(Common?) Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by danielm, Apr 1, 2005.

  1. danielm

    danielm Private E-2

    Hello Major Geeks,
    My computer has been taken over by some creature.
    I have followed your instructions on the basic ways of handling hijackers, but that didn't help.

    I think I know at least one of the methods the hijack uses: the winlogon notify method. There is a reference to a suspicious dll there.
    In my system32 dir there are quite a few of these weirdly named dlls (no identified manufacturer, etc).
    I have tried deleting the registry entry and it came back with a different dll's name. I have tried deleting the dll itself, but I got a "permission denied".

    I have run spybot and it claims there are two hijackers:
    IGETNET
    and "Common Hijacker"
    however, it cannot remove them (or if they are removed they keep coming back).

    I have also run pest patrol, which found only spyware cookies.

    I have run ad-aware which found nothing. The same goes for pc-cillin.

    Any ideas?

    thanks,

    Daniel
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. danielm

    danielm Private E-2

    Thanks for the reply.
    I have tried everything you said:
    1. pc-cillin wouldn't run in safe mode
    2. spybot detected common hijacker and IGETNET. After removal they came back.
    3. ad-aware didn't detect anything
    4. pest patrol didn't detect anything.
    attached is the hijackthis log file.

    Thanks
    Daniel
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run ALL of the steps from the READ ME first. You have not done that. We did not ask for pc-cillin nor pest patrol but we do have a bunch of other things we want you to run. I can see that neither online scan was run? Is there a reason why? These are not optional steps as noted in the READ ME.

    Then please do the following:

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    Pocket KillBox

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect).

    Second Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Third Step:

    Now reconnect and come back here and post as attachments the l2mfix log and the find.bat log (normally already named output.txt). Based on those logs, we will determine the next steps.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  5. danielm

    danielm Private E-2

    It took me an entire day... No (good) results.
    Attached are the two reports (by the Generic Detection Tool & l2mfix).
    A summary of the previous tests I ran follows.

    Thanks,
    Daniel

    Initial Tests - Results Summary
    ------------------------------
    1. Halted System Restore
    2. Downloaded, installed & updated security software
    3. Could not connect to Internet in Safe mode, running in normal mode.
    4. Trend Micro & Symantec on-line scans - Found Nothing
    5. Ad-Aware - Found redirections in the hosts file (I know they are there but they keep returning anyway).
    6. SpyBot - Claims he finds IGETNET & Common Hijacker. Claims he removes them, but they return.
    7. CWShredder - claimed he removed CWS.BootConf, CWS.Svchost32, CWS.Look2Me.
    Fails to remove CWS.VXLook2Me. (keeps returning in subsequent test).
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    On the contrary, we have good results! We just have not finished fixing all of the problems yet. These kinds of problems take a few steps.
    - initial standard cleanup
    - additional specialty scans
    - analyze scans
    - perform additional scans/cleaning using special tools and manual repair as necessary.

    What we are working on now is your L2Me VX2 problems. I'll post the next steps soon.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Moving along! Here are the next steps! I know this is tedious but we are making progress and these next steps are going to clean up a load of bad stuff.

    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    Reboot to normal mode. Now reconnect to the internet.
    Now download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.

    Step 3:

    Scan with HJT to create a new log.
    Come back here and post the new HJT log along with the L2MeFix Log from step 1.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also one other note! Did you install this:

    O4 - HKLM\..\Run: [sysmgr32] sa2

    As far as I know it is a key logger/password hacking tool. If you did not install it, I would have HJT fix that line.
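    The two persistence locations this thread turns on are the Winlogon\Notify key (message 1, the DLL that winlogon loads at logon and that cannot be deleted while loaded) and the Run key that HijackThis reports as an O4 line (the [sysmgr32] sa2 entry above). The script below is an added example, not something from the thread or from the tools it recommends: it enumerates both locations and flags any entry whose file is missing or carries no valid Authenticode signature. The key paths are the standard ones; the resolution of bare names against System32 is an assumption of the example, and it only reports, it removes nothing.

```powershell
# Added example (not from the thread): list the Winlogon\Notify and Run autostart
# entries discussed above and flag files that are missing or not validly signed.
# Read-only triage; it changes nothing on the machine.

function Resolve-AutostartPath {
    param([string]$CommandLine)
    # Take the executable part: a quoted path, else the first token. An unquoted
    # path that contains spaces is ambiguous and will be truncated here.
    if ($CommandLine -match '^"([^"]+)"') { $file = $Matches[1] }
    else { $file = $CommandLine.Trim().Split(' ')[0] }
    if ([IO.Path]::IsPathRooted($file)) { return $file }
    # Assumption: bare names such as "sa2" or a DLL name in a Notify subkey are
    # loaded from System32, so look there first.
    foreach ($ext in '', '.exe', '.dll') {
        $candidate = Join-Path $env:SystemRoot "System32\$file$ext"
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $file
}

function Get-AutostartEntries {
    # Winlogon\Notify: one subkey per package; its DLLName value is the DLL that
    # winlogon.exe loads at logon (the "winlogon notify method" from message 1).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if ($dll) { [pscustomobject]@{ Source = "Notify\$($sub.PSChildName)"; CommandLine = [string]$dll } }
        }
    }
    # Run keys: each value name is an entry and its data is the command line
    # (HijackThis reports these as O4 lines).
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $run)) { continue }
        foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Source = "Run\$($p.Name)"; CommandLine = [string]$p.Value }
        }
    }
}

function Test-AutostartEntry {
    param([pscustomobject]$Entry)
    $path = Resolve-AutostartPath $Entry.CommandLine
    if (Test-Path -LiteralPath $path) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    } else {
        $status = 'FileNotFound'; $signer = ''
    }
    [pscustomobject]@{
        Source     = $Entry.Source
        Path       = $path
        Signature  = $status
        Signer     = $signer
        Suspicious = ($status -ne 'Valid')   # unsigned or missing: worth a closer look
    }
}

Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    An unsigned file is a reason to look, not proof of infection: plenty of older legitimate software is unsigned, so compare the flagged paths against what you know is installed. The "permission denied" on the Notify DLL in message 1 is expected while winlogon.exe has it loaded, which is why the cleanup steps in this thread work through a reboot rather than a plain delete.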
     
  9. danielm

    danielm Private E-2

    Thanks for cheering me up a bit :)
    I'll do what you said, and get back to you with the information.

    Thanks again,
    Daniel
     
  10. danielm

    danielm Private E-2

    1. l2mfix option 2
    2. Hoster
    3. HJT
    logs attached

    Thanks,
    Daniel
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that fixed a bunch of problems.

    Please answer what I asked in message # 8. That's the only potential visible problem remaining.

    How are things working right now?
     
    Last edited: Apr 2, 2005
  12. danielm

    danielm Private E-2

    You mean it's over? Wow! Thanks so much for that walkthrough!!!

    I have been surfing for a few minutes now, and no popups appeared, so I guess/hope it's over (sa2 is not a problem)

    Last questions:
    Regarding user accounts:
    1. Is this solution general or user-specific, i.e. should I repeat anything with other user accounts on the same machine?
    2. Is it true that it is better not to use an administrator's account when connected to the internet?
    Prevention:
    3. Any other suggestions on prevention except for the ones that appear in the README?

    chaslang, you are really something for taking all that time to help me. It's nice to meet good people along the road :)

    Thanks (yet again),
    Daniel
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So what is it? Was my guess correct?


    You're welcome!

    You really need to check each user account individually to see what may be in them. Similar problems may be solved the same way (but not always).

    Some people feel that not having an admin account connected can be helpful. I personally have no problems being connected with an admin account and never have. It is a matter of proper security settings and software you use and also where you surf, what you click on, and reading license agreements before clicking OK.

    For additional suggestions, I always recommend that you make sure you have completed all steps in: How to Protect yourself from malware!
     
  14. danielm

    danielm Private E-2

    Yes. sa2 also takes automatic screenshots, and monitors applications' behavior.

    I'll run the checks on the other accounts as you suggested.

    I'm off to work now.

    Have a great day,
    Daniel
     
  15. danielm

    danielm Private E-2

    I forgot to ask you another (unrelated) question :)
    Do you have any idea why windows doesn't save my 'Run' command history, and how to fix this?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not off the top of my head! Could it somehow be related to sa2?

    Or maybe a registry key setting! The history is stored here:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Someone in the Software Forum may know about this.
     
    Last edited: Apr 3, 2005
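    The RunMRU key named above is also a standard forensic artifact: each entry is stored under a single-letter value whose data is the typed command followed by a "\1" suffix, and the MRUList value lists those letters with the most recent first. The script below is an added example, not part of the thread, that reads the key in that order; the sample hashtable is constructed to mirror the on-disk layout so the parser can be exercised without touching the registry.

```powershell
# Added example (not from the thread): read the Run-dialog history from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, newest first.

function ConvertFrom-RunMru {
    param([hashtable]$Values)   # value name -> data, as read from the key
    # MRUList holds the slot letters in most-recent-first order, e.g. "cab".
    $order = [string]$Values['MRUList']
    foreach ($letter in $order.ToCharArray()) {
        $raw = [string]$Values["$letter"]
        if (-not $raw) { continue }   # letter listed but slot missing: skip it
        [pscustomobject]@{
            Slot    = "$letter"
            Command = ($raw -replace '\\1$', '')   # strip the trailing "\1" flag
        }
    }
}

function Get-RunMru {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }   # key absent: history never written
    $values = @{}
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
    }
    ConvertFrom-RunMru $values
}

# Constructed sample mirroring the on-disk layout: "cab" means regedit was typed
# most recently, then notepad, then cmd.
$sample = @{ MRUList = 'cab'; a = 'notepad\1'; b = 'cmd\1'; c = 'regedit\1' }
ConvertFrom-RunMru $sample | Format-Table -AutoSize

# Live read of the current user's history:
Get-RunMru | Format-Table -AutoSize
```

    If Get-RunMru returns nothing at all, the key itself was never created for that profile; if it exists but stays empty across sessions, something is clearing it, which narrows the question asked in message 15 to what is running with that user's rights.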
