strange, tough, impenetrable xlibgfl254.dll

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

shark67

Thread Starter
Joined
Feb 8, 2007
Messages
1
Hello Tech Guys-
I have recently managed to get rid of about 3 of those trojan programs that load flashing alerts onto the bottom toolbar that redirect you to a website that tells you to buy trojan removal software. Now when I run my AOL virus scanner (McAfee), there is just one infected file, in my Windows sys32 file: xlibgfl254.dll. What is this file? My McAfee kept asking me if I wanted to delete it because they could not clean or quarantine it. I'm sure it was not wise, but I okayed the delete. McAfee was unable to delete it. I opened in safe mode and tried to delete it manually, still would not let me. Is this file native to Windows XP and necessary to operate my system? How much danger am I in if I just leave it? McAfee identified the virus as a "trojan downloader" or somesuch. There are no other (visible) problems other than the warning I get from McAfee every time I start AOL.

I also have Spybot search and destroy software.

Any wisdom you could shine my way would be appreciated.
shark
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, it's a trojan and is deletable, but you need a special tool.

None of the programs will clean it, but there is a way to deal with it.

I found a thread, not here at TSG, but a close relative of ours...
where it is fixed. It does involve a little Registry editing since this malware changes security zone settings for you, so you have to put the settings back manually.
It would be wise to both make a new Restore Point, and back up the Registry, before doing the fixing. As you may know, an average Registry backup is quite good sized, (around 39 Megabytes for my home computer with XP made last night). It takes only a minute or so, and the backup can be saved in a folder right at the root of the C: drive or anywhere you prefer such as a CD.


BACKUP REG
Go to Start > Run
Type:
  • regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


To Create a new Restore Point:

You have to have System Restore turned "On" and the service running; you can verify that it is enabled by right-clicking My Computer > Properties > System Restore tab; if it says "Monitoring" it is enabled.

Create the new Point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

OK, here is the thread about this same malware, which Panda scan calls Adware:SecurityError:

http://www.castlecops.com/postx176821-0-0.html


In that thread, at first they deal with some common other ad and spyware, then they get into removing what you have, and correcting the Registry. Not for the faint of heart.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, it has been told to me that you don't need to do all that Registry correction as in the Castlecops thread, and we can help you delete the bad file and possibly other items, this way:

We need to be able to see the location of all the associated files, so please do this:


First:

Go to: Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Next:

Download ComboFix to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.
Restart the computer normally, into regular Windows, and run a new scan with HijackThis, then post both the ComboFix and HJT logs here in a reply.
 
Joined
Feb 12, 2007
Messages
1
Logfile of HijackThis v1.99.1
Scan saved at 1:12:31 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\AOL\1141133705\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1141133705\ee\SSCEvtHdlr.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\PC MightyMax\pcmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\AOL\1141133705\ee\aolsoftware.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe
c:\program files\common files\aol\1141133705\ee\anotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141133705\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1141133705\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141132825109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1141133705\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

"HP_Owner" - 07-02-12 1:29:52 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\HP_Owner\My Documents"

((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-12 00:45 <DIR> d-------- C:\Program Files\Hijackthis
2007-02-11 22:49 <DIR> d-------- C:\Program Files\PC MightyMax
2007-02-11 07:49 <DIR> d-------- C:\WINDOWS\report
2007-02-11 07:48 86,094 --a------ C:\WINDOWS\BPMNT.dll
2007-02-11 07:48 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2007-02-11 07:48 229,957 --a------ C:\WINDOWS\tsc.exe
2007-02-11 07:48 1,101,904 --a------ C:\WINDOWS\vsapi32.dll
2007-02-11 07:48 <DIR> d-------- C:\WINDOWS\AU_Backup
2007-02-11 07:46 69,689 --a------ C:\WINDOWS\UNZIP.DLL
2007-02-11 07:46 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
2007-02-11 07:46 286,720 --a------ C:\WINDOWS\PATCH.EXE
2007-02-11 07:46 <DIR> d-------- C:\WINDOWS\AU_Temp
2007-02-11 07:46 <DIR> d-------- C:\WINDOWS\AU_Log
2007-02-08 00:09 <DIR> d-------- C:\Program Files\BitComet Acceleration Patch
2007-02-08 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\IDM
2007-02-08 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\DMCache
2007-02-08 00:01 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-02-07 18:36 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
2007-02-06 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-02-05 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe(2)
2007-02-04 03:12 3,670,016 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-01-30 23:55 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-30 23:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-30 23:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-27 07:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Viewpoint
2007-01-12 15:25 98,304 --a------ C:\WINDOWS\system32\ATR062xLUSB.dll
2007-01-12 15:25 98,304 --a------ C:\WINDOWS\ATR062xLUSB.dll
2007-01-12 15:25 69,972 --a------ C:\WINDOWS\system32\FTSERIAL.SYS
2007-01-12 15:25 69,632 --a------ C:\WINDOWS\system32\FTD2XX.dll
2007-01-12 15:25 69,632 --a------ C:\WINDOWS\FTD2XX.dll
2007-01-12 15:25 640,512 --a------ C:\WINDOWS\system32\OC30.DLL
2007-01-12 15:25 57,404 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
2007-01-12 15:25 56,031 --a------ C:\WINDOWS\system32\drivers\FTCSER2K.SYS
2007-01-12 15:25 51,821 --a------ C:\WINDOWS\system32\ftserui2.dll
2007-01-12 15:25 48,625 --a------ C:\WINDOWS\system32\FTCSUI2.DLL
2007-01-12 15:25 48,625 --a------ C:\WINDOWS\FTCSUI2.DLL
2007-01-12 15:25 46,592 --a------ C:\WINDOWS\system32\libusb0.dll
2007-01-12 15:25 46,592 --a------ C:\WINDOWS\libusb0.dll
2007-01-12 15:25 43,058 --a------ C:\WINDOWS\system32\drivers\FTCUSB.SYS
2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\lasunin.exe
2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\FTDIUNIN.EXE
2007-01-12 15:25 414,208 --a------ C:\WINDOWS\system32\ftcunin.exe
2007-01-12 15:25 414,208 --a------ C:\WINDOWS\lasunin.exe
2007-01-12 15:25 414,208 --a------ C:\WINDOWS\ftcunin.exe
2007-01-12 15:25 36,864 --a------ C:\WINDOWS\system32\FTLang.dll
2007-01-12 15:25 33,792 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
2007-01-12 15:25 25,316 --a------ C:\WINDOWS\system32\FTSENUM.SYS
2007-01-12 15:25 25,316 --a------ C:\WINDOWS\system32\drivers\FTCSENUM.SYS
2007-01-12 15:25 24,209 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
2007-01-12 15:25 22,592 --a------ C:\WINDOWS\system32\FTSERUI.DLL
2007-01-12 15:25 22,592 --a------ C:\WINDOWS\system32\FTCSUI.DLL
2007-01-12 15:25 22,592 --a------ C:\WINDOWS\FTCSUI.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 22:49 -------- d---s---- C:\DOCUME~1\HP_Owner\Application Data\microsoft
2007-02-07 18:38 -------- d-------- C:\Program Files\america online 9.0a
2007-02-05 22:08 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\adobeum
2007-02-02 20:47 3884 --a--c--- C:\WINDOWS\viassary-hp.reg
2007-01-12 17:07 -------- d-------- C:\Program Files\skytrx
2007-01-07 14:12 -------- d-------- C:\Program Files\edmark
2007-01-07 09:34 69000 --a--c--- C:\WINDOWS\hpoins05.dat
2007-01-02 23:17 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\weatherbug
2006-12-31 23:33 -------- d-------- C:\Program Files\easy internet signup
2006-12-29 06:48 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\research in motion
2006-12-29 06:47 -------- d-------- C:\Program Files\research in motion
2006-12-29 06:47 -------- d-------- C:\Program Files\Common Files\research in motion
2006-12-29 06:47 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\blackberry desktop
2006-12-25 09:56 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\adobe
2006-12-23 22:35 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\google
2006-12-23 21:46 -------- d-------- C:\Program Files\google
2006-12-23 21:45 -------- d-------- C:\Program Files\java
2006-12-15 08:53 -------- d-------- C:\Program Files\aol
2006-12-15 08:49 -------- d-------- C:\Program Files\Common Files\scanner
2006-12-15 08:48 -------- d-------- C:\Program Files\Common Files\aol
2006-12-15 08:47 -------- d-------- C:\Program Files\ca
2006-12-15 08:45 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\aol
2006-12-08 00:28 10920 --a------ C:\aolconnfix.exe
2006-11-21 12:00 16904 --a------ C:\WINDOWS\system32\xlibgfl254.dll
2006-11-16 11:44 103984 --a------ C:\WINDOWS\system32\aoldial.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\AOLSoftware.exe"
"AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\services\\safetyCore\\ver210_5_2_1\\AOLSP Scheduler.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1141133705\\ee\\SSCRun.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"eFax 4.1"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Motive SmartBridge"="C:\\PROGRA~1\\verizon\\SMARTB~1\\MotiveSB.exe"
"PCMMRealtime"="C:\\Program Files\\PC MightyMax\\pcmm.exe /R"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"hirtellous"="{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 1:31:23
C:\ComboFix2.txt ... 07-02-12 01:06
 
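As an added illustration (not part of the thread, and not code from ComboFix, HijackThis or The Avenger): a small Python script that parses the "Reg Loading Points" section of a ComboFix-style dump and flags the three entries the helpers act on in this thread, namely a DLL in the SecurityProviders list that is not an XP default (such a DLL is loaded by lsass.exe at boot, which is why the file stays locked even in Safe Mode and needs a boot-time deletion tool), anything under policies\explorer\run, and a ShellServiceObjectDelayLoad entry outside the XP default set. The XP default-provider list, the SSODL allowlist and the sample dump are assumptions, the sample being constructed from the log posted above.

```python
"""Flag suspicious autostart entries in a ComboFix-style 'Reg Loading Points' dump.

Added example, not part of the original thread or of any of the tools it names.
"""
import re

# Assumption: the Windows XP SP2 default SecurityProviders value.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Assumption: ShellServiceObjectDelayLoad names that ship with XP (WPD adds WPDShServiceObj).
DEFAULT_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray", "wpdshserviceobj"}

# Constructed excerpt modelled on the ComboFix output posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"hirtellous"="{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_dump(text):
    """Return {key_path_lowercased: {value_name: data}} from a .reg-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # regedit-style exports double every backslash; undo that for readability.
            keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def find_findings(keys):
    """Apply the three checks that match the entries the helpers targeted."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r"\control\securityproviders"):
            raw = values.get("SecurityProviders", "")
            for dll in (p.strip().lower() for p in raw.split(",") if p.strip()):
                if dll not in DEFAULT_SECURITY_PROVIDERS:
                    # A non-default SSP is loaded into lsass.exe at every boot.
                    findings.append(("securityprovider", dll))
        elif key.endswith(r"\policies\explorer\run"):
            # Legitimate installers do not use this key; anything here is suspect.
            for data in values.values():
                findings.append(("policies-run", data))
        elif key.endswith(r"\shellserviceobjectdelayload"):
            for name, data in values.items():
                if name.lower() not in DEFAULT_SSODL:
                    findings.append(("ssodl", f"{name} {data}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_findings(parse_reg_dump(SAMPLE_DUMP)):
        print(f"{kind:17s} {detail}")
```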

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi,

Please download The Avenger by Swandog46 to your Desktop.
  • Right Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop so avenger.exe shows on your Desktop.

1. Please double click on Avenger.exe.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to delete:

C:\WINDOWS\system32\xlibgfl254.dll
C:\WINDOWS\INF\ultra.inf 
C:\WINDOWS\LastGood\system32\xlibgfl254.dll 
C:\WINDOWS\SYSTEM32\ultra\ultra.inf 
C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Next:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
(You do that by clicking the .zip folder on the desktop, selecting "Extract All" in the wizard window, using the Browse button, changing whatever shows as the location to unzip to "Desktop", and clicking OK; uncheck "Show Extracted Files" first.)
Find the newly created SmitFraudFix folder....
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


So, two logs: Avenger and SmitfraudFix.
 