apostolics Posted August 6, 2005

guys i have annoying popup spyware from company aurora. it is so annoying, they try all the time with pop ups and warning banners to get winfixer or antivirus or all kinds of other junk. any way it's my work pc. i did notice a file in my system32 folder that's trippin. when i end process in task manager it then changes name. even if i delete it another one comes back instantly. what do you think it is? and how to remove. i've used spybot and adaware.
Ste Posted August 6, 2005

first of all you got 2 explorer.exe when u should only have one, and u got an iexplorer.exe. All I can recommend is don't use IE, download Firefox, Spybot Search and Destroy, Ad-Aware SE Personal, SpywareBlaster, run all of those then post results, also download CDshredder, run it, also download HijackThis and post results.
Blue_cow Posted August 6, 2005

Also Microsoft AntiSpyware. (I know, it sounds like an oxymoron, but it's good.) It works surprisingly well and found some things on my old comp that adware wouldn't find.
SMeeD Posted August 6, 2005

Did you try disabling some of the processes in MSCONFIG? That may relieve you of the madness of looking at those popups when you try and hunt down the files.
apostolics Posted August 6, 2005

yes disabled all in msconfig. and the reason for iexplore was that i was just on win update and firefox can't be used also i have to use ie. at work some software internet based only works with active x and other ms ie only features. as for explorer i only have one now??? what happened in the picture?? sometimes explorer trips out.

hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:02:18 PM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\iekuwk.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\test\Desktop\linspire\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.overclockersclub.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wkgfwca] c:\windows\system32\iekuwk.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Folding@Home 5.02.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: SEAGULL J Walk Java Client 4_0C10 - http://www.resultscorp.com/jwalk/jwalk_ie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {35A04A10-3CA7-48A2-A099-A32C3FCE5899} (wrapper.cmdlgwrapper) - http://207.214.41.2/au.dev.ocx/wrapper.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122597225611
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {C3896235-D05D-4CBE-A4B4-E62C923AC5FC} (ZipCode3.UserControl1) - http://207.214.41.2/au.dev.ocx/ZipCode3.CAB
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/to...scriptPrint.CAB
O16 - DPF: {FF292E11-00CD-4756-B13A-832E1CE35D9C} (AU3.UserControl1) - http://207.214.41.2/au.dev.ocx/au3.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E89B89F-CC7F-495F-BDED-DBD45C036A65}: NameServer = 68.166.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

i see one item in my startup:

O4 - HKLM\..\Run: [wkgfwca] c:\windows\system32\iekuwk.exe r

but i disable it then at boot it's back on. must rewrite when i restart
Ste Posted August 7, 2005

c:\windows\system32\iekuwk.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
O4 - HKLM\..\Run: [wkgfwca] c:\windows\system32\iekuwk.exe r

those are what i think look suspicious. but run all the other programs also. can't rely on 1 program.
Akujin Posted August 7, 2005

Oh man I had this exact same problem a while back. Check C:\Windows and see if there is a "Nail.exe". If there is, you will need to use killbox with one of the options checked (delete before boot or something). This should fix that reoccurring file thing which gives the aurora popups.
apostolics Posted August 7, 2005

i deleted nail.exe a while ago and it's not there anymore
Ste Posted August 7, 2005

might wanna check again, coulda renamed itself.
Akujin Posted August 8, 2005

Then assuming that file comes back with a different name every time you delete it, use killbox with delete before boot (or on boot, or whatever). That should fix the problem.
AntitrustSpider Posted August 8, 2005

I work at a computer repair place and the CEO of the company had Aurora on his computer. We of course had to fix it. I don't know how they did it but they found some instructions online and it fixed it. Might wanna search Google for a removal guide or something.
Hushplz Posted August 8, 2005

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe >Delete that

c:\windows\system32\iekuwk.exe
I don't like the look of this. But can not find any information on it.

http://www.mypctuneup.com/evaluate.php?b=aurora
Here are instructions on how to get rid of aurora. Good luck!
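
The triage the replies above do by eye on the HijackThis log (an autorun pointing at an unrecognised binary in a Windows directory, a service with "Unknown owner", entries whose file is missing), as an added example that is not part of the original thread. The rule names and the tiny `KNOWN_GOOD` allowlist are assumptions made for illustration; the sample lines are copied from the log posted above.

```python
import ntpath
import re

# Assumption: a tiny illustrative allowlist; a real one would be far larger.
KNOWN_GOOD = {"ctfmon.exe", "explorer.exe", "userinit.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)
SERVICE = re.compile(
    r"^Service: .+? \((?P<svc>[^)]+)\) - (?P<owner>.+) - (?P<path>[A-Za-z]:\\.+)$")

# Sample input: six entries taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wkgfwca] c:\windows\system32\iekuwk.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

def triage(log_text):
    """Return (rule, name, detail) tuples for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4" and (run := RUN.match(body)):
            exe = EXE.search(run.group("cmd"))
            path = exe.group(1).lower() if exe else ""
            # Autorun image sitting directly in a Windows directory, not allowlisted.
            if ntpath.dirname(path) in SYSTEM_DIRS and ntpath.basename(path) not in KNOWN_GOOD:
                findings.append(("autorun-unrecognised-system-binary", run.group("name"), path))
        elif code == "O23" and (svc := SERVICE.match(body)):
            # HijackThis prints "Unknown owner" when the service binary names no company.
            if svc.group("owner").lower() == "unknown owner":
                findings.append(("service-unknown-owner", svc.group("svc"), svc.group("path").lower()))
        if body.endswith("(file missing)"):
            findings.append(("orphaned-entry", code, body))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding is a prompt to look the file up before deleting anything, not a verdict: legitimate software also registers autoruns in system32 and ships services without company metadata.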