
strange, tough, impenetrable xlibgfl254.dll

Discussion in 'Virus & Other Malware Removal' started by shark67, Feb 8, 2007.

Thread Status:
Not open for further replies.
  1. shark67

    shark67 Thread Starter

    Joined:
    Feb 8, 2007
    Messages:
    1
    Hello Tech Guys-
    I have recently managed to get rid of about 3 of those trojan programs that load flashing alerts onto the bottom toolbar that redirect you to a website that tells you to buy trojan removal software. Now when I run my AOL virus scanner (McAfee), there is just one infected file, in my windows sys32 file: xlibgfl254.dll. What is this file? My McAfee kept asking me if I wanted to delete it because they could not clean or quarantine it. I'm sure it was not wise, but I Okayed the delete. McAfee was unable to delete it. I opened in safe mode and tried to delete it manually; it still would not let me. Is this file native to Windows XP and necessary to operate my system? How much danger am I in if I just leave it? McAfee identified the virus as a "trojan downloader" or some such. There are no other (visible) problems other than the warning I get from McAfee every time I start AOL.

    I also have Spybot search and destroy software.

    Any wisdom you could shine my way would be appreciated.
    shark
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, It's a trojan and is deletable, but you need a special tool.

    None of the programs will clean it, but there is a way to deal with it.

    I found a thread, not here at TSG, but a close relative of ours...
    where it is fixed. It does involve a little Registry editing since this malware changes security zone settings for you, so you have to put the settings back manually.
    It would be wise to both make a new Restore Point and back up the Registry before doing the fixing. As you may know, an average Registry backup is quite good-sized (around 39 Megabytes for my home computer with XP, made last night). It takes only a minute or so, and the backup can be saved in a folder right at the root of the C: drive or anywhere you prefer, such as a CD.


    BACKUP REG
    Go to Start > Run
    Type:
    • regedit
    Click OK.
    • On the left side, click to highlight My Computer at the top.
    • Go up to "File > Export"
      • Make sure in that window there is a tick next to "All" under Export Branch.
        Leave the "Save As Type" as "Registration Files".
        Under "Filename" put backup
    • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
    • Click save and then go to File > Exit.
    This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


    To Create a new Restore Point:

    You have to have System Restore turned "On" and the service running. You can verify that it is enabled by right-clicking My Computer > Properties > System Restore tab; if it says "Monitoring" it is enabled.

    Create the new Point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    OK, here is the thread about this same malware, called by Panda scan, the Adware:SecurityError

    http://www.castlecops.com/postx176821-0-0.html


    In that thread, at first they deal with some common other ad and spyware, then they get into removing what you have, and correcting the Registry. Not for the faint of heart.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, It has been told to me that you don't need to do all that Registry correction as in the Castlecops thread, and we can help you delete the bad file and possibly other items, this way:

    We need to be able to see the location of all the associated files, so please do this:


    First:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


    Next:

    Download ComboFix to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window while it's running as that may cause it to stall
    Restart the computer normally, into regular Windows, run a new scan with HijackThis, and post
    both the ComboFix and HJT logs here in a reply.
     
  4. jlchellman

    jlchellman

    Joined:
    Feb 12, 2007
    Messages:
    1
    Logfile of HijackThis v1.99.1
    Scan saved at 1:12:31 AM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\Common Files\AOL\1141133705\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
    C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
    C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1141133705\ee\SSCEvtHdlr.exe
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
    C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
    C:\Program Files\PC MightyMax\pcmm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\AOL\1141133705\ee\aolsoftware.exe
    C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    c:\program files\common files\aol\1141133705\ee\anotify.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\WINDOWS\system32\dwwin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141133705\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1141133705\ee\SSCRun.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141132825109
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    "HP_Owner" - 07-02-12 1:29:52 Service Pack 2
    ComboFix 07-02-11 - Running from: "C:\Documents and Settings\HP_Owner\My Documents"

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


    2007-02-12 00:45 <DIR> d-------- C:\Program Files\Hijackthis
    2007-02-11 22:49 <DIR> d-------- C:\Program Files\PC MightyMax
    2007-02-11 07:49 <DIR> d-------- C:\WINDOWS\report
    2007-02-11 07:48 86,094 --a------ C:\WINDOWS\BPMNT.dll
    2007-02-11 07:48 71,749 --a------ C:\WINDOWS\hcextoutput.dll
    2007-02-11 07:48 229,957 --a------ C:\WINDOWS\tsc.exe
    2007-02-11 07:48 1,101,904 --a------ C:\WINDOWS\vsapi32.dll
    2007-02-11 07:48 <DIR> d-------- C:\WINDOWS\AU_Backup
    2007-02-11 07:46 69,689 --a------ C:\WINDOWS\UNZIP.DLL
    2007-02-11 07:46 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
    2007-02-11 07:46 286,720 --a------ C:\WINDOWS\PATCH.EXE
    2007-02-11 07:46 <DIR> d-------- C:\WINDOWS\AU_Temp
    2007-02-11 07:46 <DIR> d-------- C:\WINDOWS\AU_Log
    2007-02-08 00:09 <DIR> d-------- C:\Program Files\BitComet Acceleration Patch
    2007-02-08 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\IDM
    2007-02-08 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\DMCache
    2007-02-08 00:01 <DIR> d-------- C:\Program Files\Internet Download Manager
    2007-02-07 18:36 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
    2007-02-06 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
    2007-02-05 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe(2)
    2007-02-04 03:12 3,670,016 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
    2007-01-30 23:55 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-01-30 23:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-01-30 23:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-01-27 07:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Viewpoint
    2007-01-12 15:25 98,304 --a------ C:\WINDOWS\system32\ATR062xLUSB.dll
    2007-01-12 15:25 98,304 --a------ C:\WINDOWS\ATR062xLUSB.dll
    2007-01-12 15:25 69,972 --a------ C:\WINDOWS\system32\FTSERIAL.SYS
    2007-01-12 15:25 69,632 --a------ C:\WINDOWS\system32\FTD2XX.dll
    2007-01-12 15:25 69,632 --a------ C:\WINDOWS\FTD2XX.dll
    2007-01-12 15:25 640,512 --a------ C:\WINDOWS\system32\OC30.DLL
    2007-01-12 15:25 57,404 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
    2007-01-12 15:25 56,031 --a------ C:\WINDOWS\system32\drivers\FTCSER2K.SYS
    2007-01-12 15:25 51,821 --a------ C:\WINDOWS\system32\ftserui2.dll
    2007-01-12 15:25 48,625 --a------ C:\WINDOWS\system32\FTCSUI2.DLL
    2007-01-12 15:25 48,625 --a------ C:\WINDOWS\FTCSUI2.DLL
    2007-01-12 15:25 46,592 --a------ C:\WINDOWS\system32\libusb0.dll
    2007-01-12 15:25 46,592 --a------ C:\WINDOWS\libusb0.dll
    2007-01-12 15:25 43,058 --a------ C:\WINDOWS\system32\drivers\FTCUSB.SYS
    2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\lasunin.exe
    2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\FTDIUNIN.EXE
    2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\ftcunin.exe
    2007-01-12 15:25 414,208 --a------ C:\WINDOWS\lasunin.exe
    2007-01-12 15:25 414,208 --a------ C:\WINDOWS\ftcunin.exe
    2007-01-12 15:25 36,864 --a------ C:\WINDOWS\system32\FTLang.dll
    2007-01-12 15:25 33,792 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
    2007-01-12 15:25 25,316 --a------ C:\WINDOWS\system32\FTSENUM.SYS
    2007-01-12 15:25 25,316 --a------ C:\WINDOWS\system32\drivers\FTCSENUM.SYS
    2007-01-12 15:25 24,209 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
    2007-01-12 15:25 22,592 --a------ C:\WINDOWS\system32\FTSERUI.DLL
    2007-01-12 15:25 22,592 --a------ C:\WINDOWS\system32\FTCSUI.DLL
    2007-01-12 15:25 22,592 --a------ C:\WINDOWS\FTCSUI.DLL


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-11 22:49 -------- d---s---- C:\DOCUME~1\HP_Owner\Application Data\microsoft
    2007-02-07 18:38 -------- d-------- C:\Program Files\america online 9.0a
    2007-02-05 22:08 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\adobeum
    2007-02-02 20:47 3884 --a--c--- C:\WINDOWS\viassary-hp.reg
    2007-01-12 17:07 -------- d-------- C:\Program Files\skytrx
    2007-01-07 14:12 -------- d-------- C:\Program Files\edmark
    2007-01-07 09:34 69000 --a--c--- C:\WINDOWS\hpoins05.dat
    2007-01-02 23:17 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\weatherbug
    2006-12-31 23:33 -------- d-------- C:\Program Files\easy internet signup
    2006-12-29 06:48 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\research in motion
    2006-12-29 06:47 -------- d-------- C:\Program Files\research in motion
    2006-12-29 06:47 -------- d-------- C:\Program Files\Common Files\research in motion
    2006-12-29 06:47 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\blackberry desktop
    2006-12-25 09:56 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\adobe
    2006-12-23 22:35 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\google
    2006-12-23 21:46 -------- d-------- C:\Program Files\google
    2006-12-23 21:45 -------- d-------- C:\Program Files\java
    2006-12-15 08:53 -------- d-------- C:\Program Files\aol
    2006-12-15 08:49 -------- d-------- C:\Program Files\Common Files\scanner
    2006-12-15 08:48 -------- d-------- C:\Program Files\Common Files\aol
    2006-12-15 08:47 -------- d-------- C:\Program Files\ca
    2006-12-15 08:45 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\aol
    2006-12-08 00:28 10920 --a------ C:\aolconnfix.exe
    2006-11-21 12:00 16904 --a------ C:\WINDOWS\system32\xlibgfl254.dll
    2006-11-16 11:44 103984 --a------ C:\WINDOWS\system32\aoldial.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
    "AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
    "HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "VTTimer"="VTTimer.exe"
    "AGRSMMSG"="AGRSMMSG.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "AlcWzrd"="ALCWZRD.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\AOLSoftware.exe"
    "AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\services\\safetyCore\\ver210_5_2_1\\AOLSP Scheduler.exe"
    "sscRun"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\SSCRun.exe"
    "OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
    "EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
    "AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
    "eFax 4.1"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
    "A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "Motive SmartBridge"="C:\\PROGRA~1\\verizon\\SMARTB~1\\MotiveSB.exe"
    "PCMMRealtime"="C:\\Program Files\\PC MightyMax\\pcmm.exe /R"
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "hirtellous"="{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-12 1:31:23
    C:\ComboFix2.txt ... 07-02-12 01:06
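    The ComboFix log above shows where the "impenetrable" file is hooked in: under the Reg Loading Points, xlibgfl254.dll has been appended to the LSA SecurityProviders value. LSASS loads every DLL in that list at boot, Safe Mode included, so an on-demand scanner or Explorer cannot unlink the file while lsass.exe holds it open; that is why McAfee and the Safe Mode delete both failed, and why a tool that deletes before Windows loads (as the next post uses) is needed. The script below is an added example for this page and is not part of ComboFix, The Avenger or any post in this thread. It parses the .reg-style "Reg Loading Points" dump (the sample is the excerpt posted above) and flags the suspicious load points. The baseline sets KNOWN_SECURITY_PROVIDERS and KNOWN_SSODL_CLSIDS are assumptions taken from the posted log, not an authoritative list of Windows XP defaults; compare against a known-clean machine of the same build.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix, The Avenger or any post.
A DLL appended to the LSA SecurityProviders list is loaded into lsass.exe at
every boot (Safe Mode included), which is why it cannot be deleted from a
running system and must be removed at boot time.
"""
import re

# Baseline SecurityProviders DLLs. Assumption: the four entries that precede
# the foreign DLL in the posted log, not an authoritative XP default list.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# ShellServiceObjectDelayLoad CLSIDs treated as known-good. Assumption: only
# the Windows Portable Devices shell object that appears in the posted log.
KNOWN_SSODL_CLSIDS = {"{aaa288ba-9a4c-45b0-95d7-94d524869db5}"}

# Excerpt of the 'Reg Loading Points' section from the ComboFix log posted
# above, trimmed to the keys this helper examines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"hirtellous"="{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"
"""

# A bracketed key header, or a bare key path (how ComboFix prints a subkey it
# singled out, such as a Winlogon Notify package).
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$|^(?P<bare>HKEY_.+)$', re.IGNORECASE)
# "name"="data" or @="data"; REG_MULTI_SZ lines (svchost block) do not match
# and are ignored on purpose.
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<val>.*)$')

SSP_KEY = r'hkey_local_machine\system\currentcontrolset\control\securityproviders'
SSODL_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload'
POLICY_RUN_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run'


def _unquote(val):
    """Strip the quotes of a REG_SZ literal and undo .reg-style escaping."""
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return val.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_sections(text):
    """Map each key path (original case) to its {value_name: data} dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key') or m.group('bare')
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group('name') if m.group('name') is not None else '@'
            sections[current][name] = _unquote(m.group('val'))
    return sections


def _section(sections, path):
    """Case-insensitive lookup of one key path; {} if absent."""
    for key, values in sections.items():
        if key.lower() == path:
            return values
    return {}


def rogue_security_providers(sections):
    """DLLs in the LSA SecurityProviders list that are outside the baseline."""
    raw = _section(sections, SSP_KEY).get('SecurityProviders', '')
    dlls = [p.strip().lower() for p in raw.split(',') if p.strip()]
    return [d for d in dlls if d not in KNOWN_SECURITY_PROVIDERS]


def unknown_ssodl_objects(sections):
    """SSODL entries (COM objects Explorer loads at logon) with an unrecognised CLSID."""
    return {name: clsid for name, clsid in _section(sections, SSODL_KEY).items()
            if clsid.lower() not in KNOWN_SSODL_CLSIDS}


def policy_run_entries(sections):
    """Policies\\Explorer\\Run is rarely used by legitimate software: list everything."""
    return dict(_section(sections, POLICY_RUN_KEY))


def winlogon_notify_packages(sections):
    """Names of Winlogon\\Notify subkeys ComboFix chose to print."""
    return [key.rsplit('\\', 1)[1] for key in sections
            if '\\winlogon\\notify\\' in key.lower()]


def triage(text):
    """Return (load_point, subject, why_it_matters) tuples for one log excerpt."""
    s = parse_reg_sections(text)
    findings = []
    for dll in rogue_security_providers(s):
        findings.append(('SecurityProviders', dll,
                         'loaded into lsass.exe at boot, Safe Mode included; remove at boot time'))
    for name, clsid in unknown_ssodl_objects(s).items():
        findings.append(('SSODL', f'{name} {clsid}',
                         'shell object loaded by Explorer; resolve the CLSID InprocServer32 DLL'))
    for name, cmd in policy_run_entries(s).items():
        findings.append(('Policies\\Explorer\\Run', f'{name} = {cmd}', 'uncommon autorun location'))
    for pkg in winlogon_notify_packages(s):
        findings.append(('Winlogon Notify', pkg, 'verify the DLL path and its publisher'))
    return findings


if __name__ == '__main__':
    for point, subject, why in triage(SAMPLE_LOG):
        print(f'{point:22} {subject:58} {why}')
```

    Run against the posted excerpt it reports four load points: the foreign SSP DLL, the "hirtellous" SSODL object (which the HijackThis log above shows with "(no file)"), the pmsngr.exe policy run entry, and the LMIinit Winlogon Notify package for manual verification. Only the SecurityProviders finding explains the locked file; the others are places a cleanup has to visit so the loader does not simply return.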
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop so avenger.exe shows on your Desktop.

    2. Please double click on Avenger.exe.

    3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Files to delete:

    C:\WINDOWS\system32\xlibgfl254.dll
    C:\WINDOWS\INF\ultra.inf
    C:\WINDOWS\LastGood\system32\xlibgfl254.dll
    C:\WINDOWS\SYSTEM32\ultra\ultra.inf
    C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    4. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    5. The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    6. Please copy/paste the content of c:\avenger.txt into your reply.


    Next:

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    (You do that by clicking the .zip folder on the desktop, selecting "Extract All" in the wizard window, using the Browse button to change whatever shows as the location to unzip TO to "Desktop", unchecking "Show Extracted Files" first, and clicking OK.)
    Find the newly created SmitFraudFix folder....
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm


    So, two logs....Avenger, and SmitFraudfix.
     
Short URL to this thread: https://techguy.org/542498

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice