
Winfixer/Aurora Popups Hijackthis log

Q: Winfixer/Aurora Popups Hijackthis log

I'm having constant problems with popups from winfixer and aurora.
Here is my Hijackthis log:
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:03:42 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\bufijtd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
C:\WINDOWS\System32\Winzip32.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\WINDOWS\system32\monitorbk.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ryan\Application Data\Mozilla\Profiles\default\kkxw5zx6.slt\prefs.js)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Winzip Archiver] Winzip32.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyfu32.exe
O4 - HKLM\..\Run: [dlpwhaf] c:\windows\system32\bufijtd.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\RunServices: [Winzip Archiver] Winzip32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\system32\monitorbk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O9 - Extra button: Advisor - {B3413D98-5C41-44AC-BB8D-6C346B24CDD5} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/TrfV3nd02.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/cannonballs/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SPCMON service (SPCMON_Srv) - Unknown owner - C:\WINDOWS\SPCMon\wsyssrv.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)


A: Winfixer/Aurora Popups Hijackthis log

Read other 7 answers
RELEVANCY SCORE 72.4

Hello,

I am working on Win2000 OS machine. I read the earlier posts on HijackThis file and other tools that we need to install before posting a message.

I am getting the Aurora pops and also the Ceres pop ups a lot and my system as well as the internet connection seems to be very slow for past few days.
I have been using the bittorrent client for past 3-4 days and I am not sure if that has caused these pop ups as so far I never got any popups while using the Mozilla firefox browser but now it has started coming in them.

Would appreciate your help in this regard. Thanks a ton in advance.

I installed the HijackThis and HijackAnalyser too and I am giving my HijackThis Log file as well as Result file.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:05:17 AM, on 7/15/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.... Read more

A:Aurora Popups & HijackThis file

Also while I was reading other posts regarding removal of Aurora, I saw that we need to install the Ewido Security Suite.
Hence, I thought I would just install this and keep. But after installing when I try to update it, it crashes giving the usual Windows Memory error....and it crashes..Any idea why this is happening?

I uninstalled and deleted the folder, rebooted the machine and tried to install it again but the same thing is happening..

Please help.....

Read other 5 answers
RELEVANCY SCORE 70

I had this problem a couple weeks ago and got help here. I forgot to come back and post after I did the initial cleaning (oops). I thought it was gone...guess not. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:05:23 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Syst... Read more

A:Hijackthis Log - Winfixer Popups

Please print these instructions out or save it in notepad for use in Safe Mode.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.
Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\jkkll.dll
Press Enter to continue with the fix.
Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\llkkj.*
Press Enter to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items and click FIX... Read more

Read other 8 answers
RELEVANCY SCORE 69.2

Y'all have helped fix my computer in the past, so hopefully y'all can come through again. I'm having a few problems currently, I'll get a prompt saying I have so and so virus, and then it redirects me to a website trying to get me to buy their product to fix it. And then I also get pornography popups when scrolling through random files on my computer.

Here is my log:


Logfile of HijackThis v1.99.1
Scan saved at 3:59:43 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\... Read more

A:HiJackThis Log, winfixer problem and popups

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order.
* * * * * *
Please download & run VundoFix.exe
Put a check next to Run VundoFix as a task.
Click OK when you will receive a message saying vundofix will close and re-open in a minute or less.
When VundoFix re-opens, click the Scan button followed by the Remove button
** Your desktop will go blank as it starts removing Vundo. **
Restart your computer & post the contents of C:\vundofix.txt and a new HiJackThis log.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *
Download & install - CleanUp.exe (not recommended for WinXP64)

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! does not create any... Read more

Read other 1 answers
RELEVANCY SCORE 69.2

Hi. I've been getting all sorts of bad pop-ups and spyware lately. One that comes up pretty often is WinFixer. I know that my computer is probably loaded with spyware and I've already run spybot and adaware. Any help on what to do with my HijackThis log would be GREATLY appreciated. Thanks in advance..


-------------


Logfile of HijackThis v1.99.1
Scan saved at 10:14:43 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcs... Read more

A:HijackThis log.. Winfixer popups, spyware..

Hello and Welcome

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

Before we do anything else, please ensure that you have already patched your system against the recent WMF exploit. Please refer to my sig. No point we fix anything only for it to return tomorrow.

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download this tool and save it to your desktop. Then double click the tool and follow the instructions.

VirtumundoBeGone.exe

When its done, reboot and post the log that is created on your desktop called VBG.TXT in your next reply


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis & place a check next to these items and select "Fix checked":

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\System32\awvtr.dll
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O4 - HKLM\..\Run: [tndegc46] C:\WINDOWS\System32\tndegc46.exe
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90A... Read more

Read other 1 answers
RELEVANCY SCORE 63.2

Please help me remove winFixer and Aurora pop ups. I've run adaware and microsoft antispyware, but it didn't work. Below is my HijackThis scan.. Thanks!!!

Logfile of HijackThis v1.98.2
Scan saved at 6:39:10 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\qbocjo.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\Q2hyaXMgU2xhdWdodGVy\command.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shar... Read more

A:Help! WinFixer and Aurora pop ups

Read other 6 answers
RELEVANCY SCORE 62.8

I can fix most ad aware problems myself, but this one is a doozy. Any help is appreciated. This isn't my computer (thankfully). I've run updated Ad Aware, Spybot S&D, CWShredder, Trendmicro Housecall and Norton 2004. I noticed while running in safe mode, there's an obvious malicious process running that restarts itself under a new random name when I try to kill it. Here's my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 4:59:27 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TWVn\command.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norto... Read more

A:WinFixer, Aurora, etc etc etc (HJT log included)

Read other 16 answers
RELEVANCY SCORE 62.8

Hello.

Somehow I seemed to have contracted a nasty virus called Aurora or WinFixer.. I had to reformat the last time I got this thing (I hate IE, I think I was just websurfing)..

Any help you guys can provide would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 1:21:43 PM, on 7/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\windows\system32\lwzhds.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [Kern... Read more

A:Aurora/Winfixer problems, HELP! HJT Log

Read other 9 answers
RELEVANCY SCORE 62

Hello, I would really appreciate some help in finally destroying the annoyance that is Aurora.

Logfile of HijackThis v1.99.1
Scan saved at 12:43:29 PM, on 9/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\omsfurq.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Counter Strike\Steam.exe
C:... Read more

A:HJT log file, problems with WinFixer and Aurora

Hello and Welcome to Bleepingcomputer

Ok you got some problems there ...this is gonna take a few steps.

First

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Read other 11 answers
RELEVANCY SCORE 61.2

Logfile of HijackThis v1.99.1
Scan saved at 3:10:05 PM, on 28/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\... Read more

A:Infected With Winfixer 2005, The Best Offers, Aurora

Hi,

The forums are really busy, that explains why logs get behind. We start with the oldest logs first. If you still need some help, please start with posting a new hijackthislog in this thread. Don't start with a new thread.

Then I'll take a look. I see you have Spyware Nuker installed. I recommend you uninstall it because it was a rogue product before and although some things are changed, I still do not recommend it.

Also read here for more info:
http://www.spywarewarrior.com/rogue_anti-s...re.htm#swn_note

By the way, does spysweeper still flag The bestoffers, Winfixer etc? Because it deals with it normally. What makes you think it is still present on your system?


I am getting Aurora Popups quite often. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:12 PM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecv...

A:Aurora Popups

Hello dadrivr,

You have a nail.exe infection on your computer. This should fix it.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows exce...


I tried all day yesterday to read these forums and get rid of this but I can't. Can anyone help? Here is my current Hijack log. I've run SpyBot, Ad Aware, Killit, Kaspersky virus checker. If it's been mentioned on this forum I've tried it. I can't even boot my PC into safe mode. It keeps telling me my password is wrong. I am running XP Professional.

Logfile of HijackThis v1.99.1
Scan saved at 7:20:14 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Mpf4\Mpf.exe
c:\windows\system32\egrryiv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\WINDOWS\...

A:Aurora Popups

Hello, and welcome to TSF!


Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the upate".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Bullseye Networks

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\NaviSearch\bin\nls.exe
c:\windows\system32\egrryiv.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u cfgmgr51.dll
regsvr32 /u Bolger.dll
regsvr32 /u nvms.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typin...

My Wife's machine has this annoying Aurora Network pop up problem.

I've run :

Adware SE Personal
Spybot

and it says there is nothing there after cleaning up the mess I found with Adware SE..

Here is the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:04 AM, on 8/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\WINDOWS\iisvers.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\wsrv32.exe
c:\windows\system32\kjvamf.exe
C:\WINDOWS\System32\hsfesrv.exe
C:\Program Files\UltimateBuddy\UltimateBuddy.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\jsproxy.exe
C:\WINDOWS\rmpfjjgoad.exe
C:\WINDOWS\rmpfjjgoad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\...

A:Aurora popups

Hello and Welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Disable Spybot's Tea Timer. We can re-enable it when we're done.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you ma...

This is my hijackthis info. what do i delete?

Logfile of HijackThis v1.99.1
Scan saved at 6:14:37 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\borland\interbase\Bin\IBGuard.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trams\Common Files\tlmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trams\Common Files\tlmgrconsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
c:\windows...

A:aurora popups

Hi mieketankink

Welcome to TSG!

* Download the trial version of Ewido Security Suite here.
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.
* Go here to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.

* Also Click here to download Nailfix.zip.
Unzip it to the desktop but please do NOT run it yet.
* Click here for info on how to boot to safe mode if you don't already know how.
* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.
* Restart your computer into safe mode now. Perform the following steps in safe mode:
* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
* Now run Ewido:
Click on scanner
Put a check by the following before you scan:
Bin...

Thank you so much in advance, I'm completely at a loss....

Issue: When I open up IE an advertisement popup is spawned with Aurora in the Title bar.

Programs I've run: Ad-Aware, Spyware Doctor, SpySubtract, CW Shredder, Spybot and SpywareBlaster.

Other methods tried: I've gone through /Windows and found the file yfnzweqeoo.exe with the Aurora icon. I delete it and it keeps coming back. I've tried deleting the Aurora folder in my registry and it keeps coming back. When I do this I'm not connected to the internet. I reboot every time I delete. I also clean out my prefetch directory each time as well because this file appears AURARECO.EXE-33137DA2.pf.

Another file that seems to be related to it is hjkdmgiq.ini

Hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 5:15:09 PM, on 4/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Pack...

A:Aurora Popups

Hi......

You are infected with a new parasite that is not easy to remove by using HJT so ......

Go to Start > Run and type: cmd

and hit Enter. When a command prompt opens, type:

nail.exe /FullRemove

and hit Enter. Close the command prompt and reboot and post a new log.


Hey guys, firstly great idea for a site.

I can't get rid of these popups, tried doing it myself with the info from other threads but doesn't seem to be working. I did the HJT Analyzer and this is what is in the result.txt file

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:32:56 PM, on 10/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\DVD Region Killer\RegKillTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bqnlpe] C:\WINDOWS\system32\t...

A:Aurora popups!

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete t...


Please advise. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:09 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System...

A:HJT LOG - popups and Aurora

If you still need help, could you post a fresh log please?


Logfile of HijackThis v1.99.1
Scan saved at 10:23:29, on 24/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\GeoGraphix\Tools\GeoSync.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Upda...

A:Aurora popups

Hi maxbeallisto

Welcome to TSG!

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problem in the same thread and you may get overlooked.

Please continue in this thread.
 


I have been trying to remove Aurora from my friend's computer. I have viewed other threads about this and tried all those things, but it still comes back. I've done adaware and MS antispyware in regular and safe mode. Anyway, here is my HJT report, please help me.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 4:09:11 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\scrjoc.exe
C:\Documents and Settings\Kevin Colson\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\Act...

I am having the dreaded Aurora popups. I already have spybot S & D, Ad-aware and MS antispyware and they do not remove these popups. This is my log. I think F2 is one problem. How to fix this and any other issues in the log?

Logfile of HijackThis v1.99.1
Scan saved at 11:44:22 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Google\ggviewer67-72.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PR...

A:HLT log - Aurora popups

Hello dams and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1
Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2
Download nailfix.zip and unzip it to its own folder.

Step #3
Start in Safe Mode Using the F8 method:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Navigate to the folder you unzipped nailfix.zip into and double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5
Start ewido and click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #6
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ixerglyf] C:\WINDOWS\ixerglyf.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\...


hey i read some info for this. i hope you guys can fix it for me, thanks!

-------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:51:52 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RunDll32.exe
c:\windows\system32\opmmfu.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...

A:help!!, Aurora popups

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.


Downloads

Right click on this link and choose Save As. Save it to your desktop. DO NOT RUN IT YET

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net/en/download/updates/ DO NOT RUN IT YET

Download Nailfix at http://www.noidea.us/easyfile/file.p...50711214630636 Unzip it to the desktop but do NOT run it yet.

Download Process Explorer from http://www.sysinternals.com/Utilitie...sExplorer.html

Run Process Explorer and find the Process " opmmfu.exe " in the list of Processes.
Select the process and click Process > Suspend.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\opmmfu.exe
When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.

Boot Into Safe Mode
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Run Downloaded Programs
Once in Safe Mode, please double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


N...

I'm trying to clean up a friend's computer that has been getting a lot of popups. I have installed, updated and run Spybot S&D and Ad-Aware SE. I've also installed Mozilla Firefox and tightened up some of their system settings.

There are some persistent programs that defy removal. One in particular is C:\WINDOWS\Nail.exe. If I delete it, it comes back. I don't know what is creating it. I've done some googling and tried some stuff. I eventually opened Nail.exe in notepad and saved it as a 0 byte file just to prevent this unknown exe file from existing.

The following is a logfile for their system. Please note that I will only be able to access the system every few days or so, so I might not respond quickly, but I will respond to and help. Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 2:57:47 PM, on 05/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv....

A:trying to clean aurora popups

Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..

Download any of the required programs before attempting to start any of the fixes.


Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check 'Turn off System Restore', <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run Adaware, SpyBot (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

How to setup Ad-Aware

Download Ad-Aware
Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make...

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 6:41:49 AM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\LJYIENC.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\mtinhm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(D...

A:Spyware, popups, aurora

Hello CinnamonGirl and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1
Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2
Download nailfix.zip and unzip it to its own folder.
Download LSP-Fix to your desktop. Do not run it yet.
Download CCleaner and install it but do not run it yet.

Step #3
Start in Safe Mode Using the F8 method:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Navigate to the folder you unzipped nailfix.zip into and double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5
Start ewido and click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #6
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websear...

Read other 1 answers
RELEVANCY SCORE 55.2

I would be really grateful if someone could please help me get rid of these annoying aurora popups. I also seem to have a Trojan which keeps coming back even though I think I've removed it PLUS a host of other parasites that I can't get rid of. I also get that annoying Bargain Buddy coming back time and again.
I have run Ad-Aware and Xoft-Spy but they only seem to do cosmetic fixes and then the problems return.
I am completely computer illiterate so apologies - but I read a letter from another person on this site and have done what they did and ran Hijack This - and this is my log below.
I use Windows XP and Windows.
Could you please tell me what to do now?
I did have this problem once before and I fixed it simply by doing a System Restore to a previous date - but, this time, when I tried to restore, all my past restore dates and automatic computer checkpoints had been mysteriously deleted.
Thank you for your help with this

Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:30:13 AM, on 4/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
...

A:Need to get rid of Aurora popups and parasites

Hi and welcome..
While waiting for a HJT log expert...
Aurora uninstaller http://www.mypctuneup.com/evaluate.php
 


This is my first time trying this. I am trying to fix my mother-in-law's computer. They had no antivirus software/spyware/adaware programs previous to the problems. The screen gets 100's of popups starting with Aurora popup window. I initially ran Spyware Doctor, Spybot S&D, Adaware Se, and Norton. What I have narrowed it down to is the following, and I can't get rid of it:
Viruses found: Trojan.Dropper, Trojan.AlwayUp, and W32.Sasser.worm
Spyware can't get rid of: Transponder.Bolger
These are the main issues I have found anyways. I figured I would try the HiJack this since that is where a few webpages led me. Any help is appreciated. The following is my LOG file:

Logfile of HijackThis v1.99.1
Scan saved at 6:33:50 PM, on 06/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS...

A:HJT Log 1st time help Aurora Popups

Welcome Perk76 to Bleeping Computer.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later. Be sure to follow ALL instructions!

You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this before anything else!

***

Disable Spyware Doctor for the duration of this fix. It will get in the way of cleaning.

***

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

***

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Open HijackThis
Go to "config"
Go to "misc tools"
Press the button "open uninstall manager"
In the list find:
Enigma Software Adorons Easy Security
SpySpotter
Weather Bug
MyWebSearch
SurfEnhance
Windows AFA Internet Enhancement
Press "delete this entry".
Close HijackThis

***

Download CWShredder, update it. Then open the program and click "fix".

***

Download Stinger Save it to your desktop
Doubleclick s-t-i-n-g-e-r.exe
Make sure it scans your entire disk
Press 'Scan Now'
Stinger will fix whatever it can find.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restar...

Logfile of HijackThis v1.99.1
Scan saved at 12:25:17 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\zklrzvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
H:\John Bentley\Extra Special Files\Programs\iTunesHelper.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\windows\sp2update.exe
C:\Program Files\AIM\aim.exe
C:\Program ...

A:Aurora-Part of the ABI Network popups? Another


I also have the aurora - part of the abi network popup ads.......

here is my hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 10:30:13 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\btcrueq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Bruce\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE...

A:Aurora-Part of the ABI Network popups?


Having lots of trouble with Aurora, etc. Here is my HJT log, could not run HJT Analyzer since it says that it is not the latest version. Please help.

Thanks

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:45:19 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
c:\windows\system32\yqrwfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsr...

A:Aurora, Yazifind, ABI Network Popups

Hi and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted by our Team. Click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you have Notepad 'on'. If you should choose to do otherwise, it may lead to some confusion.

If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175

Nailfix - Unzip to a new folder

FindIt's.zip

Process Explorer

DSRFix

Ewido Security Suite - Install & Update its database but do not run it yet.

UNPLUG YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =...

Hi, I'm new to this forum. Recently I've got the ABI Network/Aurora problem. I've fixed it by altering the Nail.exe and other related executable files and so far there's no more trouble from Aurora. However, I've been troubled by the Yazifind popups. They occur especially when I'm running full screen programs.

Below is my HJT log I got through the HJT analyzer. any help is appreciated, thank you.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr...

A:Yazifind popups and ABI Network/Aurora

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us/easyfile/file.p...50711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune.org/downloads/dsrfix.zip and save it to...

For the past few weeks, I have been getting popups like crazy.
Most come up with the title Aurora in their own browser window.
I have run Adaware, Spybot, & Microsoft's spyware scanners and each found VX2. I told each program to remove the files, but the popups still occur. Also, none of the spyware scanners find anything infecting the machine.

Here is a copy of the HJT log. Any help would be most appreciated!!
Logfile of HijackThis v1.97.7
Scan saved at 10:29:47 AM, on 4/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Norton\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
d:\Ip Commander\DIPSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Norton\Anti Virus 2002\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\SonorkServer\srksvr.exe
D:\WatchGuard\CONTROLD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Norton\ANTIVI~2\navapw32.exe
C:\WINNT\system32\ctfmon.exe
D:\Client Manager\CMAGS.EXE
D:\WatchGuard\controldGUI.exe
C:\WINNT\system32\wisptis.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\MICROS~1\Office10\OUTLOOK.EXE
D:\M...

A:Aurora Popups - Need help - HiJack Log included

hi, welcome to TSG.

It's ok, this works.

Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
http://www.mypctuneup.com/evaluate.php
Or go to www.mypctuneup.com and click on free uninstall tool and follow the steps.
hoster
Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.

Run an online antivirus check from

http://www.kaspersky.com/beta?product=161744315

you will need to input a name
and email address but anyone will do & then accept an active X control IT IS
SAFE to do so. LET IT FIX WHATEVER IT FINDS

go to this site and download these tools and once you get both
adaware and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for negligible risk entries".
Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

reboot again
Wi...

I can't get rid of these pop ups. It says Aurora-Part of the ABI Network on top of each one and does it almost anytime I do a search or change websites. I have and am currently cleaning my computer using your replies to a few other people, but this one is still around. I used the one that had the winint.dll problems with McAfee and it seemed to work as well as cleaning up numerous other problems. I feel a Donation is in order as I tried numerous other resources that did nothing, but detect the problem, but couldn't get rid of them. Thanks for that and any other help.
 

A:Aurora-Part of the ABI Network popups?


Aurora popups and Win32.Qoologic.T Downloader Trojan

HJT Analyzer Cleaned Log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log...

A:Aurora Popups and Win32.Qoologic.T Trojan

Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

I notice that you have two anti-virus programs on your machine. That's not a good idea!!
Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall one of them.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional ...

Ahhh...the hated Aurora "ABI" virus - giving me popups that are slowly driving me batty. There are a couple other things I don't recognize on HJT, and decided it was time to take it to the professionals since the last time I tried to fix something on my own I wound up deleting some crucial files...it was a big mess indeed.

Running windows 2000, here are the results of HJT:

Logfile of HijackThis v1.98.2
Scan saved at 12:42:38 PM, on 9/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\uxvzhff.exe
C:\Program Files\Common Files\Real\Update_OB\realsched...

A:Problems with persistent trojans/popups (Aurora/ABI and neededware)

Run the un-installer here - http://www.mypctuneup.com/evaluate.php

------------------

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive
This will take some time to run!
Post that log and a new HiJack log. If the Ewido log is too large, attach it.
 


Hi
I can't get rid of multiple Winfix windows that popup.
I followed your "Preparation guide before posting" I When I tried ad-aware SE and after about 1 minute I get a blue screen and I crash. Here's the log

Logfile of HijackThis v1.99.1
Scan saved at 4:38:15 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\...

A:Winfixer Popups

Hello Knorfhus, Welcome to BleepingComputer!
My name is Nick and I will be checking over your log.
Let's get started. You will want to print or save these instructions.

Moving HijackThis to a permanent folder
Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted.
Click Start.
Open My Computer.
Double-Click on C:/.
Select the File menu and select New > Folder
Name the folder "HijackThis" or "HJT"
Move the HijackThis.exe executable into the new folder

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Thanks,
Nick
Bleeping Computer

I have been getting the WinFixer Popups. Attached is my HiJack This Log...

Logfile of HijackThis v1.99.1
Scan saved at 6:21:19 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WI...

A:WinFixer Popups

Please download & run VundoFix.exe
Put a check next to Run VundoFix as a task.
Click OK when you will receive a message saying vundofix will close and re-open in a minute or less.
When VundoFix re-opens, click the Scan button followed by the Remove button
** Your desktop will go blank as it starts removing Vundo. **
Restart your computer & post the contents of C:\vundofix.txt and a new HiJackThis log.


I'm having problems with Winfixer popups, and none of my antispyware programs are picking it up. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:46 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1117760980\ee\aolsoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1117760980\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1117760980\ee\aolsoftware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\McAfee.com\Agent\...

A:Winfixer Popups

Hi

Please download VirtumundoBegone and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

When finished please check via Add/Remove and uninstall WinFixer (if it is there).

-----------------------------------------------

Please download this and run it only when all the above fixes have been done. Ewido Security Suite

Install Ewido Security Suite.
When installing, under 'Additional Options' uncheck: "Install background guard" and "Install scan via context menu"

To open the main screen double click the icon on the desktop.

You will get a warning 'Database could not be found!' (only if no updates have first been installed). Click OK.

Update to the latest definition files. On the left of the main screen click Update. Then click on Start Update. Let it complete the updates.


Now Click on Scanner and Click on Complete System Scan and the scan will start.

During some scans it may find cases of false positives so you will need to step through the process of cleaning files one-by-one.

If a file is detected you KNOW to be legitimate, select None as the action. Do NOT select 'Perform action on all infections'

If you are unsure of any entry found...

I've started getting these weird popups about blackworm or something. It's really annoying. I don't know how it happened, but anyways, hope you guys can help me fix this problem and any other problems you may find.

here is my HIJACKTHIS log

Logfile of HijackThis v1.99.1
Scan saved at 1:00:43 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - B... Read more

A: Winfixer popups

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
Post the contents of C:\vundofix.txt as well as a new HijackThis log
 


Well, I just don't know what to do. I've run Ad-Aware, Dr.Web, Spybot, Norton, Trend Micro, ewido, and I've even deleted some odd things from HijackThis to the best of my ability. I'm still getting WinFixer and other such annoying popups. Please help me out.

Log :

Logfile of HijackThis v1.99.1
Scan saved at 11:02:50 AM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Program Files\I... Read more

A: WinFixer and other popups - HJT log Please Help

Just a little more info to help out whoever can help me out.

ewido is showing me something about Spyware.Look2me and problems with :

[444] ..srbapiu.dll
[184] ..srbapiu.dll
[160] ..ilm32.dll

ewido said there was a problem deleting those files and I couldn't do it manually. I even went to safe mode and closed every process that the system would allow me to, then tried to delete them but still nothing.

Some site told me I had a parasite "Bookedspace" but I think I got rid of it.

Anyway, thanks for any help.


I followed the steps listed in the preparation guide (e.g., Ad-Aware, Spybot, virus scan, etc.) and am on the last step (download HijackThis and create a log). We have been getting a terrible amount of pop ups. The previous steps have helped significantly, but I am still getting Winfixer. I haven't been running the computer long enough to know if other popups will still be coming. Below is my logfile. Any help you can give would be greatly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 8:13:37 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\... Read more

A: Winfixer And Other Ad Popups

You have more ? do these and then do my next post

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
VundoFix V2.15 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\ddaba.dll
Press Enter.
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\abadd.*
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

The fix will run then HijackThis will open. In HijackThis... Read more


When I try to download anything I get winfixer popups. I get reboots when I run Adware. There is a SemanticInsight in my startup. It sets itself after each reboot upon unchecking (msconfig). Running win XP pro. Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:20 PM, on 4/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explo... Read more

A: Winfixer Popups

Hello que pasa,

Welcome to BleepingComputer!

My name is Nick and I will be reviewing your logs.

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Apply the update, reboot, and post a fresh Hijack This log.

thanks,
Nick


Hi guys,

I have tried to follow your guide as best I can but there is always something to be deleted no matter how many times I run Adaware, Norton Antivirus, System Mechanic etc.

I would be grateful for any help to repair this problem ...

Many thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 09:41:47, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink ... Read more

A: Winfixer And Other Ad Popups

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, RottenSod.

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Note: It is important that it is saved directly to your desktop.

Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

**************************

Please go to: C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply.


Hello,

I'm new to this forum and lately I've been having these really annoying popups from winfixer and a lot of other sites. I think this has something to do with the program command. Anyways I would really appreciate it if someone could help me!

Thanks in advance!

Here is my log!

Logfile of HijackThis v1.99.1
Scan saved at 16:27:20, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32&... Read more

A: Winfixer Popups

You have the latest version of VX2.

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

==================
David


Here is my latest HJT log... can someone help me, too, please? My OS is Windows XP Home. I too am going crazy with the WinFixer mess... help!?
Logfile of HijackThis v1.99.1
Scan saved at 5:25:29 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\adtech2006.exe
C:\WINDOWS\system32\igps.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\pgws.exe
C:\windows\system32\dh9012.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\AIM95_c4\aim.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebcb.dll
O2 - BHO: ... Read more

A: Winfixer popups


Winfixer is popping up on my computer again. This time it's about the blackworm virus. I need help please. Here is my hjt log
Logfile of HijackThis v1.99.1
Scan saved at 8:45:49 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP... Read more

A: winfixer popups


I am having problems with Winfixer and lots of popups. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:55:23 PM, on 1/3/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\ikalekdg.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\SpySpotter3\SpySpotter.exe
C:\Program Files\SpySpotter3\Defender.exe
C:\Program Files\Ruxvjdg\Ppgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - ... Read more

A: Winfixer and Popups

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Also if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Restart your computer and boot into Safe Mode... Read more


I have the stupid winfixer problem. I followed your directions in the 'read this first' post (hopefully) and ran the HijackThis log and then ran the analyzer and here is the log from that. I hope this is all I need to post right now.

Thanks in advance for your help! :)

PS...I may have had some stuff open when I did this. I read the next post AFTER I followed all the directions!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:58:15 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\CoffeeCup Software\PopUp Blocker\PopupBlocker.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\SCARDS32.EXE

R0 - HKCU\Sof... Read more

A: Winfixer popups

Hi and Welcome
Things don't look too bad...

It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order they are listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..


Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------



Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------




Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate ... Read more
