Aurora popup will not go away

By Lunatic
May 3, 2005
Topic Status:
Not open for further replies.
  1. A day ago I started getting a popup at random, even when Internet Explorer was not open. I got rid of IE and installed Firefox.

    I ran Ad-Aware, Spybot and Norton AntiVirus, all in safe mode.
    I also ran HijackThis while in safe mode, also this other program someone said to try. I'll post both logs. The other program is called "Find It's".

    laptop specs are as follow:
    XP Home SP1
    Mobile AMD Athlon XP 1789MHz
    HP Pavilion ze4400
    192MB PC2100 DDR SDRAM
    40GB 4200RPM HHD

    After looking it up online, I found out that Nail.exe is part of this aurora popup. But I have done several searches both in safe mode and normal mode and came up with nothing.


  2. maXimus4444

    maXimus4444 Newcomer, in training Posts: 118

    First off, you need IE for Windows Updates. Second check this thread and make sure you follow the exact directions.

    After that run Hijack-This then post your log.
  3. Lunatic

    Lunatic Newcomer, in training Topic Starter Posts: 66

    Yeah, I know IE is needed for updates. I didn't uninstall it, not that I could.
    I just took it off the desktop and quick launch and program files under the start menu.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ggcqtiq.exe
    svcproc.exe (if there)

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    svcproc.exe
    When found, Stop it if it is running, doubleclick on it and change the Startup type to Disabled.

    Next, copy and paste the following text from the quote box and save it on your PC as svcproc.reg
    PS: there is NO space in 'S vcProc', it's SvcProc, this is a forum quirk!

    Next, double-click on the saved svcproc.reg to clean up your registry.

    You say you have the nail.exe program (but I don't see it...)
    Anyway, click Start/Run and type cmd and hit Enter. When a command prompt opens, type:
    nail.exe /FullRemove and hit Enter.

    You now MUST reboot in Safe Mode again!
    Next, run a HJT scan and place a tick-mark in the little square before (if still there):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsd1304.dll (file missing)
    O4 - HKLM\..\Run: [ojxhplc] c:\windows\system32\ggcqtiq.exe
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4448/mcfscan.cab
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Now click on the Fix Checked button in HJT.
    When done, delete the two highlighted bold .exe files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  5. Lunatic

    Lunatic Newcomer, in training Topic Starter Posts: 66

    No, I don't have it. I just read that it was part of Aurora but I didn't find it on the system.

    Thanks, I'll try this when I get home.
  6. hotwater9

    hotwater9 Newcomer, in training

    I also have popups from Aurora. I ran Ad-Aware and Spybot Search and Destroy with no luck. Below is my HJT log. What should I do?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:51:26 PM, on 5/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.advancedaquarist.com/issues/nov2002/chem.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [wfhjxr] c:\windows\system32\lswhee.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XIMETA\NetDisk\Admin.exe
    O4 - Global Startup: PowerPanel.lnk = ?
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093282381942
    O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://192.168.1.100/tsweb/msrdp.cab
    O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/webinst.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: LANSCSI Helper Service (LanScsiHelper) - XIMETA, Inc. - C:\Program Files\XIMETA\NetDisk\LDServ.exe
    O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  7. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    conscorr.exe
    lswhee.exe
    svcproc.exe (if there)

    Next, try to UNinstall anything to do with (if there):
    C:\Program Files\Ebates_MoeMoneyMaker\

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    svcproc.exe
    When found, Stop it if it is running, doubleclick on it and change the Startup type to Disabled.

    Next, copy and paste the following text from the quote box and save it on your PC as svcproc.reg
    PS: there is NO space in 'S vcProc', it's SvcProc, this is a forum quirk!

    Next, double-click on the saved svcproc.reg to clean up your registry.

    Click Start/Run and type cmd and hit Enter. When a command prompt opens, type:
    nail.exe /FullRemove and hit Enter.

    You now MUST reboot in Safe Mode again!
    Next, run a HJT scan and place a tick-mark in the little square before (if still there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.advancedaquarist.com/issues/nov2002/chem.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [wfhjxr] c:\windows\system32\lswhee.exe
    O4 - Global Startup: PowerPanel.lnk = ?
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1093282381942
    O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://192.168.1.100/tsweb/msrdp.cab
    O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/webinst.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Now click on the Fix Checked button in HJT.
    When done, delete the highlighted bold .exe files. When a directory-name is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  8. hotwater9

    hotwater9 Newcomer, in training

    I didn't have any luck. I am still getting popups. When following the steps that you posted, the following occurred:
    None of those programs showed up in the taskmanager.
    I did not find svcproc.exe in the services.
    When I do the full removal in dos should I get any type of confirmation that it has been removed? It seems like nothing happened.
    In the HJT list, the following items were not listed:
    When I went to delete the files, conscorr.exe lswhee.exe and the Ebates folder were not present. There was a text file named conscorr but I did not delete it.
    Here is my new HJT scan.
    Thanks for all of your time and help! I can't believe how hard this thing is to remove.
  9. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Do the same corrections as in my previous post, except:
    conscorr.exe has disappeared and
    lswhee.exe is now tdcytap.exe
    This last file will have a DIFFERENT name EVERY time you start your PC, but it will appear in the same place, so you should be able to follow it.

    c:\windows\system32\tdcytap.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O4 - HKLM\..\Run: [atlebf] c:\windows\system32\tdcytap.exe
    O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

    If that does not work, get the 30-day trial version of Trojan Remover here: http://www.simplysup.com/tremover/download.html
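The entries RealBlackStuff ticks in posts 7 and 9 follow a pattern: a second program chained onto the Winlogon Shell value (F2), BHO/toolbar registrations whose file is gone (O2/O3), Run values whose name and executable are both random lowercase strings that change every boot (O4), and an "Unknown owner" service sitting directly in C:\WINDOWS (O23). The script below is an added example, not part of the thread or of HijackThis, that encodes those four heuristics and runs them over a constructed sample of log lines modelled on the ones above; like any heuristic triage it will raise false positives, and a hit means "look at this", not "delete this".

```python
import re

# Constructed sample modelled on the HJT v1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [wfhjxr] c:\windows\system32\lswhee.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LINE_RE = re.compile(r'^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$')
# O4 body: HKLM\..\Run: [ValueName] "optional quotes" path\file.exe args
RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
# "random-looking": nothing but 4-10 lowercase letters (Apoint, HKSERV.EXE, QuickTime Task all fail this)
LOWER_RE = re.compile(r'^[a-z]{4,10}$')
WINROOT_EXE_RE = re.compile(r'- c:\\windows\\[^\\]+\.exe$', re.I)

def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":   # anything chained after Explorer.exe is suspect
                hits.append((sec, "extra program chained onto the Winlogon Shell value", line))
        elif sec in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            hits.append((sec, "BHO/toolbar registration points at a missing file", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                name = r.group("name")
                base = r.group("path").rsplit("\\", 1)[-1][:-4]   # strip directory and ".exe"
                if LOWER_RE.match(name) and LOWER_RE.match(base) and name != base:
                    hits.append((sec, "Run value and executable are both random-looking lowercase names", line))
        elif sec == "O23" and "Unknown owner" in body and WINROOT_EXE_RE.search(body):
            hits.append((sec, "service with no vendor running straight out of C:\\WINDOWS", line))
    return hits

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```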
  10. hotwater9

    hotwater9 Newcomer, in training

    Thanks, I downloaded a free trial of Ewido and it removed it!!! Thanks for all of your help.