Struggling to stop AURORA popups......Please help!!

[melmartin]

Hi, I'm new to this board...and I'm not very good with computers

I've never had a virus or anything....then all of a sudden I'm getting like ten popup ads every minute!

I tried Microsoft Antispyware and Adaware they didn't help
If anything I think they made it worse!

I can hardly type... I have no idea what to do ...I'm not super-internet savvy
but, I'm willing to follow directions and learn and
I would SOO appreciate any help ANYONE can offer!

I read a previous post by "lunatic" and "realblackstuff" that seemed hopeful?~
I don't know what Hijack This is but....anything help is welcome...

I'm completely at your mercy for help

thank you in advance for any replies~
I'll be forever grateful!

 

[Spike]

HJT, as far as is important here, is simply a program that will generate a report on running processes, suspicious entries, and startup items on your system. (it should be noted however that much of what it displays in the log file is perfectly legitmate, and often quite important for windows to run - but unless you're going to examine the file on your own and not ask for help, this should concern you. If in doubt, ask someone.)

I don't know your level of ability, but if could you precisely follow the instructions provided by RealBlackStuff here, and then post a fresh HJT log as a txt attachment in this thread it would be very helpful.

If you are having any trouble understanding what to do from these instructions, then please post back here and tell us what in particular you are having trouble with.

 

[melmartin]

thank you so much, I'm working on it and will post the HJT log thingy...

should I post that as a separtate thread or continue that here?

thanks again!

 

[Spike]

as described on the link in my above post, rename the log file with a .txt extension, and upload it to a new POST in this thread

You're most welcome by the way, Welcome to Techspot! :hotbounce:

 

[melmartin]

Posting my HJT log for help with popups!

Hi Spike! I'm sure you're busy...but whenever you get a chance to look at this would be great...

Attached is my HJT...I followed all the directions, I think

and if you'd like for me to copy and paste the text of the HJT log...I could do that as well... I tried to fix some based upon the directions...but I was unable to figure out which ones to delete!

So, my HJT log remains untouched....and I would love for you to look at it if you have some time.

Thank you again~!

 

[RealBlackStuff]

Before you start, disconnect the PC from the internet!

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
winnn10n.exe
vssymvea.exe
casclient.exe
sf.exe
sfita.exe

Next, try to UNinstall (NOT delete yet!) anything to do with:
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\sf\sf.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINDOWS\System32\winnn10n.exe
C:\WINDOWS\System32\vssymvea.exe
C:\Program Files\Cas\Client\casclient.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca.dll
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 ==>> if you can find these <<==
O4 - HKLM\..\Run: [x32i3qR] winnn10n.exe
O4 - HKCU\..\Run: [g0tsRkd6Q] vssymvea.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1118875347952
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Winkir - Unknown owner - C:\WINDOWS\System32\Winkir.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.

Unless you install at least XP/SP1 don't come back again!

 

[Spike]

What RealBlackStuff said! He's better than I am (heck, he wrote the instructions!)

Anyways, I hope RBS's advice clears everything (it should! and he's right about the service pack, you need it!). Feel free to post back if you've any problems.

 

[melmartin]

Thank you so much realblackstuff and spike!
I really appreciate it!

I know you all are very busy...but THANK YOU, thank you again!
I'm really grateful for your time and your kindness~!

:wave:

 

[melmartin]

I'm sorry this may be a completely *****ic question.....

but I thought I have Windows XP......?

What do I need to do to get the SP1?

Thank you again and sorry for the inconvenience

 

[Spike]

SP1 stands for service pack one. It is a package of updates and fixes that makes windows XP less buggy, adds a little bit of functionality, and makes your computer more secure.

SP1 can be downloaded from the Microsoft website, or installed through visiting windows update (also known as the express installation) It can take quite some time to download though on a slow connection, and I wouldn't reccomment doing so on dial up, though you may still be able to obtain it on CD.

The current service pack for windows XP is SP2. If you intend to install SP2, there is no need to install SP1 first. There are issues with SP2 though that some find annoying. Personally though, I have no real problem with it.

visit http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx for info and/or install of SP1

and

http://www.microsoft.com/windowsxp/sp2/default.mspx for info and/or download of SP2.

Hope this helps.

 

[melmartin]

Thank you so much for your quick reply! I so appreciate that!

Yes...I will download the SPack ASAP! Could you explain just a little bit about the probs with SP2?? I'm just not sure which to download? If you say SP2 is okay for you...then it's probably okay for me too...? Just let me know when you get a chance which one is best~

Also...I went through and followed realblackstuff's instructions....they have helped immensely...and the popups are pretty much gone! nowhere near the earlier frequency.... :giddy:

The only problem is when trying to delete the folders from C:/Documents and Settings/[username]/Local Settings/Temp......I found a TON of files in this temp folder!
When I tried to delete the content.ies file, the following message popped up:

"Error deleting file or folder: Cannot delete server-~/ Cannot find the specified file. Make sure you specify correct path and file name"

So, I just left that file in the temp folder!
The other 1,100 files are in the recycle bin....

Is it normal to have had so many in the temp folder?
Should I delete them from my Recycling bin or keep them just in case?

Sorry to bombard you with an onslaught of questions!

I can't even begin to tell you how thankful I am for this website.
Spike, you and realblackstuff have been awesome!
Yall rock! :grinthumb

 

[Spike]

In your case, I would probably recommend SP2. It does stop some programs working, but by now most if not these will have updates available to fix this. A lot of more experienced tech people feel that SP2 has made windows TOO ***** proof, to the point of appearing pedantic. However, for the inexperienced user it safeguards against a lot of potential issues in security terms that SP1 does not.

SP1 doesn't really carry any problems as such, but it is missing a large number of critical security updates available in SP2.

As for the Temporary internet files, yes, it is quite common to find thousands of files in there sometmes, and there's no problem. It's purely information that has been cached from the internet so that the computer doesn't have to download it again if visiting the same site. Occasionally though something nasty comes in frm a website and lives there, but if it does, any good virus/adware scanner will pick it up.

You should probably note that the folder "content.ie5" is perfectly normal. It is a system folder, usually hidden on most machines, and as such shouldn't be deleted (so it's just as well it won't let you! lol)

I note that you say that the popups are reduced. If you don't mind me asking, are they internet pop ups, or messenger ones? (messenger service pop-ups are simply grey boxes (lke any error message!) containing only a title in the bar at the top, a message in text, and an ok button at the bottom). Incidentally, SP2 puts a built in pop-up blocker into internet explorer.

I would also recommend that you start using the Firefox web browser (as RBS mentioned in his instructions in the spyware removal thread you followed) if you aren't doing so already.

Hope this helps and as ever, feel free to ask if you're stuck. You're welcome to the help. That's what I come here for (and if he doesn't mind my saying, RBS is probably happy to help those that help themselves too )

 

[melmartin]

thank you again for your prompt reply!

Yes, I have now downloaded SP2!!

The ads have really stopped to practically nothing now! I was trying not to be too optimistic before....but it's been hours now...and I think it's safe to say that the brunt of the problem is completely gone.

As for your question...I think there were both types the Internet and the Messenger...because some were with the blue title bar where you just click OK ....but others were the kind you could not close (the kind where you have to go to task manager and end task)

But, I think those troubles are basically behind me now...as long as I keep up with the security scans~

I am using Mozilla Firefox as well! Boy, what a difference that makes! No ads when I use that at all! Yay!
It's almost too good to be true! :bounce:

Thank you again...I know you may not think it's much...but you have helped everyone that uses this computer!

Have a wonderful nite! :wave:

 

[Spike]

why, thankyou. The messenger service popups should completely stop now, as SP2 turns off the service that allaows them. As for standard internet popups, well, there'll always be a few - the internet's like that.

I think you can now declare yourself completely clean and ready to go. (hopefully you have a firewall and Antivirus - if you can download SP2 that quickly, a firewall is a must! lol)

Firefox does make a huge difference too it also reduces the risk of future infestations.

Thankyou for your clear appreciation though, it doesn't happen often. It's certainly put a smile on my face.

 

[RealBlackStuff]

Without trying to sound patronizing, would you please abstain from using those pastel colours in future?
The normal black is perfect, those washed-our colours you use, are very hard to read....
Use the B at the top-left of the message box to make things bold if you want to accentuate something.