{"id":30,"date":"2005-06-16T14:02:00","date_gmt":"2005-06-16T14:02:00","guid":{"rendered":"http:\/\/www.noidea.us\/wordpress\/?p=30"},"modified":"2005-06-16T14:02:00","modified_gmt":"2005-06-16T14:02:00","slug":"nailaurora-fix","status":"publish","type":"post","link":"http:\/\/www.noidea.us\/wordpress\/2005\/06\/nailaurora-fix\/","title":{"rendered":"Nail\/Aurora Fix"},"content":{"rendered":"

NOTE: These instructions have been superseded with updated procedures for the nailfix installer and a new version of Ewido. Please post a HijackThis Log in the Malware Removal Assistance forum here or at any of the ASAP Member Sites.<\/a><\/b>
\n\n\n

\nThe following are instructions to run the Nail\/Aurora popups fix. This can be recognized by the following lines in HijackThis:
\n\n\n

\nF2 – REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe\n\n\nO23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\\WINDOWS\\svcproc.exe
\n<\/b>
\n\n\n

\nI ALWAYS recommend starting this fix by posting a HijackThis log at one of the forums listed in the Spyware Help Forums<\/a> FIX LINK!<\/i> section.
\n\n\n

Please download, install, and update the free version of Ewido trojan scanner<\/a>:
\n\n\n

    \n\n\n
  1. When installing, under “Additional Options” uncheck<\/b> “Install background guard” and “Install scan via context menu”.
    \n\n\n
  2. When you run ewido for the first time, you will get a warning “Database could not be found!”. Click OK<\/b>. We will fix this in a moment.
    \n\n\n
  3. From the main ewido screen, click on update<\/b> in the left menu, then click the Start update<\/b> button.
    \n\n\n
  4. After the update finishes (the status bar at the bottom will display “Update successful”)
    \n\n\n
  5. Exit Ewido. DO NOT scan yet.
    \n<\/ol>\n\n
    \n\n\n

    \nDownload CCleaner<\/a> and install, but do not run it yet.
    \n\n\n

    \nPlease download the Nail\/Aurora Spyware Fix<\/a> from NoIdea.US.
    \n\n\n

    \nUnzip it to the desktop but do NOT run yet.
    \n\n\n

    \nReboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft<\/a>:
    \n\n\n

      \n\n\n
    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you the Boot Menu appears.
      \n\n\n
    2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
      \n\n\n
    3. When the Boot menu appears again, and the words “Safe Mode” appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
      \n<\/ol>\n\n
      \n\n\n

      \nOnce in Safe Mode, please double-click on nailfix.cmd<\/b> that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly — this is normal.
      \n\n\n

      \nNext, run Ewido<\/b> again.
      \n\n\n

        \n\n\n
      1. Click on the Scanner<\/b> button in the left menu, then click on the Start<\/b> button. This scan can take quite a while to run, so time to go get a drink and a snack….
        \n\n\n
      2. If ewido finds anything, it will pop up a notification. You can select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK<\/b>.
        \n\n\n
      3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
        \n<\/ol>\n\n
        \n\n\n

        \nThen run HijackThis<\/b>, click Scan<\/b>, and place a checkmark by the following item:
        \n\n\n

        \nF2 – REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe<\/b>
        \n\n\n

        \nClose all open windows except for HijackThis and click Fix Checked<\/b>.
        \n\n\n

        \nNow, run CCleaner.
        \n\n\n

          \n\n\n
        1. Uncheck<\/b> “Cookies” under “Internet Explorer”.
          \n\n\n
        2. if running Firefox:<\/i> then click on the “Applications” tab and uncheck<\/b> “Cookies” under “Firefox”.
          \n\n\n
        3. Click on Run Cleaner<\/b> in the lower right-hand corner. This can take quite a while to run.
          \n<\/ol>\n\n
          \n\n\n

          \nFinally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.]]><\/p>\n","protected":false},"excerpt":{"rendered":"

          NOTE: These instructions have been superseded with updated procedures for the nailfix installer and a new version of Ewido. Please post a HijackThis Log in the Malware Removal Assistance forum here or at any of the ASAP Member Sites. The following are instructions to run the Nail\/Aurora popups fix. This can be recognized by the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-computers"],"_links":{"self":[{"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":0,"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.noidea.us\/wordpress\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}