Notify .dll hijacker

[InsanelyConfuse]

Hello people. Unfortunately, because I am somewhat stupid, I was using IE instead of Firefox and managed to pick up what looks like the notify .dll hijacker. The .dll file it seems to be calling on changes its name after every boot. I can't end the winlogon.exe to delete the file because apparently I don't have the permissions(I am an admin, but I assume its some sort of windows safety mechanism?). Anyways, I'm figuring I need to somehow change the access permissions and then get rid of the .dll and its registry entry, yeah? If someone could tell me how to do that, or, if I'm completely wrong, tell me how to get rid of this bloody ridiculous hijacker. It'd be appreciated, thanks.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:56 AM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\jtjo0713e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eveskod.exe (file missing)
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)



Oh yeah and I killed eveskod.exe quite a few months ago, I guess i never really cleaned it up though.

[sUBs]

Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.

• From the l2mfix folder, double click l2mfix.bat
• Select option #2 for Run Fix by typing 2 and then pressing enter.
• When prompted for a password, enter - bye (lowercase)

Your desktop and icons will disappear as L2mfix scans/disinfects your computer.
When finished, you will be required to press any key to automatically reboot.
On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

[InsanelyConfuse]

I appreciate the help and all.. but twould have been nice if you just told me what it was I needed to accomplish, rather than trying to guide me through each individual step w/ a post back. I didnt realize it was an app initial dll so I'm pretty sure I can kill it now. But just in case, here's the log you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:28 AM, on 11/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.016\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\jtjo0713e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eveskod.exe (file missing)
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

[sUBs]

Quote:

but twould have been nice if you just told me what it was I needed to accomplish, rather than trying to guide me through each individual step w/ a post back.

I'm not quite sure what you desire. The name of your infection is Look2Me if that's what you wanna know.

It's still there. Didn't the tool produce a log for you?

[InsanelyConfuse]

Ah, sorry about that, I was sort of frustrated and had a bit of a hangover. Nah, I had to run it twice and then run the "find log" command to get the log.(for some reason it saved somewhere besides the l2mfix directory. Here it is.

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr4005hme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[sUBs]

You seem to have posted the incorrect log. The proper log is named log.txt & is located within the l2mfix folder.

Here's an example of what it should look like ...

http://www.techsupportforum.com/396882-post5.html

[InsanelyConfuse]

well.. it appears as if its not creating the log at all. There are no log files or any extra files being saved in the l2mfix directory after the "fix"(2) command has been run in the "l2mfix.bat" file. Nor is the file loading on the screen after reboot. I can post the text it reads during the "fix" process?(The readme gives me the impression that its the "second.bat" file that creates the log. And when I tried to run in manually after the boot(when the log wasn't created) I was redirected to the text file "not.txt", also in the l2mfix directory, which reads that "Second.bat is Not intended to be run on its own ". Thanks

[sUBs]

You're the 2nd person who's been experiencing problems running this revised tool. Did you receive an error message like this:

Quote:

The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:

If so, I like you to create a new user profile & named it as L2MFiX before running the tool again.

[InsanelyConfuse]

Actually, no. I didn't get anything. But I don't think that's our problem. You see, the reason I posted the topic as "Notify .dll Hijacker" is because I'm 99% sure thats the correct identification. Look2me is a spyware is it not? I've checked several different ways of killing look2me and tried to do them only it seems as if I don't even have the files needed to be deleted. I then earliar before posting this topic checked with "AdWare Away" which found no instances of look2me(I checked specifically for look2me, there's an option) but rather the "Notify .dll Hijacker", "The hardest-to-kill hijacker yet, unable to be automatically removed". I originally got Adware Away to check for that specific hijacker, because programs like Lavasofts's Adaware and Spybot S&D, and Norton Antivirus don't even register it. The popups that appear do appear regardless of wheter I'm already connected to a browser or not, as long as the connection is existant(broadband) then the popups will appear. Adware Away asks that you write to them for specific instructions on how to remove it, it can only be done manually, and the reason I posted here was to avoid doing that. Thanks again, If anyone knows how to deal with it, it would be appreciated.

Oh and here's the url to Adware Away's description http://www.adwareaway.com/notifydll.htm

[sUBs]

Please do me a favor & run option #1 of the tool.

It would produce a log for you. If it's Look2Me, you will see files that look similar to the one below.(take note of the filesize & date of creation) .If you have those, you can be certain it's Look2Me

Quote:

Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 80CC-DB30

Directory of C:\WINDOWS\System32

23/11/2005 18:28 234,908 guard.tmp
23/11/2005 16:13 234,175 hr8005lme.dll
23/11/2005 16:07 234,175 ore2nls.dll
23/11/2005 16:07 234,908 fpls0337e.dll
23/11/2005 16:00 234,175 ode2nls.dll
23/11/2005 15:55 234,175 enp6l17s1.dll
23/11/2005 11:33 234,175 n24slch71f4.dll
23/11/2005 11:06 234,175 jt6s07j7e.dll
22/11/2005 14:41 234,175 l4j8le1u1h.dll
21/11/2005 18:07 234,175 m4820eloehqc0.dll
21/11/2005 16:48 236,178 dn8601lse.dll
21/11/2005 14:50 236,178 sde.dll

[InsanelyConfuse]

Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 88BC-7108

Directory of C:\WINDOWS\System32

11/24/2005 01:05 PM 236,239 guard.tmp
11/24/2005 01:02 PM 236,239 uoib.dll
11/24/2005 12:39 PM 236,239 n64s0gh7e64.dll
11/24/2005 12:33 PM 236,239 l0j8la1u1d.dll
11/24/2005 10:42 AM 236,239 gp66l3js1.dll
11/22/2005 11:24 PM 235,922 mv08l9du1.dll
11/22/2005 11:22 PM 235,922 ncwrsptb.dll
10/27/2005 03:04 PM <DIR> dllcache
09/21/2005 05:27 AM <DIR> Microsoft
7 File(s) 1,653,039 bytes
2 Dir(s) 79,251,513,344 bytes free

well, that's at least nice to know. Apparently l2mfix isn't creating logs for me. And I havn't gotten any sort of error message.

[sUBs]

You seem to know your way around Windows. Please try using the method I used in this thread > Constant Pop Ups and Spyware issues

If you come up against any problems, let me know

[InsanelyConfuse]

Finally, I had tried something similar with killbox before but I had neglected the guard.tmp file. Thanks a bunch.

[sUBs]

Have Hijackthis fix the errant 020 entry that says file missing

You still need to address the orphaned reg entries it created. Feel free to post your Option #1 log if you require assistance.

[InsanelyConfuse]

Nope. I've got it from here. Thanks Again.