This one exceeds my knowledge. Hijaked!

Hedonikos · #1 (**permalink**) 30-10-2005, 06:37 AM

I have ran all the scans I know of and what the forum Moderator has suggested. Can't seem to get the popups to stop. Will wait before trying to fix it further. I have tried everything I know. Popups are happening every two to four minutes.

Neal · #2 (**permalink**) 30-10-2005, 05:03 PM

Hi and welcome to DAL,

You have two very bad guys on your computer but are killable, so let's prepare for battle.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Please go to this website and download the trial version of Spysweeper:
--click on the link to the right titled "Download Spy Sweeper Trial"
http://www.webroot.com/consumer/products/spysweeper

Install the program and when it asks for you to update the program please do.

After the update and you are into the main panel please click the Sweep icon on the left.
Then click Start to begin the fix.

After it is done scanning click Next.
Make sure everything is checked and click Next again.

Then click Finish.

Reboot your computer now.

* Download finditnt2000xp.zip
* Unzip the contents of finditnt2000xp.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy the entire contents of output.txt into your next post.
* DON'T delete/modify any files yet

I need l2mfix log from option #1
finditnt2000xp.zip log
new hijackthis log

thanks

Hedonikos · #3 (**permalink**) 30-10-2005, 05:28 PM

THank you for responding so quickly. Here is the report from 12mfix. I will install the Spysweeper trial and await your advice. If you have time (you must be very busy with this stuff!!!) could you educate me a bit on what this spyware is? I work on a few computers and have had no problems in the past cleaning them but this one has me baffled.

Jim

Neal · #4 (**permalink**) 30-10-2005, 06:07 PM

OK you definately have l2me infection(VX2).

Post the findit log also

Once I get the log go ahead and run spysweeper make sure the whole computer is scanned

Do not reboot or we will have to start over/until later below/if you have rebooted let me know

Scan with HJT again and put a check next to these items, making sure all browser windows are closed includeing this one so print this or create a new text document on desktop by right clicking an open area select new text document and save it to what ever you like. Now put a check next to these:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\44ldld.exe reg_run
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\VGT3216.DLL

Again make sure all browser windows are closed and click FIX

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so please.

Hedonikos · #5 (**permalink**) 30-10-2005, 06:23 PM

Okay, here is the output file from the fisit log. I will go ahead and run spyweeeper but will not reboot system. Fortunately I run several computer so I can keep that node off the network as you diag and repair it for me.

Hedonikos · #6 (**permalink**) 30-10-2005, 07:44 PM

Okay. I have the log file for l2mFix. It is as follows:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Killing PID 1144 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Killing PID 1188 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 37%)
adding: lo2.txt (188 bytes security) (deflated 50%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 17%)
adding: test3.txt (188 bytes security) (deflated 17%)
adding: test5.txt (188 bytes security) (deflated 17%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
************************************************** **************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\VGT3216.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33, 00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e, 00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69, 00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74, 00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69, 00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEven t"
"Logoff"="UnregisterTicketExpiredNotificationEvent "
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
************************************************** **************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
************************************************** **************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
"{9CF380D3-2E88-459E-ACF6-4CB3FEA16F2B}"=-
"{4C2FC250-FB66-4F96-AC81-C3CF9F60A2A9}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9CF380D3-2E88-459E-ACF6-4CB3FEA16F2B}]
[-HKEY_CLASSES_ROOT\CLSID\{4C2FC250-FB66-4F96-AC81-C3CF9F60A2A9}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
************************************************** **************************
Desktop.ini Contents:
************************************************** **************************
************************************************** **************************

Also it is attached as well as a final Hijack-This file. Seems there were some questions as to what to check in HJT because certain lines to be checked were not listed when I ran HJT after the Spysweeper. Perhaps they were altered by SS and HJT saw it differently after I ran it. I did however check the lines with the same CLSID numbers. WUAUCLT.DLL and EXE were not listed. It listed it as {no file} but was using the same CLSID.
Please advise me if there is anything else I must do. Seems there was a resident memory spyware that was trying to attach to msgs??.exe and had to run Spy Sweeper again But I did not reboot until after I ran the HJT as directed. At this point I have not seen any adverse reactions to all this and will save this registry as a healthy one.

I thank you for all your assistance on this. I have made a donation to your website. (First time for everything) as this has proven to be one of the better MCSE sites for helping me.

Neal · #7 (**permalink**) 30-10-2005, 08:22 PM

Hi,

Thanks for the donation

I'm a little concerned, the fix did not do what it was supposed to do exactly, almost tho.

Let's try this next.

Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html

don't run the tool yet please just install
Install it. The windows tab should be opened in the upper left of the program. Click analyze and then click run cleaner. Just use the windows tab that is up front by default.

1.Uncheck "Cookies" under "Internet Explorer".

2.If you are running Firefox: ,then click on the "Applications" tab and uncheck "Cookies" under "Firefox".

Scan with HJT again and put a check next to these items, making sure all browser windows are closed includeing this one so print this or create a new text document on desktop by right clicking an open area select new text document and save it to what ever you like. Now put a check next to these:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\VGT3216.DLL (file missing)

Again make sure all browser windows are closed and click FIX

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

Now run CCleaner, useing the windows tab only please

Now navigate to these file(s) thru WINDOWS EXPLORER and delete them please:if found

ALCXMNTR.EXE---search computer and delete---< file
C:\WINDOWS\system32\VGT3216.DLL---< file---if found

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start

Post a new HJT log for further review

Hedonikos · #8 (**permalink**) 30-10-2005, 09:36 PM

Okay. I followed your advice and here is the HJT file. It was weird that after setting the system back to normal startup that I recieved all sorts of startup items. I will leave them alone for now since they appear to be benign. I did notice that some app was prevented by Zone Alarm from accessing the internet called BACKWEB-2. I prevented it from ever accessing the internet for now for preventive reasons. Other than that it appears that we have cleaned the system. Thanks again and let me know if there is anything I should watch for. I want to educate the customer on preventing this from happening again.

Neal · #9 (**permalink**) 30-10-2005, 10:51 PM

Nice job your log is clean.

That backweb thing is HP trying to update, this can be stopped in msconfig if needed.

Are there any more issues?

If not I will have some prevention programs for you and free and very good.

Let me know.