#1
Member (5 bit)
Unknown DLL -> virus ?
Hello guys & girls
For a week now, about 5 minutes after booting my Windows XP, I get an error message saying: "AN error has occured when trying to open the file "..... system32/aklui.cpy.dll", UMonitor". So I checked in the system32 folder, looked for the aklui file, and I found 2 files: aklui.cpy.dll and aklui.dll. I tried deleting them in normal and safe mode, couldn't.... Help me please ... and I'll give you a cookie.
#2
Registered User
Join Date: Nov 2001
Posts: 1,965
Hi Agurri, and welcome to PC Mech
Looks like you have spyware, check out this for more info: http://www.pestpatrol.com/PestInfo/h/helpexpress.asp To remove the spyware, download Ad-aware and SpyBot S&D, and scan your computer. Good luck.
#3
Member (5 bit)
Thanks for your help. I did try with Ad-aware and it didn't work. I also tried the built-in spyware cleaner of my firewall (Armor2Net), again nothing. I don't think it's spyware, but still I'm gonna try with SpyBot too.
#4
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
Also try SpywareGuard and SpywareBlaster. They aren't scanners; they work in the background and keep you spyware-free as long as they are updated: www.javacoolsoftware.com
__________________
redqueen: Antec Sonata, Pentium-D 2.5GHz, MSI G31M3-L, 2GB ram, 320 GB HDD, OpenBSD hal9000: Lenovo T61, 2GB ram, 120 GB HDD, FreeBSD
#5
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download HijackThis. Save it to its own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click "Scan". When the scan is finished (it only takes a second), the scan button will change to "Save Log". Click on "Save Log" and save it to NotePad. Copy the entire log and paste it here. DO NOT FIX ANYTHING YET; most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
#6
Member (5 bit)
Ok Lobos, I ran HijackThis and it gave me:

Logfile of HijackThis v1.97.7
Scan saved at 16:14:50, on 2004-04-17
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\zstatus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sw32.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27888b03...dxIE601_fr.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/...erAX_Win32.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...937.4261574074
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Good or not ?
#7
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
OK, I just got back to my comp. Let me go through your log; it might take me a little bit, so bear with me.
But in the meantime I suggest doing an antivirus scan.
#8
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
And if possible,
run an online antivirus check from at least one and preferably 2 of the following sites: http://www.pandasoftware.com/activescan/ http://housecall.trendmicro.com/ http://www.ravantivirus.com/scan/ It looks like you have the Agobot worm.
#9
Member (5 bit)
That's another problem ... I have McAfee VirusScan, which I bought like ... 4 months ago. Everything was fine, I could update it without any problems, but for 3 weeks now, each time I want to update it ... it crashes. Not the whole comp, nor McAfee, but just the updater.... so I can't update anything .....
I scanned but nothing was found....
#10
Member (5 bit)
I tried with Symantec, and they gave me this:
C:\Program Files\Windows Media Player\wmplayer.exe.tmp is infected with Downloader.Trojan
C:\Documents and Settings\laferriere\Local Settings\Temprad414DD.tmp.com is infected with Trojan Horse
C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7afb8f5a-5613a834.zip is infected with Trojan.ByteVerify
C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7271642a-45aa9cc6.zip is infected with Trojan.ByteVerify
Agobot ... don't know him
#11
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
Then I would try one of the online scanners I posted above.
#12
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
Run HJT, close all browsers and fix these:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sw32.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
Then reboot into Safe Mode by pressing F8 and delete these:
C:\WINDOWS\alchem.exe
sw32.exe
svchos1.exe
Then reboot and post another log please.
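The rules Lobos applied to the O4 and O16 lines above (RunServices autostarts, bare filenames, system-binary lookalikes like svchos1.exe, and ActiveX downloads with no description) can be written down as a small checker. This is an added example for this thread, not a HijackThis feature and not anyone's tool from the forum; the sample lines are constructed to match the shape of the log in #6, and the system-binary list and the one-character edit-distance threshold are my own assumptions.

```python
import re

# Constructed sample in the shape HijackThis prints, modelled on O4/O16 lines from the log in #6.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sw32.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
'''
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# Assumed list of core Windows binaries whose names malware likes to imitate.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer", "spoolsv"}

def levenshtein(a, b):
    # Plain edit distance; catches one-character lookalikes such as svchos1 vs svchost.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_line(line):
    # Reasons a single HJT line looks suspicious (empty list if none).
    reasons = []
    m = O4_RE.match(line)
    if m:
        cmd = m["cmd"].strip()  # image path: a quoted path, or an unquoted one up to its extension
        q = re.match(r'"([^"]*)"|(\S.*?\.(?:exe|com|scr|bat))(?:\s|$)', cmd, re.I)
        path = (q.group(1) or q.group(2)) if q else cmd.split(" ")[0]
        stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if m["key"].lower() == "runservices":
            reasons.append("RunServices key (Win9x-era; legitimate XP software rarely uses it)")
        if "\\" not in path:
            reasons.append("bare filename with no path")
        if stem not in SYSTEM_BINARIES and any(levenshtein(stem, s) == 1 for s in SYSTEM_BINARIES):
            reasons.append("one-character lookalike of a Windows system binary")
        if re.fullmatch(r"c:\\windows\\[^\\]+", path.lower()):
            reasons.append("executable in the Windows root rather than System32 (weak signal)")
        return reasons
    m = O16_RE.match(line)
    if m and not m["desc"]:
        reasons.append("ActiveX download (DPF) with no control description")
    return reasons

def audit_log(text):
    # Map each suspicious line of a log to its list of reasons.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {l: audit_line(l) for l in lines if audit_line(l)}
```

On the sample it flags the three O4 entries and the bundleware DPF line that Lobos lists, plus Creative's Updreg.exe on the weak Windows-root rule alone; a hit is a prompt to look closer, not a verdict.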
#13
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
Friends don't let friends use McAfee, as glc says. Just uninstall it and get AVG or Avast Home. Or if you're willing to pay, get the NOD32 trial.
#14
Member (5 bit)
Lobos: I fixed everything, deleted alchem, but I couldn't find sw32.exe and svchos1.exe. But is this gonna help my comp or not?
ghost2003: Yeah, the idea of AVG was around since my friend is using it ... so I might give it a try.... So, what do I do now? Btw, I ran the ActiveScan software, results:

Incident  Status  Location
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-24c8383a-2e8bdc3d.zip[B.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-24c8383a-2e8bdc3d.zip[V.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-24c8383a-2e8bdc3d.zip[Dummy.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-13e49ae9-5d948502.zip[Counter.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-13e49ae9-5d948502.zip[VerifierBug.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-13e49ae9-5d948502.zip[Gummy.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1803745e-5bda7496.zip[BlackBox.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1803745e-5bda7496.zip[A.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-11141c97.zip[BlackBox.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-11141c97.zip[Dummy.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-11141c97.zip[Beyond.class]
Trj/StartPage.Y  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-11141c97.zip[rundll32.exe]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7afb8f5a-5613a834.zip[Beyond.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7afb8f5a-5613a834.zip[BlackBox.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7afb8f5a-5613a834.zip[Dummy.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7afb8f5a-5613a834.zip[VerifierBug.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7271642a-45aa9cc6.zip[counter.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7271642a-45aa9cc6.zip[Dummy.class]
Exploit/ByteVerify  Disinfected  C:\Documents and Settings\laferriere\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7271642a-45aa9cc6.zip[VerifierBug.class]
Trj/Alfora.A  Disinfected  C:\Documents and Settings\laferriere\Local Settings\Temprad414DD.tmp.com
#15
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
Sometimes, on computers with Windows XP, even after viruses and other threats have been eliminated, the antivirus may detect them again and again in the _restore folder without being able to eliminate them.
But since you have disinfected them, they could still be in your restore folder, so this is what I would like you to do. Run a scan here: http://www.pandasoftware.com/activescan/ If it detects anything, have it delete it. If not, then come back here and post another HJT log. But if it does, then turn off your System Restore:
1. Click with the right button of the mouse on My Computer.
2. Select Properties.
3. Click System Restore.
4. Check the Turn off System Restore or Turn off System Restore on all drives checkbox.
5. Click Apply and then OK.
Reboot, then turn your System Restore back on:
1. Click with the right button of the mouse on My Computer.
2. Select Properties.
3. Click System Restore.
4. Disable the Turn off System Restore or Turn off System Restore on all drives checkbox.
5. Click Apply and then OK.
Then come back here and post a fresh HJT log. And yes, everything helps to keep your system running clean and smooth.
#16
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
You probably have the VX2 spyware, which is a real bear to get rid of. You need to boot with the XP CD and use the repair console, and manually delete aklui.dll and aklui.cpy.dll from the command prompt. I spent 2 hours screwing with this the other day, and I finally found this solution. After you do this, then you mop up the mess with Ad-Aware, Spybot, and a good virus scanner - and you may have to disable system restore to completely make it go away.
#17
Member (5 bit)
Hum, wow, I will try it, but I don't have time right now.
Thanks