Help with nail.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mallomarred, Jun 28, 2005.

  1. Mallomarred

    Mallomarred Private E-2

    Hello,

    I am so incredibly frustrated and would appreciate any and all help. Thanks to your web site I was able to rid my computer of Surf Sidekick and numerous other annoying files, however I cannot get rid of Aurora. I spent almost all day Sunday cleaning my computer and I just can't seem to kill it.

    I have followed all of the directions on your help document, including downloading Spybot, Ad-Aware, CWShredder, Stinger, etc. When those did not do the trick I then downloaded the latest version of Hijack This and consulted Tony K's list for suspicious files. I've run HJT in safe mode and then gone to my c: drive and deleted the nail.exe file -- it still comes back. I read through your message boards and followed directions to download an Aurora-specific cleaner to install while in safe mode (abiremover.exe) -- That did not have any effect either.

    The "bad" files that I've identified are nail.exe, svcproc.exe, lchpdi.exe and some variance of VX2 which shows as "vzkglvbopi.exe" when it tries to access the internet on its own. There's another .exe file that seems to mutate into a different name every time I restart my computer.

    Again, your help is greatly appreciated. Thanks!

    Amy
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following file, after download is complete run the uninstaller. When uninstall is complete reboot and proceed with the next steps.

    Download Uninstaller


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Mallomarred

    Mallomarred Private E-2

    Thank you!!!!

    Attached is my HJT log file. Knock on wood, nail.exe is gone. Please let me know if you see any other suspect files.

    Thanks again,

    Amy
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: http://www.yourtaxdollarsatwork.org

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint ← Delete this whole folder if it exists!

    C:\WINDOWS\System32\WinStat12.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
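    The O23 entries above are flagged "(file missing)" and then stopped and disabled through services.msc. The script below is an added example (not from this thread or from HijackThis) that performs the same check from PowerShell: it resolves each service's image path carefully, so that quoted paths, unquoted paths containing spaces, command-line arguments and environment variables do not produce a false "file missing", and then stops and disables a named service the way the services.msc steps do. It assumes a current Windows host with PowerShell 5 or later and an elevated prompt; the service name 'SvcProc' comes from the log above.

```powershell
# Added example: reproduce HijackThis's O23 "(file missing)" check with a more
# careful path resolver, then stop/disable a suspect service by name.
# Assumes Windows with PowerShell 5+ running as Administrator.

function Resolve-ServiceImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    # Quoted form: "C:\Program Files\Foo\foo.exe" -arg
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted form: grow the space-separated prefix until it names a real file,
    # so "C:\Program Files\Foo\foo.exe -k net" still resolves despite the space.
    $tokens = $p -split ' '
    $first = $null
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if ($candidate -notmatch '^[A-Za-z]:\\') {
            # Relative entries such as system32\foo.exe are relative to %SystemRoot%
            $candidate = Join-Path $env:SystemRoot $candidate
        }
        if (-not $first) { $first = $candidate }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $first   # nothing on disk matched; report the first token as best guess
}

function Get-ServicesWithMissingBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $img = Resolve-ServiceImagePath $_.PathName
        if ($img -and -not (Test-Path -LiteralPath $img -PathType Leaf)) {
            [pscustomobject]@{ Name = $_.Name; DisplayName = $_.DisplayName
                               State = $_.State; StartMode = $_.StartMode; ImagePath = $img }
        }
    }
}

function Disable-SuspectService {
    # Same effect as Stop + Startup Type "Disabled" in services.msc
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

Get-ServicesWithMissingBinary | Format-Table -AutoSize
# Disable-SuspectService -Name 'SvcProc'   # service name taken from the log above
```

    Services that appear in the listing only because their PathName is relative or unquoted are the ones a naive check misreports; anything still listed after that resolution genuinely has no binary on disk and is worth investigating.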
     
  5. Mallomarred

    Mallomarred Private E-2

    Hello,

    I followed your instructions and was able to get rid of Viewpoint and the svcproc.exe file [see attached log file]. For some reason the ATI hotkey keeps coming back. I've deleted it three times in HJT.

    While I did not find a System32\Winstat12.dll file I did find a Winstat12.dat file. I left it alone. Should I delete it?

    FYI, my computer stalled twice in a row when I attempted to type "cleanmgr" over "services.msc" on the Run menu [while in safe mode]. The third time I re-booted in safe mode and just typed "cleanmgr" and was able to run the program. Not sure if this has anything to do with the ATI key problem, either.

    My Spybot scan is coming up clean.

    Thanks again!

    Amy
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you should delete that file as well.

    It's not a problem: if you fix it once with HJT and it returns, it's most likely not a problem. HJT 1.99.1 has a bug that shows (file missing) when it's really there.

    Your HJT log is clean, are you having any further problems?
     
  7. Mallomarred

    Mallomarred Private E-2

    My computer is clean... No problems. Thank you again!!!!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

