Old 07-06-2005, 11:18 PM   #4 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log after we run the next pass.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Please download nailfix at one of these locations…
http://www.noidea.us/easyfile/file.p...50515010747824
http://users.pandora.be/bluepatchy/nailfix.exe

Unzip it to the desktop but do NOT run it yet.

Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Download KillBox http://www.atribune.org/downloads/KillBox.exe

Reboot into safe mode.

Once in Safe Mode, please double-click on Nailfix.cmd (or nail.exe). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: hpdj - HP - C:\DOCUME~1\ZACHWI~1\LOCALS~1\Temp\hpdj.exe

*Note* It may just be named hpdj - HP

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\DOCUME~1\ZACHWI~1\LOCALS~1\Temp\HQI\aurareco.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [azjptt] c:\windows\system32\jjomtx.exe r
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp
O23 - Service: hpdj - HP - C:\DOCUME~1\ZACHWI~1\LOCALS~1\Temp\hpdj.exe


Run KILL box. Go to Tools > Delete Temp Files > Click *OK*. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion… say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click NO when it asks you to reboot.

C:\WINDOWS\Nail.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\system32\exp.exe
c:\windows\system32\jjomtx.exe
C:\WINDOWS\system32\guard.tmp


*Note* Some of these files may have already been removed.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Once it's complete you need to reboot the PC.

On the reboot..boot back to safe mode.
  • Run Ewido.
  • Click on scanner
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.


Download FindIt's.zip to your desktop: http://forums.net-integration.net/in...post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log and the following logs.

So I need....

Hijackthis log
Ewido log
Findit's log
l2mfix log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

Last edited by MicroBell; 07-06-2005 at 11:20 PM.
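
As an added example (not part of MicroBell's post or of any tool named in it): a small Python check that compares the fix list from the post against a follow-up HijackThis log and reports which entries are still listed. The follow-up log is constructed, the function names are hypothetical, and the path pattern assumes paths without spaces, as with the 8.3 short names used in this post.

```python
import re

# The entries the post asks to fix, copied from the post.
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [azjptt] c:\windows\system32\jjomtx.exe r
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp
O23 - Service: hpdj - HP - C:\DOCUME~1\ZACHWI~1\LOCALS~1\Temp\hpdj.exe
"""

# Constructed follow-up log (not from the thread): two entries survived.
NEW_LOG = r"""
Logfile of HijackThis
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [SampleAV] C:\PROGRA~1\SampleAV\av.exe
O4 - HKLM\..\Run: [azjptt] C:\WINDOWS\System32\JJOMTX.EXE r
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - ...", "F2 - ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+")         # assumption: no spaces in paths

def parse(log_text):
    """Yield (section, key, raw_line) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        section, body = m.groups()
        paths = PATH_RE.findall(body)
        # Windows paths are case-insensitive; fall back to the text if no path.
        key = (paths[-1] if paths else body).lower()
        yield section, key, line.strip()

def still_present(fix_list, new_log):
    """Return fix-list lines whose (section, path) still occurs in new_log."""
    seen = {(s, k) for s, k, _ in parse(new_log)}
    return [raw for s, k, raw in parse(fix_list) if (s, k) in seen]

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, NEW_LOG):
        print("still listed:", entry)
```

Matching on section plus lower-cased path means an entry is still caught when the new log shows the same file with different letter case or trailing arguments.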