
Please HELP!!! Generic Downloader.bt Trojan

Discussion in 'All Other Software' started by rajsa, Feb 6, 2007.

  1. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    I have this on my laptop and I really need help. Please help.
    C:\windows\system32\xlibgfl254.dll is infected by the Generic Downloader.bt trojan
     
  2. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    I have this on my laptop and I have no idea how I got this, but I need this off my laptop. Can anyone help me???
     
  3. wish i had a mac

    wish i had a mac

    Joined:
    Feb 3, 2007
    Messages:
    215
    Hold on. More details please. I know I'm probably not going to be the most helpful person on this site, but it always helps to include as much detail as possible.
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi rajsa, I have Merged your two threads about this problem into one thread. Please make all replies and posts Here in this thread, using the Reply button. TSG rules allow only one thread per poster for the same issue.

    Do the following:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


    Please also do this:
    Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.
     
  5. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    Byteman, thank you. here is the list from the first scan

    Logfile of HijackThis v1.99.1
    Scan saved at 10:26:13 AM, on 2/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireTray.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    c:\program files\mcafee.com\vso\mcvsmap.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://bsc1.tourolaw.edu/sre/Downloads/ICSScanner.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    Here is the list from the "Please do this also" request:

    Ad-Aware SE Personal
    Adobe Reader 7.0.8
    AIM 6.0
    AOL Instant Messenger
    AOLIcon
    Bluetooth Stack for Windows by Toshiba
    Broadcom Management Programs
    Conexant HDA D110 MDC V.92 Modem
    Corel Paint Shop Pro X
    Corel Photo Album 6
    Dell Digital Jukebox Driver
    Dell Support 3.1
    Digital Content Portal
    Digital Line Detect
    DivX Content Uploader
    DivX Web Player
    Documentation & Support Launcher
    EarthLink setup files
    EducateU
    ELIcon
    ESPNMotion
    Games, Music, & Photos Launcher
    GemMaster Mystic
    Get High Speed Internet!
    Google Earth
    Google Pack Screensaver
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    Hijackthis 1.99.1
    HijackThis 1.99.1
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    HP Deskjet 5400 series
    HP Extended Capabilities 5.0
    HP Image Zone 5.0
    HP Imaging Device Functions 5.0
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.0
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    Internet Service Offers Launcher
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    McAfee Desktop Firewall 8.5
    McAfee Uninstaller
    mCore
    MCU
    mDriver
    mDrWiFi
    mHelp
    Microsoft .NET Framework 1.0 Hotfix (KB887998)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Trial
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    mIWA
    mLogView
    mMHouse
    Modem Helper
    Mouse Suite for Laptop Computers
    Mozilla Firefox (2.0.0.1)
    mPfMgr
    mPfWiz
    mProSafe
    mSSO
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    Musicmatch for Windows Media Player
    Musicmatch® Jukebox
    mWlsSafe
    mWMI
    mXML
    mZConfig
    NetWaiting
    NetZeroInstallers
    Norton Ghost 10.0
    Otto
    Picasa 2
    PowerDVD 5.7
    QuickSet
    QuickTime
    RealPlayer
    Search Assist
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    SlingPlayer
    Sonic DLA
    Sonic Encoders
    Sonic MyDVD LE
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SopCast 1.0.1
    Spybot - Search & Destroy 1.4
    Synaptics Pointing Device Driver
    Ultra soft
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    URL Assistant
    Viewpoint Media Player
    WebCyberCoach 3.2 Dell
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890927
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB925766
    WordPerfect Office 12
     
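    Added example, not part of the thread and not HijackThis's own code: a small triage pass over HijackThis log lines of the kind posted above. It does what a helper does by eye in a first read of the log: it picks out entries marked "(file missing)", Run-key entries that name a bare executable with no path (which Windows resolves via the search path, so the real file location has to be confirmed), Global Startup shortcuts whose target shows as "?", O16 ActiveX downloads (with their source URL for review), and O23 services with no publisher recorded. The sample lines are copied from the log in this thread; the flags are prompts for a person to check, not verdicts (stsystra.exe and ICO.EXE, for instance, are flagged only because they lack a path).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://bsc1.tourolaw.edu/sre/Downloads/ICSScanner.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
"""

# Line shapes as HijackThis 1.99 prints them (matched against the log above).
RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$')
DPF_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4" or "O23"
    reason: str    # why a human should look at this line
    line: str      # the original log line


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect entries that deserve a manual check."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(' - ', 1)[0]
        if '(file missing)' in line:
            findings.append(Finding(section, 'target file missing', line))
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group('cmd'))
            if '\\' not in exe:
                findings.append(Finding(section, f'bare filename {exe!r}: resolved via the search path, confirm where it really lives', line))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group('target') == '?':
            findings.append(Finding(section, 'startup shortcut target could not be resolved', line))
            continue
        m = DPF_RE.match(line)
        if m:
            findings.append(Finding(section, f'ActiveX download from {m.group("url")}: review the source', line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append(Finding(section, 'service with no publisher recorded', line))
    return findings


def by_section(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section, handy for a quick overview."""
    return dict(Counter(f.section for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} {f.reason}\n     {f.line}')
    print(by_section(triage(SAMPLE_LOG)))
```

    Run it on a saved HijackThis log by reading the file into `triage()`. The rules are deliberately conservative: they surface what an experienced helper reads first, and every hit still needs the file on disk, its publisher, and its location confirmed before anything is fixed, which is exactly why the instructions above say not to let HijackThis fix anything yet.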
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I need to confirm one or two things about this file- there is no simple fix for it, if it is what I think....

    Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK".

    Now I want you to open Windows Explorer and navigate down to Drive C:\WINDOWS and see if these files are present:

    WARNING!! Do Not tamper with or try to delete these files now!!!!! If you see them, post which ones you can find. They will be dealt with later. You will not be able to delete them now!

    C:\WINDOWS\INF\ultra.inf
    C:\WINDOWS\LastGood\system32\xlibgfl254.dll
    C:\WINDOWS\SYSTEM32\ultra\ultra.inf
    C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll
    C:\WINDOWS\SYSTEM32\xlibgfl254.dld <<<Note .dld

    Just post back about them.

    Next:

    Click HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Make sure you use the View Report button when your Panda online scan finishes.... Next, hit the "Save Report" button, that is what saves the log, which we very badly need to see... save the file to the desktop as activescan.txt and copy and paste it into your reply here.
     
  7. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    C:\WINDOWS\INF\ultra.inf ----- I found this
    C:\WINDOWS\LastGood\system32\xlibgfl254.dll ----- only folder under Last Good is INF and xlibgfl254.dll isn't in there
    C:\WINDOWS\SYSTEM32\ultra\ultra.inf ----- no folder titled ultra, but a file called ultra.sys in drivers folder
    C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll ----- no folder called ultra
    C:\WINDOWS\SYSTEM32\xlibgfl254.dld <<<Note .dld ----- no dld file under SYSTEM32

    Does it matter that the system 32 folder on my laptop is not on All Caps? I was able to find only one system32 folder under WINDOWS and it was system32.

    Here is the log of Active Scan:


    Incident Status Location

    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\xlibgfl254.dll
    Spyware:spyware/new.net Not disinfected Windows Registry
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\prksk6bk.default\cookies.txt[.go.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[servedby.advertising.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.tradedoubler.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.com.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Shahriar Raju\Application Data\Mozilla\Firefox\Profiles\m0jrrq02.default\cookies.txt[.atwola.com/]
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, the post that had a list of this malware's file locations may have had a typo and meant .dll, not .dld, but anyway, we found the guys:

    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\xlibgfl254.dll <<don't try to delete it, it's not going to just yet.

    I didn't have that exact location listed so you must have not seen it.


    How are you with working in the Windows Registry? Have you ever edited your Registry? Fixing this bug includes some of that.

    It will be a while before I get the info posted; keep checking.
     
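A defender-side triage of a scan report in the layout posted above, as an added example that is not from the thread, the forum helpers, or the scanner vendor. It parses the rows (the detection name can contain spaces, as in "Traffic Marketplace"), and separates the tracking-cookie hits from the one file under C:\WINDOWS that the reply singles out; the sample rows are constructed, and only the xlibgfl254.dll row is taken from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the scan report posted in this thread.
# Only the xlibgfl254.dll row comes from the thread; the other rows are made-up
# examples of the same shape (the real report listed dozens of cookie hits).
SAMPLE_REPORT = r"""
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt[.trafficmp.com/]
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\xlibgfl254.dll
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[1].txt
"""

# One row: "<class>:<family>/<name> <status> <path>". The name may contain
# spaces, so it is matched lazily up to the status words.
ROW = re.compile(
    r"^(?P<cls>[^:\s]+):(?P<family>[^/]+)/(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+)$"
)

@dataclass
class Finding:
    cls: str
    family: str
    name: str
    status: str
    path: str
    severity: str

def classify(family: str, path: str) -> str:
    """Tracking cookies are low; a file under the Windows directory is high."""
    if family == "Cookie":
        return "low"
    file_part = path.split("[", 1)[0].lower()  # drop a trailing [domain/] suffix
    return "high" if file_part.startswith("c:\\windows\\") else "medium"

def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # blank line, or a line in some other layout
            continue
        d = m.groupdict()
        findings.append(Finding(**d, severity=classify(d["family"], d["path"])))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))

def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Rows to look at first; cookie hits are routine browser cleanup."""
    return [f for f in findings if f.severity != "low"]
```

Nothing here deletes or modifies a file; it only ranks the report so the system32 hit is not lost among the cookie rows.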
  9. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    Windows Registry? Maybe I know it by another term. But, if you continue to give me the directions that you are giving, I think I will be able to work with it. Your directions have been clear and easy to follow. Thanks for your help. I'll keep checking.
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    The Registry, Start>Run>regedit

    It's the vital settings for everything that makes things work, software, hardware, etc.

    It takes the ability to be careful, follow the steps, and make sure you are in the right Reg key. I have a thread at another forum that shows you, in pictures, how to check the settings and change them to what is correct, and I will post that link. You could probably follow that guide for the Registry settings changes which may need to be done.
    There are things we need to do first. I will be a few minutes; if you are able to stay on, do so. I will be here till about 1 AM.
    The scans involved may be an hour each, depending on the computer and your Net connection.

    It's something that can be started this evening and finished tomorrow, also, so don't stay up all night with it. Nothing worse than that for you, and if you need sleep to go to work, by all means just take off and do that. I will be here tomorrow, and the next and the next....I live here! (Well, not all the time; for instance I will be out from 1:45pm Thursday until about 5 PM.) And, I am not online until about noon.

    OK, I don't want this link and what it looks like you have to go through to put you off, since I think we can shorten it a bit as you don't have the whole load here, so look through what they have the guy do at the link and see what you think.

    The link is at the Castlecops forum, but it says they are updating some software; it should be back up and running momentarily, I hope:

    http://www.castlecops.com/posts176821-30.html

    The next link you see will get you to the thread with steps, but don't do anything yet, as I will have them for you here; you can use the screenshots there to go by, OK?

    As soon as they get updated or whatever I'll post the link for you.
     
  11. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    Yeah, that's fine. I'll keep checking for the new link. But, I don't think I can stay up. I'm a college student.

    Edit to say: Do you just want me to check out the link that's up right now? And, you will add the link w/ directions for me? Right? This is for my clarification. Thanks.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, questions you had before:

    The site I need to get you to look at is still down, so that can wait till tomorrow.

    (The new link will be posted in a reply from me, hopefully tomorrow morning)

    The downloads, installs and scans will take a long time tonight, so skip it; do it all tomorrow!

    1. The system32 folder spelling is OK; that's the normal way it is.

    2. The file ultra.sys is a Maxtor driver, so do not delete it.

    Just posting this so you have it tomorrow when you have time:


    Next: Downloads> follow the directions carefully, as to settings you need to make, updating, and use.

    Download SuperAntiSpyware Home Edition Free Version

    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    Install the program

    Run SuperAntiSpyware and click: Check for updates
    Once the update is finished, on the main screen, click: Scan your computer
    Check: Perform Complete Scan
    Click Next to start the scan.

    Superantispyware scans the computer, (it will take a while) and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and let the scanner fix it.

    Restart the computer.

    Obtain the SuperAntiSpyware log as follows:
    Click: Preferences
    Click the Statistics/Logs tab
    Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    Notepad should open, or other text editor...
    Please copy the information in the SuperAntiSpyware log and post in your reply.

    _ _ _ _ _ _ _ _ _ _ Next: _ _ _ _

    COMBO FIX:
    Download ComboFix to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running, as that may cause it to stall.

    You will probably have the above done when I am online around noon and I will check.
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Wonderful, Castlecops is working again....

    I didn't want you to look at this tonight, as it might keep you up too late (or put you into a coma). It's done by someone very experienced in resetting Registry items, for security, which this malware changes. I think we will have an easier time, but I wanted you to be able to have a better idea of what it looks like, etc.

    So, don't be thinking you cannot do all that, because it's a lot easier than it looks. Here's the place:

    http://www.castlecops.com/postx176821-0-0.html

    It's 4 pages, much too much to get through tonight. A lot of it is screenshots, and slightly hard to see, but I can get better ones.

    Edit: If you had a good idea when this malware got in, you could probably do a System Restore back a ways and avoid having to fix it.... ever done a System Restore? This is not reinstalling, it's part of XP that puts the computer back to a state it was in at a previous time.... like GoBack.
     
  14. rajsa

    rajsa Thread Starter

    Joined:
    Feb 6, 2007
    Messages:
    56
    After I run the ComboFix, then you want me to run HijackThis in Safe Mode too? Clarification for me. Thanks.
     
  15. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, sorry....no, we need a HijackThis log made in Normal Mode, which you will be in after you restart from doing ComboFix.
     
Short URL to this thread: https://techguy.org/541926
