Help me to delete spyware dll files

Discussion in 'adware, spyware & hijack cleaning' started by ozzie1451, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. ozzie1451

    ozzie1451 Registered Member

    Joined: Jun 16, 2004
    Posts: 3

    Ad-aware finds a spyware file but cannot remove it. I allow it to remove the file at next startup, but the file changes its name. I can only find the file with a Winfile search; it is invisible. Winfile shows it in a window with no accessibility. I can only use the Delete key to remove it, but it creates a backup file and restores itself with a different name. My internet connection is then redirected to search200.com. I delete this entry with HijackThis but it comes back. The name I have for the file now is ailui.dll in the system32 directory. Is there a way to delete it? I also have the AVG AV program and it does not detect anything.


    Logfile of HijackThis v1.97.7
    Scan saved at 2:34:45 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...8109.3714236111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...360/mcfscan.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,332
    Location: Netherlands

    Hi ozzie1451,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

    Also check that it is not WinPatrol or Spybot that is holding on to the IE settings.

    Regards,

    Pieter
     
    Last edited: Jun 16, 2004
  3. ozzie1451

    ozzie1451 Registered Member

    Joined: Jun 16, 2004
    Posts: 3

    I have removed the entry and scanned with Ad-aware. It found two new DLL files and it says they are VX2 variant malware, data miner. When I mark them to be deleted, Ad-aware cannot delete them and asks me to delete at next startup. I say OK, but after startup I scan and new DLL names are present. Then something is trying to hijack my start page to search200.com. The new DLL names are aeledit.dll and aetxprxy.dll.
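
Added example, not part of any post in this thread: a small Python triage helper for a pasted HijackThis log like the one in the first post. It rejoins entries that were wrapped mid-line, as pasted logs often are, and lists the Internet Explorer `R0`/`R1` settings whose URL host is not on a reviewer-supplied list. The function names and the expected-host set are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries taken from the log in the first post,
# wrapped mid-entry the way pasted logs often arrive.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVG_CC] C:\Program
Files\Grisoft\AVG6\avgcc32.exe /startup
"""

# An entry starts with a section code such as "R1 - " or "O16 - ".
ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")
# R-section entry: code, registry key, value name, value (may be empty).
IE_SETTING = re.compile(r"^(R\d) - (.+?),(.+?) =\s*(.*)$")


def rejoin_entries(log_text):
    """Merge continuation lines back into the entry they belong to."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous entry
            entries[-1] += " " + line
    return entries


def review_ie_settings(log_text, expected_hosts):
    """Return (code, value name, URL) for IE settings with an unexpected host."""
    findings = []
    for entry in rejoin_entries(log_text):
        m = IE_SETTING.match(entry)
        if not m:
            continue
        code, _key, name, value = m.groups()
        host = urlparse(value).hostname if value else None
        if host and host not in expected_hosts:
            findings.append((code, name, value))
    return findings


if __name__ == "__main__":
    # Hypothetical expected-host list chosen by the reviewer.
    for finding in review_ie_settings(SAMPLE_LOG, {"www.yahoo.com"}):
        print(finding)
```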
     