Help me to delete spyware dll files

Discussion in 'adware, spyware & hijack cleaning' started by ozzie1451, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. ozzie1451

    ozzie1451 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    3
    adaware finds a spyware file but can not remove it. I allow it to remove at next start up but file changes its name. I can only find the file with winfile search, it is invisible. Winfile shows it in a window with no accessability. I can use only delete key to remove it but it creates a back up file and restores itself with a different name. My internet connection then redirected to search200.com. I delete this entry with hijackthis but it comes back. The name I have for the file now is ailui.dll in system32 directory. Is there a way to delete it. I have also AVG AV program and it does not detect anything.


    Logfile of HijackThis v1.97.7
    Scan saved at 2:34:45 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Spybot - Search &
    Destroy\TeaTimer.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Search Page =
    http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Default_Page_URL =
    http://education.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet
    Explorer\Main,Default_Page_URL =
    http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet
    Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection
    Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O3 - Toolbar: &Radio -
    {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker -
    {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program
    Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program
    Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [WinPatrol]
    "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program
    Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program
    Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program
    Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet
    Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet
    Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
    (HouseCall Control) -
    http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
    (ActiveScan Installer Class) -
    http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    http://v4.windowsupdate.microsoft.com/CAB/...8109.3714236111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
    (Shockwave Flash Object) -
    http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
    (McFreeScan Class) -
    http://download.mcafee.com/molbin/iss-loc/...360/mcfscan.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi ozzie1451,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Search Page =
    http://search200.com/searchbar.html

    Also check that it is not WinPatrol or Spybot that is holding on to the IE settings.

    Regards,

    Pieter
     
    Last edited: Jun 16, 2004
  3. ozzie1451

    ozzie1451 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    3
    I have removed the entry and scaned with adaware. It found two new dll files and it says they are vx2 variant malware, data miner. When I mark them to be deleted, adaware can not delete and asks me to delete at next start up, i say OK but after start up I scan and new dll names are present. Then something is trying to hijack my start page to search200.com. New dll names aeledit.dll and aetxprxy.dll
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.