internetinspiration logo
Home Internet Guides Privacy & Security Must have software Internet Shopping Earn Money Fun & Games Freebies

Privacy & Security
Stubborn Malware
Remove Aurora _ Nail.exe

Are Aurora pop ups annoying the crap out of you? the bad news is Aurora software outsmarts the 'click and fix' scanners and appears to be almost impossible to remove. Even if your security software finds it, maybe even deletes it, Aurora comes right back, or is back on the next reboot, although it has to be said that the security Industry is gradually catching up with them as some scanners can now remove enough of the adware to stop the pop ups, other elements will be left behind though..
The good news is that I did say it appears almost impossible to remove.

Aurora, a product from Direct Revenue (other names used include, and the latest one, Best Offers)  is a variant of their transponder adware, other variants include VX2 and abetterinternet.

Direct Revenue do offer a removal tool that does stop the pop ups, but there are a few reasons why it may not be a good idea to use it.

It is not available from their main website, they direct you instead to, (owned by Direct Revenue) which raises questions like ..... why?
Surely it would be cheaper for them and more convenient for their 'customers' to have the installer in the software.

 You are instructed to turn off your firewall and security products and allow the uninstaller to connect to back the internet, why would an uninstaller need to connect to a remote server?.

The uninstaller includes the component, thunst.exe it is common in most of Direct Revenue's software to send information about the users computer system.

A condition of using the uninstaller is that you have to accept that you agreed to install the software in the first place.

The installer leaves behind a component which, according to Direct Revenue, will prevent Aurora being installed again, a little puzzling as it is claimed Aurora is only installed with user consent, (as you are reading this, you probably know this is not true) if this was correct, something to prevent the installation must be totally unnecessary.

How much trust should you put in a company that uses questionable business practices and ethics?
If Direct revenue really want to be seen as a creditable company, they need to start acting like one because no matter how much Legal semantics their Lawyers produce in their attempts to shut up those who speak out, no company will ever be regarded as respectable by trying to force people into having a product they don't want..... even if it is free.
I have yet to come across anyone who has knowingly, intentionally or deliberately put it in their computers

So why do these people silently install software that is by design, difficult to remove, or will re-install if you dare try to delete it?

Their software allows them to send you pop up adverts they are paid to display, including adult content, some poor quality spyware / anti-virus scanners and a pop up blocker from, get this....produced and distributed by Direct Revenue !
It will also detect and remove adware from competitors of Direct Revenue and can disable some security software,
I wonder if they chant 'If you cannot beat em - delete em' at their motivational gatherings

Here is their address should you feel like hogging their phone line/mail box/Fax/E mail with your complaints.
Direct Revenue LLC
107 Grand Street
3rd Floor
New York,
NY 10013
Telephone : 8668396164
Email :

Manual Removal Instructions.

WARNING - If you remove Aurora software by any method other than their own remover, you are actually in breach of their cleverly worded. cover-their-ass end user license agreement that you apparently agreed to when you downloaded their software................. Remember???
Although exactly how they will enforce their EULA is not known, maybe they will send the boys round, you have been warned.

The main components of this adware are -
*******.exe Where * is up to 11 randomly generated letters.

Prepare for removal
First, whilst online, download the following.

Ewidow Removes most of the adware For the Free version, select Download Demo. Download, install and update its database but do not run yet. The 'paid for' version has a background guard and would have prevented Aurora installing in the first place.


Ace Utilities. 30 day Free trial of a comprehensive cleaning utility,.

And this small removal file. (This file is for Windows XP only, for other operating systems complete all other operations)  Copy and Paste the contents of the box below, onto notepad.
(Click Start > All programmes > Accessories > notepad).

cd %windir%
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
On the notepad toolbar, Click File and then save from the drop down list.
In the Save in box, select Desktop
In File name, type in killAurora.bat
In the Save as type select All types
Click Save.

You are now ready for the removal operation.

You may want to print out these instructions as you will be offline.

Reboot your PC in Safe Mode Help.

Windows XP only - Double click on the KillAurora.bat Icon on your desktop. You will get a window appear briefly. Your taskbar and icons may also flicker, this is normal.

Run the ewidow scanner and allow it to remove everything found.

Now to clean out all those registry keys.
Open Ace Utilities. Whilst we are targeting the Aurora leftovers,  depending on your usual clean up routine there could be a lot of other crap to remove.

Click clean up , select remove Junk Files. Scan and delete everything found. Close the remove junk files box.

Select Clean system registry. Click options and select Thorough. Scan and delete everything found. Close the Clean system registry box.

Select Delete History, click the Windows tab and select the following-
Empty the Windows Prefetch Folder.
Delete empty folders on the Windows Temp folder.
Erase Folder streams in the Windows registry.

Click Execute Now

Click the internet Explorer/MSN tab and select the following-
Delete cookies
Delete locked URL cache file.
Delete all auto-complete Data.
Clear typed URL's of Address bar
Clear Browser History
Delete Cache (Files in temporary Internet folder)

Click Execute Now.

You can of course select any of the other options you wish to clean.

Reboot your PC in Normal mode. This will have removed nearly all of the infection, the pop ups will have stopped and your internet activities will no longer be tracked, but there may be a file still in your system that was renamed by Nail.exe each time you start your PC. Although the file in itself cannot run, obsolete files can cause or contribute to system instability.

If you wish to find and remove that randomly named file, first set Windows to show hidden files and folders. Help.
Open windows explorer and navigate to the C:\Windows\system folder.
How to -
Right click on the Start button and select Explore. In the left panel of the Windows Explorer, click on the Hard drive where your Windows is stored (usually C).
In the right panel, double click on the Windows folder.
Find and double click on the System folder.
Now look for a .exe file that is named a series of  random letters, e.g. lfzorkd.exe. When you  right click and select properties the box, it will show a size of around 74kb and a 'creation date' will be the current (Today's) date as the file is created  each time you start the PC.

If you want to double check you have the right file, do one, or more of the following-

Copy and paste the file name into a good search engine, e.g. lfzorkd.exe. Confirmation that this is the file you are looking for will come in a 'no results found' message.
Submit the file here for analysis.

Once you are happy you have found the file, Right click and select delete, or as a precaution, right click, select rename and change the file extension (after the dot) from .exe to .old. If your computer has no problems after a few days, return and delete the file.

All Traces of Aurora should now be removed.

This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without having the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance ,further development of this site and the research to create more pages like this for future malware, even £1, $1, €1 can help make sure we are still here should you ever need us again.
Privacy & Security




hackers, crackers & firewalls





BHO's & Hijackers

Drive by downloads


Scams & Hoaxes

Hijack this-
automatic analysis

Free pest scan

Unwanted processes

How to-Tutorials

Clean up/repair after malware infection

Prevent malware installing

Install Hijackthis

Start in Safe mode

Show hidden files/folders

enable/disable Active X controls

Disable Messenger service pop-ups

Use the Host file

Roguefix -
Removal tool for Rogue spyware removers & Fake Warnings
removal tool

Kill E2Give

Kill MySearch

Kill Sdbot-ADD / lockx.exe

Kill seeve.exe / mediamotors pop ups

Kill Winfixer2005

Kill SysProtect


New Winfixer infection displays fake Blackworm warning

The real cost of Free security software

About us Contact us FAQ Links Privacy Statement Site Map Webmasters
Click here to add this page to your favorites
©Internet Inspiration, 2003.      All registered trademarks are observed and respected.
If you receive advertising pop ups whilst viewing this site, you are infected with an ad-serving parasite, because we don't use pop ups. See our Privacy & security section for help with detection and removal.