Possibly Smitfraud Related


#1 jhsmurray


  • Members
  • 383 posts
  • Location:6,378 km above the Earth's core
  • Local time:12:14 AM

Posted 19 September 2007 - 06:18 AM

Does anyone know about this type (or these types) of infection, by way of symptoms?

Working on an XPSP2 Dell desktop, on a domain. While installing Symantec Antivirus 10.2 (managed), I was logged in locally with admin rights.
- I got an alert saying the c:\WINDOWS\system32\xlibgfl254.dll is not a valid Windows image. This happens under any login on this machine.
- While logged in (under this login only), the windows themselves look a little funny - the minimize, maximize and close buttons on the top right are somewhat smaller and off-centered.
- Alerted by SAV about Zlob infection, which was then reported as cleaned.
- While under this login only, cannot install/uninstall anything, getting errors regarding access rights.
- While under this login only, right-clicking on the IE icon and selecting the Security tab shows that there is only one security zone: restricted.
- While under this login, cannot run HJT due to permission restrictions (although this logon is in the admin group)!

Things I've done so far:
I manually deleted the xlibgfl254.dll file, without any problems.
Full updated scan in safe mode with Spybot showed nothing.
I did a preliminary HJT log check under a different admin login, and didn't find anything interesting (I am only a trainee still, though).

When the computer is not in use later today, I plan on doing the SmitFraud fix, another SAV in-depth scan, an online scan with HouseCall and McAfee's Stinger.
Any things to look for would be appreciated.

Acer Aspire 5732z
OS: Windows 7 Ultimate
Processor: Intel Pentium III Xeon, 2200 MHz
Display: Mobile Intel GMA 4500M



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,771 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:14 AM

Posted 19 September 2007 - 01:45 PM

Here are the VirusTotal scan results on xlibgfl254.dll that I found in another posting.

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | | 02.07.2007 | TR/Zlob.JF |
| Authentium | 4.93.8 | 02.07.2007 | no virus found |
| Avast | 4.7.936.0 | 02.07.2007 | no virus found |
| AVG | 386 | 02.07.2007 | no virus found |
| BitDefender | 7.2 | 02.08.2007 | Trojan.Zlob.JF |
| CAT-QuickHeal | 9.00 | 02.07.2007 | TrojanSpy.Agent.swz |
| ClamAV | devel-20060426 | 02.08.2007 | no virus found |
| DrWeb | 4.33 | 02.08.2007 | DLOADER.Trojan |
| eSafe | | 02.07.2007 | no virus found |
| eTrust-InoculateIT | 30.4.3374 | 02.07.2007 | no virus found |
| eTrust-Vet | 30.4.3374 | 02.07.2007 | no virus found |
| Ewido | 4.0 | 02.07.2007 | no virus found |
| Fortinet | | 02.08.2007 | Spy/Agent |
| F-Prot | | 02.07.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 02.08.2007 | no virus found |
| Ikarus | T3.1.0.31 | 02.08.2007 | Trojan.Zlob.JF |
| Kaspersky | | 02.08.2007 | no virus found |
| McAfee | 4958 | 02.07.2007 | Generic Downloader.bt |
| Microsoft | 1.2101 | 02.08.2007 | no virus found |
| NOD32v2 | 2044 | 02.07.2007 | probably a variant of Win32/Genetik |
| Norman | 5.80.02 | 02.07.2007 | no virus found |
| Panda | | 02.07.2007 | Adware/SecurityError |
| Prevx1 | V2 | 02.08.2007 | Win32.Malware.gen |
| Sophos | 4.13.0 | 02.08.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 02.02.2007 | Trojan-Downloader.Win32.Agent.bfj |
| Symantec | 10 | 02.08.2007 | no virus found |
| TheHacker | | 02.07.2007 | no virus found |
| UNA | 1.83 | 02.07.2007 | no virus found |

Additional Information
File size: 18432 bytes
MD5: 3e4852736ba5345cb497ad240b409b4f
SHA1: 0391103a561532b771916174e8e9b7dc19312711
packers: UPX

I'm finding it with all sorts of other malware and you probably should post a HijackThis log in the HijackThis Logs and Malware Removal forum, for a second opinion to see what else is lurking about.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
