Can't Stop Aurora Popups

jluechau

Hi! I've been trying to stop these popups by reading other posts, but they are just not going away. I have Adaware, AboutBuster, CCleaner, CWShredder, Nailfix, Ewido, HijackThis, Spybot and Symantec Antivirus. Nothing is getting rid of it. I'm running these in Safe Mode, but should I be running them in the Admin user or the user that says my name? I've attached my most recent HJT log. Any help anyone could give me would be amazing. Thanks!!
 

Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Once you have done that, go HERE and follow the instructions exactly.

Then, please post a fresh HJT log.

Regards, Howard
 
Boot in Safe Mode.
Switch System restore OFF, see how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

ViewMgr.exe
ttdrvs.exe
fdinlak.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
svcproc.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
O4 - HKLM\..\Run: [dajhgb] c:\windows\system32\fdinlak.exe r
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUMENTS AND SETTINGS\JENNIFER ANNE\DESKTOP\cwshredder.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
 
Ok. I did all of that. Here is my latest HJT log. Now I have this thing on my desktop called desktop.ini that I can't get rid of. Also, every time I boot my computer, it gives me a message about Nail.exe. And I didn't understand the very last part realblackstuff said. The "When done, from between the dotted lines" part.

Well, let me know what I should do. You guys are so wonderful and helpful! Thanks!!
 
Hello Jennifer!
Your HijackThis log didn't go through, or you may have forgotten to post a fresh one.
Also, what realblackstuff meant by "between the dotted lines" is that, if you look at his post, he has dotted lines in 2 places, and everything between them you need to find through Windows Explorer (right-clicking the Start button and choosing Explore is one way to do this). Locate the files or folder directories that he has bolded, then delete them manually (right-click, choose Delete).
I hope this will help you~
-Rick
 
Ok. I deleted the things between the dotted lines, well none were there, but I tried. Then I did the mypctuneup and the trendmicro stuff. So here is my latest HJT log. Tell me what you think. Also, every time I restart my computer I get a "can't find C:\WINDOWS\nail.exe" error message. I have an icon on my desktop called desktop.ini. The icon is faded compared to the rest, and when I try to remove it, it says that it is a system file. What should I do?! Thanks!!! You guys are all awesome.
 
You get a missing nail.exe message because there are still references to it in the registry.

Also, desktop.ini is a file that is part of Windows. You see it because you have hidden files/folders turned on. Normally the file is hidden from you, so don't worry about it.

Click Start-run and type "regedit" and hit enter.
Once in there, hit F3 and type "nail.exe". Search for and remove references to it.
Also do a search on your hard drive for "Nail.exe" and remove traces there as well. Usually in c:\windows\nail.exe.

Nail.exe, however, is not the PRIMARY bug, it is created by another one, which hopefully you've got removed. So all that's left is to delete the traces to nail.exe in the registry.

Then go into My Computer. Click Tools-folder options, and tell it to hide hidden/system files. Your desktop.ini will go away.

I suggest you run a tool called regsupreme (http://www.macecraft.com/regsupreme/). Clean whatever it finds. Just do a standard search.

That should do it for those two.

Remove these from your HJT:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
----------

Some of these aren't necessarily bad, just not needed.

Lastly, you DO want to do ALL your tools and cleaners from Safe Mode. And I suggest doing them ALL from EVERY user account you can get in, as each user account can have spyware all its own.

I might also say that this one worries me:
O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe

It could come right back as a different name. So watch for that. Scan with HJT as soon as you clean and see if another similar entry shows up. Or log off and back on in Safe Mode and see if one reappears. If so, you aren't clean yet!

Good luck.
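
The rescan check suggested in the post above (scan with HJT right after cleaning and watch for a similar entry under a different name), as an added example that is not part of the original thread: it compares two HijackThis logs and reports new autorun values that load from the same folder as an entry that was fixed. The function names, the `zzsample` entry and both sample logs are constructed for illustration; the other log lines are taken from the posts above.

```python
import ntpath
import re

# O4 autorun line:  O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# F2 line for a changed shell:  F2 - REG:system.ini: Shell=Explorer.exe <extra>
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)

def autoruns(log_text):
    """Return {(hive, key, value_name): command} for every O4 Run line."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            found[(hive, key, name.lower())] = cmd.strip().lower()
    return found

def extra_shell(log_text):
    """Return whatever is chained after Explorer.exe in an F2 Shell= line."""
    for line in log_text.splitlines():
        m = F2_SHELL.match(line.strip())
        if m:
            parts = m.group(1).split(None, 1)
            return parts[1] if len(parts) > 1 else None
    return None

def suspicious_new(before, after, fixed_names):
    """New Run values that load from the folder of an entry that was fixed."""
    old, new = autoruns(before), autoruns(after)
    bad_dirs = {ntpath.dirname(cmd) for (_, _, name), cmd in old.items()
                if name in fixed_names}
    return sorted((key[2], cmd) for key, cmd in new.items()
                  if key not in old and ntpath.dirname(cmd) in bad_dirs)

# Constructed sample logs: BEFORE is the scan taken before cleaning.
BEFORE = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
"""
# AFTER is the rescan; the zzsample line is a constructed placeholder.
AFTER = r"""O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzsample] c:\windows\system32\example-new.exe
"""

if __name__ == "__main__":
    print("Shell still chains:", extra_shell(AFTER))
    for name, cmd in suspicious_new(BEFORE, AFTER, {"hwbads"}):
        print("New entry next to a fixed one:", name, cmd)
```

An empty result only means no new value loads from the same folder as a fixed one; the full rescan still needs reading.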
 
Please do us all a favour, and find someone who knows about PCs.
I have given you the instructions and you do NOT follow them.
I can't give them any clearer, so GET HELP!

Boot in Safe Mode.
Switch System restore OFF, see how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

ViewMgr.exe
ttdrvs.exe
PowerReg Scheduler.exe
Launcher.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webshots\Launcher.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hwbads] c:\windows\system32\ttdrvs.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
 
Then don't reply. If you want to help, I would love it. But, if you are going to help people, you need patience. I have done everything you have told me and it just keeps coming back. So I'm sorry to be a pain in your side, but I'm trying. You don't have to deal with me if you don't want to. There have been others who have helped me who aren't frustrated. Thank you for everything you have done this far, but please don't feel like you need to do anymore if you don't want to. For anyone who feels like they might have the patience, here is my latest HJT log. Tell me what you think. And thank you for everything you have done this far. You have been very helpful.
 
I don't see a log :)

Are you still having trouble?

I don't doubt that you followed RBS's instructions. Fact is, if it is still there, then it has REALLY attached itself deep and may require some fancy removing. Taking it to a shop may be the way to go, but if the problem is that intense, you might want to consider a reload over this frustration! Because a repair shop would probably recommend that anyway.

So what'll it be?
 
You are able to do a reload if you have your Operating System disk, or OS recovery disk. And your Product Key.

You won't lose anything if you back it up first! Track down your important data and burn it to a CD or an external drive. Double check that your data is on this backup media, and then reload.

Some people reload once a year just to keep clean. Some people reload every time they upgrade hardware.
You can only hack at Windows so much before it just needs to be reloaded.

Some general items that are common for backup are:

My Documents
Favorites
E-Mail/Address book
Financial Data (Tax, Quicken, Quick Books etc)
Pictures (in general, but most would/should be in My Docs)

Otherwise, it could be a long and hard fight to clean it up at this point.
 