Solved

Nail.EXE Spyware Problems.

Posted on 2005-05-12
Last Modified: 2008-01-09
Running Windows XP Home Edition. It is infected with Nail.exe. Cannot get rid of it at all. I tried using the following fix:

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find System Startup Service.

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

When I tried to run services.msc I received the following message:

Microsoft Management Console

MMC cannot open the file c:\windows\system32\services.msc.

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file

So I then tried to go through Administrative Tools from the Control Panel, then clicked on Computer Management and received the same error, with the exception of the file being c:\windows\system32\compmgmt.msc. I then went back and tried to open MMC by typing it into the Run command. It will open an empty console with no snap-ins at all. I added the services snap-in and it loaded it, but it won't let me save the console. Also tried to add the compmgmt snap-in... and once again it won't let me save it. I was able to disable the System Startup Service.

The next thing I did was run Hijack This and remove the F2 - REG:system.ini:Shell=Explorer.exe C:\windows\nail.exe and proceeded to follow these remaining steps:

Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

SvcProc

Click OK

Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window copy and paste the following commands one at a time exactly as they appear below and hit the Enter key after each one:

Paste this:

del C:\WINDOWS\svcproc.exe

Hit Enter

Paste this:

cd C:\windows

Hit Enter

Paste this:

nail.exe /FullRemove

Hit Enter

Paste this:

exit

Hit Enter to exit the command window.

Reboot

I went into the registry and removed nail.exe.

Rebooted... and it is right back there again like I did nothing. Now I still can't open services.msc and compmgmt.msc either.

All of this was done in both Normal and Safe mode with the same results.

Here is my Hijack This log. Please help..

 

Logfile of HijackThis v1.99.1

Scan saved at 9:38:53 PM, on 5/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\SCANJET\PrecisionScanPro\HPLamp.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe

C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE

C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\Java\chatlnk.exe

C:\DOCUME~1\DARRIN~1.SOB\LOCALS~1\Temp\~CL5.tmp\g2a_customerchat2w.exe

C:\PlumChoice\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe

O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Sygate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0019.exe

O23 - Service: sdkupdate22 (Action Date) - Unknown owner - C:\WINDOWS\System32\SDK0mCORE.exe" -netsvcs (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe

O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Question by:K3HT
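As an added example (not from the thread, from HijackThis, or from any of the tools named here), the following Python script reads the log format shown above and flags the three kinds of entries the thread revolves around: a Winlogon Shell value with something chained after Explorer.exe (the F2 line), an O23 service whose binary is no longer on disk, and an O4 autorun pointing at the nail.exe or svcproc.exe files. The sample log is constructed from lines in the question plus one made-up SvcProc autorun entry; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# One HijackThis entry: a section code (R1, F2, O4, O23, ...), " - ", then the payload.
_ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# The Winlogon Shell value a clean Windows XP install carries is exactly "Explorer.exe".
_SHELL = re.compile(r"REG:system\.ini:\s*Shell=(?P<shell>.+)$", re.IGNORECASE)
# File names the thread identifies as belonging to the Nail infection.
_NAIL_FILES = re.compile(r"\\(nail|svcproc)\.exe\b", re.IGNORECASE)

def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Return the classified entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag entries matching the indicators discussed in the thread as (code, reason, body)."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "F2":
            m = _SHELL.search(body)
            # Anything chained after Explorer.exe is launched by Winlogon at every logon.
            if m and m.group("shell").strip().lower() != "explorer.exe":
                findings.append((code, "Winlogon Shell chains an extra program", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service registered for a binary that is not on disk", body))
        elif code == "O4" and _NAIL_FILES.search(body):
            findings.append((code, "autorun references a Nail/SvcProc file", body))
    return findings

# Constructed sample: F2/O23 lines copied from the question's log, the SvcProc O4 line is made up.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SvcProc] C:\WINDOWS\svcproc.exe
O23 - Service: sdkupdate22 (Action Date) - Unknown owner - C:\WINDOWS\System32\SDK0mCORE.exe" -netsvcs (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for code, reason, body in suspicious(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Run against a full saved log, the benign Symantec entries pass and only the three indicator lines are reported, which is the same triage the thread does by hand.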
7 Comments
 
LVL 13

Expert Comment

by:softplus
ID: 13985266
I got rid of it with Spyware Dr., no problems at all: 2 runs and done -- just payware :(
 
LVL 13

Expert Comment

by:WillHudson
ID: 13987171
Have you made sure that you have turned off System Restore? Because if you haven't, then it might explain why it's such a pain to get rid of it.
 
LVL 12

Expert Comment

by:David Wall
ID: 13987277
I would look at Pete Long's site at http://www.petenetlive.com/Tech/Browsers/hijack.htm which can help.

nail.exe appears to be a Win32 trojan; it may be worth running a full virus scan, probably in safe mode.

If the file keeps coming back it is probably being propagated from somewhere. You may find you have a hidden folder in your Program Files directory that holds the program that creates the file. Try enabling "show hidden files and folders" in Control Panel > Folders > Views, and look for some unknown package that often relates to web searching or bargain files.


 
LVL 13

Accepted Solution

by:softplus (earned 1000 total points)
ID: 13987320
Nail is a pain in the b... All the other adware-tools I tried could remove it once but must have left something running, because it all came back after reboot. Spyware Dr. (bought it just for that) killed it right off the bat. I'm sure you could go chasing files and registry entries and also get rid of it, but I have other things that are more fun (like a refreshing root canal surgery)
 

Expert Comment

by:tkthelpdesk
ID: 14317637
I second the posting about spyware doctor.  I also had the same problem, the spyware dr. software was the first to fix it.  It costs $29, well worth it.  

Bob B.
 

Author Comment

by:K3HT
ID: 14317661
I have found actually that if you use Hijack This to remove it and then use mypcuninstaller, which I think is found at www.mypcuninstaller.com, it goes away very easily.
 
LVL 57

Expert Comment

by:Pete Long
ID: 32644657
