Nail.exe adware problem

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Yesterday, I was downloading a "free" screensaver and began receiving
adware. I stopped the download and began checking for problems. Adaware
found many problems, which it fixed (it says).

My problem is that somehow this adware has made all the files in the XP Pro
c:\winnt disappear from view. Computer still works fine, so they must be
hidden by some other means.

I found this line in HijackThis that was objectionable.
F2 - REG:system.ini: Shell=Explorer.exe c:\WINDOWS\Nail.exe
It couldn't be fixed because no files can be seen in the C:\Winnt directory.
Norton can not scan a directory with no files, etc., and I can't delete any
files for the same reason. The only file showing in the folder is
c:\winnt\system32\spllo\PRTPROCS\W32X86\hpprn02.dll (may be a printer
driver).

I went into the registry and deleted this key and still no luck, although it
stopped the automatic addition of a new file to be included in startup with
the "stop process" of an unknown .exe in the taskmanager.

So... I need to know how to restore the files to "not hidden". And, if
anyone has any ideas regarding removal of this adware, I'd be most grateful.

Tom

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Please download ewido security suite it is a free version of the program.
http://www.pcbutts1.com/downloads/ewidosetup.exe
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database
could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being
installed.
(the status bar at the bottom will display "Update successful" )
Exit ewido. DO NOT SCAN YET.

Download CCleaner and install it, but do not run it yet.
http://www.pcbutts1.com/downloads/ccsetup122.exe

Please download this file: Revised Installer for the Nailfix Utility
http://www.pcbutts1.com/downloads/nailfix1.exe
Save it to your desktop.
DO NOT RUN IT YET.

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer.After hearing your computer beep once during startup,
but before the Windows icon appears, press F8.Instead of Windows loading as
normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup
Make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open
and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the
action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now as the action.
Once the scan has completed, there will be a button located on the bottom of
the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find
it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere
and the game "Risk" )

Now run HijackThis, click Scan, and place a checkmark next to each of the
following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HJT, then click the Fix Checked button.
Close HJT.

Locate and delete the following File
C:\WINDOWS\Nail.exe

Now run CCleaner
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies"
under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a
while to run.

Finally, restart your computer in normal mode and please post a new
HijackThis log, as well as the report log from the Ewido scan by using Add
Reply.




--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Tom Landon" <mdeanhouston@sbcglobal.net> wrote in message
newsZGXZ3bmFHA.3544@TK2MSFTNGP15.phx.gbl...
> Yesterday, I was downloading a "free" screensaver and began receiving
> adware. I stopped the download and began checking for problems. Adaware
> found many problems, which it fixed (it says).
>
> My problem is that somehow this adware has made all the files in the XP
> Pro c:\winnt disappear from view. Computer still works fine, so they must
> be hidden by some other means.
>
> I found this line in HijackThis that was objectionable.
> F2 - REG:system.ini: Shell=Explorer.exe c:\WINDOWS\Nail.exe
> It couldn't be fixed because no files can be seen in the C:\Winnt
> directory. Norton can not scan a directory with no files, etc., and I
> can't delete any files for the same reason. The only file showing in the
> folder is c:\winnt\system32\spllo\PRTPROCS\W32X86\hpprn02.dll (may be a
> printer driver).
>
> I went into the registry and deleted this key and still no luck, although
> it stopped the automatic addition of a new file to be included in startup
> with the "stop process" of an unknown .exe in the taskmanager.
>
> So... I need to know how to restore the files to "not hidden". And, if
> anyone has any ideas regarding removal of this adware, I'd be most
> grateful.
>
> Tom
>

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Try running spybot from http://www.safer-networking.org/en/index.html it
looks like it is part of "Aurora" spyware. If you google for nail.exe there
are many suggestions.
Neil

"Tom Landon" <mdeanhouston@sbcglobal.net> wrote in message
newsZGXZ3bmFHA.3544@TK2MSFTNGP15.phx.gbl...
> Yesterday, I was downloading a "free" screensaver and began receiving
> adware. I stopped the download and began checking for problems. Adaware
> found many problems, which it fixed (it says).
>
> My problem is that somehow this adware has made all the files in the XP
> Pro c:\winnt disappear from view. Computer still works fine, so they must
> be hidden by some other means.
>
> I found this line in HijackThis that was objectionable.
> F2 - REG:system.ini: Shell=Explorer.exe c:\WINDOWS\Nail.exe
> It couldn't be fixed because no files can be seen in the C:\Winnt
> directory. Norton can not scan a directory with no files, etc., and I
> can't delete any files for the same reason. The only file showing in the
> folder is c:\winnt\system32\spllo\PRTPROCS\W32X86\hpprn02.dll (may be a
> printer driver).
>
> I went into the registry and deleted this key and still no luck, although
> it stopped the automatic addition of a new file to be included in startup
> with the "stop process" of an unknown .exe in the taskmanager.
>
> So... I need to know how to restore the files to "not hidden". And, if
> anyone has any ideas regarding removal of this adware, I'd be most
> grateful.
>
> Tom
>