - HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r

If you have any other symptoms of Aurora then fix the following if present:

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

:) Now your computer should no longer be infected with Aurora - Nail.exe - Svcproc.exe - Epolvy Hijacker. It may be possible that you still have some spyware or malware installed on your computer. If you feel this is the case, follow the instructions below to post a HijackThis log and someone will help you to remove the rest:

How to submit a HijackThis log

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


Edited by Grinler, 19 November 2006 - 07:20 AM.
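
The symptom lines listed in the guide can also be checked mechanically against a saved HijackThis log. The following is an added example, not part of the original guide and not a BleepingComputer or HijackThis tool; the rule names, the `scan_log` function and the sample log are constructed for illustration, and the trailing "r" test is the guide's own heuristic.

```python
import re

# Indicators taken from the HijackThis lines quoted in the guide.
BHO_CLSID = "{302A3240-4805-4a34-97D7-1645A0B08410}"
RULES = [
    # Shell= value in system.ini extended to launch Nail.exe next to Explorer.
    ("nail", re.compile(r"^F2 - REG:system\.ini: Shell=.*\\Nail\.exe\s*$", re.I)),
    # Run value whose command is an .exe followed by a lone "r" argument.
    ("epolvy", re.compile(r"^O4 - HKLM\\\.\.\\Run: \[[^\]]+\] .+\.exe r\s*$", re.I)),
    # Browser Helper Object, matched on CLSID rather than display name.
    ("aurora-bho", re.compile(r"^O2 - BHO: .*" + re.escape(BHO_CLSID), re.I)),
    # Service whose image path is svcproc.exe.
    ("aurora-service", re.compile(r"^O23 - Service: .*\\svcproc\.exe\s*$", re.I)),
]

def scan_log(text):
    """Return (rule, line_number, line) for every log line matching a rule."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, number, line))
                break
    return hits

# Constructed sample log: the guide's symptom lines mixed with benign entries.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\Program Files\Example\svc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for name, number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {name}: {line}")
```

A match only marks a line for review in HijackThis; the random file names differ on every machine, so the O4 rule keys on the trailing argument rather than on the names shown in the guide.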
