Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Xlib(something)254.bll


  • Please log in to reply
32 replies to this topic

#1 marionyoshi

marionyoshi

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 08:00 AM

ive been tryin to delete this trogjan with help from otehr forums, and applications, but this site looks like it can help me.

i forgot the middle of the name, but it went soemthing like this,

xlib---254.bll

please post somethings that MIGHT be it. it may jolt my memory, because MY TOOLABR HAS BEEN GONE FOR A LONG TIME. im gonna restart my computer and check back here for replies, thank you.

~MarioNYoshi


EDIT:

The name of it is

xlibgfl254.bll


EDITx2:

I found its directory.

C:\WINDOWS\system32\xlibgfl254.bll

When I try to delete it says:

"This program is being used by another system/operator"

Edited by marionyoshi, 13 April 2007 - 08:32 AM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 08:39 AM

Welcome to the BleepingComputer HijackThis forum marionyoshi :thumbsup:

Download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default,a desktop shortcut will also be created.
Launch Hijack This and press:'Do a system scan and save a logfile'.
Notepad will pop up showing the Hijack This log.
Copy and paste the contents of that log into your next reply.

*Please Note*
You'll also find the 'hijackthis' logfile in C:\Program Files\Hijackthis.
Posted Image
Posted Image

#3 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 08:43 AM

The page doesnt work :thumbsup:

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 08:51 AM

The page doesnt work

Please explain what you mean by the above,do you mean you're not able to download Hijackthis,is the link working for you because it's working fine here.
Posted Image
Posted Image

#5 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 08:52 AM

it says "this page cannot be displayed"

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 09:11 AM

I've attached the file to the bottom of this post,you'll have to unzip it to your desktop prior to installation.
Posted Image
Posted Image

#7 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 09:16 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:15:14 AM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\Profiler.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "c:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\dlm.exe" /windowsstart /startifwork
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.bigalgames.com/online2/bejewe...aploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 09:36 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Exit Hijackthis.

*********************************

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

*********************************

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

*********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt,and a new Hijackthis log into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#9 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 09:50 AM

im up to the Java Runtime thingy, and when i click "download" the page is like "The page cannot be displayed"

can u send me a attachment thing while i do the last step?


EDIT:

heres the thingy for that step 3 (combofix)




"Linda" - 07-04-14 7:54:45 Service Pack 2
ComboFix 07-04-13.2.V - Running from: C:\Documents and Settings\Linda\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Linda\APPLIC~1.\install.dat


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MCHINJDRV


((((((((((((((((((((((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))))))))))))))))))))))))


2007-04-14 05:43 <DIR> d-------- C:\!KillBox
2007-04-13 21:36 <DIR> d-------- C:\DOCUME~1\Linda\APPLIC~1\Xfire
2007-04-13 21:35 <DIR> d---s---- C:\Program Files\Xfire
2007-04-13 14:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-10 02:29 <DIR> d-------- C:\ca8f404e7290d6efbe76b4
2007-04-07 21:00 <DIR> d-------- C:\Program Files\Call of Duty Single Player Demo
2007-04-07 20:41 <DIR> d-------- C:\Program Files\EA GAMES
2007-04-07 08:54 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-07 08:54 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-07 08:54 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-07 08:54 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-07 08:54 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-07 08:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-07 08:54 <DIR> d-------- C:\DOCUME~1\Linda\APPLIC~1\PC Tools
2007-04-07 08:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-06 01:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-02 00:55 <DIR> d-------- C:\DOCUME~1\Linda\APPLIC~1\TrojanHunter
2007-04-02 00:11 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-04-01 23:01 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-01 16:49 <DIR> d-------- C:\DOCUME~1\Linda\APPLIC~1\SpywareBot
2007-04-01 16:10 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-27 23:41 <DIR> d-------- C:\WINDOWS\provisioning
2007-03-27 23:41 <DIR> d-------- C:\WINDOWS\peernet
2007-03-27 23:32 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-03-27 23:15 <DIR> d-------- C:\WINDOWS\EHome
2007-03-25 21:03 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-03-25 21:03 <DIR> d-------- C:\Program Files\Gutterball 2
2007-03-22 02:30 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-03-22 02:30 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-10 19:12 -------- d-------- C:\Program Files\steam
2007-04-10 02:32 -------- d-------- C:\Program Files\messenger
2007-04-07 22:42 -------- d-------- C:\DOCUME~1\Linda\APPLIC~1\skype
2007-04-07 22:36 -------- d-------- C:\DOCUME~1\Linda\APPLIC~1\ign_dlm
2007-04-07 20:41 -------- d--h----- C:\Program Files\installshield installation information
2007-04-07 17:32 -------- d-------- C:\Program Files\wisdom-soft autoscreenrecorder
2007-04-05 23:04 -------- d-------- C:\Program Files\limewire
2007-04-05 22:46 -------- d-------- C:\Program Files\incomplete
2007-04-01 18:17 11376 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-27 23:41 -------- d-------- C:\Program Files\movie maker
2007-03-27 23:31 -------- d-------- C:\Program Files\windows nt
2007-03-27 18:57 -------- d-------- C:\Program Files\microsoft games
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-28 20:34 -------- d-------- C:\Program Files\gamespy arcade
2007-02-27 23:03 -------- d-------- C:\Program Files\oberon media
2007-02-27 23:03 -------- d-------- C:\Program Files\egames
2007-02-23 15:36 -------- d-------- C:\Program Files\gizmoz talking headz
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{243B17DE-77C7-46BF-B94B-0B5F309A0E64} C:\Program Files\Microsoft Money\System\mnyside.dll
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="\"c:\\Program Files\\Microsoft Works\\WkDetect.exe\""
"igndlm.exe"="\"C:\\Program Files\\IGN\\Download Manager\\dlm.exe\" /windowsstart /startifwork"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="\"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe\""
"Symantec NetDriver Monitor"="\"C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe\" /Consumer"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe\""
"EPSON Stylus CX3800 Series"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE\" /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB001\" /M \"Stylus CX3800\""
"Profiler"="\"C:\\Program Files\\Saitek\\Software\\Profiler.exe\""
"SaiMfd"="\"C:\\Program Files\\Saitek\\Software\\SaiMfd.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RealTray"="\"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe\" SYSTEMBOOTHIDEPLAYER"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SDTray"="\"C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Linda.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\wrSpySweeper20060410215352.job
C:\WINDOWS\tasks\wrSpySweeper_581D7AC5ABC44FE6AE9A869D037D8DC2.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-14 8:29:08
C:\ComboFix-quarantined-files.txt ... 07-04-14 08:29

Edited by marionyoshi, 13 April 2007 - 10:49 AM.


#10 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 11:11 AM

sorry for dp, but

the trojan downloader is deleted! :D

thank you for the dickcleaner, killbot, combofix, and hijacklist.


if i need any more help ill kno where to go :D



THANK YOU!

Edited by marionyoshi, 13 April 2007 - 11:12 AM.


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 11:31 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

**************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Find and delete:
C:\Documents and Settings\Linda\Application Data\SpywareBot
C:\Program Files\Gamespy Arcade
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************

See if you're able to download Sun Java JRE 6 from here,then follow the install instructions i posted earlier:
http://www.softpedia.com/get/Programming/S...-Java-JRE.shtml

**************************

If everything went ok above,please finally do the following:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#12 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 02:56 PM

it wont disk clean-up.

when i open it the bar starts at 3, abd never goes up.

it was calculating the space gonna be used or something

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 13 April 2007 - 03:13 PM

Follow these instructions then try Disk Cleanup again:

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress old files]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files]
"LastAccess"=dword:00000000


Posted Image
Posted Image

#14 marionyoshi

marionyoshi
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 13 April 2007 - 11:00 PM

why do i need to diskcheck?

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 14 April 2007 - 07:07 AM

why do i need to diskcheck?

I haven't asked you to do that,have you completed all of the instructions please,are you still having problems.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users