I ran into a system infected with the Aurora spyware a couple of weeks ago. The company maintains that it is not spyware, but it has no removal tool, it throws popups like crazy and it monitors the system and moves itself around using random file names. As of today, Norton Anti-Virus identifies it but can't get rid of it. Symatec provides a removal tool, but that didn't work either. I've used two separate spyware checkers and they can't delete it either. You can get more information on Aurora here...
http://netrn.net/spywareblog/archives/2005/05/10/got-aurora-nailexe/
The way to tell if you have Aurora is two-fold:
First, check for Nail.exe in the C:Windows directory. If it's there, delete it. If it reappears, Aurora is at work on your system. The other place to check is in the registry under HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon. The Shell key will have the value "Explorer.exe c:windowsnail.exe". If you try to modify this setting back to c:windowsexplorer.exe, the aurora software automatically renames it back to include the reference to nail.exe.
The latest Symatec definition identifies this virus as "BetterInternet" and provides a remover that doesn't stop the behavior noted above. To stop the behavior noted above, I took the following steps:
(1) From a command prompt, go to the Windows/System directory and type dir>nail.exe (this changes the contents of nail.exe and their software doesn't try to remedy this situation)
(2) Reboot. Upon startup you'll get an error message, but ignore it. You can now delete Nail.exe and it will not reappear.
(3) Finally, using RegEdit, go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon and change the shell key to "c:windowsexplorer.exe"
Reboot and your system is now clean.
