Aurora on my wife's computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BlueBob, May 25, 2005.

  1. BlueBob

    BlueBob Private E-2

    My household seems to be the latest victim of the Aurora ad campaign. I have followed the instructions of "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal" and still we are plagued by the pest. I was not able to connect to the internet while in Safe Mode, so I ran the online scans in regular mode.
    I have run HijackThis, but did not attempt to fix anything.
    I'm assuming that following the mypcsetup link to their own removal tool is a bad idea - but I do need help getting rid of it.
     
  2. jeff6303j

    jeff6303j Private E-2

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. BlueBob

    BlueBob Private E-2

    The Trend Micro scan found one piece of malware, but I don't know the name. Ad-Aware & SpyBot found numerous problems and I had the programs fix them (but we've used these programs for a while, and every time we've used them since our Aurora infestation the devils are found, removed and then return). I don't believe any of the other programs found anything.
    Attached is the HijackThis log file.
    Thanks.
     

    Attached Files:

  4. jeff6303j

    jeff6303j Private E-2

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {7E7746FA-F6B4-EE0C-313C-36D8B82A4D64} - C:\Program Files\FYI\umnhhilmet.dll
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvnpmr.exe reg_run
    O4 - HKLM\..\Run: [VIBDENC] C:\WINDOWS\VIBDENC.EXE
    O4 - HKLM\..\Run: [SXZXDLL] C:\WINDOWS\SXZXDLL.EXE
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess

    Also, once you do those, boot in Safe Mode and delete any of these that you find:

    C:\WINDOWS\VIBDENC.EXE
    C:\WINDOWS\SXZXDLL.EXE
    C:\WINDOWS\System32\rvnpmr.exe
    C:\WINDOWS\Nail.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\Windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.


    Now reboot in normal mode and post a new HJT log.
     
  5. BlueBob

    BlueBob Private E-2

    I cannot seem to get rid of a couple of those lines from my HJT scans:
    F2 and the O4 lines with KavSvc, VIBDENC & SXZXDLL. I ran HJT a number of times, booted back to Safe Mode and deleted the Nail.exe file a couple of times.
    But it still is there. Here's the new HJT log.
    Thanks.

    I have another HJT log, from the first time through the procedure outlined above, that shows a different combination of the KavSvc, VIBDENC or SXZXDLL files still present - if that helps at all.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    BlueBob,

    You have some baddies that will take some time to remove. Lets start by getting rid of the Aurora.

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot and proceed with the below steps:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  7. jeff6303j

    jeff6303j Private E-2

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot into normal mode and attach a fresh HJT log.

    EDIT:
    NM guess just listen to him...
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    jeff6303j,

    Please leave the fixing to us professionals. I have already posted instructions for this user. There is an infection that takes some work to remove.
     
  9. jeff6303j

    jeff6303j Private E-2

    I saw you posted instructions...I was posting while u posted...

    sorry, I was helpin him work thru and was getting to that...

    all yours I guess...
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Posting the READ ME's and things like that are fine with me. The only thing I ask is that the fixing stay to us as we are more experienced as we do this everyday.

    This user has an infection that is fairly new and takes several steps in removing.
     
  11. jeff6303j

    jeff6303j Private E-2

    ok...I was getting there, but thats fine

    gl hf
    jeff
     
  12. BlueBob

    BlueBob Private E-2

    Okay, I guess you guys had some conversation in my absence -- anyway, following bjgarrick's instructions I ran ABIremover, and did the Qoologic and RKFiles programs. Qoologic responded that "the system file not suitable for running ms-dos and windows applications" and I chose both Close and Ignore a few times before it finished.
    Attached are both the Qoologic file.txt and RKFiles log.txt
     

    Attached Files:

    • file.txt (1.8 KB)
    • log.txt (998 bytes)
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is going to seem very long but it's not that bad. Now you will have to manually remove these files one by one. I did it this way so it would be easier and would avoid any confusion. So let's get started...

    Download Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\system32\cnclas.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msplock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\pacis.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\Pop2.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\US4.0-3.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\fqggiuukyea.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\tdtb.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\wupdt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now Allow Killbox to reboot your system, after you have rebooted post 2 fresh logs from the same tool along with a HJT log.
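The "Delete on Reboot" option used throughout this thread relies on a standard Windows mechanism: a tool calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as (source, destination) pairs, an empty destination meaning delete, and the Session Manager carries the queue out at the next boot before the file's owner can start again. The script below is an added example, not code from the thread or from Killbox (that Killbox uses this mechanism is an assumption): it decodes such a value so a defender can audit what any tool, or any malware, has queued. The sample value is constructed from paths named in this thread plus one made-up rename; the live-registry reader only does anything on Windows.

```python
"""Decode a PendingFileRenameOperations value (added example, not from the
thread or from Killbox). Windows queues delay-until-reboot moves as a
multi-string of (source, destination) pairs: an empty destination means
delete, paths carry the NT "\??\" prefix, and a leading "!" on the
destination marks MOVEFILE_REPLACE_EXISTING."""
from typing import List, Tuple

# Constructed sample: what an analyst would read back with winreg after
# queueing two of the thread's files for deletion, plus one rename that an
# installer might queue (made-up path, used only as a contrast case).
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\msclock32.dll", "",
    r"\??\C:\WINDOWS\wupdt.exe", "",
    r"\??\C:\Program Files\Example\app.exe.new",
    r"!\??\C:\Program Files\Example\app.exe",
]

NT_PREFIX = "\\??\\"


def strip_nt_prefix(path: str) -> str:
    """Turn an NT object-manager path back into a Win32 path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Return (operation, source, destination) triples, operation being
    'delete' or 'rename'; prefixes are stripped so paths are comparable."""
    if len(entries) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, ""))
        else:
            ops.append(("rename", src, strip_nt_prefix(dst.lstrip("!"))))
    return ops


def queued_deletes(entries: List[str]) -> List[str]:
    """Just the paths scheduled to vanish at the next boot."""
    return [src for op, src, _ in decode_pending(entries) if op == "delete"]


def read_pending_from_registry() -> List[str]:
    """Read the live value on Windows; returns [] elsewhere or if unset."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return []
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except OSError:
        return []


if __name__ == "__main__":
    live = read_pending_from_registry()
    for op, src, dst in decode_pending(live or SAMPLE_VALUE):
        print(f"{op:6} {src}" + (f" -> {dst}" if dst else ""))
```

Reading the queue after a tool like Killbox has been used, and before rebooting, confirms the right paths were accepted; reading it on a machine where no one queued anything is a cheap check for software staging its own replacements.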
     
  14. BlueBob

    BlueBob Private E-2

    okay I downloaded and ran KillBox, one log file attached (I could not figure out how to generate a 2nd log). Also new HJT log attached.
    more stuff popping up like mad.....
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach 2 fresh logs from the Qoologic Tool & RKFiles Tool. You still have several problems, we have to take them one at a time to get them all.
     
  16. BlueBob

    BlueBob Private E-2

    Okay, here are the log files: Qoologic and RKFiles, along with a new HJT for good measure.
    Well, I had trouble uploading the Qoologic file2.txt so I've got the other 2 here, will try another post with the Qoologic log.
     

    Attached Files:

  17. BlueBob

    BlueBob Private E-2

    Qoologic log file this time....no, it's not here...it states the file has already been uploaded....?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msplock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\quteqi.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\fqggiuukyea.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\svcproc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now Allow Killbox to reboot your system. After you have rebooted post 2 new logs from both tools again. Rename them to like log1 and log2 if you get the already uploaded error again.
     
  19. BlueBob

    BlueBob Private E-2

    here are the new log files - okay, again regardless of what name I put on the qoologic log file, it states that the file has already been uploaded to the thread.
    I will try from a different computer. Or do you want me to post the log as text in these comments?
     

    Attached Files:

    • log4.txt (752 bytes)
  20. BlueBob

    BlueBob Private E-2

    I'm trying to upload the log files again -- this time from my computer at my office -- hopefully they won't be recognized as "the same files" --- okay, now I'm acting a little more clever....I uploaded the Qoologic log file as a pdf.
    :)
    Now we can get back to fixing the problem rather than me struggling with simple tasks.
    thanks.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > Copy and paste the following lines exactly as they appear. If you get any popup messages click OK. Let me know if you get any errors with this.

    regsvr32 /u C:\WINDOWS\system32\msclock32.dll

    regsvr32 /u C:\WINDOWS\system32\msplock32.dll


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msplock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\sdwmmwc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Again, allow Killbox to reboot your system, afterwards post new logs. Rename them and you shouldn't have a problem.

    Also, attach them as .log or .txt format.
     
  22. BlueBob

    BlueBob Private E-2

    both regsvr32 commands succeeded, at least that was the response.
    On the KillBox instructions I finally figured out what you meant by "copy & paste" - I have been navigating to the files via the folder in KillBox (including this latest time). Does it still work that way?
    Here are the latest Qoologic and RKFiles logs.

    (still having trouble uploading the qoologic file.txt -- it states it has already been uploaded)
    will post this much and keep trying.
     

    Attached Files:

    • log5.txt (821 bytes)
  23. BlueBob

    BlueBob Private E-2

    okay, I managed to upload it as q-file.txt -- if you're interested I actually had to open the file and insert a change (a leading blank line) and then save it. Screwy, unless this just means that the content of the file is the same and we're not really getting anywhere......I hope not.
    Thanks.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to follow my posts exactly as they are so nothing will go wrong. I'm not sure if something is hiding or it's the way you're doing it, but they keep coming back. So this time follow the post exactly as it appears.

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnti.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste CC:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\zgnupmw.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\fqggiuukyea.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\svcproc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system, after you have rebooted run the ABI Remove again. Afterwards reboot and post a fresh HJT log along with 2 new logs from the tools.
     
  25. BlueBob

    BlueBob Private E-2

    Good morning. Okay, I have copied & pasted in the KillBox window to remove the suckers. Msclock32.dll was the one file that wasn't there (and yes, I noticed the extra leading C in your line and pasted it both with & without it to be sure).
    Other notes, which may or may not be pertinent:
    1. upon rebooting we typically get a message box stating that there was an error loading EGACESS_159.dll because it could not be found. Considering that this is a file that we are attempting to remove, I thought that it wasn't a bad thing, but since something is looking for it, maybe it does mean something. Sorry I haven't included this in previous postings.
    2. When I've run the Qoologic Finder program I immediately get a message that Norton AntiVirus has detected a malicious script (c:document.....\\activesetup.vbs) -- previously I didn't notice that it was Norton that detected the script so I have chosen "stop this script" because I thought it was part of the Qoologic Finder program that detected it; this time I thought that it might be Norton detecting the Qoologic Finder procedure and therefore chose "allow entire script once." The program seems to run anyway, but maybe it gets to do its real job this way. I dunno, but just to keep you informed of what's going on....
    I'm posting first my HJT log and will post the other two logs in a separate post.
     

    Attached Files:

  26. BlueBob

    BlueBob Private E-2

    okay now for the Qoologic Finder and RKFiles logs -- yes, I read the RKFiles log and saw the damned msclock32.dll line, but when I tried to run KillBox to zap it, I couldn't find the file.
    I have noticed in the multiple times I've run KillBox that msclock32.dll is there sometimes and is not there others......
    Thanks for staying on this issue.
     

    Attached Files:

  27. BlueBob

    BlueBob Private E-2

    does it matter if I run ABIremover in regular mode or safe mode? The most recent time I ran it in normal mode -- or does one run it or install it? It didn't appear to launch a process when I double clicked on the .exe file.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Read my post very carefully!

    Run the ABI Remover in SAFE MODE!

    Temporarily disable Norton so it will quit blocking my fixes.

    Now, Boot back into Safe Mode and run the ABI Remove. After you do this reboot again into Safe Mode and run Killbox and remove the below.

    Whether it is blue or not, run every step as is!

    Now, Copy and Paste C:\WINDOWS\system32\cqwlqev.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnti.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot and post 3 new logs.
     
  29. BlueBob

    BlueBob Private E-2

    I'm trying to follow your instructions to a T. Didn't know that Norton AV was in the way.
    Here's the HJT log.
    Next posting for the Qoologic & RKFiles logs.
     

    Attached Files:

  30. BlueBob

    BlueBob Private E-2

    here are the other 2 log files.
     

    Attached Files:

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
    C:\WINDOWS\systb.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvnpmr.exe reg_run
    O4 - HKLM\..\Run: [SXZXDLL] C:\WINDOWS\SXZXDLL.EXE
    O4 - HKLM\..\Run: [VIBDENC] C:\WINDOWS\VIBDENC.EXE
    O4 - HKLM\..\Run: [qvftdb] c:\windows\system32\itgephq.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess

    O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
    O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SXZXDLL.exe
    C:\WINDOWS\VIBDENC.exe
    C:\WINDOWS\systb.dll
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\SXZXDLL.exe
    C:\WINDOWS\VIBDENC.exe

    C:\WINDOWS\System32\itgephq.exe
    C:\WINDOWS\System32\msclock32.dll
    C:\WINDOWS\System32\rvnpmr.exe
    C:\WINDOWS\System32\itgephq.exe
    C:\WINDOWS\System32\rvnpmr.exe
    C:\WINDOWS\System32\itgephq.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnti.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log along with 2 new logs from the tools.
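The HijackThis fix lists in this post and in post 4 are built from the same handful of judgements: the system.ini Shell value must be Explorer.exe and nothing else, a Run entry that launches a random-looking binary out of C:\WINDOWS or System32 (or uses rundll32 to load a bare DLL name) is a dropper, a BHO with no name is suspect, and search-page or ActiveX (DPF) URLs on unfamiliar hosts are hijacks. The script below is an added example, not the thread's or the HijackThis project's code, that applies those judgements to log lines so a helper can triage a log before writing a fix list. The sample lines are copied from this thread's logs plus one constructed benign ctfmon.exe entry; the allow-lists of known-good names and trusted hosts are assumptions an analyst would tune.

```python
"""Triage HijackThis-style log lines (added example, not the thread's or
HijackThis' own code). Each rule encodes one judgement the helpers above
apply by hand; the allow-lists are assumptions for this example."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: seven lines copied from the thread's logs plus
# one benign ctfmon.exe Run entry added as a control.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {7E7746FA-F6B4-EE0C-313C-36D8B82A4D64} - C:\Program Files\FYI\umnhhilmet.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvnpmr.exe reg_run
O4 - HKLM\..\Run: [VIBDENC] C:\WINDOWS\VIBDENC.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str
    reason: str


# Assumptions for this example: names and hosts an analyst already trusts.
KNOWN_GOOD_BASENAMES = {"explorer.exe", "ctfmon.exe"}
TRUSTED_HOSTS = {"www.google.com", "search.msn.com", "www.hp.com"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Five to twelve letters and nothing else: the naming pattern of the
# droppers in this thread (rvnpmr.exe, VIBDENC.EXE, itgephq.exe, ...).
RANDOM_NAME = re.compile(r"^[a-z]{5,12}\.(exe|dll)$", re.I)


def first_token(cmd: str) -> str:
    """Return the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def host_of(value: str) -> str:
    return urlparse(value.strip()).netloc.lower()


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    kind = line.split(" ", 1)[0]

    if kind == "F2" and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding("high", line, f"shell value runs extra program: {shell}")

    elif kind == "O2" and "(no name)" in line:
        return Finding("medium", line, "browser helper object with no name")

    elif kind == "O4":
        m = re.search(r"\[[^\]]*\]\s+(.*)$", line)   # "[name] command"
        cmd = m.group(1) if m else ""
        program = first_token(cmd)
        base = ntpath.basename(program).lower()
        if base == "rundll32.exe":
            payload = cmd.split(None, 1)[1] if " " in cmd else ""
            return Finding("medium", line, f"rundll32 loads {payload}")
        if base in KNOWN_GOOD_BASENAMES:
            return None
        folder = ntpath.dirname(program).lower()
        if RANDOM_NAME.match(base) and folder in WINDOWS_DIRS:
            return Finding("high", line, f"random-looking binary in {folder}")

    elif kind in ("R0", "R1") and " = " in line:
        host = host_of(line.split(" = ", 1)[1])
        if host and host not in TRUSTED_HOSTS:
            return Finding("medium", line, f"search setting points at {host}")

    elif kind == "O16" and " - http" in line:
        host = host_of(line.rsplit(" - ", 1)[1])
        if host and host not in TRUSTED_HOSTS:
            return Finding("medium", line, f"ActiveX download from {host}")

    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it flags the Nail.exe shell hook and the two random-named Run entries as high and the rundll32, BHO, search-page and DPF lines as medium, while letting the ctfmon.exe control through. A "high" here is not a verdict, it is the line a helper should look at first; the allow-lists are where a real deployment needs care, since a single trusted name typed wrongly silences a rule.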
     
  32. BlueBob

    BlueBob Private E-2

    persistent is all I can say about this problem....
    anyway, I followed all your instructions and before I upload the logs here is the storyline of what happened when I ran the procedures:
    When I ran HijackThis I found all the lines you mentioned in your previous post except:
    O4 - HKLM\..\Run: [qvftdb] c:\windows\system32\itgephq.exe
    I did notice some line with dnti.exe in it, but did not do anything about it since you had no instructions along that line.
    When I tried to delete C:\WINDOWS\System32\rvnpmr.exe, I was told that it could be deleted, it was in use or something.
    [you listed a number of duplicates in the delete instructions, I'm assuming that this was not intentional - at any rate did not find multiple listings for these files]
    Also, SpyBot could not delete all of the files it found, asked if it could run upon reboot (I chose "yes" of course), but since I had it reboot in Safe Mode SpyBot did not fire up right away, so I ran it anyway, and it found one file (ABetterInternet) and deleted it. Upon rebooting in Normal Mode SpyBot did run automatically and found the same file.
    However, looking at the log files does not make me feel that we've licked this yet.
    Attached first is the HJT log. Next posting will have the other log files.
    Thanks again for forging on with this devil.
     

    Attached Files:

  33. BlueBob

    BlueBob Private E-2

    and now the Qoologic & RKFiles logs.
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I hate to ask this with these few infections, but without this critical update these things will get worse and more will come in.

    Go to Windows Updates and install Service Pack 2. Afterwards download the attached file, save to your desktop.

    Reboot into Safe Mode and run nailfix.bat! Your desktop will disappear but will return, this is normal! After the utility completes reboot into normal mode and attach a new HJT log along with 2 new logs from the tools.
     

    Attached Files:

  35. BlueBob

    BlueBob Private E-2

    I'm back....that was a simple statement that packed a wallop:
    ......it took me quite some time to negotiate my way through Windows Updates, finally downloading a bunch of pre-SP2 updates before being prompted for SP2. Anyway, I made it and here is the HJT log.
    btw, when I was really frustrated with the updates I ran nailfix and then HijackThis, deleted a few known bad lines (from previous times through this all) - it worked pretty well before I - or as I - downloaded the updates. Better with Firefox than IE. Anyway after updates & SP2 were installed Aurora came back (this was before I could run nailfix again -- and yes, I ran it in Safe Mode).
    Thanks.
     

    Attached Files:

  36. BlueBob

    BlueBob Private E-2

    here are the other 2 log files in my SP2 + nailfix world.
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we continue, go into Add/Remove Programs and uninstall Spy Sweeper as it may be blocking this fix. Also, temporarily uninstall Spybot, Ad-Aware or any other type of protection program until the fixes are done.

    Afterwards run the below online scan and post your results.

    Bitdefender online scan

    After you do this reboot and post 2 logs from the tools.
     
  38. BlueBob

    BlueBob Private E-2

    BitDefender results attached -- sorry, for the delay in posting, I had to run the Bit Defender 2X because overnight it shut down and then I was gone for a couple days. In the meantime my wife did use the computer, go on-line etc, and I don't know if things are reappearing that we could've shut down.
     
  39. BlueBob

    BlueBob Private E-2

    Qoologic & RJTools logs.
     

    Attached Files:

  40. BlueBob

    BlueBob Private E-2

    Let me try again with the BitDefender report, it didn't seem to upload last time (it was an html file, so I saved it as a text file this time)
     

    Attached Files:

  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you start this fix, disable any and all AntiVirus Programs and AntiSpyware Programs.

    Now, Please reboot into Safe Mode

    Locate PocketKillbox
    (Proceed with these steps exactly as they are, even if they do not turn blue)

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\hhvlweo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\pzgrhpx.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\qpvkb.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\rvnpmr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\gwshowq.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\fqggiuukyea.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\svcproc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\systb.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\wupdt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnti.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    Now allow Killbox to reboot your system. After you have rebooted and Windows has loaded, post 2 new logs from the tools and a fresh HJT log.
     
  42. BlueBob

    BlueBob Private E-2

    Okay, here are the logs; first the HJT. Also, FYI, after running KillBox (per instructions, of course) and rebooting, I got the following message: Error Loading EGDACCESS_1059.dll, the specified module could not be found.
     


  43. BlueBob

    BlueBob Private E-2

    And here are the log files from our tools.
     


  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Again, disable all anti virus & spyware programs.

    Locate PocketKillbox
    (Complete this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\bbuzdll.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\bbuzenc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\iazpjw.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to once again reboot your system. After you have rebooted and Windows has loaded, proceed with the following fix.


    Download the following file:
    http://www.mypctuneup.com/uninstaller_exe.php

    After the download is complete, double click to run the uninstaller. After it completes, proceed with the following fix.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [SXZXDLL] C:\WINDOWS\SXZXDLL.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rvnpmr.exe reg_run
    O4 - HKLM\..\Run: [bbuzdll] C:\WINDOWS\bbuzdll.exe
    O4 - HKLM\..\Run: [bbuzenc] C:\WINDOWS\bbuzenc.EXE
    O4 - HKLM\..\Run: [apzcgjn] c:\windows\system32\iazpjw.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\bbuzsvc.exe

    C:\WINDOWS\SXZXDLL.exe

    C:\WINDOWS\bbuzdll.exe

    C:\WINDOWS\bbuzenc.exe

    C:\WINDOWS\System32\iazpjw.exe

    C:\WINDOWS\system32\rvnpmr.exe

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log along with 2 new logs from both tools.
     
  45. BlueBob

    BlueBob Private E-2

    Okay, we're getting close to the end of all this, right? I mean, you sent me to the Dark Side to get the mypctuneup uninstaller, and after allowing them to uninstall their garbage we're going to sneak up from behind and obliterate them, right!!!
    Here's the HJT log.
    When I ran the uninstaller (which I had to run while connected to the internet) I got a couple of C++ run-time errors, but it seemed to complete the task. Two of the HijackThis lines were not present:
    O4 - HKLM\..\Run: [apzcgjn] c:\windows\system32\iazpjw.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    other than that, nothing else to report (except that while I was trying to limit the use of this computer today, there was a little activity on line, with only 1 or 2 pop ups).
    Thanks.
     


  46. BlueBob

    BlueBob Private E-2

    And now the other two logs from The Tools.
     


  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [usujdll] C:\WINDOWS\usujdll.exe
    O4 - HKLM\..\Run: [usujenc] C:\WINDOWS\usujenc.EXE

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Windows VisFx Components and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\bbuzsvc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\usujdll.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\usujenc.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and Windows has loaded, attach 3 new logs and we should be through.
     
  48. BlueBob

    BlueBob Private E-2

    Thanks for everything bjgarrick, I'll miss you when this problem is finally whipped. For the time being I think there's still something there, at least the RKFiles log shows traces of a couple of evil ones. First here's the HJT log.
     


  49. BlueBob

    BlueBob Private E-2

    Now for the logs from The Tools.
     


  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Disable any antivirus and antispyware program so it won't block this fix!

    Scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htttp://webproxy.artic.edu/flaxman .pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess

    Make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and Windows has loaded, attach 3 new logs.
     
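A read-only check a practitioner would run after the fixes in this thread, to confirm that the files, Run values, services and proxy auto-config setting named in bjgarrick's instructions are actually gone rather than re-created on reboot. This is an added example, not part of the thread or of any tool mentioned in it; it assumes PowerShell is installed on the machine and is run from an elevated prompt, and the paths and names it checks are taken from the Killbox steps and HijackThis lines above.

```powershell
# Added example (not from the thread): read-only verification of the
# persistence points named in this fix. Reports leftovers, removes nothing.
# Paths, Run value names and service names come from the HijackThis lines
# and Killbox steps above. Assumes PowerShell and an elevated prompt.

# Files Killbox was asked to delete on reboot (subset from the fixes above)
$files = @(
    "$env:windir\system32\EGDACCESS.dll", "$env:windir\system32\EGDACCESS_1059.dll",
    "$env:windir\system32\msclock32.dll", "$env:windir\system32\rvnpmr.exe",
    "$env:windir\system32\iazpjw.exe",    "$env:windir\bbuzdll.exe",
    "$env:windir\bbuzenc.exe",            "$env:windir\bbuzsvc.exe",
    "$env:windir\SXZXDLL.exe",            "$env:windir\svcproc.exe",
    "$env:windir\usujdll.exe",            "$env:windir\usujenc.exe"
)

# Run-key value names from the O4 lines the HijackThis fix targeted
$runValues = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = @('SXZXDLL', 'KavSvc', 'bbuzdll', 'bbuzenc', 'apzcgjn', 'usujdll', 'usujenc')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = @('Instant Access')
}

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File still present: $f" }
}

foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += "Run value still present: $key\$name = $($props.$name)"
        }
    }
}

# The O23 line names its service by short name (SvcProc); services.msc showed
# the VisFx one by display name, so check each the way it was identified.
$svc = Get-Service -Name 'SvcProc' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service still registered: SvcProc ($($svc.Status))" }
$svc = Get-Service -DisplayName 'Windows VisFx Components' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service still registered: Windows VisFx Components ($($svc.Status))" }

# R1 lines: a proxy auto-config URL the user never set is a hijack indicator
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.AutoConfigURL) { $findings += "AutoConfigURL still set: $($inet.AutoConfigURL)" }

if ($findings.Count) { $findings } else { 'No leftovers from this fix found.' }
```

Anything it reports should go back into the next round of logs rather than be deleted by hand, since a file that returns after a Killbox pass means some loader for it is still running.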
