#16
Hi Tom,
When I go into Killbox to delete the files, it doesn't give me the option to check "Unregister .dll before deleting" - is that a problem? I didn't want to do it until I heard...
|
#17
I'm sorry, sometimes that option is greyed out. It's OK to proceed with the rest of the fix.
Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
|
#18
It let me delete all of them except the following:
C:\WINDOWS\SYSTEM32\m628lg~1.dll Sat Jan 1 2005 10:42:02p ..S.R 225,899 220.60 K
I'm going to reboot now in safe mode.

Okay, I did the safe mode thing, deleted the files you said, and here is my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 9:06:41 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [t77i3tP] datfaxa.exe
O4 - HKCU\..\Run: [cwosRjj3V] dhcmodem.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

My recycle bin still looks like it has stuff in it (even though it doesn't) and my computer now only "goes to sleep" when it wants... Grrrrrr
|
#19
OK we are making progress!

Please move or unzip HijackThis to a permanent folder such as C:\HJT. It is important that it is in its own folder as it will make important backups of what we will fix. Please go to Start > My Computer > double-click your C:\ drive > click: File > New > Folder > name it HJT and put HijackThis into that folder.

PeopleonPage is considered foistware and you should consider removing it. Here's a link to the removal process: http://www.pchell.com/support/peopleonpage.shtml

Log off your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" < peopleonpage
O4 - HKLM\..\Run: [t77i3tP] datfaxa.exe
O4 - HKCU\..\Run: [cwosRjj3V] dhcmodem.exe

Boot into Safe Mode. Restart your computer, start tapping F8 when your computer first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK.

Search for and delete the following files:
datfaxa.exe
dhcmodem.exe

Search for and delete the following folder:
C:\Program Files\AutoUpdate < delete the entire AutoUpdate folder

Next.... Go to Start > Run > type "cleanmgr" (without the quotes) > Select the drive to clean up (usually C:) > Place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK.

Reboot normally.

I would like you to rescan with DllCompare and, following the directions previously posted, remove the malware .dlls with Killbox.

Next... Is your McAfee VirusScan up to date? If not, download AVG7 Free edition. Then make sure you are disconnected from the internet (pull your ethernet or USB cable if you use cable or DSL). Either uninstall McAfee or disable all features and install AVG7. Reconnect to the internet and update AVG and perform a full system scan. http://free.grisoft.com/freeweb.php

Also, I don't see a firewall running in your log. Are you using the firewall in Service Pack 2's Security Center? If so, are you aware that it only blocks incoming traffic? ZoneAlarm has a free firewall: http://www.zonelabs.com/store/conte...reeDownload.jsp

Please post a fresh HijackThis log and the results of DllCompare,
Tom
|
#20
Hi Tom,
Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:41:13 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And here is the dll log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\f0l0la~1.dll Wed Jan 5 2005 12:42:42p ..S.R 225,103 219.82 K
C:\WINDOWS\SYSTEM32\hpl023~1.dll Wed Jan 5 2005 12:31:02p ..S.R 224,073 218.82 K
C:\WINDOWS\SYSTEM32\lvr409~1.dll Mon Jan 3 2005 9:07:56p ..S.R 224,572 219.31 K
________________________________________________
1,455 items found: 1,455 files (3 H/S), 0 directories.
Total of file sizes: 313,580,105 bytes 299.05 M
Administrator Account = True
--------------------End log---------------------

The ones I marked in bold (the top two in the dll log) wouldn't allow me to delete them... My computer is still possessed. I did download that firewall, and the antivirus thing as well.
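The two kinds of entries Tom acts on in this thread are visible in the log above: O1 hosts-file lines that point well-known search hostnames at a remote address instead of the local machine, and O4 Run entries whose command is a bare file name with no directory. The following Python is an added example written for this page, not part of HijackThis or of the thread; it parses a small constructed log in the v1.99 line format and applies those two checks. The checks themselves are the editor's heuristics, not rules from any tool, and a hit only means "look closer", not "malware".

```python
import re
from typing import NamedTuple

# Constructed sample in HijackThis v1.99 log format. The line shapes follow the
# logs posted in this thread; this particular set of lines is assembled here.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [t77i3tP] datfaxa.exe
O4 - HKCU\..\Run: [cwosRjj3V] dhcmodem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Addresses a hosts entry may legitimately point at (loopback or null route).
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


class Entry(NamedTuple):
    code: str  # HijackThis section code such as "O4"
    body: str  # the text after "O4 - "


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into (code, body) entries; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries: list[Entry]) -> list[tuple[str, str]]:
    """O1 entries that send a hostname somewhere other than the local machine."""
    found = []
    for e in entries:
        if e.code != "O1":
            continue
        m = HOSTS_RE.match(e.body)
        if m and m.group(1) not in LOCAL_TARGETS:
            found.append((m.group(1), m.group(2)))
    return found


def bare_run_entries(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """O4 Run entries whose command is a bare file name with no directory.

    Such a command is resolved through the executable search path at logon, so
    the log line alone does not say where the file lives; the two entries Tom
    asked to have removed in this thread both have this shape.
    """
    found = []
    for e in entries:
        if e.code != "O4":
            continue
        m = RUN_RE.match(e.body)
        if not m:
            continue
        hive, name, cmd = m.groups()
        cmd = cmd.strip()
        # Keep only the program, dropping quotes and trailing arguments.
        program = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in program and "/" not in program:
            found.append((hive, name, program))
    return found


def triage(text: str) -> dict[str, list]:
    """Run both checks over a raw log and return the findings by check name."""
    entries = parse_hjt(text)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "bare_run_entries": bare_run_entries(entries),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check)
        for hit in hits:
            print("   ", *hit)
```

Run against the sample, the hosts check returns the two msn/netscape redirects to 69.20.16.183 and leaves the localhost line alone, and the Run check returns exactly the t77i3tP and cwosRjj3V entries while passing the quoted and unquoted full-path commands.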
|
#21
Ok you're doing great. This infection is proving to be a tough one. I just read through 16 pages of posts, where experts are working together for a solution. LineOFire has graciously posted the most effective fix so far, let's see if we can use his technique to get your computer fixed up.

Download finditnt2000xp.zip
Unzip the contents of finditnt2000xp.zip to a convenient location. Navigate to the Find It NT-2K-XP folder and double-click on find.bat. A command prompt will open and it will search your computer for malicious files. Once it has finished a Notepad window will pop up with output.txt. Copy the entire contents of output.txt into your next post.
Tom
|
#22
Okay... my computer must be really messed up.
I did what you instructed - both times it ran, but didn't give a log - it just closed. No output.txt, nothing. Just closed on me. *sigh* I appreciate your help so much, but I feel like my computer is just damned!
|
#23
I'm running it right now. It just came back with the results. It takes a while to run.
Can you boot into Safe Mode and give it a try?
Tom
PS: Your computer isn't damned. It's just that some of these malware creators need their butts kicked!!!
|
#24
Hi Tom,
Still didn't work
|
#25
An expert is developing a fix, which will hopefully be released for public use soon. Please hold on, I won't forget you
Tom
|
#26
Thank you. You have been such a great help!
|
#27
Just bumping your thread. The removal tool is in its testing phase. We have not forgotten about you
Tom
|
#28
Yay! Thanks so much!
|
#29
Thank you for being so patient

You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Many thanks to Shadowwar for the fix and OSC for the writeup!!!
Tom
|
#30
Thank you guys so much for all of your help.

L2MFIX find log 1.02
These are the registry keys present
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup&
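The L2MFix find log above is a .reg export of the Winlogon\Notify key, the place where Windows lists DLLs to load into winlogon at logon, which is why the fix enumerates it. Some DllName values are written as plain strings and others as hex(2) (REG_EXPAND_SZ, UTF-16LE bytes with a trailing NUL) split across backslash-continued lines, so reading off which DLL each subkey loads takes a little decoding. The following Python is an added example written for this page, not part of L2MFix or of the thread: it parses the page's own Winlogon\Notify entries (assembled into a constructed .reg text here), decodes the hex(2) values, and lists each subkey with its DLL so the list can be compared against what is expected on the machine.

```python
import re

# Constructed sample: the Winlogon\Notify portion of the L2MFix find log posted
# above, laid out as the .reg export it came from (the entries are the page's
# own; the text block is assembled here for the example).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def join_continuations(text: str) -> list[str]:
    """Merge .reg lines ending in a backslash with the indented line that follows."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def decode_value(raw: str):
    """Turn the right-hand side of a .reg value line into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ written inline
        return raw[1:-1]
    if raw.startswith("dword:"):                            # REG_DWORD, hex digits
        return int(raw[len("dword:"):], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        kind = int(m.group(1)) if m.group(1) else 3         # bare "hex:" is REG_BINARY
        if kind in (1, 2):                                  # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                       # REG_MULTI_SZ, NUL-separated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def notify_dlls(reg: dict[str, dict[str, object]]) -> dict[str, object]:
    """Map each Winlogon\\Notify subkey to the DLL it loads at logon.

    The value name is matched case-insensitively because, as the log above
    shows, Windows' own entries spell it both "DllName" and "DLLName".
    """
    prefix = NOTIFY_KEY.lower() + "\\"
    out = {}
    for key, values in reg.items():
        if key.lower().startswith(prefix):
            sub = key[len(prefix):]
            out[sub] = next((v for n, v in values.items() if n.lower() == "dllname"), None)
    return out


if __name__ == "__main__":
    for sub, dll in notify_dlls(parse_reg(SAMPLE_REG)).items():
        print(f"{sub:14} -> {dll}")
```

On the sample this yields crypt32chain -> crypt32.dll, cryptnet -> cryptnet.dll and cscdll -> cscdll.dll, all three standard Windows XP entries. The value of decoding the whole key rather than eyeballing the hex is that a DLL name that does not belong to a known component, or a subkey with no DllName at all, stands out immediately in the resulting table.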