Please HELP!!! Generic Downloader.bt Trojan


rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
I have this on my laptop and I really need help. Please help.
C:\windows\system32\xlibgfl254.dll is infected by the Generic Downloader.bt trojan
 

rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
I have this on my laptop and I have no idea how I got this, but I need this off my laptop. Can anyone help me???
 
Joined
Feb 3, 2007
Messages
215
Hold on. More details please. I know I'm probably not going to be the most helpful person on this site, but it always helps to include as much detail as possible.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi rajsa, I have Merged your two threads about this problem into one thread. Please make all replies and posts Here in this thread, using the Reply button. TSG rules allow only one thread per poster for the same issue.

Do the following:

go to Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Please also do this:
Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.
 

rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
Byteman, thank you. Here is the list from the first scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:13 AM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireTray.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
c:\program files\mcafee.com\vso\mcvsmap.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://bsc1.tourolaw.edu/sre/Downloads/ICSScanner.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Here is the list from the "Please do this also" request:

Ad-Aware SE Personal
Adobe Reader 7.0.8
AIM 6.0
AOL Instant Messenger
AOLIcon
Bluetooth Stack for Windows by Toshiba
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro X
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Support 3.1
Digital Content Portal
Digital Line Detect
DivX Content Uploader
DivX Web Player
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESPNMotion
Games, Music, & Photos Launcher
GemMaster Mystic
Get High Speed Internet!
Google Earth
Google Pack Screensaver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet 5400 series
HP Extended Capabilities 5.0
HP Image Zone 5.0
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Internet Service Offers Launcher
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
McAfee Desktop Firewall 8.5
McAfee Uninstaller
mCore
MCU
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
Modem Helper
Mouse Suite for Laptop Computers
Mozilla Firefox (2.0.0.1)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
Norton Ghost 10.0
Otto
Picasa 2
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer
Search Assist
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
SlingPlayer
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SopCast 1.0.1
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Ultra soft
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WordPerfect Office 12
 

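As an added example (my own code, not HijackThis itself and not anything posted in this thread), here is a small Python triage script for logs in the format rajsa posted. It parses the `R`/`O` entries, pulls out the path or URL each one points at, and flags the things a helper looks at first: registrations whose target is `(file missing)`, Run-key commands given as a bare filename (resolved through the PATH search order, so the log alone does not tell you which file actually runs), startup shortcuts whose target HijackThis could not resolve (`= ?`), O16 ActiveX downloads together with the host they came from, and services with an unknown owner. The sample log inside it is constructed from a handful of lines in the same format as the one above; the flag names are my own.

```python
"""Triage helper for HijackThis v1.99-style logs (added example; not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a few lines in the same format as the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://bsc1.tourolaw.edu/sre/Downloads/ICSScanner.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str
    body: str
    target: Optional[str] = None            # path or URL the entry points at, when extractable
    flags: List[str] = field(default_factory=list)


def _launch_path(command: str) -> str:
    """Executable part of a Run-key command: strip surrounding quotes and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _last_field(body: str) -> str:
    """HijackThis puts the file path last, separated by ' - '; drop the missing-file marker."""
    return body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()


def triage(section: str, body: str) -> Entry:
    e = Entry(section, body)
    if "(file missing)" in body:
        e.flags.append("file-missing")      # registration outlived its file, or the path needs checking by hand
    if section == "O4":
        if body.startswith(("Global Startup:", "Startup:")):
            e.target = body.split(" = ", 1)[1].strip() if " = " in body else None
            if e.target == "?":
                e.flags.append("unresolved-shortcut")
        elif "] " in body:
            e.target = _launch_path(body.split("] ", 1)[1])
            if not DRIVE_PATH_RE.match(e.target) and not e.target.startswith("%"):
                e.flags.append("bare-filename")   # found via PATH search order, not a fixed location
    elif section == "O16":
        e.target = _last_field(body)
        e.flags.append("activex-download:" + (urlparse(e.target).hostname or "?"))
    elif section == "O23":
        e.target = _last_field(body)
        if "Unknown owner" in body:
            e.flags.append("unknown-owner")
    elif section in ("O2", "O3", "O9", "O18", "O20", "O21"):
        e.target = _last_field(body)
    return e


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per R/O line; process-list and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(triage(m["section"], m["body"]))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count flags by kind (the host suffix of activex-download flags is folded in)."""
    counts: Dict[str, int] = {}
    for e in entries:
        for f in e.flags:
            key = f.split(":", 1)[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        if e.flags:
            print(f"{e.section:4} {', '.join(e.flags):35} {e.target}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Nothing here decides what is malicious: as Byteman says, most of what HijackThis lists is harmless or required, so the output is a worklist for the person reading the log, not a list of things to fix.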
Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I need to confirm one or two things about this file - there is no simple fix for it, if it is what I think....

Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now I want you to open Windows Explorer and navigate down to Drive C:\WINDOWS and see if these files are present:

WARNING!! Do Not tamper with or try to delete these files now!!!!! If you see them, post which ones you can find. They will be dealt with later. You will not be able to delete them now!

C:\WINDOWS\INF\ultra.inf
C:\WINDOWS\LastGood\system32\xlibgfl254.dll
C:\WINDOWS\SYSTEM32\ultra\ultra.inf
C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll
C:\WINDOWS\SYSTEM32\xlibgfl254.dld <<<Note .dld

Just post back about them.

Next:

HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Make sure you use the View Report button when your Panda online scan finishes. Next, hit the "Save Report" button; that is what saves the log, which we very badly need to see. Save the file to the desktop as activescan.txt and copy and paste it into your reply here.
 

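To check the paths Byteman lists without touching anything, here is an added Python helper (my code, not from the thread or from any tool it mentions). It resolves each component of a path case-insensitively, the way Windows does, so a folder that shows as `system32` rather than `SYSTEM32` still matches, and it reports size and SHA-256 for each file it finds so the same file can be compared between machines or submitted to a scanner. Listing a directory programmatically returns hidden files regardless of the Explorer setting, so the Folder Options change above is not needed for this check. `build_sample_tree()` creates a constructed directory tree in a temporary folder so the script runs on any system; point `inventory()` at `Path("C:/")` to run it against a real drive.

```python
"""Read-only presence check for a list of suspect paths (added example, not from the thread)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# The locations asked about in the thread, relative to the drive root.
SUSPECT_PATHS = [
    r"WINDOWS\INF\ultra.inf",
    r"WINDOWS\LastGood\system32\xlibgfl254.dll",
    r"WINDOWS\SYSTEM32\ultra\ultra.inf",
    r"WINDOWS\SYSTEM32\ultra\xlibgfl254.dll",
    r"WINDOWS\SYSTEM32\xlibgfl254.dld",
    r"WINDOWS\SYSTEM32\xlibgfl254.dll",   # the location named in rajsa's first post
]

# Constructed contents for the sample tree; placeholder bytes, not real malware.
SAMPLE_FILES = {
    "WINDOWS/INF/ultra.inf": b"[Version]\r\nSignature=$Windows NT$\r\n",
    "WINDOWS/system32/xlibgfl254.dll": b"MZ" + b"\x00" * 62,
}


def resolve_ci(root: Path, rel: str) -> Optional[Path]:
    """Walk a backslash-separated path under root, matching each component
    case-insensitively (as Windows does), so 'SYSTEM32' finds 'system32'."""
    current = root
    for part in rel.split("\\"):
        if not part:
            continue
        if not current.is_dir():
            return None
        match = next((n for n in os.listdir(current) if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = current / match
    return current


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path, rel_paths: List[str]) -> Dict[str, Optional[dict]]:
    """For each path: None if absent, else the name as it exists on disk, size and hash.
    Only reads; never deletes or renames (the thread's advice: leave the files alone for now)."""
    report: Dict[str, Optional[dict]] = {}
    for rel in rel_paths:
        found = resolve_ci(root, rel)
        if found is None or not found.is_file():
            report[rel] = None
        else:
            report[rel] = {
                "actual": found.relative_to(root).as_posix(),
                "size": found.stat().st_size,
                "sha256": sha256_of(found),
            }
    return report


def build_sample_tree() -> Path:
    """Create the constructed tree in a temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="suspect-check-"))
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, info in inventory(build_sample_tree(), SUSPECT_PATHS).items():
        print(f"{rel:45} {'absent' if info is None else info}")
```

The report distinguishes "not there" from "there under a differently-cased name", which is exactly the question that comes up when a post says `SYSTEM32` and the disk says `system32`: on Windows those are the same folder.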
rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
C:\WINDOWS\INF\ultra.inf ----- I found this
C:\WINDOWS\LastGood\system32\xlibgfl254.dll ----- only folder under Last Good is INF and xlibgfl254.dll isn't in there
C:\WINDOWS\SYSTEM32\ultra\ultra.inf ----- no folder titled ultra, but a file called ultra.sys in drivers folder
C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll ----- no folder called ultra
C:\WINDOWS\SYSTEM32\xlibgfl254.dld <<<Note .dld ----- no dld file under SYSTEM32

Does it matter that the system32 folder on my laptop is not in all caps? I was able to find only one system32 folder under WINDOWS, and it was system32.

Here is the log of Active Scan:


Incident Status Location

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\xlibgfl254.dll
Spyware:spyware/new.net Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\prksk6bk.default\cookies.txt[.go.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.overture.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shahriar Raju\Cookies\[email protected][1].txt
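The scan output above names entries in the Firefox profile's cookies.txt by domain. As an added example that is not from the thread or its participants, here is a small Python script that does the same check offline: it parses the Netscape cookie-file format Firefox 2 used (seven tab-separated fields per line) and reports every entry whose domain falls under a suspect-tracker list. TRACKER_DOMAINS is taken from the domains the scan flagged; the sample cookie file is constructed. A tracking cookie is a text record the browser stores, not executable code, so clearing these is housekeeping and is a separate matter from the xlibgfl254.dll hit.

```python
"""Report tracking cookies in a Netscape-format cookies.txt (Firefox 2 era).

Added example, not from the original thread. TRACKER_DOMAINS is taken from
the domains the scan flagged; the sample file below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Domains named in the scan output; a real list would be much longer.
TRACKER_DOMAINS = {
    "casalemedia.com", "ads.pointroll.com", "overture.com",
    "data.coremetrics.com", "statse.webtrendslive.com", "hotlog.ru",
    "spylog.com", "linksynergy.com", "2o7.net", "burstbeacon.com",
    "burstnet.com", "apmebf.com",
}


@dataclass
class Cookie:
    domain: str              # leading dot: set for a domain, not one host
    include_subdomains: bool  # field 2, TRUE/FALSE
    path: str
    secure: bool             # field 4, TRUE/FALSE
    expires: int             # Unix time
    name: str
    value: str


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse the 7 tab-separated fields per line; skip comments and blanks."""
    cookies: List[Cookie] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#HttpOnly_"):   # curl/wget extension, keep entry
            raw = raw[len("#HttpOnly_"):]
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("\t")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def domain_matches(cookie_domain: str, tracker: str) -> bool:
    """'.perf.overture.com' matches 'overture.com'; 'notoverture.com' does not."""
    host = cookie_domain.lstrip(".").lower()
    return host == tracker or host.endswith("." + tracker)


def find_tracking_cookies(cookies: List[Cookie]) -> Dict[str, List[str]]:
    """Map each flagged cookie domain to the cookie names stored under it."""
    hits: Dict[str, List[str]] = {}
    for c in cookies:
        if any(domain_matches(c.domain, t) for t in TRACKER_DOMAINS):
            hits.setdefault(c.domain, []).append(c.name)
    return hits


# Constructed sample in the Netscape format (real profiles hold hundreds).
SAMPLE_COOKIES_TXT = """# HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file!  Do not edit.

.casalemedia.com\tTRUE\t/\tFALSE\t1262304000\tCMID\tabc123
.perf.overture.com\tTRUE\t/\tFALSE\t1262304000\tUID\t0001
.microsofteup.112.2o7.net\tTRUE\t/\tFALSE\t1262304000\ts_vi\t[CS]v1|xyz[CE]
mail.example.edu\tFALSE\t/\tTRUE\t1262304000\tSESSID\tdeadbeef
www.notoverture.com\tFALSE\t/\tFALSE\t1262304000\tpref\tdark
www.burstbeacon.com\tFALSE\t/\tFALSE\t1262304000\tua\tbar
"""

if __name__ == "__main__":
    for dom, names in find_tracking_cookies(parse_cookies_txt(SAMPLE_COOKIES_TXT)).items():
        print("Spyware:Cookie  %s  %s" % (dom, ", ".join(names)))
```

To run it against a real profile, read the file from the path the scan printed and pass its contents to parse_cookies_txt; the suffix match is what lets a single entry like 2o7.net catch the ".microsofteup.112.2o7.net" cookie the scan reported.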
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, the post that had a list of this malware's file locations may have had a typo and meant .dll, not .dld, but anyway, we found the guys:

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\xlibgfl254.dll <<don't try to delete it, it's not going to just yet.

I didn't have that exact location listed so you must have not seen it.


How are you with working in the Windows Registry? Have you ever edited your Registry? Fixing this bug includes some of that.

It will be a while before I get the info posted; keep checking.
 

rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
Windows Registry? Maybe I know it by another term. But if you continue to give me the directions that you are giving, I think I will be able to work with it. Your directions have been clear and easy to follow. Thanks for your help. I'll keep checking.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
The Registry, Start>Run>regedit

It's the vital settings for everything that makes things work, software, hardware, etc.

It takes the ability to be careful, follow the steps, and make sure you are in the right Reg key. I have a thread at another forum that shows you, in pictures, how to check the settings and change them to what is correct, and I will post that link. You could probably follow that guide for the Registry settings changes which may need to be done.
There are things we need to do first. I will be a few minutes; if you are able to stay on, do so. I will be here till about 1 AM.
The scans involved may be an hour each; it depends on the computer and your Net connection.

It's something that can be started this evening and finished tomorrow also, so don't stay up all night with it. Nothing worse than that for you, and if you need sleep to go to work, by all means just take off and do that. I will be here tomorrow, and the next day and the next.... I live here! (Well, not all the time; for instance, I will be out from 1:45 PM Thursday until about 5 PM.) And I am not online until about noon.

OK, I don't want this link and what it looks like you have to go through to put you off, since I think we can shorten it a bit as you don't have the whole load here, so look through what they have the guy do at the link and see what you think.

The link is at the Castlecops forum, but they are Updating some software it says, it should be back up and running momentarily I hope:

http://www.castlecops.com/posts176821-30.html

The next link you see will get you to the thread with steps, but don't do anything yet, as I will have them for you here; you can use the screenshots there to go by, OK?

As soon as they get updated or whatever I'll post the link for you.
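The point of the post above is to be sure you are in the right Registry key before changing anything. As an added example that is not from the thread or its participants: rather than browsing regedit by hand, you can dump a hive to a text file from a Command Prompt (reg export HKLM\SOFTWARE hklm-software.reg) and search that export for every value that mentions the DLL. The catch is that reg.exe writes REG_EXPAND_SZ and REG_MULTI_SZ data as hex(2)/hex(7) byte lists, wrapped across lines, so a plain text search misses them; the Python below decodes those before matching. The HKLM\SOFTWARE\Example\Loader key and its values in the sample export are constructed for the example and are not where this malware actually lives. Nothing here modifies the registry.

```python
r"""Find which registry values reference a file name in a reg.exe export.

Added example, not from the original thread. Parses the text that
"reg export" produces, decodes REG_SZ, REG_EXPAND_SZ (hex(2)) and
REG_MULTI_SZ (hex(7)) data, and lists every key/value whose data contains
the file name. The Example\Loader key in the sample is constructed.
"""
import re
from typing import List, Tuple

DLL = "xlibgfl254.dll"

# "Name"=data  or  @=data  (default value); names may contain \" escapes.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """reg.exe escapes backslashes and quotes inside REG_SZ data."""
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text: str) -> List[str]:
    """Rejoin hex values that reg.exe wraps with a trailing backslash."""
    out, buf = [], None
    for raw in text.splitlines():
        piece = raw.strip() if buf is not None else raw.rstrip()
        buf = piece if buf is None else buf + piece
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        out.append(buf)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def _decode_data(rhs: str) -> str:
    """Turn the right-hand side of a value line into searchable text."""
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])                      # REG_SZ
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", rhs)
    if m:
        kind = (m.group(1) or "3").lower()               # bare hex: = REG_BINARY
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        if kind in ("2", "7"):                           # EXPAND_SZ / MULTI_SZ
            text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
            return text.replace("\x00", "\n")            # MULTI_SZ separators
        return data.hex()
    return rhs                                           # dword:..., etc.


def find_references(reg_text: str, needle: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, decoded data) for every value mentioning needle."""
    hits, key, needle = [], None, needle.lower()
    for line in _join_continuations(reg_text):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = _decode_data(m.group(2))
        if needle in data.lower():
            hits.append((key, name, data))
    return hits


def _hex2(s: str) -> str:
    """Format a string the way reg.exe writes REG_EXPAND_SZ: UTF-16LE, wrapped."""
    pairs = ["%02x" % b for b in s.encode("utf-16-le") + b"\x00\x00"]
    chunks = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


def build_sample_export() -> str:
    """Constructed export: one benign Run entry and one constructed key
    (HKLM\\SOFTWARE\\Example\\Loader) that references the DLL twice."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
        '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"',
        "",
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Loader]",
        '@="rundll32.exe C:\\\\WINDOWS\\\\system32\\\\XLIBGFL254.DLL,Start"',
        '"Path"=' + _hex2("%SystemRoot%\\system32\\" + DLL),
        '"Flags"=dword:00000001',
        "",
    ])


if __name__ == "__main__":
    for key, name, data in find_references(build_sample_export(), DLL):
        print("%s -> %s = %s" % (key, name, data))
```

On a real machine, read the export with open(path, encoding="utf-16"), since reg.exe on XP writes Unicode with a byte-order mark, and pass the result to find_references; the key names it prints are the ones to look at in regedit.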
 

rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
Yeah, that's fine. I'll keep checking for the new link. But I don't think I can stay up. I'm a college student.

Edit to say: Do you just want me to check out the link that's up right now? And you will add the link w/ directions for me? Right? This is for my clarification. Thanks.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, questions you had before:

The site I need to get you to look at is still down, so that can wait till tomorrow.

(The new link will be posted in a reply from me, hopefully tomorrow morning.)

The downloads, installs and scans will take a long time tonight, so skip it; do it all tomorrow!

1. The system32 folder spelling is OK, that's the normal way it is.

2. The file ultra.sys is a Maxtor driver, so do not delete it.

Just posting this so you have it tomorrow when you have time:


Next: Downloads> follow the directions carefully, as to settings you need to make, updating, and use.

Download SuperAntiSpyware Home Edition Free Version

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer (it will take a while) and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and let the scanner fix it.

Restart the computer.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
Notepad should open, or other text editor...
Please copy the information in the SuperAntiSpyware log and post in your reply.

_ _ _ _ _ _ _ _ _ _ Next: _ _ _ _

COMBO FIX:
Download ComboFix to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply
Note: Do not mouseclick combofix's window while it's running as that may cause it to stall

You will probably have the above done when I am online around noon and I will check.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Wonderful, Castlecops is working again....

I didn't want you to look at this tonight, as it might keep you up too late (or put you into a coma). It's done by someone very experienced in resetting Registry items for security, which this malware changes. I think we will have an easier time, but I wanted you to be able to have a better idea of what it looks like, etc.

So, don't be thinking you cannot do all that, because it's a lot easier than it looks. Here's the place:

http://www.castlecops.com/postx176821-0-0.html

It's 4 pages, much too much to get through tonight. A lot of it is screenshots, and slightly hard to see, but I can get better ones.

Edit: If you had a good idea when this malware got in, you could probably do a System Restore back a ways and avoid having to fix it.... Ever done a System Restore? This is not reinstalling; it's part of XP that puts the computer back to a state it was in at a previous time.... like GoBack.
 

rajsa

Thread Starter
Joined
Feb 6, 2007
Messages
56
After I run the ComboFix, then you want me to run HijackThis in Safe Mode too? Clarification for me. Thanks.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, sorry... no, we need the HijackThis log made in Normal Mode, which you will be in after you restart from doing ComboFix.
 