Another Aurora Popup problem.

Status
Not open for further replies.

Rickster

Another Aurora Popup problem cleaned.

Hello!
I've read many other people's posts/threads about this in order to get rid of it without asking for help, but I've gotten rid of everything else but Aurora, I believe. Anyway, I've tried and tried to no avail.
I believe everything is in this hijackthis log.
If anyone can help me, I'd be a happy camper.
 

Attachments

  • hijackthis.txt
Hello again, and thanks for the fast response!
I've followed your instructions on this page: How to remove Begin2Search/Coolwebsearch and Other Nasties
I downloaded every program, except for the Smartkiller one, because the link is not working for me. Updated each one, then I ran them all, in safe mode, in the order in which you asked.
I then made another HJT log, hopefully this one is better!
I'm really trying my best here~
Thanks for your time,
-Rick
 
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

jlzspa.exe
avznkp.exe
ViewMgr.exe
lmhdll32.exe
lfpole16.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
c:\windows\system32\jlzspa.exe
C:\WINDOWS\system32\avznkp.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [q72g3sX] lmhdll32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\avznkp.exe reg_run
O4 - HKLM\..\Run: [pciojmu] c:\windows\system32\jlzspa.exe r
O4 - HKCU\..\Run: [bwtmRibtX] lfpole16.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mprepl40.dll
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
 
All right~
directions followed...
I had a problem though, when deleting everything in:
C:\Documents and Settings\[User name]\Local Settings\Temp\
and
C:\Windows\Temp folder
I ran into a file named index.dat that would not let me delete it because "This file is being used by another program."
It was in multiple places in the temp folders, namely in Temp\Cookies, Temp\Temporary Internet Files, Temp\History.IE5.
I deleted everything else in the temp folder but this specific file.
This was all in safe mode, and I'm not sure what program was running this file.

Here's my new HJT scan log.
I notice that these keep coming back, after fixing and deleting:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mprepl40.dll

Am I doing something wrong? Trying to follow everything correctly.

Thanks a lot for your help,
-Rick
 
While browsing the forums here, I ran into your How to fix Aurora/Nailfix thread.
I went ahead and ran through those procedures, since I've already downloaded those programs and had everything ready to try, already.
Ran it, now waiting to see if it's clean.
Here's the latest HJT log.
Thanks,
-Rick
 

Attachments

  • hijackthisafterclean.txt
Good man, you did some proper spring-cleaning!

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

ogantq.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
c:\windows\system32\ogantq.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mprepl40.dll

Now click on the Fix Checked button in HJT.

When done, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.

The above is standard text, if you've done it already, OK.
To leave the index.dat files is OK as well.

Funny though, my Temp file only holds junk, no index.dat files anywhere, did you read the instructions properly, for the right directories?
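
An added example, not part of the original thread and not HijackThis's own logic: a small Python triage of HijackThis lines quoted in the posts above, which also shows that mprepl40.dll returns under a different Winlogon Notify name in each round. The rule names and the functions `parse` and `triage` are illustrative assumptions, and a finding marks an entry for review rather than giving a verdict.

```python
import re
from collections import defaultdict

# HijackThis lines quoted in this thread, grouped by the round they appeared in.
SCANS = [
    [r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
     r"O4 - HKLM\..\Run: [q72g3sX] lmhdll32.exe",
     r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\avznkp.exe reg_run",
     r"O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mprepl40.dll"],
    [r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
     r"O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mprepl40.dll"],
    [r"O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mprepl40.dll"],
]

LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SHAPES = {  # body layouts for the three entry types seen in the thread
    "run": re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "notify": re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$"),
    "shell": re.compile(r"^REG:system\.ini: Shell=(?P<value>.+)$"),
}

def parse(line):  # one log line -> section code plus typed fields, or None
    m = LINE.match(line.strip())
    if not m:
        return None
    for kind, rx in SHAPES.items():
        d = rx.match(m["body"])
        if d:
            return {"code": m["code"], "kind": kind, **d.groupdict()}
    return {"code": m["code"], "kind": "other", "body": m["body"]}

def triage(scans):  # -> [(scan_no, rule, detail)]; scan_no 0 = cross-scan rule
    findings, names_by_dll = [], defaultdict(set)
    for n, scan in enumerate(scans, 1):
        for e in filter(None, map(parse, scan)):
            exe = e.get("cmd", "").split(" ")[0]
            if e["kind"] == "run" and exe.lower().startswith("rundll32"):
                findings.append((n, "run-rundll32", e["name"]))
            elif e["kind"] == "run" and "\\" not in exe:
                findings.append((n, "run-no-path", e["name"]))
            elif e["kind"] == "shell" and e["value"].lower() != "explorer.exe":
                findings.append((n, "shell-extended", e["value"]))
            elif e["kind"] == "notify":
                names_by_dll[e["dll"].lower()].add(e["name"])
    for dll, names in names_by_dll.items():  # same DLL, several notify names
        if len(names) > 1:
            findings.append((0, "notify-renamed", f"{dll}: {sorted(names)}"))
    return findings

print(*triage(SCANS), sep="\n")
```
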
 
Well, it seems like everything's clean. I haven't had an Aurora pop up and it's no longer find-able via search, or anything.
While running HJT this time, ogantq.exe wasn't even there.
The only thing that riddles me and my system now seems to be the index.dats... which I have no idea where they came from! I tried to follow everything precisely as to not mess anything up. I'm pretty sure I did follow instructions correctly, I double-checked everything. It's the least I can do to help you help me. I greatly appreciate it. Thank you for your time.
I suppose I'll look into that now, and let you know what I figure/find out.
Edit: After reading more about them, they're normal hidden Windows logs of what sites you've been to while using Internet Explorer. It's just annoying to have to delete everything around them just to clear your temp folder. I have read that you can delete them by shutting explorer down, getting them that way, so that no program is running them, but I don't think I will worry about it, unless otherwise instructed. :)

Thanks again,
-Rick
 
To be sure, click on Start/Run and type in cmd and click OK.
In the command window, type CD \ and hit enter.
Then type in attrib index.dat /s >index.txt and hit enter
Then post back and attach that file c:\index.txt
You seem to have way too many index.dat files in the wrong places!
 
You need to get rid of these bold directories:
You may have to restart in Safe Mode before it lets you.

C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Rick\Local Settings\Temp\Cookies\index.dat
C:\Documents and Settings\Rick\Local Settings\Temp\History\History.IE5\MSHist012005062920050630\index.dat
C:\Documents and Settings\Rick\Local Settings\Temp\History\History.IE5\index.dat
C:\Documents and Settings\Rick\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
 
Done.
That was weird though, it let me delete every directory but this one:
C:\Documents and Settings\Rick\Local Settings\Temp\History\
which has only 1 thing in it:
History.IE5\MSHist012005063020050701\index.dat

All the others deleted with no problem.
Since I've swapped from IE to Firefox a week or so ago, I don't know if that will ever be used, as it's in an IE folder.
Anyway, system has been clean since aurora pop up, so I'm really happy about that. Thanks, again
 