Aurora Popups Virus Please Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bekka24, May 17, 2005.

  1. bekka24

    bekka24 Private E-2

    Please Help Me,

I am trying to get rid of this virus that causes popups to come up even when I am not browsing the internet. I am running a Wireless Cable modem and so I am always connected to the internet. I have read the tutorial and run all of the virus detection suggestions. This didn't fix the problem, although it did help me to delete MANY MANY other smaller issues I didn't even know I had. I have run Hijack This! and I have read through the tutorial and fixed some stuff, however I am seeking some assistance to help me finish getting rid of this obnoxious virus! Please help! :D

    Thanks, Bekka
     
  2. marcello

    marcello Private E-2

  3. bekka24

    bekka24 Private E-2

I went to this website and downloaded this information and ran it. I have not had any more popups, however I still am getting an error message from my Symantec Antivirus that pops up on the screen and tells me that a virus was quarantined, however the access was denied. I am not sure what to do next. I am going to run the antivirus instructions again and see if anything has changed. Any further suggestions would be appreciated. Also, I believe the virus is called Nail.exe? I don't know what this is....Thanks! ;)
    Bekka
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this: ABIremover

Unzip it into its own folder. Now boot into safe mode with no network support and do not open any browsers. Now run the ABIremover.exe file.

    When done reboot into normal mode and let me know how things look.
     
  5. bekka24

    bekka24 Private E-2

Did as you asked, and went back through all of the instructions again. Here's what I got....House Call found two viruses Troj_Stervis.C and Worm_SDBOT.Bkw. Deleted both of them, but they keep coming back next time I scan. Adaware keeps finding Ezula, LycosSideSearch, and eSyndicate. HSRemove removed 8 items (again, this is the second time 8 items were removed). Symantec keeps alerting to a Trojan found in a file rdriv.sys. I feel like I am working in circles. The popups are back again as well, every time I boot in safe mode it's fine, then regular mode everything comes back again. Please Help! Thanks!
    Bekka
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Why are you running HSremove? You did not say anything about having an HSA hijacker issue.

    Are your Aurora popups fixed?

    If you have run all the steps in the READ ME, perform the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  7. bekka24

    bekka24 Private E-2

    The Aurora Popups are gone, but now I'm getting Internet Explorer popups. I ran HSRemove because it was on the list of things to download. I have followed the instructions about the Hijack This! Here is the attached log file.....Thanks for all your help!
    Bekka
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

The READ ME FIRST explains that you only need HSremove (and also about:blank) for specific hijacker problems. The HSA and about:blank hijacks. It is not necessary for you to waste any time running these since you do not have those hijackers. The 8 files that HSremove is indicating are a bug. It always shows 8 when clean.

    Why didn't you run the two online scanners from the READ ME FIRST? Did you skip any other steps?
     
    Last edited: May 17, 2005
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first thing I want you to do is go to Add/Remove programs (from Control Panel) and look for the below programs and uninstall if found:

    Media Access
    salm
    IST Service or ISTbar
    Internet Optimizer
    BullsEye Network
    WinTools
    Power Scan
    TBPS

    Tell me which ones you find and if they uninstall.

    Now download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

    Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds. Tell me what it finds and fixes (or does not fix).

    Now reboot into normal mode and post a new HJT log attachment.
     
  10. bekka24

    bekka24 Private E-2

    I did one of the online scans, the Trend Micro/House Call one, but the link for the other is broken and comes back with an error message that the page has expired. Then I ran Stinger....As for running HSRemove...I didn't know what I had as far as if it was a hijack whatever so I ran it because I didn't know that I didn't have it....I will follow the next instructions and let you know the result...Thanks
    Bekka
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. bekka24

    bekka24 Private E-2

    I ran the Sun Java one as the other one would not work because I use Mozilla Firefox. Actually, I am helping a friend fix her computer which is why I am here...I have had no further problems with my own.

    As for the Add/Remove process I have found and removed the following:
    ISTService
    Media Access
    Internet Optimizer
    WinTools
    Bullseye Network
    Power Scan

    All seem to have been removed fine. One required a restart to complete, and when the computer was restarted everything seemed to have been deleted successfully.

I have also downloaded Microsoft AntiSpyware and I am in the process of installing and searching for updates. Will let you know how it goes.
    Bekka
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Don't forget to run MS Antispyware in safe mode. And then post a new HJT log because I expect a few additional items to remain that require manual removal procedures.
     
  14. bekka24

    bekka24 Private E-2

After running Microsoft AntiSpyware I found the following:
    SearchEnhancement
    AvenueMedia.DyFuCA
    SideFind
    WebSearch Toolbar
    Network Essentials
    eZula.TopText
    WindUpdates
    AproposMedia
    180Assistant
    IST.SlotchBar
    Cydoor
    HuntBar
    eXact.BargainBuddy
    IEPlugin
    IST.ISTbar
    IST.PowerScan
    SEP
    DownloadWare
    eXact Search Bar
    Superlogy.com
    MediaTicket CDT
    Twain Tech
    ShopAtHome

    I am now removing/quarantining these items (per the recommendation) then I will restart in Normal mode and run Hijack This! again and post another attachment for the new LogFile.
    Bekka
     
  15. bekka24

    bekka24 Private E-2

    Here is the new Hijack This! LogFile....Thanks Again!
    Bekka
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very important that you always remember to exit browsers before running HJT. You had the below running:
    C:\program files\internet explorer\iexplore.exe


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Software Secure Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for: Windows Management Construct

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Software Secure Service

    If that does not work try entering the short name: SSISvr32
    You will need to cut and paste the short name since the characters are not easily typed.

    Now repeat the above HJT step for: Windows Management Construct
    Or short name: winmgmc

    Now exit HijackThis.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\ssisvr32.exe
    C:\WINDOWS\userint32.exe
    C:\word.exe
    C:\windows\system32\xlg.exe
    C:\windows\system32\xlg.exe
    C:\WINDOWS\system32\je86qvu8.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
    O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
    O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe
    O4 - HKLM\..\Run: [czMR] C:\windows\system32\czMR.exe
    O4 - HKLM\..\Run: [EBcF] C:\windows\system32\EBcF.exe
    O4 - HKLM\..\Run: [3NtFWtRdq] C:\windows\system32\3NtFWtRdq.exe
    O4 - HKLM\..\Run: [Lsass] C:\word.exe
    O4 - HKLM\..\Run: [xlg] c:\windows\system32\xlg.exe
    O4 - HKLM\..\Run: [xlg.exe] C:\windows\system32\xlg.exe
    O4 - HKLM\..\Run: [je86qvu8] C:\WINDOWS\system32\je86qvu8.exe
    O15 - Trusted Zone: *.westlaw.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
    O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ssisvr32.exe
    C:\windows\system32\3NtFWtRdq.exe
    C:\WINDOWS\userint32.exe
    C:\word.exe
    C:\windows\system32\xlg.exe
    C:\WINDOWS\system32\je86qvu8.exe
    C:\WINDOWS\winsmc.exe
    C:\windows\system32\czMR.exe
    C:\windows\system32\EBcF.exe
    C:\WINDOWS\winmgc.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
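Added example (Python; not part of the thread and not code from HijackThis): a small parser for the log line shapes quoted in the post above. It turns a handful of those entries into the same working lists chaslang built by hand, services to stop and disable, processes to kill, files to delete, and separately flags the system.ini Shell override. The regular expressions are inferred from the quoted lines only, and the sample log is a constructed subset of them.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Lsass] C:\word.exe
O4 - HKLM\..\Run: [xlg] c:\windows\system32\xlg.exe
O4 - HKLM\..\Run: [xlg.exe] C:\windows\system32\xlg.exe
O15 - Trusted Zone: *.westlaw.com
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
"""

# Line shapes are inferred from the quoted log, not taken from HijackThis documentation.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<detail>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
F2_SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.+)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.exe', re.IGNORECASE)


def parse_entries(log_text):
    """Split a log into (section, detail) pairs, ignoring non-entry lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def run_keys(entries):
    """O4 autostart entries as dicts: hive, key, value name, command line."""
    return [O4_RE.match(d).groupdict()
            for s, d in entries if s == "O4" and O4_RE.match(d)]


def services(entries):
    """O23 service entries as dicts: display name, short name, owner, image path."""
    return [O23_RE.match(d).groupdict()
            for s, d in entries if s == "O23" and O23_RE.match(d)]


def shell_overrides(entries):
    """F2 Shell= values that are not the stock 'Explorer.exe'.

    Anything appended after Explorer.exe is launched together with the shell,
    which is why the thread's F2 line is on the fix list."""
    found = []
    for s, d in entries:
        m = F2_SHELL_RE.match(d) if s == "F2" else None
        if m and m.group("value").strip().lower() != "explorer.exe":
            found.append(m.group("value"))
    return found


def referenced_executables(entries, sections=("F2", "O4", "O23")):
    """Distinct .exe paths referenced by persistence entries. Paths are compared
    case-insensitively (Windows paths are) but reported as first written, so the
    two xlg.exe spellings in the log collapse to one file."""
    seen = OrderedDict()
    for s, d in entries:
        if s in sections:
            for path in EXE_RE.findall(d):
                seen.setdefault(path.lower(), path)
    return list(seen.values())


def removal_plan(log_text):
    """Order the work the way the post does: stop and disable services first,
    then kill the running images, then delete the files (a running image cannot
    be deleted, which is the error the post warns about)."""
    entries = parse_entries(log_text)
    exes = referenced_executables(entries)
    return {
        "services": [(svc["display"], svc["short"]) for svc in services(entries)],
        "processes": exes,
        "files": exes,
        "shell_overrides": shell_overrides(entries),
    }


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_LOG)
    for step in ("services", "processes", "files", "shell_overrides"):
        print(f"{step}:")
        for item in plan[step]:
            print("   ", item)
```

The parser only extracts what the entries reference; deciding which entries are malicious stays with the analyst, exactly as it did in the thread, where the helper picked the lines and the user worked through them.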
  17. bekka24

    bekka24 Private E-2

Okay, I followed your directions, but there were some things that didn't exist in the list so I couldn't delete them. Here is the new log file....Thanks
    Bekka
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Just two minor items left to have HJT fix (one is from running HSremove which you do not need to be running):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O15 - Trusted Zone: *.westlaw.com

    Other than those you are clean. How are things working?
     
