I have run all the scans I know of and what the forum moderator has suggested. I can't seem to get the popups to stop. I will wait before trying to fix it further. I have tried everything I know. Popups are happening every two to four minutes.
Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1, Run Find Log, by typing 1 and then pressing Enter. This will scan your computer; it may appear that nothing is happening, then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Install the program and, when it asks you to update the program, please do.
After the update, once you are in the main panel, please click the Sweep icon on the left.
Then click Start to begin the fix.
After it is done scanning click Next.
Make sure everything is checked and click Next again.
Then click Finish.
Reboot your computer now.
* Download finditnt2000xp.zip
* Unzip the contents of finditnt2000xp.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy the entire contents of output.txt into your next post.
* DON'T delete/modify any files yet
I need the l2mfix log from option #1
finditnt2000xp.zip log
new hijackthis log
Thank you for responding so quickly. Here is the report from l2mfix. I will install the Spy Sweeper trial and await your advice. If you have time (you must be very busy with this stuff!!!), could you educate me a bit on what this spyware is? I work on a few computers and have had no problems in the past cleaning them, but this one has me baffled.
Once I get the log, go ahead and run Spy Sweeper; make sure the whole computer is scanned.
Do not reboot (or we will have to start over) until the step below tells you to; if you have already rebooted, let me know.
Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop (right-click an open area, select New > Text Document, and save it as whatever you like). Now put a check next to these:
Again, make sure all browser windows are closed, and click Fix.
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2, Run Fix, by typing 2 and then pressing Enter, then press any key to reboot your computer. After the reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so please.
Okay, here is the output file from the findit log. I will go ahead and run Spy Sweeper but will not reboot the system. Fortunately I run several computers, so I can keep that node off the network as you diagnose and repair it for me.
Okay. I have the log file for l2mFix. It is as follows:
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Killing PID 1144 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Killing PID 1188 'rundll32.exe'
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
Also, it is attached, as well as a final HijackThis file. It seems there were some questions as to what to check in HJT, because certain lines to be checked were not listed when I ran HJT after Spy Sweeper. Perhaps they were altered by SS and HJT saw it differently after I ran it. I did, however, check the lines with the same CLSID numbers. WUAUCLT.DLL and .EXE were not listed; it listed it as {no file} but was using the same CLSID.
Please advise me if there is anything else I must do. It seems there was a memory-resident spyware that was trying to attach to msgs??.exe, and I had to run Spy Sweeper again, but I did not reboot until after I ran HJT as directed. At this point I have not seen any adverse reactions to all this and will save this registry as a healthy one.
I thank you for all your assistance on this. I have made a donation to your website (first time for everything), as this has proven to be one of the better MCSE sites for helping me.
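The RegDACL listing in the l2mfix log above shows the permissions on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify after the tool revoked and restored access. That key holds the DLLs Winlogon loads at logon, so an ACL that locks administrators out of it keeps whatever is registered there in place. The Python below is an added example, not part of this thread or of l2mfix: it parses a listing in RegDACL's printed format (the sample is the listing from the log, plus a constructed tampered variant) and flags any DENY ACE and any required principal without a Full access ACE that applies to the key. Assumptions, labelled in the code: the flag "ID" marks an inherited ACE, "IO" an inherit-only ACE, and the rights vocabulary is the set of words seen in the log.

```python
import re

# Constructed sample input: the RegDACL listing of the Winlogon\Notify key as it
# appears in the l2mfix log posted in this thread (copied text, not live output).
SAMPLE_ACL = r"""
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""

# Constructed (hypothetical) listing of a tampered key: Administrators are explicitly
# denied, and their only Full access ACE is inherit-only, so it never applies to the key.
TAMPERED_ACL = r"""
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) DENY Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Full access BUILTIN\Administrators
"""

KEY_RE = re.compile(r"^Access Control List for Registry key (?P<key>.+):$")
# Rights vocabulary limited to what RegDACL printed in the log (assumption: other
# listings may use further words, which would simply be skipped by this parser).
ACE_RE = re.compile(
    r"^\((?P<flags>[A-Z-]+)\)\s+(?P<kind>ALLOW|DENY)\s+"
    r"(?P<rights>Full access|Read|Write)\s+(?P<who>\S.*)$"
)


def parse_acl(listing):
    """Return (key, aces) from a RegDACL-style listing; unrecognised lines are ignored."""
    key = None
    aces = []
    for raw in listing.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split("-")
        aces.append({
            "inherited": "ID" in flags,     # assumption: ID = ACE inherited from a parent key
            "inherit_only": "IO" in flags,  # assumption: IO = applies to subkeys only, not this key
            "kind": m.group("kind"),
            "rights": m.group("rights"),
            "who": m.group("who").strip(),
        })
    return key, aces


def audit_acl(listing, required_full=(r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")):
    """Flag ACEs that would stop an administrator from cleaning the key or its subkeys."""
    key, aces = parse_acl(listing)
    findings = []
    # In canonical ACL order explicit DENY ACEs come first and win, so any DENY on a
    # Winlogon key (or on its subkeys, where the Notify entries live) is worth a look.
    for ace in aces:
        if ace["kind"] == "DENY":
            scope = "subkeys only" if ace["inherit_only"] else "the key itself"
            findings.append(f"DENY {ace['rights']} for {ace['who']} ({scope})")
    # Each required principal needs Full access through an ACE that applies to the key,
    # i.e. one that is not inherit-only; explicit and inherited ACEs both count.
    for who in required_full:
        if not any(a["kind"] == "ALLOW" and a["rights"] == "Full access"
                   and a["who"] == who and not a["inherit_only"] for a in aces):
            findings.append(f"{who} has no Full access ACE that applies to the key")
    return {
        "key": key,
        "ace_count": len(aces),
        "explicit_aces": sum(1 for a in aces if not a["inherited"]),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("log listing", SAMPLE_ACL), ("tampered listing", TAMPERED_ACL)):
        result = audit_acl(text)
        print(f"{name}: {result['key']}")
        print(f"  {result['ace_count']} ACEs ({result['explicit_aces']} explicit)")
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

Run against the listing from the log it reports no findings, which is the state l2mfix was trying to reach; the tampered listing shows why the inherit-only flag matters: an (ID-IO) Full access ACE for Administrators looks reassuring but grants nothing on the key itself. The same check applies to RegDACL output for any other autostart key.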
Don't run the tool yet, please; just install it.
Install it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.
1. Uncheck "Cookies" under "Internet Explorer".
2. If you are running Firefox, click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop (right-click an open area, select New > Text Document, and save it as whatever you like). Now put a check next to these:
Okay. I followed your advice and here is the HJT file. It was weird that after setting the system back to normal startup I received all sorts of startup items. I will leave them alone for now since they appear to be benign. I did notice that some app called BACKWEB-2 was prevented by ZoneAlarm from accessing the internet. I prevented it from ever accessing the internet for now, for preventive reasons. Other than that, it appears that we have cleaned the system. Thanks again, and let me know if there is anything I should watch for. I want to educate the customer on preventing this from happening again.