Nail.exe & Aurora HELP!!!!

BaLLeR Boca Raton, Florida
edited June 2005 in Spyware & Virus Removal
DON'T EVER LET YOUR YOUNGER SIBLING ON YOUR COMPUTER WITHOUT KNOWING WHERE THEY WILL GO!!!!!!!

I left the house the other day and I came back to see my computer infected with a thousand viruses and trojans. I was successful in removing all of the trojans via Ad-Aware and HijackThis through Safe Mode...
The only ones left are Nail.exe and the Aurora pop-ups. I can't get rid of them no matter what I do; they always show up on my HijackThis log. Also, in my Task Manager there is always one .exe that, if I delete it, comes back under another name, e.g. lzzwpn.exe: I delete it and it comes back as dlwwshk.exe or another bunch of random letters. Help would be greatly appreciated. Thanks.

Comments

  • SpywareShooter 127.0.0.1
    edited May 2005
    Please post your HijackThis log so we can help you.
  • BaLLeR Boca Raton, Florida
    edited May 2005
    Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:23:53 PM, on 5/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Valve\Steam\Steam.exe
    c:\windows\system32\dlwwshk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Patrick\Desktop\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ksloan] c:\windows\system32\dlwwshk.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • SpywareShooter 127.0.0.1
    edited May 2005
    Boot into Safe Mode (Press F8 at the BIOS screen when booting) and fix these entries:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [ksloan] c:\windows\system32\dlwwshk.exe

    Still in Safe Mode, find and delete these files:
    C:\WINDOWS\Nail.exe
    c:\windows\system32\dlwwshk.exe

    Then boot back into Normal Mode and post a new log.
  • BaLLeR Boca Raton, Florida
    edited May 2005
    I think I got rid of the second one, but nail.exe keeps loading itself after I delete it, wherever it is. Here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:16:28 PM, on 5/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Documents and Settings\Patrick\Desktop\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • edited May 2005
    I'll understand if you just want to take advice from 'Sam', but I had the same Aurora pop-ups and Nail.exe problems.

    The way I got rid of them was by downloading killbox, and running that in safe mode. Here is my post, feel free to follow the directions near the bottom. That helped me out completely.

    http://www.short-media.com/forum/showthread.php?p=268533#post268533

    Good luck
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    If you still need help with this problem please post a new hijackthis log.
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the SVT SWAT Team and we will reopen it for you. Include the address of this thread in your request.
  • edited May 2005
    I have Nail.exe by Aurora, which brought its friends... I can't get rid of it... I have Microsoft AntiSpyware, Norton, and XoftSpy. I have been fighting this little hitchhiker for two days.... :shakehead

    The lady at Microsoft couldn't help even though she had me install another program.

    The above virus knocked out my keyboard commands, so I can't do an F8 to get into DOS, thus getting into Windows through Safe Mode.... :bawling:

    Help?

    Lynn in San Diego..

    Suggestions appreciated!!! :thumbsup:
  • SpywareShooter 127.0.0.1
    edited May 2005
    Lynnrob, please create a new topic with your HijackThis log in it.
  • edited June 2005
    BaLLeR wrote:
    DON'T EVER LET YOUR YOUNGER SIBLING ON YOUR COMPUTER WITHOUT KNOWING WHERE THEY WILL GO!!!!!!!

    I couldn't agree more.

    I couldn't figure out how to delete that stupid thing either. I tried getting different spyware programs, but they all did the same thing: no deletion of the program.

    I'm somewhat computer literate, so I figured there's got to be a way to outsmart this program.
    I got to looking in the registry for nail.exe, and found one entry saying "explore c:\windows\nail.exe", something like that. I also found that you can't delete that one either; it keeps popping right back up.

    I'm sure there are web sites that offer something to help clean this up, but it took me forever looking, and I never found much to help me.

    I did, however, find a web site talking about how to remove it manually. Overall, most of it was a bunch of garbage, but a few points were made....

    Step 1
    Reboot your computer into Safe Mode. You can do this by pressing F8 a few times while your computer is booting up.
    (I cleaned my computer up without having to do this.)

    Step 2
    Find nail.exe, which I think is supposed to be in the Windows directory.

    Step 3
    Open Notepad and go to Save as... Type the name of the Notepad document as "nail.exe" and make sure it doesn't save it as a text file (I think it will say something like Type .txt files; click on that and set it to All files).

    Once you have this done, wherever you have saved it, go and look at it; mine was on the desktop so I could get to it easier.
    It should give you an error when you try to open it, because it's just a mock program, and the file size should be 0 bytes.

    Step 4
    Click with your right mouse button and copy the file that you created.

    Step 5
    Now go to the Windows directory where the real nail.exe is. Delete the file and, as soon as you hit Yes, press Shift + Insert (using the mouse is too slow). Then click on it with your right mouse button, go to Properties and click on the "read-only" attribute. You need to do all of this pretty quickly; it should only take a couple of seconds.

    Now you should have the mock program in the place of the original nail.exe. To make sure that you have the right program in place, remember the size of the program will be "0 bytes"; if it's anything else, then you will have to repeat step 5.

    Step 6
    Now restart your computer. Once it's back up, there will be an error that will pop up, but it's OK: it's where the system is trying to open nail.exe, and with the mock program, it can't.
    So now the program should be disabled.
    Now go to Start > Run and type regedit.
    Go to Edit, and search for nail.exe.
    There should only be one entry, which says, like before, explore c:\windows\nail.exe
    Edit that entry and take off the c:\windows\nail.exe
    Now....
    go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and make sure that there is nothing there that's not supposed to be,
    something like sjdfhos.exe, and delete the entry. Personally, I don't have anything in mine, because I know if something does get added, it's not supposed to be there.
    It won't hurt anything if you do get rid of everything.

    Step 7
    Now reboot your computer again and do all your scans. The scans should pick everything else up and delete it.
    Note... don't delete nail.exe.
    It's the mock program and it won't hurt anything. Make sure that everything that pertains to a virus is gone, and then delete it, but keep an eye out and make sure that it doesn't come back.
    To be honest, I left mine on my computer, because it's not taking up any space and it prevents the program from re-installing itself.
    I figure after a while, someone somewhere will make a point to put the removal process in every anti program; by then, it will be obsolete, or pretty close to it.

    Remember, the stupid thing knows how to download itself and install itself, so be careful.


    Joey.
This discussion has been closed.
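
Added example, not part of the original thread or any poster's code: a small Python triage over HijackThis lines that, on entries copied from the first log above, picks out the same F2 Shell and O4 Run lines the helper asked to be fixed. The function names and both heuristics are assumptions of this example, and a hit means "look closer", not "malicious".

```python
import ntpath
import re

# Entries copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ksloan] c:\windows\system32\dlwwshk.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
"""

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$", re.I)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

def image_path(cmd):
    """Extract the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return (kind, path) pairs for lines worth a closer look; not a verdict."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = F2_SHELL.match(line)
        if m:
            # Assumed heuristic: the shell value should be Explorer.exe alone;
            # anything appended is an extra program in the logon shell entry.
            tokens = m.group(1).split(None, 1)
            if not tokens or tokens[0].lower() != "explorer.exe" or len(tokens) > 1:
                findings.append(("F2-shell", tokens[1] if len(tokens) > 1 else m.group(1)))
            continue
        m = O4_RUN.match(line)
        if m:
            # Assumed heuristic: an image sitting directly in the Windows or
            # system32 directory whose file name does not match its Run value name.
            name, path = m.group(1), image_path(m.group(2))
            folder, fname = ntpath.split(path)
            stem = ntpath.splitext(fname)[0]
            if folder.lower() in SYSTEM_DIRS and stem.lower() != name.lower():
                findings.append(("O4-run", path))
    return findings

if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(kind, path)
```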