
"To Do" and "Aurora" and "nail.exe" removal!

Discussion in 'Virus & Other Malware Removal' started by rolland, Apr 18, 2005.

Thread Status:
Not open for further replies.
  1. rolland

    rolland Thread Starter

    Joined:
    Apr 18, 2005
    Messages:
    2
    I have searched for ways to remove the "To Do" and "Aurora" and "nail.exe" files, but what I have tried has not worked. Here is my HJT log file. Any help would be greatly appreciated. I can't get any work done with all these pop-up ads!

    Logfile of HijackThis v1.99.1
    Scan saved at 11:37:47 PM, on 4/18/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\egovjbm\hdjfdwpv.exe
    C:\WINDOWS\System32\roknpkt\jaopfjaq.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
    C:\Program Files\m00iurk4\m00iurk4.exe
    C:\WINDOWS\ANCGDLL.EXE
    C:\WINDOWS\HAYZENC.EXE
    C:\WINDOWS\System32\smcj\qqft.exe
    C:\WINDOWS\System32\viwvqtw\enuxl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\woquwp\nqye.exe
    C:\WINDOWS\System32\hroxkhe\fbkkddyv.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system\eeeee.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\System32\vllslfo\bsgvfn.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\m00iurk4\66121477.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\killbox virus killer\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.digitalweddingforum.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.digitalweddingforum.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
    O4 - HKLM\..\Run: [m00iurk4] C:\Program Files\m00iurk4\m00iurk4.exe
    O4 - HKLM\..\Run: [ANCGDLL] C:\WINDOWS\ANCGDLL.EXE
    O4 - HKLM\..\Run: [HAYZENC] C:\WINDOWS\HAYZENC.EXE
    O4 - HKLM\..\Run: [qqft] C:\WINDOWS\System32\smcj\qqft.exe
    O4 - HKLM\..\Run: [enuxl] C:\WINDOWS\System32\viwvqtw\enuxl.exe
    O4 - HKLM\..\Run: [ekbpwef] C:\WINDOWS\System32\jxuw\ekbpwef.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [nqye] C:\WINDOWS\System32\woquwp\nqye.exe
    O4 - HKLM\..\Run: [fbkkddyv] C:\WINDOWS\System32\hroxkhe\fbkkddyv.exe
    O4 - HKLM\..\Run: [bsgvfn] C:\WINDOWS\System32\vllslfo\bsgvfn.exe
    O4 - HKLM\..\Run: [jaopfjaq] C:\WINDOWS\System32\roknpkt\jaopfjaq.exe
    O4 - HKLM\..\Run: [hdjfdwpv] C:\WINDOWS\System32\egovjbm\hdjfdwpv.exe
    O4 - HKLM\..\Run: [uhlvrsp] C:\WINDOWS\System32\chtsbu\uhlvrsp.exe
    O4 - HKLM\..\Run: [equo] C:\WINDOWS\System32\jmkq\equo.exe
    O4 - HKLM\..\Run: [igmbot] C:\WINDOWS\System32\cmpefs\igmbot.exe
    O4 - HKLM\..\Run: [agury] C:\WINDOWS\System32\pmahrw\agury.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Aurigma Image Uploader 2.0 - http://www.photogize.com/PhotogizeImageUploader.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: hdjfdwpvegovjbm - Unknown owner - C:\WINDOWS\System32\egovjbm\hdjfdwpv.exe
    O23 - Service: igmbotcmpefs - Unknown owner - C:\WINDOWS\System32\cmpefs\igmbot.exe
    O23 - Service: jaopfjaqroknpkt - Unknown owner - C:\WINDOWS\System32\roknpkt\jaopfjaq.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: uhlvrspchtsbu - Unknown owner - C:\WINDOWS\System32\chtsbu\uhlvrsp.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
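The log above (and the random startup/service entries The_Egg mentions later in the thread) can be triaged mechanically. Added example, not code from the thread, from HijackThis, or from any of the tools linked below: a Python script that parses HJT log lines and flags the patterns visible here: a Winlogon Shell value with anything appended to Explorer.exe (the Nail.exe entry), O4/O23 executables sitting in a sub-folder of System32, services with no owner outside Program Files, and browser settings pointing at searchmiracle.com. The heuristics and category names are this script's own assumptions, and the sample lines are a constructed subset copied from the log above. Treat hits as review candidates, not verdicts: the legitimate `C:\WINDOWS\system32\dla\tfswctrl.exe` autorun in the full log would also trip the System32 sub-folder check.

```python
"""Triage HijackThis (HJT) log lines for the persistence patterns in this thread.

Added example; it is not part of the forum thread, of HijackThis, or of the
fix tools linked in the thread. The heuristics are this script's own assumptions:
  * F2 Shell= must be exactly Explorer.exe; an extra program is a Winlogon
    shell hijack (the thread's log shows Nail.exe appended).
  * O4 autorun entries and O23 services whose executable lives in a
    sub-folder of System32 are flagged for review.
  * O23 services with "Unknown owner" outside Program Files are flagged for
    review (svcproc.exe in the log is one).
  * R0/R1 browser settings pointing at a known hijacker host are flagged.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hijacker hosts named in the thread (searchmiracle.com). Extend as needed.
BAD_HOSTS = ("searchmiracle.com",)

# Matches e.g. \System32\smcj\qqft.exe but not \System32\GEARSec.exe.
SYSTEM32_SUBDIR_EXE = re.compile(r'\\system32\\[^\\"]+\\[^\\"]+\.exe', re.IGNORECASE)

# Constructed sample: a handful of lines copied from the HJT log in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.digitalweddingforum.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [qqft] C:\WINDOWS\System32\smcj\qqft.exe
O4 - HKLM\..\Run: [m00iurk4] C:\Program Files\m00iurk4\m00iurk4.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: hdjfdwpvegovjbm - Unknown owner - C:\WINDOWS\System32\egovjbm\hdjfdwpv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str  # which heuristic fired
    line: str      # the HJT line that triggered it


def _host_of(url: str) -> str:
    """Hostname of an HJT R0/R1 value; such values often lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_bad_host(host: str) -> bool:
    return any(host == bad or host.endswith("." + bad) for bad in BAD_HOSTS)


def check_line(line: str) -> list[Finding]:
    """Apply every heuristic to one HJT log line."""
    line = line.strip()
    findings: list[Finding] = []
    if line.startswith("F2 - REG:system.ini: Shell="):
        programs = line.split("Shell=", 1)[1].split()
        if [p.lower() for p in programs] != ["explorer.exe"]:
            findings.append(Finding("shell-hijack", line))
    elif line.startswith(("R0 - ", "R1 - ")) and "=" in line:
        value = line.split("=", 1)[1].strip()
        if value and _is_bad_host(_host_of(value)):
            findings.append(Finding("browser-hijack", line))
    elif line.startswith(("O4 - ", "O23 - ")):
        if line.startswith("O23 - "):
            path = line.rsplit(" - ", 1)[1]   # "... - <owner> - <path>"
        else:
            path = line.split("] ", 1)[-1]    # "O4 - ...: [name] <path>"
        path = path.strip().strip('"')
        if SYSTEM32_SUBDIR_EXE.search(path):
            findings.append(Finding("system32-subdir-exe", line))
        if (line.startswith("O23 - ") and " - Unknown owner - " in line
                and "program files" not in path.lower()):
            findings.append(Finding("unknown-owner-service", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log and collect the findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per heuristic, for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.category}] {f.line}")
    print(summarize(hits))
```

Run it against a saved HJT log with `triage(open("hijackthis.log").read())`. The Shell check is the one worth keeping even after the cleanup tools have run: if `Shell=` carries anything beyond `Explorer.exe`, the machine will relaunch whatever is appended on every logon, which is why Nail.exe survives file deletion alone.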
     
  2. rolland

    rolland Thread Starter

    Joined:
    Apr 18, 2005
    Messages:
    2
    Here is my "Find It_s" log file:

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Be carefull
    Helpers Only delete file's in this section if both criteria are matched
    Only if file show's in both 1 and 2 (string search's)

    »»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
    Be carefull
    Helpers Only delete file's in this section if both criteria are matched
    Only if file show's in both 1 and 2 (string search's)

    »»»»»»»»»»»»»»»»»»»»»»»» Possible SAHAgent Files found »»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»




    Volume in drive C is DRIVE_D
    Volume Serial Number is A8C2-DC6F

    Directory of C:\WINDOWS\system32

    04/15/2005 03:53 PM 2,238 Casino-on-Net.ico
    04/15/2005 03:54 PM 3,262 creditcard32123123123asdsa.ico
    04/15/2005 03:53 PM 3,262 dice21.ico
    04/15/2005 03:53 PM 3,774 Free Cell Phone.ico
    04/15/2005 03:53 PM 7,358 Free LapTop Computer.ico
    04/15/2005 03:53 PM 3,774 Free Ringtones!.ico
    04/15/2005 03:53 PM 7,358 Free Sony Playstation.ico
    04/15/2005 03:53 PM 7,358 Free U2 iPod.ico
    04/15/2005 03:54 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
    04/15/2005 03:54 PM 4,286 mp3red51aads.ico
    04/15/2005 03:53 PM 3,774 NBA Giveaway.ico
    04/15/2005 03:53 PM 4,286 pop up blaster123213.ico
    04/15/2005 03:53 PM 2,238 red_kas.ico
    04/15/2005 03:53 PM 3,262 vh e233.ico
    14 File(s) 60,516 bytes
    0 Dir(s) 10,904,018,944 bytes free
    Volume in drive C is DRIVE_D
    Volume Serial Number is A8C2-DC6F

    Directory of C:\WINDOWS\SYSTEM32

    Volume in drive C is DRIVE_D
    Volume Serial Number is A8C2-DC6F

    Directory of C:\WINDOWS\SYSTEM

    svcproc.exe
    Nail.exe
     
  3. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Hi. Sorry to keep you waiting. We now have a known and proven working fix.


    Please go here to download the Aurora uninstaller
    http://www.mypctuneup.com/evaluate.php

    Be sure to read the instructions


    Also download the EliteBar (searchmiracle) Removal Tool (must be run in safe mode)
    http://www.simplytech.it/ETRemover/
    http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/EliteToolbar-Remover.shtml


    Please also download the attached RegQuery.zip
    Unzip RegQuery.bat to the desktop
    and make a backup copy of it, eg. in My Documents, just in case.
    See further instructions below.

    _____________________________________________________________


    Close all windows, but stay connected to the net

    Run the Aurora Uninstaller
    Follow the prompts/instructions

    __________________________________________________________


    Boot to Safe Mode

    How to boot into safe mode | 2


    Run the EliteBar SearchMiracle Removal Tool

    Note, you may need to run it more than once.



    Empty all Temp folders (delete all files within):

    C:\Documents and Settings\(profile)\Local Settings\Temp\
    C:\Windows\Temp\
    C:\Temp\ (if it exists)


    Go to: Control Panel > Internet Options
    General tab > Temporary Internet Files > Delete Files:
    Checkmark "Delete all offline content"
    Click OK


    If they still exist, delete all those C:\WINDOWS\system32\*.ico (icon) files listed in the Find-It's log

    _______________________________________


    Reboot into Normal Mode


    Run the RegQuery.bat file from my attachment
    This will query the keys in the Windows Services section of the Registry.
    A text file (RegQuery.txt) should appear on your desktop.
    Please attach it to your next reply here
    (Attachment feature available via: Post Reply button > Manage Attachments)


    Go to: Control Panel > Internet Options
    General tab > Temporary Internet Files > Delete Files:
    Checkmark "Delete all offline content"
    Click OK

    Go to the "Programs" tab, then click the "Reset Web Settings" button.
    Click Apply.
    Note: You then might need to reset your desired home page c/o General tab

    Go to the "Security" tab
    Click on "Internet Zone" and then click "Default Level"
    Click on "Restricted Sites", then click the "Sites" button
    Type in: *.searchmiracle.com
    Click the "Add" button, then click OK

    Click Apply, then click OK to close Internet Options.


    Click the Post Reply button here.
    Paste in your latest HJT log
    and attach the RegQuery.txt file

    and then we'll clean up whatever is left
    eg. some of those random startup/services entries may still be there, but the main thing is to get rid of Aurora/ToDo and SearchMiracle first...

    _________________________________________
     


  4. Shane~E

    Shane~E

    Joined:
    Apr 23, 2005
    Messages:
    1
    I've tried 3 or 4 different fixes for this, and you are the first to have a method that works. Just wanted to say THANK YOU
     
  5. FHH

    FHH

    Joined:
    Apr 27, 2005
    Messages:
    2
    I am not sure, but I do know that I had Aurora on my system, and I ran this program and it seemed to clean it. I am not 100% sure, but it seemed to have worked. Here is a link to the site where I downloaded the program. http://www.mypctuneup.com/
     
  6. tedkling

    tedkling

    Joined:
    May 3, 2005
    Messages:
    1
    Thanks so much for the instructions for removing "to Do" and Aurora (and nail.exe !). They seem to have worked very well. I registered on this site just to say thanks!!

    Ted
     
  7. JeremyDallas

    JeremyDallas

    Joined:
    May 10, 2005
    Messages:
    1
    Thanks, this worked great.
     
Short URL to this thread: https://techguy.org/354222
