Stubborn Trojan, random popups, errors upon rebooting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by silverdragon0082, Jul 4, 2005.

  1. silverdragon0082

    silverdragon0082 Private E-2

    (I hope this is remotely coherent; it's very late here and I drove four hours home from over a week's vacation today. My brain is officially fried.)

    System Specs: Windows XP Home Edition, Version 2002, Service Pack 2; 1.79 GHz AMD Athlon XP 2200+; 256 MB RAM; eMachines W2260.

    I have had AVG, Spybot, and Ad-Aware installed on my computer for a long time and I use each regularly, keeping them up to date. I also use Windows' automatic update feature. Somehow or other I recently ended up with a Trojan, as AVG kept popping up to tell me. Scanning with AVG wasn't working to get rid of it completely; it'd tell me it was fixed only for it to keep popping up saying "Virus Detected!" after that.

    I was referred here and I went through most of the steps on the Basic Spyware, Virus and Trojan Removal thread. I disabled System Restore. I enabled viewing of all hidden files/folders. I downloaded everything listed there and went into safe mode.

    In safe mode, it wanted me to choose either the Administrator or my user name, though I don't have to pick when I boot up in normal mode and I've never used the Administrator profile, so I have no idea what to do about that, if anything. I don't have any users set up on this system except myself and I don't know why I'm not set up as the administrator. I did everything under my username in safe mode.

    I did the Trend Micro online scan, and when I first tried it it just closed on its own. I tried it again, and while it was scanning, two programs were downloaded in the background: Ad Destroyer and Virtual Bouncer. They showed up in my system tray, but only after they were at 100% installed. The Trend scan couldn't delete two of the eight virus files it found, but I deleted what I could.

    I went on to the Symantec scan, which would not load at all. Clicking on the GO button just brought up a window that wouldn't load, and several popups came up instead. So I skipped that one.

    I then proceeded to run the rest of the programs as indicated. Ad-Aware got rid of a LOT of stuff for me; I believe Spybot got rid of the Ad Destroyer and Virtual Bouncer crap that mysteriously appeared.

    about:Buster gave me an error: "Runtime error 339--component comctl32.ocx or one of its dependencies not currently registered: a file is missing or invalid." But it seemed to work all right and only gave me that error after I'd run the program.

    I ran the Trend Micro scan again and this time it couldn't delete the file located at C:\Windows\system32\vidctrl\vidctrl.exe because it was in use. I ctrl-alt-deleted so I could disable it, then changed the folder out of read-only and manually deleted it. I also used the Java remove tool so I could install Sun Java.

    I decided to reboot into normal mode, and the first time I got the error: "error loading AINP2.DLL: the specific module could not be found" and the computer rebooted on its own. I tried again, this time I got the same error and also this one: "c:\windows\Nail.exe: Windows cannot access the specified device path or file. You may not have the appropriate permission to access the item." This time though I was able to exit out of the errors and get into my computer in normal mode.

    I started getting random popups again, so I decided to try running Ad-Aware again. The computer froze, and when I rebooted I got the same two errors as before but the system didn't reboot itself so I was able to get into it. AVG is again popping up with Virus Detected messages, files like C:\Windows\svcproc.exe and Nail.exe.

    Then I installed Sun Java, but it told me that it could not verify my installation. I'm using IE 6.0. No idea what to do about this, either.

    I have downloaded HijackThis but I haven't installed it yet or run it because it looks complicated and I'm not THAT computer-savvy. I don't know what to do anymore; I'm at the end of my rope. I've given as much information as I can remember, considering I've been doing all this for the past six hours or so. If you need any more info, please just ask. I appreciate any help anyone can give me, and thank you for reading this.

    EDIT: I forgot to mention, I have cable internet so I didn't disconnect the cord from my computer, though I did make sure that the only time I had anything open was when I was doing the online scans. Should I have completely disconnected my computer from our cable modem?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you complete the steps in the READ ME FIRST? It is not clear from your message.

    To boot in safe mode you must log into an Administrator account. So any account that has admin privileges would have to be used.

    Why are you running about:Buster? It and HSremove are only for about:blank and HSA hijack problems which it does not sound like you have.

    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now boot into safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program

    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. silverdragon0082

    silverdragon0082 Private E-2

    Yes, I completed the steps in "Read Me First." This is what I was talking about...the thread "Basic Spyware, Virus and Trojan Removal."

    It must be that my username account has administrator privileges then, because as I said I've never used this other Administrator account.

    I ran about:Buster because I was doing what I was instructed in the Read Me First thread. I am sorry if I did not understand what it was to be used for; I didn't realize that it wouldn't help the problem I was having.

    I followed your instructions with the Nail/Boulder/Aurora remover. When I rebooted into normal mode, the Nail.exe error was gone, but the "error loading AINP2.DLL" was still there. I did unplug my internet cable from my computer while running it.

    I also used Hoster, and that seemed to work just fine. However, I rebooted to see if the "error loading AINP2.DLL" still came up, and it did. I also still have random pop-ups, although the frequency has been greatly diminished. And once since I have had the computer on, AVG told me I had the following viruses found in C:\Windows - svcproc.exe, DrPMon.dll, and Nail.exe.

    So, I have followed your instructions for HJT and have attached the log to this message. Thank you for your help so far, it is appreciated.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of problems. This is going to take a few stages to remove and we will need some additional tools. Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Only run what I tell you to run. Some items will be used later. Make sure you download them from the links below:

    HOSTER

    L2MeFix Tool

    Pocket KillBox

    LSP - Fix


    Let's start stage 1.

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aplsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aplsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to .NET Framework Service (if not found look for .NET Connection Service ) Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    .NET Framework Service


    If that does not work, use: .NET Connection Service


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\krpjpl.exe
    C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
    c:\windows\system32\kddisul.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
    O4 - HKLM\..\Run: [bjlwhi] c:\windows\system32\bjlwhi.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\krpjpl.exe reg_run
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [krtasd] c:\windows\system32\kddisul.exe r
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\vidctrl <--- the whole folder
    C:\Program Files\VBouncer <--- the whole folder
    C:\WINDOWS\system32\nsvsvc <--- the whole folder
    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\systb.dll
    c:\windows\system32\bjlwhi.exe
    C:\WINDOWS\AUNPS2.DLL or C:\WINDOWS\system32\AUNPS2.DLL
    C:\WINDOWS\system32\krpjpl.exe
    C:\WINDOWS\wupdt.exe
    c:\windows\system32\kddisul.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. There will still be some problems remaining at this point. After posting your log, do not power down or reboot because the problems could mutate and spread. That would make any suggested fixes a waste of time.
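
Added example, not part of chaslang's post or of any MajorGeeks tool: a Python sketch that parses HijackThis lines in the formats quoted above and checks that every file behind an O2/O4 entry marked for fixing also appears on the manual delete list. The function names and the rule for matching a bare file name are assumptions of this example; the sample lines and paths are a subset copied from the post.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# Subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\krpjpl.exe reg_run
O4 - HKLM\..\Run: [krtasd] c:\windows\system32\kddisul.exe r
"""

# Matching subset of the files and folders the post says to delete in safe mode.
CLEANUP = [
    r"C:\WINDOWS\system32\vidctrl",  # whole folder
    r"C:\WINDOWS\cfgmgr52.dll",
    r"C:\WINDOWS\systb.dll",
    r"C:\WINDOWS\AUNPS2.DLL",
    r"C:\WINDOWS\system32\AUNPS2.DLL",
    r"C:\WINDOWS\system32\krpjpl.exe",
    r"c:\windows\system32\kddisul.exe",
]


class Entry(NamedTuple):
    section: str           # R0, R1, O2, O4, ...
    kind: str              # registry-value, bho, toolbar, autorun, other
    name: str
    target: Optional[str]  # file path or URL; None for "(no file)"


LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<val>.+?) = (?P<data>.*)$")
COM_OBJECT = re.compile(
    r"^(?P<type>BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
AUTORUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),", re.I)
BINARY = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|bat|scr))"?(?:\s|$)', re.I)


def command_target(cmd: str) -> Optional[str]:
    """Return the file an autorun command loads, looking through a rundll32 wrapper."""
    r = RUNDLL.match(cmd)
    if r:
        return r["dll"].strip()
    b = BINARY.match(cmd)  # drops trailing arguments such as "reg_run" or "r"
    return b["path"] if b else None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec.startswith("R") and (r := REG_VALUE.match(body)):
        return Entry(sec, "registry-value", f'{r["key"]},{r["val"]}', r["data"] or None)
    if sec in ("O2", "O3") and (c := COM_OBJECT.match(body)):
        path = None if c["path"] == "(no file)" else c["path"]
        return Entry(sec, c["type"].lower(), c["clsid"], path)
    if sec == "O4" and (a := AUTORUN.match(body)):
        return Entry(sec, "autorun", a["name"], command_target(a["cmd"]))
    return Entry(sec, "other", body, None)


def is_covered(target: str, cleanup: List[str]) -> bool:
    """True if target equals a cleanup path or lies under a cleanup folder."""
    t = ntpath.normcase(target)  # Windows paths are case-insensitive
    for c in map(ntpath.normcase, cleanup):
        if t == c or t.startswith(c + "\\"):
            return True
        # Assumption: a bare file name (no directory) matches any listed path
        # with the same file name, since its directory is not in the log line.
        if not ntpath.dirname(t) and ntpath.basename(c) == t:
            return True
    return False


def uncovered_targets(log: str, cleanup: List[str]) -> List[str]:
    """Files referenced by BHO/autorun entries that the delete list misses."""
    missing = []
    for line in log.splitlines():
        e = parse_line(line)
        if e and e.kind in ("bho", "autorun") and e.target and not is_covered(e.target, cleanup):
            missing.append(e.target)
    return missing


if __name__ == "__main__":
    print(uncovered_targets(SAMPLE_LOG, CLEANUP) or "every referenced file is on the delete list")
```

An entry that is fixed in HijackThis while its file stays on disk shows up in the returned list, which is the gap to close before rebooting.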
     
  5. silverdragon0082

    silverdragon0082 Private E-2

    Thanks again for responding.

    Between my last post and your last post, I noticed that the popups increased in quantity, and that they seemed to pop up more often when I had IE open rather than just at random. Also, we lost power yesterday so my computer has rebooted since I posted my first HJT log...maybe that's why some of the things you instructed me about weren't there?

    I followed all your instructions. LSP-Fix worked fine, services.msc had ".NET Framework Service" but HJT deleted ".NET Connection Service." I have kept system restore disabled since I did the tutorial, and I doublechecked that it was still off and it was. I also still have all hidden files/folders able to be shown.

    For Kill Processes in HJT, "c:\windows\system32\kddisul.exe" wasn't present. In the scan and fix sections, which I did without anything running or open except HJT, a lot of the entries weren't there, but I checked everything that was there and didn't get any errors when I clicked Fix.

    In safe mode, most of the things I was supposed to delete in Windows Explorer weren't there, but I deleted what was present. Although for the entry you have, "C:\WINDOWS\cfgmgr52.dll," I had the file cfgmgr32.dll but not 52.dll...should I have deleted the one I had instead?

    CCleaner didn't give me any errors, and I followed the instructions to reset my web settings.

    After booting into normal mode, several of the same error popped up: "Generic Host Process for Win32 Services encountered a problem" and after clicking on the more info link, they all had to do with "SzAppName: svchost.exe."

    Since I rebooted only a few minutes ago, I have had only a few popups, but AVG again warned me about the same viruses. I know the problem's not fixed yet but I'm just letting you know what's happening.

    Attached is my HJT log again...I will be sure not to reboot my computer (as long as we don't get another storm) until I hear back from you. Thanks again so very much for all your help; I'd be absolutely lost trying to fix this myself!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your current Hijackthis log shows two problem O4 process lines. To fix the one that says [KavSvc] we will need to run some special tools first (given below in steps 1 and 2) to find a bunch of hidden files. However before doing that, I want you to check your current HJT log and see if you still see the O4 line with the joliuk.exe process. If so, please look in c:\windows\system32 for joliuk.exe and then look for a similarly named file ending with a .dll rather than .exe (by similar I mean something like joliukxxxx.dll, where the xxxx can be any number of characters or numbers.) If you find a dll and the joliuk.exe file, try renaming the .dll to a .ddd file (joliukxxxx.ddd) and rename the joliuk.exe to joliuk.xxx (assuming it lets you rename the files).

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\krpjpl.exe reg_run
    O4 - HKLM\..\Run: [uxkvod] c:\windows\system32\joliuk.exe r


    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now I know I had you reboot so post a new HJT log too. And then do not reboot or power down.
     
  7. silverdragon0082

    silverdragon0082 Private E-2

    Hi again,

    I still have the O4 entry about joliuk.exe, but after looking I only have that file, no .dll file. So I didn't do anything...should I still change the joliuk.exe to joliuk.xxx?

    Also, I didn't go any farther than that when I clicked on your link for Qoologic Tool and the window that popped up said, "findqoologic is no longer available, use an alternative such as scanning with a current updated version of Ewido While in safe mode please." Is there another place I can get this file or should I use another program?

    Awaiting further instructions before doing anything else...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just get the RKFiles program and get the log for it in safe mode. Then reboot and post that log and also a new HJT log. Then DO NOT reboot or power down your PC. Wait for the follow up post before you reboot or power down.
     
  9. silverdragon0082

    silverdragon0082 Private E-2

    (Sorry so long between your last post and this reply. We just had a new cable modem installed today because our internet has been sporadic since we've had so many thunderstorms. Our power has gone out multiple times so my computer has been rebooted since my last post. Also, when the internet was working, these forums never emailed me to tell me you'd replied even though I had it set up to. So again, I apologize.)

    Okay, I ran the RKfiles program and it seemed to run fine. Also ran HJT. Both logs are attached.

    I am still having random popups and such, and now some icon keeps appearing on my desktop that says something like "click here to fix selected problems" when it's nothing that I personally have installed. I just delete the icon. AVG has popped up with virus warnings in my temporary internet files, but not the usual ones I was getting before. They are also a lot less frequent. Just letting you know what symptoms I have currently.

    I will certainly attempt not to power down or reboot, but I can't promise anything with the weather being the way it has been lately. I apologize once again.

    Thank you very much for all your help!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\w?aclt.exe
    C:\Program Files\etea\rpen.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\krpjpl.exe reg_run
    O4 - HKCU\..\Run: [Qkcxrvf] C:\WINDOWS\system32\w?aclt.exe
    After clicking Fix, exit HJT.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\Program Files\etea\rpen.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\system32\rpen.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\system32\krpjpl.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\system32\w?aclt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\efcgnazngjs.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\icont.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\ru.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now after reboot get a new HJT log and post it here. And tell us how these steps went and how things are working.

    DO NOT reboot or power down your PC at this point. If you are still infected the symptoms and files may change, and that would make my next suggestions less than useful.
     
  11. silverdragon0082

    silverdragon0082 Private E-2

    System restore has been disabled since I first posted here, and hidden files and folders have been viewable since then as well.

    When I tried to kill the process "C:\Program Files\etea\rpen.exe" it gave me an error along the lines of "process wasn't killed because it may already be closed or it may be a service" so I couldn't kill that one. But I did kill the first one, "C:\WINDOWS\system32\w?aclt.exe."

    I was able to delete both lines in HJT with no problems.

    In KillBox, the following are the only ones who showed up in blue: C:\Program Files\etea\rpen.exe, C:\WINDOWS\efcgnazngjs.exe, C:\WINDOWS\icont.exe, and C:\WINDOWS\ru.exe. I deleted the others anyway, just to be safe. When I rebooted, I didn't get any message about pending operations.

    I'm still getting popups...when I came to this site one came up for geeks.com, so they seem to be tailoring the popups to where I'm visiting. Haven't had any AVG virus warnings yet, but those have been a lot less frequent since the last couple times you posted instructions for me.

    Attached is my new HJT log...will not power down till I hear from you again. I think the storms are over for a while at least, so I should be safe from power outages, too.

    Thanks again, really appreciate all your help.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HJT fix the below line:


    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab


    Now continue with the below steps:

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    Please move the L2MeFix Tool (I had you download this in message # 4) to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Now reconnect and come back here and post as an attachment the l2mfix log. Based on the log, we will determine the next steps.


    Please DO NOT REBOOT after scanning for these logs!! Otherwise potential problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try to keep you moving along. After completing the steps in my previous post continue with the below:


    L2Mefix cleanup

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MeFix folder.
    Now get a new HJT log and post it along with the L2MeFix log.
     
  14. silverdragon0082

    silverdragon0082 Private E-2

    I was able to delete that line in HJT with no problems. Also, I didn't have any trouble with the L2Mefix tool.

    Attached are the two L2MeFix logs, HJT log to follow. Thanks again for all your help.
     

    Attached Files:

  15. silverdragon0082

    silverdragon0082 Private E-2

    And here's the HJT log.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not mention how things are working now!

    Your HJT log is clean.
     
  17. silverdragon0082

    silverdragon0082 Private E-2

    YAY! :)

    Yeah, I didn't mention how things were working because I'd only had the computer on after the reboot for a couple of minutes, and I was on my way out the door so I didn't really know how they were working.

    I haven't had any popups, nor has AVG given me any notices, so I think I'm finally done with this whole virus mess.

    The only strange thing I've noticed has to do with the buttons on my keyboard. I know there's a word for these, but I can't think of it...basically, I can press one button on my keyboard marked "Internet" and Internet Explorer pops up. Anyway, what I've noticed with the Internet, Email and Calculator buttons is that when I press them once, two instances of the program open up. Like when I press the Email button, my email program opens up twice in two separate windows. This isn't much of a problem, but it's something that my computer wasn't doing before I had all these problems. I don't know if it means anything.

    So since my HJT log is clean, does this mean I'm allowed to power down my computer at will and set up System Restore again?

    Thank you ten billion times for your help; without this forum I'd have had to take this thing somewhere and it would have cost me hundreds of dollars that I simply don't have. So again, thank you.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You may have a keyboard that allows programming of hot keys. You should check on this over in the Hardware and maybe Software Forums.

    Yes, you can enable system restore and you can power down your system now.

    And you should also follow the steps in the below thread to help keep you clean.

    How to Protect yourself from malware!
     
  19. silverdragon0082

    silverdragon0082 Private E-2

    Thanks for the forum suggestions...it seems to be working fine now, no double programs opening. If it starts up again though, I'll definitely post over there.

    And I'm heading to the malware protection link right now! Thanks again for all your help and putting up with us morons who get viruses and such. :D Take care.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
