Aurora, Buddy.exe???

Discussion in 'Malware Help (A Specialist Will Reply)' started by CalRodeo, Apr 17, 2005.

  1. CalRodeo

    CalRodeo Private E-2

    After following all the Read Me documentation on this page and running all recommended spyware, virus and trojan removers, I am still getting the Aurora popups. I believe the program name is "TODO" when I look it up in properties. I believe it is also related to the regenerating process that runs in my task manager (usually running at 160 K) and changes names every time you stop the process. I have to add that I am unable to boot into safe mode due to running DVI to my digital Sony TV. I am hoping this is not the reason why this pain of a program keeps returning. Any help would be greatly appreciated. I have an available HJT log if needed. I am running Comcast broadband with a Dell P4 1.6ghz with 512MB of RAM.

    Thanks in Advance, Tim
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. CalRodeo

    CalRodeo Private E-2

    Here is my HJT Log, this is my first time posting so be gentle!! :)
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    P2P Networking


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    ivgaso.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.we1.attbb.net
    (If you need these or know them leave them as is, if not have HJT fix them)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [vrbhpgw] c:\windows\system32\ivgaso.exe

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\P2P Networking <-- Delete this whole folder if it exists!

    C:\WINDOWS\System32\ivgaso.exe

    C:\WINDOWS\Nail.exe

    C:\WINDOWS\svcproc.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. CalRodeo

    CalRodeo Private E-2

    Well, I'm right back where I started from. Deleted the P2P Networking folder, was able to stop the process, but it returned shortly with a different name when I was in Safe Mode. UNREAL!! I have even tried creating a dummy file and dragging it on top, which did not work either. Nail.exe returned also, as you can see by my log. The R1 entries you mentioned are my internet settings; attbb is Comcast internet, used to be AT&T. As you also see, it is now named hlfltoo.exe. This is the name it took after trying to delete and stop the process several times. I have triple checked your instructions and have done everything I can do!! I hope we can find a way through this.
     


  6. CalRodeo

    CalRodeo Private E-2

    I have been doing some research for others viewing this thread also. It seems all these originate from a company called Direct Revenue, via abetterinternet.com, offeroptimizer.com etc. etc. See their devious website and feel free to send as many emails as you can!!
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Before we start any fixes, be sure SpyBot S&D's TeaTimer is DISABLED!

    Click Start > Run > type system.ini

    Find the line that refers to Nail.exe and delete it. Save the file!


    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    System Startup Service (SvcProc)
    If that does not work try entering the short name: SvcProc


    NEXT:
    Run CCleaner



    NEXT:
    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\hlfltoo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Nail.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SvcProc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    After windows has loaded from reboot,



    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After doing ALL of the above, once windows has loaded post a fresh HJT log. Let's see if that service is gone this time along with the files.
     
  8. CalRodeo

    CalRodeo Private E-2

    Followed all instructions very carefully....Rebooted back to normal mode and they all came back. Nail.exe reinstalls, SvcProc regenerates, and Aurora pop ups (AKA offeroptimizer, AKA abetterinternet) continue. During my reboot to normal windows, I noticed an additional folder on my root drive that was not there before. It was entitled !Submit. I deleted it obviously. Also, in my Windows folder I found an EXE named ijsbnf or something like that....It had the Aurora icon with it, so I deleted it as well. None of these actions seem to be working and I'm losing hope. As you can see in my log, the file has now taken on the name of frmexc.exe.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's do this before we do anything else!

    Download Generic Detection Tool - NT/2000/XP

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  10. CalRodeo

    CalRodeo Private E-2

    OK, here you go. Good morning to you....ready for battle?? LOL
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Second:
    After doing the above, post a fresh HJT log. We need to find out what's keeping this thing here.
     
  12. CalRodeo

    CalRodeo Private E-2

    OK, Reg entry done and posted a new log.
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you deleted that service? Because it's still showing up.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    gssiwak.exe


    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [cvdfqh] c:\windows\system32\gssiwak.exe

    Make sure All Browser Windows are Closed when you Click FIX.


    Click Start > Run > type system.ini

    Now, remove this line and save!

    Shell=Explorer.exe C:\WINDOWS\Nail.exe


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Look for this entry:
    System Startup Service (SvcProc)

    When found, right click and delete it, exit registry editor.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled.

    Now, find each one of these files and delete them when found!

    C:\WINDOWS\svcproc.exe

    C:\WINDOWS\System32\gssiwak.exe

    C:\WINDOWS\Nail.exe


    After doing the above post a fresh HJT log.
     
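    The items bjgarrick asks to have fixed in posts 4 and 14 are all classic persistence points (the system.ini Shell= line, an HKLM Run value with a random name, a service with no identifiable owner). The following is an added example, not code from the thread or from HijackThis: a small Python triage that reads HJT log lines and flags exactly those three patterns, run here over the lines quoted in this thread. The random-name heuristic is an assumption tuned to the naming pattern described above.

```python
import re

# Constructed sample: the HijackThis items quoted earlier in this thread, embedded so the triage runs offline.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vrbhpgw] c:\windows\system32\ivgaso.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
RANDOM_TOKEN = re.compile(r"^[a-z]{5,8}$")  # assumed heuristic: vrbhpgw, ivgaso, cvdfqh, gssiwak

def shell_hijack(body):
    # F2 item: Shell= should be exactly Explorer.exe; anything appended runs at every logon.
    m = re.search(r"Shell=(?P<value>.*)$", body, re.IGNORECASE)
    if not m:
        return None
    extras = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    return "extra shell executable(s): " + " ".join(extras) if extras else None

def suspicious_run_entry(body):
    # O4 item: both the value name and the exe basename are short random-looking lowercase
    # tokens, the pattern the renaming process in this thread uses. Legit entries fail one or both.
    m = RUN_ENTRY.search(body)
    if not m:
        return None
    exe = m.group("cmd").split()[0].replace("/", "\\").rsplit("\\", 1)[-1]
    stem = exe.lower()[:-4] if exe.lower().endswith(".exe") else exe.lower()
    if RANDOM_TOKEN.match(m.group("name")) and RANDOM_TOKEN.match(stem):
        return "random-named Run value launching " + exe
    return None

def unknown_owner_service(body):
    # O23 item: a service HijackThis cannot attribute to any vendor.
    if " - Unknown owner - " in body:
        return "service with unknown owner: " + body.split(" - ")[0].replace("Service: ", "")
    return None

CHECKS = {"F2": shell_hijack, "O4": suspicious_run_entry, "O23": unknown_owner_service}

def triage(log_text):
    # Return (code, reason, line) for every HJT line that trips one of the checks above.
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append((m.group("code"), reason, line.strip()))
    return findings
```

    Calling triage(SAMPLE_HJT_LOG) returns three findings (the Nail.exe shell hijack, the ivgaso.exe Run value, the SvcProc service) and leaves the two legitimate O4 entries alone.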
  15. CalRodeo

    CalRodeo Private E-2

    It doesn't do any good to end process, gssiwak.exe because it restarts itself under a different name. Nail.exe also reinstalls itself from somewhere that I cannot find. Also Nail.exe does not show as a line in my system.ini when I run it. Unfortunately the instructions you just posted have been done several times with the same results, but I will try again.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you remove that service, you should have done this a long time ago.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is what you can do to remove nail.exe

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    Close the command prompt window and reboot and post a current HJT log and tell me where things stand now.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    LOL!

    Thanks Chas!
     
  19. CalRodeo

    CalRodeo Private E-2

    My curiosity got me and I started looking at sample system.ini files on google. I think there's something terribly wrong with mine. I think there is a ton of data missing from it. I posted it as an attachment, tell me if you agree.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That looks ok!

    Have you completed what Chas requested?
     
  21. CalRodeo

    CalRodeo Private E-2

    OK, did the command prompt that Chas spoke of and Nail.exe as well as svcproc seem to be gone and staying gone. Still getting the Aurora pops, but mostly with a script error. Sometimes without and sometimes blank, so what we're doing is kickin it in the back side. :eek:) After deleting svcproc, I looked in Services and System Start Up is still in there, but staying disabled; it used to reinstall and reset it to automatic. I did a couple of searches of C: drive for Nail.exe and SvcProc.exe, they are still gone. However, the suspicious EXE is still running and changing names upon ending process. Currently it is named kvvifj.exe.
     


  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you removed the service via regedit as per my request you will have to reboot before the service list will be refreshed.

    The only other problem I see is the kvvifj.exe, let me ask Chas about this one, one moment! (Chas needs to clear out some old PM's) LOL
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you see this file when you try to look for it?

    C:\WINDOWS\System32\kvvifj.exe
     
  24. CalRodeo

    CalRodeo Private E-2

    Yes, I can look at the files as they recreate themselves in System32, however I cannot delete them fast enough because they always start up on their own. I have also tried throwing a dummy file on top of it, but it won't let me change it because it's running. I also found SvcProc in my registry under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC. Tried to delete it but it wouldn't let me.
     
  25. CalRodeo

    CalRodeo Private E-2

    OK guys, here's the answer that's going to make your Aurora job really easy. I emailed Direct Revenue LLC and here is the response that I got.......

    Thank you for contacting Mypctuneup support! We apologize for the delayed response to your email, and thank you for your patience.

    Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
    From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
    http://www.mypctuneup.com/evaluate.php
    Or go to www.mypctuneup.com and click on free uninstall tool and follow the steps.

    We hope you find this helpful. Thanks again for your continued patience.


    Anyway, I took a chance and ran the uninstall tool. During the setup they mention that there is NO EULA for the uninstall tool and there will be no information used off of the installing of their program. I ran the uninstaller and VOILA, it's all gone!!
    In closing I want to thank you guys for your endless support and mention that sometimes the simplest solution is the best one!!
     
  26. CalRodeo

    CalRodeo Private E-2

    As an added precaution, here's my new HJT log.
     


  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  28. CalRodeo

    CalRodeo Private E-2

    None at all!! I'm stoked. I started a new thread with the links so that others could hopefully see it. Thanks again for your help!!
     