Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
CalamityJane Site Admin

Joined: 05 Feb 2004 Last Visit: 22 Sep 2009 Posts: 1237 Location: Central Florida, USA
Posted: Sun Jun 26, 2005 2:40 pm Post subject: [old] Victims of AURORA/Nail.exe...Start here first
PLEASE READ AND FOLLOW THESE STEPS CAREFULLY; YOU MAY WANT TO PRINT OR SAVE THESE INSTRUCTIONS LOCALLY BEFORE STARTING.
1. Please download, install, and update the free version of Ewido trojan scanner:
http://www.ewido.net/en/download/
a. From the main ewido screen, click on update in the left menu, then click the Start update button.
b. After the update finishes (the status bar at the bottom will display "Update successful")
c. Exit Ewido. DO NOT scan yet.
2. Download CCleaner and install, but do not run it yet.
http://www.ccleaner.com/ccdownload.asp
3. Please download this installer for the Nailfix utility revised
http://www.noidea.us/easyfile/file.php?download=20050711214630636
DO NOT run it yet.
Alternate download link here: Nailfix.zip
Location no longer available
4. Don't have HijackThis yet? Here's where to get it and instructions on how to download and scan:
http://spywarewarrior.com/viewtopic.php?t=6914
5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
6. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
7. Next, run Ewido again.
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. We'll see that in the log you will post later and let you know if ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
8. Then run HijackThis, click Scan, and place a checkmark by the following items (if found):
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r
Close all open windows except for HijackThis and click Fix Checked. Note that the O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.
Locate and delete the following File in BOLD:
c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).
9. Now, run CCleaner.
- Uncheck "Cookies" under "Internet Explorer".
- If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
10. Finally, restart your computer in normal mode.
Download Lavasoft's Ad-Aware Personal SE (free) Edition
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html
and the VX2 Cleaner Plug-in
http://www.lavasoft.de/software/addons/vx2cleaner.shtml.
Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.
Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.
You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.
When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.
11. Please post a new HijackThis log, as well as the log from the Ewido scan.
(Or start a new topic with those two logs if you haven't started one yet).
There will quite possibly be more to do, but that will be a good start on this infection.
Edit by CalamityJane: 30 July 2005: Added link for HijackThis download and install instructions
Edit by CalamityJane: 12 Sep 2005: Added Adaware with Vx2 plugin instructions
_________________
Microsoft MVP 2003-2008, Windows - Security
Last edited by CalamityJane on Mon Sep 12, 2005 1:22 pm; edited 9 times in total
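
The two HijackThis patterns named in step 8 of the post above, written as a check over a saved log. This is an added example, not part of the original post and not HijackThis code; the function name, the sample log and the entry names `exampleav` and `qwxzpl` are constructed for illustration.

```python
import re

# F2 lines report the Shell value; anything after Explorer.exe is an extra program.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.I)
# O4 lines in the form the post shows: O4 - HKLM\..\Run: [name] command
O4_RUN = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)

# Constructed sample log (not taken from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [exampleav] C:\Program Files\ExampleAV\tray.exe /STARTUP
O4 - HKLM\..\Run: [qwxzpl] c:\windows\system32\qwxzpl.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def flag_entries(log_text):
    """Return (line_number, reason, line) for entries matching step 8 of the post."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        match = F2_SHELL.match(line)
        if match:
            # Strip the legitimate shell and see what else would be launched.
            extra = re.sub(r"^explorer\.exe\s*", "", match.group("shell"), flags=re.I)
            if extra.strip():
                findings.append((number, "Shell also launches: " + extra.strip(), line))
            continue
        match = O4_RUN.match(line)
        if match:
            parts = match.group("cmd").split()
            # The post says the entry name is random but always ends in a lone "r".
            if len(parts) >= 2 and parts[-1] == "r" and parts[-2].lower().endswith(".exe"):
                findings.append((number, "Run entry ends in lone 'r' argument", line))
    return findings

if __name__ == "__main__":
    for number, reason, line in flag_entries(SAMPLE_LOG):
        print(f"line {number}: {reason}\n    {line}")
```

Matching on the trailing `r` rather than on the file name is what lets the check survive the renaming after a reboot that the post warns about.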
sprocket79 Newbie
Joined: 26 Jun 2005 Last Visit: 30 Jun 2005 Posts: 6
Posted: Sun Jun 26, 2005 2:51 pm Post subject:
Is there any other link for the Nail/Aurora Spyware Fix? The two you listed don't work, at least for me. I keep getting page not found for the No Idea link (I think their site is down) and the other one doesn't actually link to a file.

CalamityJane Site Admin

Joined: 05 Feb 2004 Last Visit: 22 Sep 2009 Posts: 1237 Location: Central Florida, USA
Posted: Sun Jun 26, 2005 3:00 pm Post subject:
Thanks! I don't know what's wrong with the first link, but I fixed the alternate link - should work (I just tested it)
http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix
_________________
Microsoft MVP 2003-2008, Windows - Security

CalamityJane Site Admin

Joined: 05 Feb 2004 Last Visit: 22 Sep 2009 Posts: 1237 Location: Central Florida, USA
Posted: Mon Jun 27, 2005 10:35 am Post subject:
FYI, both links for Nailfix are now working today. That first one must have fixed whatever the problem was as I didn't need to change the URL.
_________________
Microsoft MVP 2003-2008, Windows - Security

chrismak Newbie
Joined: 05 Jul 2005 Last Visit: 05 Jul 2005 Posts: 2
Posted: Tue Jul 05, 2005 8:00 pm Post subject: same nail infection
Sarak,
I have the same freakin' nail fungus infection.
The link above for www.ewido.net/en/download doesn't work.
Glad to hear you got rid of it.
Chris

CalamityJane Site Admin

Joined: 05 Feb 2004 Last Visit: 22 Sep 2009 Posts: 1237 Location: Central Florida, USA
Posted: Wed Jul 06, 2005 4:09 am Post subject:
Hi Chris,
Nothing wrong with the Ewido download link. Please post your problems/questions into a topic of your own here:
http://spywarewarrior.com/viewforum.php?f=5
_________________
Microsoft MVP 2003-2008, Windows - Security

CalamityJane Site Admin

Joined: 05 Feb 2004 Last Visit: 22 Sep 2009 Posts: 1237 Location: Central Florida, USA
Posted: Sun Jul 17, 2005 9:38 am Post subject:
New Alternate link file added
_________________
Microsoft MVP 2003-2008, Windows - Security

starfire1117 Junior Member

Joined: 18 Jul 2005 Last Visit: 07 May 2006 Posts: 15
Posted: Thu Jul 21, 2005 5:02 am Post subject: Windows XP and Safe Mode
I am a nail.exe/aurora victim. Tried following your instructions but nothing runs in safe mode. I have Windows XP. Please advise.
Edit by CalamityJane: Please see your topic thread starfire...your replies will be there:
http://spywarewarrior.com/viewtopic.php?t=15179

suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 01 Sep 2010 Posts: 10722 Location: sunny California
Posted: Tue Jul 26, 2005 5:15 pm Post subject:
Locking topic so no one asks for help or posts logs here. If you need help with this infection, please start your own topic. Help requests posted here may not be seen. SerinMC and shalexa77, I split your posts into separate topics.
shalexa, yours is here:
http://www.spywarewarrior.com/viewtopic.php?t=15321
SerinMC, yours is here:
http://www.spywarewarrior.com/viewtopic.php?t=15337
Thank you.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.