I got spyware

I have been infected by one of the nasty ones. System is behind a server with NAT, running Norton AV with updates, Norton Anti-spyware with updates, Spybot_S&D, Adaware SE and other tools as required. System OS, XP Home, sp2.

I can clean out everything that looks like spyware, run all the tools and comes up clean, disable system restore, run in "Safe mode" and then reboot. Read email, from known addresses only, and within a couple of minutes, IE will launch and display an ad for a gaming site or similar. Been fighting this for a week. but cannot rid myself of this thing. I have HJT installed and have used it to look for the culprit too, but to no avail.

I would greatly appreciate some expert advice on this one.

Jgeekman

 

OK, here is the HJT file, attached. The scans did not all function, Trend Micro could not complete with out hanging, the shredder did not function correctly. A number of attempts were made with each prior to moving ahead with the cleaning process. The HJT file is the end result.

Thanks - JGM

 

Edit by: bjgarrick

removed instructions due to wrong HJT log.

 

Ignore this HJT file, posted the wrong one. Will repost with correct file. JGM

 

Attach your current HJT log so I can get you started. If your new log has the below entry you have major problems I need to get you started on.

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\s088lalu1dq8.dll

 

If this log was from your computer, Im pretty sure that entry isnt going anywhere. So procede...

Since Chas isnt here at the moment I will get you started.

First:
Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

• C:\Documents and Settings\Kathy\My Documents\security\hijackthis\HijackThis.exe

Second:
Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Third:
Download the following items:

L2MeFix Tool

Generic Detection Tool - NT/2000/XP

VX2.BetterInternet Finder XP/2k - Version Msg126

Pocket KillBox


Fourth:

NOW:
Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

Please don't run any other files in the L2MFix folder.

After doing ALL of the above, reboot and post a fresh HJT log along with the L2MFix Log.

Good Luck!

 

You guys should run the "Find Log" first as it may help you pin down lzmpmn.exe. Or not. . . . but you should at least try. Probably should have waited for new HJT log so you know EXACTLY what you are dealing with and what to look for.

Just a thought

 

Here are the new log files (2) - JGM

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

WebPosition 3

First:
Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Second:
Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

lzmpmn.exe

Wpsched3.exe

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

(Note: HOSTER should take care of these, if not remove if HJT finds them again)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lzmpmn.exe
O4 - HKCU\..\Run: [WPSched3] "C:\Program Files\WebPosition 3\Wpsched3.exe" MINIMIZE
O4 - HKCU\..\Run: [FSMonthly] "C:\Documents and Settings\Kathy\My Documents\purchases\$67ResaleRights\library\freesoftwaremonthly\fsm\fsm.exe" /s

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\WebPosition 3 ←–– Delete this whole folder if it exist!

C:\Documents and Settings\Kathy\My Documents\purchases ←–– Delete this whole folder if it exist!

C:\WINDOWS\system32\lzmpmn.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows

Almost Done..

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


NOW:

Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your post along with a current HJT log.


Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

DO NOT REBOOT AFTER POSTING THESE LOGS!

 

Some notes while launching an offensive against sypware HQ. The following two entries, which you want me to delete, are ones created by me and used frequently for the last year. I dont think that they are anything to worry about. One is a program for distributing info to registered users and the other is a list of online resources. Both predated the spyware problem by more than 12 months. They are:

C:\Program Files\WebPosition 3 ←–– Delete this whole folder if it exist!

C:\Documents and Settings\Kathy\My Documents\purchases ←–– Delete this whole folder if it exist!

This entry is the bad guy
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lzmpmn.exe

I have deleted it (I can only do it from a cmd prompt (safe mode) after I remove the archive attribute [attrib -A]) but still returns after a reboot. If I attempt it when running windows (safe mode) it gives me an "Access Denied" error message.

Also there is a file "capk.exe" that I cannot discover what it does or what program it works with. I'm temped to delete it, but I think I'll rename it and see if any thing different happens. Are you familar with this file, ring any bells or alarms?

Thanks for the assistance - jgm

 

Okay! Ignore anything you see in my fixes that you know and are comfortable staying on your computer.

Now, about those files. Attach me a current HJT log with a Generic Detection Log as per my previous request.

We will address each issue one at a time. Also, after attaching the Generic Detection log DO NOT REBOOT or else it will mutate as something different.

 

Here are the latest scans you requested. Thanks JGM

 

First:

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

Second:

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINDOWS\System32\picsvr ←–– Delete this whole folder if it exist!

C:\WINDOWS\system32\lzmpmn.exe

NEXT:
Run CCleaner

Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

New Hijack file as requested:

 

Look in Task Manager (Control+Shift+Esc) and locate lzmpmn.exe. Once located, right click and select "End Process".

Now scan with HJT and have it fix the below entry:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lzmpmn.exe


Download Pocket KillBox

Now, Copy and Paste C:\WINDOWS\system32\lzmpmn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

Reboot and post one last HJT log.

 

here is the latest HJT file.

 

Please boot into Safe Mode with the viewing of hidden files and folders enabled per the tutorial.

Now scan with HijackThis and Check the Boxes for the following:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lzmpmn.exe

Navigate to and DELETE the following if they should remain:

C:\WINDOWS\system32\lzmpmn.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\capk.exe

NOW:
Do this just to be sure this thing is gone!

Locate PocketKillbox

Now, Copy and Paste C:\WINDOWS\system32\lzmpmn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Hi BJ,

I think that we may have some success now. Your last post did not remove the capk and lzmpmn files. On reboot into normal mode and after HJT scan they showed up again. I decided to make a small change. In normal mode I FIXED the lzmpmn file in HJT. I then used Pocket KillBox and placed the capk file in it, delete on reboot and rebooted back into normal mode.

I have attached the latest HJT file. It looks clean of both files. So keeping my fingers crossed and see where things go from here. This does look good.

I also wanted to let you and the rest of the "techs" on Major Geeks how much I appreciate the assistance everyone provided. This was a nasty situation with a stranglehold on IE and a performance hit on the computer.

A Geek Court Marshal for the programers of this one sounds almost too kind.

Thanks again, I hope that we are done with this one for a while.

JGeekman

 

As of right now it looks as if its gone, however it may come back. To be sure it doesnt see the below.

How to Protect yourself from malware!