Possibly Smitfraud Related



#1 jhsmurray


Posted 19 September 2007 - 06:18 AM

Does anyone know about this type (or these types) of infection, by way of symptoms?

Working on an XPSP2 Dell desktop, on a domain. While installing Symantec Antivirus 10.2 (managed), I was logged in locally with admin rights.
- I got an alert saying that c:\WINDOWS\system32\xlibgfl254.dll is not a valid Windows image. This happens under any login on this machine.
- While logged in (under this login only), the windows themselves look a little funny - the minimize, maximize and close buttons on the top right are somewhat smaller and off-centered.
- Alerted by SAV about Zlob infection, which was then reported as cleaned.
- While under this login only, cannot install/uninstall anything, getting errors regarding access rights.
- While under this login only, right-clicking on the IE icon and selecting the Security tab shows that there is only one security zone: restricted.
- While under this login, cannot run HJT due to permission restrictions (although this logon is in the admin group)!

Things I've done so far:
I manually deleted the xlibgfl254.dll file, without any problems.
Full updated scan in safe mode with Spybot showed nothing.
I did a preliminary HJT log check under a different admin login, and didn't find anything interesting (I am only a trainee still, though).

When the computer is not in use later today, I plan on doing the SmitFraud fix, another SAV in-depth scan, an online scan with HouseCall and McAfee's Stinger.
Any things to look for would be appreciated.

Acer Aspire 5732z
OS: Windows 7 Ultimate
Processor: Intel Pentium III Xeon, 2200 MHz
RAM: 3 GB
Display: Mobile Intel GMA 4500M


#2 quietman7


Posted 19 September 2007 - 01:45 PM

Here are the VirusTotal scan results on xlibgfl254.dll that I found in another posting.

Antivirus Version Update Result
AntiVir 7.3.1.34 02.07.2007 TR/Zlob.JF
Authentium 4.93.8 02.07.2007 no virus found
Avast 4.7.936.0 02.07.2007 no virus found
AVG 386 02.07.2007 no virus found
BitDefender 7.2 02.08.2007 Trojan.Zlob.JF
CAT-QuickHeal 9.00 02.07.2007 TrojanSpy.Agent.swz
ClamAV devel-20060426 02.08.2007 no virus found
DrWeb 4.33 02.08.2007 DLOADER.Trojan
eSafe 7.0.14.0 02.07.2007 no virus found
eTrust-InoculateIT 30.4.3374 02.07.2007 no virus found
eTrust-Vet 30.4.3374 02.07.2007 no virus found
Ewido 4.0 02.07.2007 no virus found
Fortinet 2.85.0.0 02.08.2007 Spy/Agent
F-Prot 4.2.1.29 02.07.2007 no virus found
F-Secure 6.70.13030.0 02.08.2007 no virus found
Ikarus T3.1.0.31 02.08.2007 Trojan.Zlob.JF
Kaspersky 4.0.2.24 02.08.2007 no virus found
McAfee 4958 02.07.2007 Generic Downloader.bt
Microsoft 1.2101 02.08.2007 no virus found
NOD32v2 2044 02.07.2007 probably a variant of Win32/Genetik
Norman 5.80.02 02.07.2007 no virus found
Panda 9.0.0.4 02.07.2007 Adware/SecurityError
Prevx1 V2 02.08.2007 Win32.Malware.gen
Sophos 4.13.0 02.08.2007 no virus found
Sunbelt 2.2.907.0 02.02.2007 Trojan-Downloader.Win32.Agent.bfj
Symantec 10 02.08.2007 no virus found
TheHacker 6.1.6.053 02.07.2007 no virus found
UNA 1.83 02.07.2007 no virus found
Aditional Information
File size: 18432 bytes
MD5: 3e4852736ba5345cb497ad240b409b4f
SHA1: 0391103a561532b771916174e8e9b7dc19312711
packers: UPX
packers: UPX
packers: UPX


I'm finding it with all sorts of other malware, and you probably should post a HijackThis log in the HijackThis Logs and Malware Removal forum for a second opinion, to see what else is lurking about.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
