How do I remove Nail.exe from PC

Name: dudeinarocco
Date: August 30, 2005 at 07:17:29 Pacific
OS: XP pro
CPU/Ram: Pro 1300+, 512ram
Comment:

I've used the trial "Spy Sweeper" program & it has removed the "NAIL.exe." Problem is, when I reboot my PC I get "NAILED" again!!
Yeesch, this thing is nuts! Is it possible that Webroot is missing something? Is it possible that something resides in the boot sector? If so, what do I need to do to EXTRACT THIS NASTY FILE?
I'm running XP Pro, with Service Pack II with all critical updates. I've been using Norton Antivirus (2002), Pest Patrol & now Spy Sweeper.
Any assistance with this nuisance would be greatly appreciated.





Response Number 1
Name: andy1
Date: August 30, 2005 at 10:24:09 Pacific
Reply:

Check out this Aurora removal page.


0

Response Number 2
Name: Rick McNabb
Date: August 30, 2005 at 11:51:38 Pacific
Reply:

Anytime you want to clean your system of viruses or other spyware or malware, do the scan and cleaning while booted into Safe Mode WITHOUT network support.

Rule #1: Good Computers don't go down.
Rule #2: There is no such thing as a good computer.


0

Response Number 3
Name: jabuck
Date: August 30, 2005 at 15:08:24 Pacific
Reply:

If you still need help with nail.exe, which is Aurora, first download, update and run these three programs:

Adaware SE

Spybot

cwshredder

Then download nailfix, but do not run it yet; just save it to the desktop. Then download Ewido Security Suite.

When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.

Next boot into Safe Mode

Then double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then, while still in safe mode, run Ewido. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. We'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

You should post a Hijack This log to remove the F2 items and others that may be on the computer. You will most likely need to post a Hijack This log so that the files associated with the hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

Once saved, double-click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor.

Do not fix anything yet.



0

Response Number 4
Name: dudeinarocco
Date: September 1, 2005 at 11:22:24 Pacific
Reply:

jabuck, Not too sure how to proceed? I've done all the scans & kept the logs; but I don't know how to post the text file?


0

Response Number 5
Name: jabuck
Date: September 1, 2005 at 15:03:59 Pacific
Reply:

Hey Mike, on the HT logs, a file is saved to the folder that you put HT in when you downloaded it. So just open that file and click edit > select all, then go to the computing.net comments area and click on the spot you want to paste the text, go to edit and click paste.

On ewido you need to choose a place, such as "my documents", to save the text file you create so that you can find it; otherwise Windows chooses for you, making it hard to find sometimes.


0


Response Number 6
Name: dudeinarocco
Date: September 1, 2005 at 21:53:17 Pacific
Reply:

Hey jabuck, Not sure what you mean by "HT"
I'm not very good with PC jargon & such?
Here is the text file from the ewido scan....


ewido security suite - Scan report


+ Created on: 1:01:40 PM, 9/1/2005
+ Report-Checksum: 88340786

+ Scan result:

[948] C:\WINDOWS\system32\raldhuj.exe -> Trojan.Agent.cp : Ignored
C:\Documents and Settings\Mike Grossman\Cookies\mike grossman@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Ignored
C:\WINDOWS\system32\raldhuj.exe -> Trojan.Agent.ay : Ignored
[1312] VM_00F80000 -> Adware.BetterInternet : Error during cleaning
C:\Program Files\PestPatrol\Quarantine\20050828235340.zip/WINDOWS/nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\jqymssdiup.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Doesn't mean a whole lot to me? :(


0

Response Number 7
Name: jabuck
Date: September 2, 2005 at 14:48:22 Pacific
Reply:

From that log it looks like nail may still be on the computer. I am not real sure, but nailfix should have removed it unless you ran ewido from normal mode, which will not hurt anything, but they have to be run in safe mode. Run nailfix in safe mode again and then run ewido again from safe mode. There is also a trojan still there that ewido will remove in safe mode.

If these are not run in safe mode they will not work. If you are having problems getting into safe mode, let me know.

Next, HT means Hijack This. Follow the instructions in response 3 to get into safe mode and to download, install and run Hijack This, then to post a Hijack This log.


0
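Added example, not part of any post in this thread: a small Python parser for the ewido report format shown in Response Number 6 that lists every detection whose action is anything other than "Cleaned", which is the check being made by eye in Response Number 7. The function names are illustrative, and reading the bracketed number as a process ID is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the ewido report posted in Response Number 6.
REPORT = r"""
+ Scan result:

[948] C:\WINDOWS\system32\raldhuj.exe -> Trojan.Agent.cp : Ignored
C:\WINDOWS\system32\raldhuj.exe -> Trojan.Agent.ay : Ignored
[1312] VM_00F80000 -> Adware.BetterInternet : Error during cleaning
C:\Program Files\PestPatrol\Quarantine\20050828235340.zip/WINDOWS/nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\jqymssdiup.exe -> Adware.BetterInternet : Cleaned with backup

::Report End
"""

# "[id] object -> detection : action". The bracketed id is optional and is
# assumed here to be the ID of the process the object was found in.
LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<obj>.+?) -> (?P<name>\S+) : (?P<action>.+)$"
)

def parse_report(text):
    """Return one dict per detection line; headers and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            findings.append(m.groupdict())
    return findings

def unresolved(findings):
    """Map each object to the detections that were not cleaned."""
    left = defaultdict(list)
    for f in findings:
        if not f["action"].lower().startswith("cleaned"):
            left[f["obj"]].append((f["name"], f["action"]))
    return dict(left)

if __name__ == "__main__":
    for obj, hits in unresolved(parse_report(REPORT)).items():
        print(obj)
        for name, action in hits:
            print(f"    {name}: {action}")
```

On the Response 6 report this leaves two objects to deal with: `raldhuj.exe` (two detections, both "Ignored") and the in-memory entry that failed cleaning. The `nail.exe` line refers to a copy inside another scanner's quarantine archive and is marked cleaned.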

Response Number 8
Name: dudeinarocco
Date: September 5, 2005 at 19:50:35 Pacific
Reply:

Hey jabuck, It seems as though "Nail.exe" has been removed!
:)

Here are the scans:
>>Ewido

ewido security suite - Scan report


+ Created on: 11:33:40 AM, 9/4/2005
+ Report-Checksum: E1CE0231

+ Scan result:

C:\Documents and Settings\Mike Grossman\Cookies\mike grossman@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup


::Report End

>>HT
Logfile of HijackThis v1.99.1
Scan saved at 11:35:30 AM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike Grossman\Desktop\KILLaurura\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109478376921
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

!!THANKS!! Let me know if you see any problems with the scans?


0
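Added example, not part of any post in this thread: a Python check that splits a HijackThis log into its running-process list and its coded entries (R0, O4, O23 and so on) and reports any line that still names a file flagged in the earlier ewido report. The sample lines come from the log in Response Number 8, except the last one, which is constructed to show what a hit looks like; function names are illustrative.

```python
import re

# File names flagged in the ewido report from Response Number 6.
FLAGGED = {"nail.exe", "raldhuj.exe", "jqymssdiup.exe"}

# Copied from the HijackThis log in Response Number 8, except the final
# entry, which is constructed for this example and was not in the posted log.
LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O4 - HKLM\..\Run: [constructed] C:\WINDOWS\nail.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")             # "O4 - ..." style lines
FILE = re.compile(r'[^\\/\s"]+\.(?:exe|dll)\b', re.I)      # bare file names

def parse_hjt(text):
    """Split a HijackThis log into (running processes, coded entries)."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return procs, entries

def references(text, flagged=FLAGGED):
    """Return (section, line) for each process or entry naming a flagged file."""
    procs, entries = parse_hjt(text)
    rows = [("process", p) for p in procs] + entries
    return [(where, body) for where, body in rows
            if {n.lower() for n in FILE.findall(body)} & flagged]

if __name__ == "__main__":
    for where, body in references(LOG):
        print(f"still referenced under {where}: {body}")
```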

Response Number 9
Name: paul3
Date: September 8, 2005 at 09:55:46 Pacific
Reply:

The instructions about removing nail.exe can be found here: nail.exe removal


0

Response Number 10
Name: jabuck
Date: September 8, 2005 at 20:37:43 Pacific
Reply:

Looks good to me Mike, glad we could help.


0

Response Number 11
Name: cujo633
Date: September 10, 2005 at 18:45:01 Pacific
Reply:

I had that evil regenerating file "nail.exe".
The newest Webroot build killed it, BUT making a dummy text file and renaming it as nail.exe,
then pasting it into the Windows folder, disabled the evil popup machine before I purchased the Webroot program. It would try to run, but as it didn't have its code it just ran an error message and you can close it.
It hides someplace in the DOS system, and as I know beans about DOS I just left it alone until Webroot finally killed it.


m s


0
