TechSpot

Can't Stop Aurora Popups

By jluechau
Jul 4, 2005
  1. Hi! I've been trying to stop these popups by reading other posts, but they are just not going away. I have Adaware, AboutBuster, CCleaner, CWShredder, Nailfix, Ewido, HijackThis, Spybot and Symantec Antivirus. Nothing is getting rid of it. I'm running these in Safe Mode, but should I be running them in the Admin user or the user that says my name? I've attached my most recent HJT log. Any help anyone could give me would be amazing. Thanks!!
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Once you have done that, go HERE and follow the instructions exactly.

    Then, please post a fresh HJT log.

    Regards Howard :wave: :wave:
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ViewMgr.exe
    ttdrvs.exe
    fdinlak.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    svcproc.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
    O4 - HKLM\..\Run: [dajhgb] c:\windows\system32\fdinlak.exe r
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O23 - Service: CWShredder Service - Unknown owner - C:\DOCUMENTS AND SETTINGS\JENNIFER ANNE\DESKTOP\cwshredder.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
     
  4. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    When I boot in Safe Mode, should I choose the Admin user or the Jennifer user?
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Log on under your own name. That's provided you've got full administrative rights.

    Regards Howard :)
     
  6. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    Ok. I did all of that. Here is my latest HJT log. Now I have this thing on my desktop called desktop.ini that I can't get rid of. Also, every time I boot my computer, it gives me a message about Nail.exe. And I didn't understand the very last part that realblackstuff said. The "When done, from between the dotted lines" part.

    Well, let me know what I should do. You guys are so wonderful and helpful! Thanks!!
     
  7. Rickster

    Rickster TS Rookie

    Hello Jennifer!
    Your HijackThis log didn't go through, or you may have forgotten to post a fresh one.
    Also, what realblackstuff meant by between the dotted lines, is if you look at his post he has dotted lines in 2 places, and everything between them, you need to find through Windows Explorer (right click the Start button and choose Explore, is one way to do this) and locate the files or folder directories that he has bolded, then delete them manually (right click, choose Delete).
    I hope this will help you~
    -Rick
     
  8. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    Whoops!! Here it is!
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  10. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    Ok. I deleted the things between the dotted lines, well none were there, but I tried. Then I did the mypctuneup and the trendmicro stuff. So here is my latest HJT log. Tell me what you think. Also, every time I restart my computer I get a "can't find C:\WINDOWS\nail.exe" error message. I have an icon on my desktop called desktop.ini. The icon is faded compared to the rest, and it says when I try to remove it, that it is a system file. What should I do?! Thanks!!! You guys are all awesome.
     
  11. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    You get a missing nail.exe message because there are still references to it in the registry.

    Also, desktop.ini is a file that is part of Windows, you see it because you have hidden files/folders turned on. Normally the file is hidden from you, don't worry about it.

    Click Start-run and type "regedit" and hit enter.
    Once in there, hit F3 and type "nail.exe". Search for and remove references to it.
    Also do a search on your hard drive for "Nail.exe" and remove traces there as well. Usually in c:\windows\nail.exe.

    Nail.exe, however, is not the PRIMARY bug, it is created by another one, which hopefully you've got removed. So all that's left is to delete the traces to nail.exe in the registry.

    Then go into My Computer. Click Tools-folder options, and tell it to hide hidden/system files. Your desktop.ini will go away.

    I suggest you run a tool called regsupreme (http://www.macecraft.com/regsupreme/). Clean whatever it finds. Just do a standard search.

    That should do it for those two.

    Remove these from your HJT:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe

    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    ----------

    Some of these aren't necessarily bad, just not needed.

    Lastly, you DO want to do ALL your tools and cleaners from Safe Mode. And I suggest doing them ALL from EVERY user account you can get in. As each user account can have spyware all its own.

    I might also say that this one worries me:
    O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe

    It could come right back as a different name. So watch for that. Scan with HJT as soon as you clean and see if another similar entry shows up. Or log off and back on in Safe Mode and see if one reappears. If so, you aren't clean yet!

    Good luck.
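
Added example, not part of Vigilante's post or any HijackThis tooling: the "scan again and see if a similar entry shows up" check above, written as a comparison of the O4 Run lines from two HJT logs. The function names and the `xqzabc` / `example-new.exe` entry in the second log are constructed for illustration; the other lines are taken from this thread.

```python
import re
from ntpath import dirname  # Windows path rules on any platform

# HijackThis registry autostart line: O4 - HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[([^\]]*)\] (.+)$")

def parse_run_entries(log_text):
    """Return {(run_key, value_name): command} for every O4 registry Run line."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3).strip()
    return entries

def exe_path(command):
    """Lower-cased executable path from a Run command, quoted or bare."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return (m.group(1) if m else command).lower()

def respawned(before, after):
    """New autostart entries whose executable lives in a directory that a
    removed entry also used: the 'came back under a different name' case."""
    old_paths = {exe_path(c) for c in before.values()}
    new_paths = {exe_path(c) for c in after.values()}
    removed_dirs = {dirname(p) for p in old_paths - new_paths}
    return sorted(
        (key[1], exe_path(cmd)) for key, cmd in after.items()
        if exe_path(cmd) not in old_paths
        and dirname(exe_path(cmd)) in removed_dirs
    )

# Log taken before cleaning (lines from this thread).
BEFORE = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
# Log taken after cleaning; the second line is constructed sample data.
AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xqzabc] c:\windows\system32\example-new.exe
"""

if __name__ == "__main__":
    for name, path in respawned(parse_run_entries(BEFORE), parse_run_entries(AFTER)):
        print(f"possible respawn: [{name}] {path}")
```
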
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Please do us all a favour, and find someone who knows about PCs.
    I have given you the instructions and you do NOT follow them.
    I can't give them any clearer, so GET HELP!

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ViewMgr.exe
    ttdrvs.exe
    PowerReg Scheduler.exe
    Launcher.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Webshots\Launcher.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
     
  13. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    Then don't reply. If you want to help, I would love it. But, if you are going to help people, you need patience. I have done everything you have told me and it just keeps coming back. So I'm sorry to be a pain in your side, but I'm trying. You don't have to deal with me if you don't want to. There have been others who have helped me who aren't frustrated. Thank you for everything you have done this far, but please don't feel like you need to do anymore if you don't want to. For anyone who feels like they might have the patience, here is my latest HJT log. Tell me what you think. And thank you for everything you have done this far. You have been very helpful.
     
  14. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    I don't see a log :)

    Are you still having trouble?

    I don't doubt that you followed RBS's instruction. Fact is if it is still there, then it has REALLY attached itself deep and may require some fancy removing. Taking it to a shop may be the way to go, but if the problem is that intense, you might want to consider a reload over this frustration! Because a repair shop would probably recommend that anyway.

    So what'll it be?
     
  15. jluechau

    jluechau TS Rookie Topic Starter Posts: 20

    Am I able to do a reload? Does that mean I'll lose everything?
     
  16. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    You are able to do a reload if you have your Operating System disk, or OS recovery disk. And your Product Key.

    You won't lose anything if you back it up first! Track down your important data and burn it to a CD or an external drive. Double check that your data is on this backup media, and then reload.

    Some people reload once a year just to keep clean. Some people reload every time they upgrade hardware.
    You can only hack at Windows so much before it just needs to be reloaded.

    Some general items that are common for backup are:

    My Documents
    Favorites
    E-Mail/Address book
    Financial Data (Tax, Quicken, Quick Books etc)
    Pictures (in general, but most would/should be in My Docs)

    Otherwise, it could be a long and hard fight to clean it up at this point.
     
Topic Status:
Not open for further replies.
