I hit a variant of this on a machine today. There were three parts:
nail.exe was set in the Windows shell command in the registry--shell was set
to explorer.exe c:\windows\nail.exe
then there was a randomly named executable which was recreated each time
Microsoft Antispyware killed its process--the process was called TODO:
And then there was a longer randomly named executable--ossffsomething or
other.exe
For me, the key was running TrendMicro's Housecall online antivirus scan--it
was able to spot the OSS...... piece which none of the other tools had been
able to ID--couldn't see it in startup items via sysinfo32, or Microsoft
Antispyware, tried Sysinternals rootkitdetector--nothing found. Trend
couldn't clean or delete any of the 6 things it found, most of which were
irrelevant.
That executable wasn't deletable even in command-line safe mode.
So I booted to the recovery console and was able to remove nail.exe,
oss....., and the randomly named executable of the moment, and that did the
job.
So--here's an example of a cleanup which Microsoft Antispyware didn't
manage--I'd scanned this fully in both safe mode and normal mode multiple
times, and these popups, which were headed CERES and AURORA, kept on coming.
In this case, an antivirus gave the best clue, but removal required a
maintenance OS--in this case the Recovery Console, which enabled me to
remove the executables involved.