Wilders Security Forums
#1  March 31st, 2004, 09:38 AM
Pieter_Arntz (Spyware Veteran, Netherlands)
msg121 zestyfind removal

FreeAtLast made a site with the tools to remove this pest.
http://www10.brinkster.com/expl0iter...L2M/Msg121.htm

Make sure you get the one that fits your OS. There is a Win98/ME removal and another for Win2k/XP.

link repaired==bigc
__________________
Regards,

Pieter
It´s nice to be important, but it´s more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.

Last edited by bigc73542 : April 14th, 2004 at 08:14 PM.
#2  April 11th, 2004, 04:06 PM
dvk01 (Global Moderator, Loughton, Essex, UK)
Re: msg121 zestyfind removal

Unfortunately the fix on FAL's page has been taken down, because it has been found that using it on the latest versions of L2M is ineffective, so he has removed it and will not allow it to be used any longer.

The L2M parasite will autoupdate and the fix won't work at all.
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking

Last edited by dvk01 : April 11th, 2004 at 06:43 PM.
#3  April 12th, 2004, 11:09 AM
Pieter_Arntz (Spyware Veteran, Netherlands)
Re: msg121 zestyfind removal

http://forums.net-integration.net/in...F%BDentry63572

Quote:
I'll just update everyone...
There are NO LONGER msg### files.

It morphed yesterday.
They are using random names now, and much worse!

The (msg) find will find some of the old files that are no longer active...

Go to regedit (regedt32 in 2K)
Expand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian <-
*Make a note of the file name there, in System32.

Right-click (top menu > Permissions in 2K) > Permissions, uncheck the box "Allow inheritable permissions".
Hit OK, and REMOVE on the next prompt.
-Restart computer!
Find and delete the <file> that was in that key along with its companion from System32:
<file name>.cpy.dll
Go back to the registry editor > recheck the permissions box on that key, right-click > Delete the 'Guardian' folder.

Run SpyBot + Ad-Aware to remove the rest of the keys + files.

***NOTE: In addition to that they 'hacked' the main System account of the entire Administration group!
Some functions (as per the error above) will no longer work on the system even AFTER the cr@p is gone!

Fixes to restore Admin Groups policies:
http://support.microsoft.com/default...;EN-US;Q329887 (2K)
http://support.microsoft.com/default...b;en-us;313222 (XP)

(My fix pages are removed!)

Work is being done and progress is made, but very slowly. We will keep you posted.

Regards,

Pieter
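The indicators in the quoted procedure above (a Winlogon\Notify subkey named Guardian, a randomly named DLL in System32, and its <name>.cpy.dll companion) can be checked offline rather than by eye in regedit. What follows is an added example by the editor of this page, not code from the thread or from any of the tools it names: it parses a regedit export of the Notify key and a listing of System32 and reports packages that are named Guardian, have a .cpy.dll companion (both readings of the post's naming are tried), or fall outside a stock Windows XP baseline. The baseline set, the sample export, the System32 list and the DLL name xyz1234.dll are assumptions made for the example; on a real infection the name is random, as the post says.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline of Notify subkeys on a stock Windows XP install (editor's assumption,
# not something the thread states); anything outside it gets reported.
XP_BASELINE = {s.lower() for s in ("crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                                    "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon")}

# Constructed regedit export of the Notify key on an infected box (real exports are UTF-16
# text). The Guardian DLL name xyz1234.dll is made up; the real one is random, as the post says.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"DllName"="C:\\WINDOWS\\system32\\xyz1234.dll"
"Logon"="WinLogon"
"""

# Constructed list of file names present in System32 on the same box.
SAMPLE_SYSTEM32 = ["crypt32.dll", "cscdll.dll", "wlnotify.dll", "xyz1234.dll", "xyz1234.cpy.dll"]

_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode(val):
    """Decode one .reg value: quoted string, dword:, or hex(n): byte list."""
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", val)
    if not m:
        return val
    kind = int(m.group(1) or "3")                    # bare hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):                                # REG_SZ / REG_EXPAND_SZ: UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: value}}, first joining the
    backslash-continued lines regedit emits for long hex values."""
    joined, pending = [], ""
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        joined.append(line)
    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current]["@" if m.group(1) is None else m.group(1)] = _decode(m.group(2))
    return keys


def find_suspect_notify_packages(keys, system32_listing):
    """Return [(subkey, dll file name, reasons)] for Notify packages matching the post's
    indicators (a Guardian subkey, a <name>.cpy.dll companion) or outside the baseline."""
    present = {f.lower() for f in system32_listing}
    prefix = NOTIFY_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        sub = path[len(prefix):]
        if not path.lower().startswith(prefix) or "\\" in sub:
            continue                                  # not a direct Notify subkey
        # value name case varies between packages (DllName vs DLLName)
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), "")
        dll = dll.rsplit("\\", 1)[-1]
        stem = dll[:-4] if dll.lower().endswith(".dll") else dll
        reasons = []
        if sub.lower() not in XP_BASELINE:
            reasons.append("not a stock XP notification package")
        if sub.lower() == "guardian":
            reasons.append("Look2Me 'Guardian' subkey")
        for companion in (stem + ".cpy.dll", dll + ".cpy.dll"):   # both readings of the post
            if companion.lower() in present:
                reasons.append("companion %s present in System32" % companion)
        if reasons:
            hits.append((sub, dll, reasons))
    return hits


if __name__ == "__main__":
    for sub, dll, why in find_suspect_notify_packages(parse_reg_export(SAMPLE_REG), SAMPLE_SYSTEM32):
        print("%s -> %s: %s" % (sub, dll, "; ".join(why)))
```

Export the real key with regedit (File > Export, or `regedit /e notify.reg "HKEY_LOCAL_MACHINE\...\Winlogon\Notify"`) and a `dir /b` of System32 from the infected machine, then feed both in place of the constructed samples. The parser is deliberately tolerant of the hex(2) form because the Microsoft entries store DllName as REG_EXPAND_SZ, while the Look2Me entry used a plain string with a full path; a check that only handled one form would miss half the key.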
#4  April 15th, 2004, 09:12 AM
Pieter_Arntz (Spyware Veteran, Netherlands)
Re: msg121 zestyfind removal

A workable solution has been found for Windows 2000 and XP Pro. Posted here by Option^Explicit:
http://forums.broadbandmedic.com/cgi...act=ST;f=1;t=6

Copying it here for ease of use.

Quote:
Alrighty,

I have some info on fixing the Admin accounts so you can deal with killing these files without all the booting from Recovery Console, although that is a fairly efficient way of removing files such as these.

This info is for XP Pro only, but the same method applies for 2000; just the names may vary slightly, but operations are done from the same panels.

Steps to take:
You will need KillBox ver. 2.00.0179, so download that and keep it handy; we will need it to remove the Look2Me files. (Unzip the files to your Desktop.)

Or if you used the Recovery Console to remove the files, you won't need it.

1.) From Control Panel >> Administrative Tools >> Local Security Policy, and under Local Profiles >> User Rights Assignment, on the right side look for Debug Programs >> right-click >> select Properties.

2.) Click Add User or Group, and when the next window opens, click the Object Types button, and now put a check in the box for Groups. Click OK.

3.) That window will close, and in the one you are left with click Advanced, and from the next window, Find Now.
*Look under Name (RDN) for Administrators and select it, and click OK.

4.) Administrators should show up in the box beside "Check Names". Just click OK, then that window will close, and the next window, under the only tab "Local Security Setting", should have Administrators listed in it. If it does, click Apply, then OK again.

[Screenshot: what you should have]
[Screenshot: what an infected system looks like]

With a reboot that fixes that.
*Make sure you reboot!

After rebooting...
Close all open windows, open KillBox and under Fix L2M >> Kill VX2.BetterInternet.
As before, your computer will shut down.
On rebooting, the 2 files will be deleted.

*The Problem
Because we accessed these .dll files, they will have corrupted the User Rights Assignment again, but no big deal.
Repeat the process of adding the Administrators group to Debug Programs again, and since the offending files are gone, this time those settings will stay put.

Things to do with KillBox after removing these files:
1.) Click Find >> Find VX2.BetterInternet
*Nothing should show up in the next window; if it does, you are still infected. But if clean, then...

2.) Click Find >> User Agent String, click on the CLSID key, and under Action >> Delete User Agent String.

3.) Click Fix L2M >> Import L2M.reg to remove various registry keys set by the software.

Run Ad-Aware using an updated reference file to remove anything else I missed.

Edited by Option^Explicit on April 15 2004, 01:23

Hope it helps some of you,

Pieter

Last edited by Pieter_Arntz : April 15th, 2004 at 09:29 AM. Reason: repaired links
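The Debug Programs repair that Option^Explicit walks through in the Local Security Policy GUI has a command-line equivalent that is easier to repeat (the post warns it has to be done twice) and easier to verify. The following is an added example by the editor, not code from the post or from KillBox: it reads the text that `secedit /export /cfg policy.inf` writes, reports whether BUILTIN\Administrators (well-known SID S-1-5-32-544) still holds SeDebugPrivilege, and produces the security template that re-grants it for `secedit /configure`. The export excerpt is constructed to show the emptied right the post describes; the other two privileges in it are filler.

```python
import configparser

ADMINISTRATORS_SID = "S-1-5-32-544"          # well-known SID of BUILTIN\Administrators

# Constructed excerpt of what `secedit /export /cfg policy.inf` writes on a box in the
# state the post describes: Debug Programs (SeDebugPrivilege) has been emptied.
# Unrelated sections are left out; the real file is UTF-16 text.
INFECTED_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege =
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set of holder SIDs} from the [Privilege Rights] section.
    secedit prefixes SIDs with '*'; the asterisk is stripped here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep privilege names case-sensitive
    cp.read_string(inf_text)
    rights = {}
    for privilege, holders in cp["Privilege Rights"].items():
        rights[privilege] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def administrators_hold(rights, privilege="SeDebugPrivilege"):
    """True when BUILTIN\\Administrators is among the holders of the privilege."""
    return ADMINISTRATORS_SID in rights.get(privilege, set())


def repair_template(privilege="SeDebugPrivilege", holders=(ADMINISTRATORS_SID,)):
    """Security template that re-grants the privilege. Save it as Unicode and apply with
    secedit /configure /db repair.sdb /cfg repair.inf /areas USER_RIGHTS
    then reboot, as the post insists; the post also expects the setting to be undone
    again until the Look2Me DLLs are actually gone, so re-check after the cleanup."""
    return ("[Unicode]\nUnicode=yes\n"
            "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
            "[Privilege Rights]\n"
            "%s = %s\n" % (privilege, ",".join("*" + h for h in holders)))


if __name__ == "__main__":
    rights = parse_privilege_rights(INFECTED_EXPORT)
    if not administrators_hold(rights):
        print("Administrators do not hold SeDebugPrivilege; apply this template:")
        print(repair_template())
```

Checking the SID rather than the display name "Administrators" avoids being fooled by a renamed group or a localised OS; the well-known SID is the same on every Windows installation.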
#5  May 11th, 2004, 11:02 AM
Unzy (Spyware Expert, Belgium)
Re: msg12x zestyfind removal

In the meantime they are already on 124.

To quote Katie (Mosaic):

Quote:
Download VX2Finder from this link:
http://tools.zerosrealm.com/VX2Finder.exe

Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with a notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (reboot).

-----------------
Once back in Windows

Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run VX2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

Last edited by Unzy : May 25th, 2004 at 04:32 AM.
#6  June 28th, 2004, 04:45 PM
dvk01 (Global Moderator, Loughton, Essex, UK)
Re: msg12x zestyfind removal

Updated

Now an easy cure, courtesy of Ad-Aware:

New plug-in available - VX2 Cleaner
------------------------------------------------------------
By Åsa Karlsson - Content Manager
Contributions by Mårten Holmqvist - Research, Stefan Lundström - Software Development

Lavasoft's new plug-in VX2 Cleaner detects the malware VX2 and offers you the ability to remove it from your computer. Some users have experienced a very difficult variant of VX2 which cannot be removed by Ad-Aware. For those users who have this variant, we have developed a plug-in to help you remove this VX2 variant.

This VX2 variant registers itself in a way which gives it system privileges. It also prevents the user from viewing this information by removing the user's rights to do so. Furthermore it constantly monitors the registry and prevents any attempts to remove its associated values. This makes it very difficult for the user to manually remove it.

The VX2 Cleaner works with all editions of Ad-Aware 6 build 181.


How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 build 181 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-servers.com/plvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6 build 181
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".


If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

More information on VX2 can be found in the TAC database at http://www.lavasoftnews.com/ms/display_main.php?tac=VX2

Download Lavasoft's VX2 Cleaner plug-in at http://updates.ls-servers.com/plvx2cleaner.exe



IMPORTANT INFORMATION
--------------------------------------------------------
* 8 of the 9 new VX2 variants have the same payload: a DLL file which resists removal. This DLL is different from what our original VX2 Cleaner plug-in was designed to locate and remove. The plug-in has been updated accordingly to allow for removal of this update. The new version number is 1.01, and can be verified after running the plug-in. If you have downloaded version 1.00 of the plug-in, you do not need to uninstall prior to installing this version. Download using the plug-in download link on our site. For more information, visit http://www.lavasoft.de/software/plug...2cleaner.shtml

Last edited by dvk01 : July 1st, 2004 at 01:57 PM.
#7  January 26th, 2005, 07:55 AM
Pieter_Arntz (Spyware Veteran, Netherlands)
Re: msg121 zestyfind removal

Automated fix for version 200 (also known as UMonitor) is available. (courtesy of Shadowwar and OSC)

Part 1
Quote:
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.


IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Part 2
Quote:
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.


IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

NOTE: There is a slightly newer version of this one using a (re-)infector starting as:
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe

Other files will need to be removed from the system(32) folder:
mplay32.dll = 126976 bytes (a BHO, not always present)
ntec32.exe = 26112 bytes
ntsmod.exe = 28672 bytes
sysdebug32.exe = 28672 bytes

Also look for: msts32.exe

Install report of msts32.exe
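The indicator list in the post above (the ntsmod Run entry and the System32 files with their byte sizes) is the kind of thing worth checking mechanically before and after running l2mfix. What follows is an added example by the editor, not code from the thread or from l2mfix: it parses a `dir` listing of System32 and the O4 lines of a HijackThis log, both constructed here, and matches them against the post's names and sizes, reporting a name match with the wrong size separately because the post notes the kit keeps changing. The sizes given here for msts32.exe and mplay32.exe and the deliberately different sysdebug32.exe size are made up; mplay32.exe is a stock Windows file and is present only to show that a near-miss name does not match.

```python
import re

# Indicators quoted in the post above: System32 file name -> size in bytes
# (None where the post gives no size). mplay32.dll is the BHO, not always present.
L2M_INDICATORS = {
    "mplay32.dll": 126976,
    "ntec32.exe": 26112,
    "ntsmod.exe": 28672,
    "sysdebug32.exe": 28672,
    "msts32.exe": None,
}

# Constructed `dir C:\WINDOWS\system32` excerpt. The sysdebug32.exe size is deliberately
# off, and the msts32.exe and mplay32.exe sizes are made up (mplay32.exe is a stock file).
SAMPLE_DIR = r""" Volume in drive C has no label.
 Directory of C:\WINDOWS\system32

01/26/2005  07:55 AM    <DIR>          .
01/26/2005  07:55 AM    <DIR>          ..
08/04/2004  12:56 AM           28,672 ntsmod.exe
08/04/2004  12:56 AM           26,112 ntec32.exe
08/04/2004  12:56 AM           31,744 sysdebug32.exe
08/04/2004  12:56 AM           40,960 msts32.exe
08/23/2001  12:00 PM           56,832 mplay32.exe
               5 File(s)        184,320 bytes
"""

# Constructed HijackThis excerpt around the O4 line the post quotes.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

_DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}(?:\s[AP]M)?)\s+([\d,]+)\s+(.+)$")
_HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def parse_dir_listing(text):
    """Windows `dir` output -> {lower-case file name: size}; <DIR> and summary lines are skipped."""
    files = {}
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if m:
            files[m.group(4).strip().lower()] = int(m.group(3).replace(",", ""))
    return files


def check_system32(files):
    """Match the listing against the indicator table. A name match with a different
    size is still reported, since the post says the kit keeps changing."""
    findings = []
    for name, expected in L2M_INDICATORS.items():
        if name not in files:
            continue
        size = files[name]
        if expected is None:
            verdict = "name match (no reference size)"
        elif size == expected:
            verdict = "name and size match"
        else:
            verdict = "name matches, size differs (%d vs %d)" % (size, expected)
        findings.append((name, size, expected, verdict))
    return findings


def command_basename(cmd):
    """Lower-case file name of the program a Run value launches (first token, quoted or not)."""
    cmd = cmd.strip()
    target = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return target.rsplit("\\", 1)[-1].lower()


def check_hjt_run_entries(log_text):
    """Flag HijackThis O4 lines whose launched program is in the indicator table."""
    hits = []
    for line in log_text.splitlines():
        m = _HJT_O4.match(line.strip())
        if m:
            hive, key, value, cmd = m.groups()
            exe = command_basename(cmd)
            if exe in L2M_INDICATORS:
                hits.append(("%s\\..\\%s" % (hive, key), value, exe))
    return hits


if __name__ == "__main__":
    for name, size, _expected, verdict in check_system32(parse_dir_listing(SAMPLE_DIR)):
        print("%-16s %8d  %s" % (name, size, verdict))
    for key, value, exe in check_hjt_run_entries(SAMPLE_HJT):
        print("Run value [%s] under %s launches %s" % (value, key, exe))
```

Matching on name and size together is what the post implies; a size-only match would false-positive on the many 28,672-byte files a Windows box carries, and a name-only match would miss nothing but also tells you nothing about which build you are looking at. Run the same check after l2mfix's option #2 and a reboot: an empty result from both functions is the condition the post's "fresh log" request is trying to establish.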
#8  January 28th, 2005, 04:29 PM
dvk01 (Global Moderator, Loughton, Essex, UK)
Re: msg121 zestyfind removal

And Symantec have just released a removal tool that seems to clear up most of it as well.
http://securityresponse.symantec.com...e.look2me.html

Edited to say that the Symantec tool isn't working on the new versions; it only works on the version with the SED folder showing.

Last edited by dvk01 : February 2nd, 2005 at 04:08 PM.
 

Copyright ©2002 - 2009, Wilders Security Forums