A couple of weeks ago I was hit with spyware when uninstalling a downloaded program (received from a p2p network). Ad-Aware Plus (& Trend Micro) have usually taken care of all of my problems until now. "Popupsearches" & "Aurora" pop-ups (among other things) became unstoppable. Over time I've gotten rid of most of it, but there's still something there that I can't detect/remove. One change in my PC performance is data transfer through USB2.0 ports to external drives. I now get delay write failures. A hijackthis logfile can be posted. Thanks for any input....

two things found: patch (http://www.microsoft.com/downloads/details.aspx?FamilyID=733dd867-56a0-4956-b7fe-e85b688b7f86&DisplayLang=en) , or video card drivers updated, changed back...:)

Sounds like nail.exe , aurora's newest demon, and it is a B?#$% to get rid of. Post your HT log.

Downloaded/ran the patch, but still have problems with transfers... Logfile of HijackThis v1.99.1 Scan saved at 7:05:29 AM, on 5/7/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\Explorer.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\WINNT\System32\DeltTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe C:\Program Files\Write DVD!\saimon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Iomega\AutoDisk\ADUserMon.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\WINNT\System32\svchost.exe C:\Program Files\Iomega\AutoDisk\ADService.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Palm\HOTSYNC.exe C:\WINNT\System32\wuauclt.exe C:\WINNT\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Pop Blocker\updatedl.exe C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.etree.org/ F3 - REG:win.ini: load=?????? ?????????? F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe O4 - HKLM\..\Run: [System Update] sysupdt32.exe O4 - HKLM\..\Run: [MMtask Service] mmtask.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [DeltTray] DeltTray.exe O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.exe O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab? O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing) O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing) O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Forgot to mention, when I remove several of the suspicious programs from the scan, they reload themselves. Ad-Watch immediately detects them.

Hey phoam, first set the computer up to show hidden files. Go to control panel>folder options>view>check the circle beside" show hidden files and folders">apply>ok. Clean up some temp files. Go to C:\WINNT\Temp and delete the contents of that folder(not the folder itself ) Go to C:\WINNT\Prefetch and delete the contents of the folder. For each user of the computer go to C:\Documents and Settings\<each user>\Local Settings and delete the contenets of these three folders if they exist: Temp Temporary Internet Files History And for each user go to C:\Documents and Settings\<each user>\Cookies and delete the contents of that folder. Index files will not delete. (You will need this so print them if you need to)How to get into Safe Mode (You will need this too)How to purge System Restore To make a new restore point go to start>run>type in msconfig>ok>launch syatem restore>create a restore point>next>name it anything you want to>create>close. Update adaware then download these two programs and update but do not run them yet.Cwshredder (use the stand alone version on the right side of the screen) then Spybot (for now don't use tea timer or sd helper)Close all browers and windows then rescan with HT and place a check beside these item to delete: F3 - REG:win.ini: load=??? ??? ??? ? ? ????? F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe O4 - HKLM\..\Run: [System Update] sysupdt32.exe O4 - HKLM\..\Run: [MMtask Service] mmtask.exe O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startupRogue Program uninstall with add/remove programs O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)Remove weatrher bug in add/remove programs O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab? O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt Boot into safe mode and delete these files if found: C:\WINNT\System32\pntask.exe C:\WINNT\sysupdt32.exe C:\WINNT\mmtask.exe C:\WINNT\System32\dp-him.exe c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe C:\WINNT\System32\pgvoutm.exe C:\WINNT\System32\mpnpmgru.exe C:\WINNT\System32\ap9h4qmo.exe C:\WINNT\farmmext.exe C:\WINNT\System32\dfsshlex.exe These folders if they exist: C:\Program Files\AWS C:\WINNT\tgbcde C:\Program Files\SpyKiller While still in safe mode run Spybot, Adaware, Cwsredder and your antivirus. Purge the restore folder and make a new restore point. Reboot and post a new HT log the varmint farmmext.exe will still need to be removed most likely but clean this up for now.

jabuck, thanks for helping out, but I don't believe I've made any progress. I followed the steps above (entirely), and after everything is removed with hijackthis, my Ad-Watch monitor immediately pops back up detecting all of the "deleted" programs. Basically, everything reloads itself instantly. Here is an updated logfile: Logfile of HijackThis v1.99.1 Scan saved at 8:58:10 PM, on 5/8/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\Explorer.exe C:\WINNT\System32\svchost.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\WINNT\System32\DeltTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe C:\Program Files\Write DVD!\saimon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINNT\System32\wuauclt.exe C:\WINNT\System32\wuauclt.exe C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.etree.org/ F3 - REG:win.ini: load=?????? ?????????? F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [DeltTray] DeltTray.exe O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.exe O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe O4 - HKLM\..\Run: [System Update] sysupdt32.exe O4 - HKLM\..\Run: [MMtask Service] mmtask.exe O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing) O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe