Nail.EXE Spyware Problems.

Posted on 2005-05-12
Last Modified: 2008-01-09
Running Windows XP Home Edition. It is infected with Nail.exe. Cannot get rid of it at all. I tried using the following fix:


Click Start > Run > and type in:


Click OK.

In the services window find System Startup Service.

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


When I tried to run services.msc I received the following message:


Microsoft Management  Console


            MMC cannot open the file c:\windows\system32\services.msc.


            This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC.  This may also be because you do not have sufficient access rights to the file


So I then tried to go through Administrative Tools from the Control Panel, then clicked on Computer Management and received the same error, with the exception of the file being c:\windows\system32\compmgmt.msc. I then went back and tried to open MMC by typing it into the Run command. It will open an empty console with no snap-ins at all. I added the services snap-in and it loaded it, but it won’t let me save the console. Also tried to add the compmgmt snap-in… and once again it won’t let me save it. I was able to disable the System Startup Service.


The next thing I did was run Hijack This and remove the F2 – REG:system.ini:Shell=Explorer.exe C:\windows\nail.exe  and proceeded to follow these remaining steps:


Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:


Click OK

Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window, copy and paste the following commands one at a time exactly as they appear below and hit the Enter key after each one:

Paste this:

del C:\WINDOWS\svcproc.exe

Hit Enter

Paste this:

cd C:\windows

Hit Enter

Paste this

nail.exe /FullRemove

Hit Enter

Paste this:


Hit enter to exit the command window.



I went into the registry and removed nail.exe


Rebooted... and it is right back there again like I did nothing. Now I still can’t open services.msc and compmgmt.msc either.


All of this was done in both Normal and Safe mode with the same results.  


Here is my Hijack This log.  Please help..


Logfile of HijackThis v1.99.1

Scan saved at 9:38:53 PM, on 5/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:









C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe


C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe


C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe


C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe

C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE

C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe


C:\Program Files\Internet Explorer\iexplore.exe





R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe

O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Sygate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} -

O23 - Service: sdkupdate22 (Action Date) - Unknown owner - C:\WINDOWS\System32\SDK0mCORE.exe" -netsvcs (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe

O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Question by:K3HT
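A triage pass over the log posted above, as an added example that is not part of the original thread. It flags two kinds of entry from that log: an F2 `Shell=` line that starts something besides Explorer.exe at logon, and O23 services marked "Unknown owner" or "(file missing)". The function name `triage` and the choice of these two heuristics are assumptions made for illustration.

```python
import re

# Lines copied from the HijackThis log in the question above.
LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O23 - Service: sdkupdate22 (Action Date) - Unknown owner - C:\WINDOWS\System32\SDK0mCORE.exe" -netsvcs (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SHELL = re.compile(r"REG:system\.ini:\s*Shell=(?P<value>.*)$", re.I)
SERVICE = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "F2":
            s = SHELL.search(body)
            if not s:
                continue
            # The shell value should name Explorer.exe and nothing else.
            first, _, rest = s["value"].strip().partition(" ")
            if first.lower() != "explorer.exe":
                findings.append((code, "shell replaced", s["value"].strip()))
            elif rest.strip():
                findings.append((code, "extra program after Explorer.exe", rest.strip()))
        elif code == "O23":
            s = SERVICE.search(body)
            if not s:
                continue
            reasons = []
            if s["owner"].lower() == "unknown owner":
                reasons.append("unknown owner")
            if "(file missing)" in s["path"]:
                reasons.append("file missing")
            if reasons:
                findings.append((code, ", ".join(reasons), s["name"]))
    return findings
```

A flagged service is a lead to check against the vendor's documentation, not a verdict; legitimate services can also show "Unknown owner".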
    LVL 13

    Expert Comment

    I got rid of it with Spyware Dr., no problems at all: 2 runs and done -- just payware :(
    LVL 13

    Expert Comment

    Have you made sure that you have turned off system restore? Because if you haven't, then it might explain why it's such a pain to get rid of it.
    LVL 12

    Expert Comment

    I would look at Pete Long's site at which can help.

    nail.exe appears to be a win32 trojan; it may be worth running a full virus scan, probably in safe mode.

    If the file keeps coming back it is probably being propagated somewhere; you may find you have a hidden folder in your program files directory that holds the program that creates the file. Try enabling show hidden files and folders in Control Panel > folders > views, and look for some unknown package that often relates to web searching or bargain files.

    LVL 13

    Accepted Solution

    Nail is a pain in the b... All the other adware-tools I tried could remove it once but must have left something running, because it all came back after reboot. Spyware Dr. (bought it just for that) killed it right off the bat. I'm sure you could go chasing files and registry entries and also get rid of it, but I have other things that are more fun (like a refreshing root canal surgery)

    Expert Comment

    I second the posting about spyware doctor.  I also had the same problem, the spyware dr. software was the first to fix it.  It costs $29, well worth it.  

    Bob B.

    Author Comment

    I have found actually that if you use hijack this to remove it then use mypcuninstaller, which I think is found at  it goes away very easily.
    LVL 57

    Expert Comment

    by:Pete Long
