nail.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by rhaneski, May 1, 2005.

  1. rhaneski

    rhaneski Private E-2

    c:\windows\nail.exe keeps coming back.
    Trojan hunder finds it and cleans it but it returns on the next scan.
    please help.

    xpsp2
    ie6

    Ray
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    NEXT:
    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

    Delete the value, Nail.exe

    After doing the above, proceed with the following to make sure you're clean!

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. rhaneski

    rhaneski Private E-2

    Thank You,
    ran DOS commands, didn't see anything happen
    made reg change but it reappears after restart.
    this thing is stubborn

    ValueAd banners also pop up

    Log is attached
    Thanks
     


  4. Oldman

    Oldman Private First Class

    forgot to change to the windows directory before the fullremove... ;)
     
  5. rhaneski

    rhaneski Private E-2

    Defaults to Documents and Settings etc.
    cd\ gives you
    C:\>
    Run from there? Or should it be cd\windows first?
     
  6. Oldman

    Oldman Private First Class

    cd\ (puts you at the root of drive C)
    cd windows (puts you inside the Windows directory, i.e. c:\windows>)
    once there, then type nail.exe /fullremove
     
  7. rhaneski

    rhaneski Private E-2

    Got it, but I still didn't see anything run to show it was removed in DOS.
     
  8. rhaneski

    rhaneski Private E-2

    Got it.
    Nail.exe is gone from C:\Windows and from the registry,
    BUT
    ValueAds keep popping up, and Panda online shows 20 spyware/adware including Better Internet, Virtumundo, Comet,
    nCase, Bargain Buddy. Any more suggestions?

    Is the svcproc "unknown owner" a problem?
    Thanks for any help
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Oldman,

    Stick to your own threads please!



    rhaneski,

    Please attach a current HJT log.
     
  10. rhaneski

    rhaneski Private E-2

    HJT Log attached
    Thank you
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This log appears to be from Safe Mode? If so, attach a new one from normal mode.
     
  12. Oldman

    Oldman Private First Class

    BJ, won't happen again... (I interjected when I saw no reply from you yesterday), just trying to help out.
     
  13. rhaneski

    rhaneski Private E-2

    hjt log
    Thank YOu
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    EERJDLL.exe

    EERJENC.exe

    n?pdb.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1075
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    (If you need these leave them as is!)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [s3l7nack] C:\Program Files\s3l7nack\s3l7nack.exe
    O4 - HKLM\..\Run: [EERJDLL] C:\WINDOWS\EERJDLL.EXE
    O4 - HKLM\..\Run: [EERJENC] C:\WINDOWS\EERJENC.EXE
    O4 - HKLM\..\Run: [usbsng] c:\windows\system32\ovdwavr.exe
    O4 - HKCU\..\Run: [Zjtu] C:\WINDOWS\system32\n?pdb.exe

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\s3l7nack <-- Delete this whole folder if it exists!

    C:\WINDOWS\EERJDLL.exe

    C:\WINDOWS\EERJENC.exe

    C:\WINDOWS\system32\n?pdb.exe

    C:\WINDOWS\system32\ovdwavr.exe

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
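    The checks above (post 14) and the Winlogon Shell edit in post 2 can be expressed as detection rules. The script below is an added example, not code from the thread, from MajorGeeks or from HijackThis: it reads log lines in the R1/O4/O23 formats quoted above and flags the same indicator classes the expert acted on (an IE proxy pointed at a local port, autostart executables sitting directly in C:\WINDOWS or with a file name HijackThis could not render, services with no company name), and it lists whatever a Winlogon Shell value launches besides Explorer. The sample log is constructed from lines quoted in the thread plus two made-up benign entries; the allowlist, the severity labels and the assumption that the infected Shell value read "Explorer.exe" followed by the Nail.exe path are mine, not the page's.

```python
"""Triage HijackThis-style log lines for the indicator classes used in this thread."""
import re
from dataclasses import dataclass

# Constructed sample log. The R1/O4/O23 lines reuse the formats quoted in the
# thread; the ctfmon entry and the "Example Updater" service are made up so
# the rules have benign lines to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1075
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [s3l7nack] C:\Program Files\s3l7nack\s3l7nack.exe
O4 - HKLM\..\Run: [EERJDLL] C:\WINDOWS\EERJDLL.EXE
O4 - HKLM\..\Run: [usbsng] c:\windows\system32\ovdwavr.exe
O4 - HKCU\..\Run: [Zjtu] C:\WINDOWS\system32\n?pdb.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Example Updater (ExUpd) - Example Vendor Inc. - C:\Program Files\Example\exupd.exe
"""

# Placeholder allowlist of Run value names (an assumption, not a vetted list);
# in practice it is built from the software known to be on the machine.
KNOWN_GOOD_RUN = {"ctfmon.exe"}

R_PROXY_RE = re.compile(r"^R[01] - .+?,(?P<value>\w+) = ?(?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: .+? \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# First executable path in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high": concrete indicator; "review": needs a human look
    line: str
    reason: str


def _parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def _check_executable(path: str):
    """Indicators that apply to any executable path pulled out of a log line."""
    if "?" in path:
        yield "high", "file name contains a character HijackThis could not render (shown as '?')"
    if _parent_dir(path) == "c:\\windows":
        yield "high", "executable placed directly in the Windows folder"


def triage(log_text: str) -> list:
    """Apply the rules to every R0/R1, O4 and O23 line; other line types are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_PROXY_RE.match(line)
        if m:
            data = m["data"].lower()
            if m["value"] == "ProxyServer" and ("localhost" in data or "127.0.0.1" in data):
                findings.append(Finding("high", line,
                    "IE proxy points at a local port, so a resident program sits between the browser and the network"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            hits = list(_check_executable(exe["path"])) if exe else []
            findings.extend(Finding(sev, line, why) for sev, why in hits)
            if not hits and m["name"].lower() not in KNOWN_GOOD_RUN:
                findings.append(Finding("review", line, "autostart entry not on the allowlist"))
            continue
        m = O23_RE.match(line)
        if m:
            hits = list(_check_executable(m["path"]))
            findings.extend(Finding(sev, line, why) for sev, why in hits)
            if m["owner"] == "Unknown owner":
                findings.append(Finding("high" if hits else "review", line,
                    "service binary carries no company name in its version info"))
    return findings


def extra_shell_entries(shell_value: str) -> list:
    """Return whatever the Winlogon Shell value launches besides Explorer.

    The default on XP is just "Explorer.exe"; post 2 has the reader delete
    Nail.exe from this value, and this check assumes (not stated on the page)
    that the infected value was "Explorer.exe" followed by the Nail.exe path.
    Entries are split on commas and whitespace, so a path containing spaces
    would need quoting to survive intact.
    """
    parts = re.split(r"[,\s]+", shell_value.strip())
    return [p for p in parts if p and p.lower() != "explorer.exe"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("extra Shell entries:", extra_shell_entries(r"Explorer.exe C:\WINDOWS\Nail.exe"))
```

    Run stand-alone it prints one line per finding on the constructed log; the two "review" entries (s3l7nack and usbsng) are the ones a person still has to judge, which is exactly where the thread's request for a fresh log before each round of fixes comes from.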
     
  15. rhaneski

    rhaneski Private E-2

    Done!
    Fastest reboot on this machine in a while

    Hope this log looks good. I really appreciate your help.
    I enjoyed Mobile, Alabama last summer on the way to New Orleans
    Thank you
     


  16. rhaneski

    rhaneski Private E-2

    panda active scan log is attached.
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is now clean!

    Are you having any further problems?
     
  18. rhaneski

    rhaneski Private E-2

    So far so good, no ValueAd popups, Trend Micro and McAfee scanned clean, Panda Software still shows some adware entries.
    Can I turn system restore back on now?

    Your help has been amazing and a lifesaver.
    Thanks so much.
     
  19. rhaneski

    rhaneski Private E-2

    Wait, tried to set a picture as the desktop and it turned white; now when you right-click the desktop, Properties does not appear.
     
  20. rhaneski

    rhaneski Private E-2

    Sorry, think I fixed that.
    Control Panel > Display > Desktop > Customize > Web: "security" appeared as a web page and "Lock desktop items" was checked. Cleared both and the picture displayed. Hope that was the fix.
     
  21. rhaneski

    rhaneski Private E-2

    One last question,
    Box is booting in Selective Startup
    with check marks removed for 428o, eetu.Bman1, Skype and a few others.
    428o doesn't show on a file search.
    What happens if I check Normal Startup on the General tab in msconfig, or should I? Or can it run forever in Selective Startup?
    Thank You
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally I would stick with normal startup.
     
