[Last Call] Learn how to a build a cloud-first strategyRegister Now


Can not delete spyware DLL

Posted on 2006-05-27
Medium Priority
Last Modified: 2012-05-05
I have a laptop that was filled with spyware and a couple of virus' i am pretty sure i got rid of everything but one.  I am still having a problem with a dll called i0nmla511d.dll.  I can not delete this file, no matter how i try... (safe mode, cmd prompt, knoppix, etc) nothing will delete it.  The problem is, if i let the laptop sit, it will get random pop ups even in safe mode.  I ran all the usual cleaner tools (spybot, adaware, hijack this, stinger, panda, housecall, etc) nothing will help me delete this file.  I am pretty sure i pin pointed the final problem to this DLL.  Its in my system start up as a winlogon, value= shellserviceobjectdelayload.  every program that i use, fails to keep it deleted from the start up process.

Hijack this will fix it, but if i do another scan it will be there again, same with spy bot.... any suggestions?
Question by:Justin Imes
  • 6
  • 5
  • 2

Author Comment

by:Justin Imes
ID: 16775832
Also i found it using regedit, its located:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon\Notify\ShellServiceObjectDelayLoad as a DllName but same thing, if i delete it from here, and refresh, the file is back.

Author Comment

by:Justin Imes
ID: 16775878
One more thing i noticed, is that i'm stuck in windows theme classic.... if i try to revert to XP Mode, the start menu and everything is still in classic mode?
LVL 32

Expert Comment

ID: 16775891
Try this:

First locate the file named i0nmla511d.dll (probably in c:\windows or c:\windows\system32)


(0) If running XP Home, boot in safe mode, if XP Pro or Win/2000, then start with step (1)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.
When you clear it with HJT now, it will stay gone.

I also suggest you do a scan next with any AV program, plus one good anti-spyware program (I recommend Windows Defender, free from: http://www.microsoft.com/athome/security/spyware/software/default.mspx

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.


Author Comment

by:Justin Imes
ID: 16780074
that didn't seem to work, well in way, i guess it did...

but once i rebooted, that file is now gone, but still same symptoms (popups) and now i have a different dll starting up in winlogin.  

i think at this point, my only option is to wipe it and start fresh...
any last minute suggestions?
LVL 32

Expert Comment

ID: 16780104
Well, reformatting and reinstalling will definitely fix it, but the fact that it reappears under a different name suggests that there is more than one bad file active on your system. If you still want to try fixing the problem, try the folowing:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

This will help get a grip on the extent of the infection.

In case you decide to reformat, be sure that all importanmt files are backed up. This includes email (plus attachments), favorites list, music, pictures, documents, etc.


Author Comment

by:Justin Imes
ID: 16780140

and if you look, the dll is now labeled n6p4lg7q16.dll
LVL 32

Expert Comment

ID: 16780207
Try this:

Try to fix that O20 entry (relating to n6p4lg7q16.dll) with HJT itself, then reboot, run HJT again and see it it is really gone.

If not, then do the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy-and-paste it here.

I am gone for a bit but will check back every so often.
Good luck.

Author Comment

by:Justin Imes
ID: 16781044
i tried this, and once again when i reboot, there is a new dll that starts up.  this time its i4060edseh060.dll
here is my autorun log file


+ Advanced Tools Check      Norton AntiVirus Advanced Tools Integrity Checker      Symantec Corporation      c:\program files\norton antivirus\advtools\advchk.exe

+ ATIModeChange      ATI 2D Mode component      ATI Technologies, Inc.      c:\windows\system32\ati2mdxx.exe

+ ATIPTA      ATI Desktop Control Panel      ATI Technologies, Inc.      c:\program files\ati technologies\ati control panel\atiptaxx.exe

+ ccApp      Common Client User Session      Symantec Corporation      c:\program files\common files\symantec shared\ccapp.exe

+ Cpqset                  c:\program files\hpq\default settings\cpqset.exe

+ Display Settings      hptasks      Hewlett-Packard      c:\program files\hpq\notebook utilities\hptasks.exe

+ Lexmark X5100 Series      Lexmark X5100 Series Button Manager      Lexmark International, Inc.      c:\program files\lexmark x5100 series\lxbabmgr.exe

+ PreloadApp                  c:\hp\drivers\printers\photosmart\hphprld.exe

+ QT4HPOT      One-Touch      Dritek System Inc.      c:\program files\hpq\one-touch\onetouch.exe

+ Symantec NetDriver Monitor      Symantec Security Drivers Install Monitor      Symantec Corporation      c:\program files\symnetdrv\sndmon.exe

+ SynTPEnh      Synaptics TouchPad Enhancements      Synaptics, Inc.      c:\program files\synaptics\syntp\syntpenh.exe

+ SynTPLpr      TouchPad Driver Helper Application      Synaptics, Inc.      c:\program files\synaptics\syntp\syntplpr.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  

+ Adobe Gamma Loader.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk      Adobe Acrobat SpeedLauncher      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup                  

+ Adobe Gamma.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe


+ updateMgr      Adobe Update Manager      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\adobeupdatemanager.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ Adobe.Acrobat.ContextMenu      Adobe Acrobat Elements      Adobe Systems Inc.      c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll

+ AutoCAD Digital Signatures Icon Overlay Handler      AcSignIcon Module      Autodesk      c:\windows\system32\acsignicon.dll

+ Autodesk Drawing Preview      AcThumbnail Module      Autodesk      c:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll

+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

+ Trojan Remover Shell Extension      Trojan Remover Shell Extension      Simply Super Software      c:\program files\trojan remover\trshlex.dll

+ tuaffic.dll                  c:\windows\system32\tuaffic.dll

+ tuaffic.dll                  c:\windows\system32\tuaffic.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar                  

+ acroiefavclient.dll                  c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll

+ Norton AntiVirus      Norton AntiVirusNAVShellExt Module      Symantec Corporation      c:\program files\norton antivirus\navshext.dll

Task Scheduler                  

+ Norton AntiVirus - Scan my computer.job      Norton AntiVirus Scanner Module      Symantec Corporation      c:\program files\norton antivirus\navw32.exe

+ Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      c:\program files\symantec\liveupdate\ndetect.exe


+ ccEvtMgr      Symantec Event Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccevtmgr.exe

+ ccSetMgr      Symantec Settings Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccsetmgr.exe

+ HPConfig      HPConfig Module      Hewlett-Packard      c:\windows\system32\hpconfig.exe

+ HPWirelessMgr      HPWirelessMgr Module      Hewlett-Packard Co.      c:\program files\hpq\notebook utilities\hpwirelessmgr.exe

+ LexBceS      LexBce Service      Lexmark International, Inc.      c:\windows\system32\lexbces.exe

+ navapsvc      Handles Norton AntiVirus Auto-Protect events.      Symantec Corporation      c:\program files\norton antivirus\navapsvc.exe

+ NProtectService      Norton Protection Status      Symantec Corporation      c:\program files\norton antivirus\advtools\nprotect.exe

+ SAVScan      Handles Norton AntiVirus Auto-Protect Archive Scanning      Symantec Corporation      c:\program files\norton antivirus\savscan.exe

+ SBService      ScriptBlocking registration      Symantec Corporation      c:\program files\common files\symantec shared\script blocking\sbserv.exe

+ Symantec Core LC      Symantec Core LC      Symantec Corporation      c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe


+ AliIde      ALi mini IDE Driver      Acer Laboratories Inc.      c:\windows\system32\drivers\aliide.sys

+ ALiIRDA      ALi Fast Infrared Driver      Acer Laboratories Inc.      c:\windows\system32\drivers\aliirda.sys

+ allegro      ES1988/ES1998/ES199A Adapter Driver      ESS Technology, Inc.      c:\windows\system32\drivers\es198x.sys

+ ati2mtag      ATI Radeon Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\ati2mtag.sys

+ atimpab      ATI2MPAB Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\atimpab.sys

+ caboagp      ATI AGP driver      ATI Technologies Inc.      c:\windows\system32\drivers\atisgkaf.sys

+ CALIAUD      Conexant WDM AC97 Audio Driver      Conexant Systems Inc.      c:\windows\system32\drivers\caliaud.sys

+ CALIHALA      Conexant AmcHal Driver      Conexant Systems Inc.      c:\windows\system32\drivers\calihal.sys

+ CE3      Ndis 5 Miniport for Ethernet 10/100      Xircom, Inc.      c:\windows\system32\drivers\ce3n5.sys

+ DKbFltr      Dritek Keyboard Filter Driver      Dritek System Inc.      c:\windows\system32\drivers\dkbfltr.sys

+ DP83815      National Semiconductor Corp. DP83815/816 10/100 MacPhyter NDIS 5.0 Miniport Driver      National Semiconductor Corp.      c:\windows\system32\drivers\dp83815.sys

+ HPCI      HP Configuration Interface Driver      Hewlett-Packard      c:\windows\system32\drivers\hpci.sys

+ HSF_DP      HSF_DP driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsf_dp.sys

+ HSFHWALI      HSFHWALI WDM driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsfhwali.sys

+ LEX_NIC_SERVICE      NDIS 5.1 Driver      LAN-Express      c:\windows\system32\drivers\express.sys

+ mdmxsdk      Diagnostic Interface DRIVER      Conexant      c:\windows\system32\drivers\mdmxsdk.sys

+ NAVENG      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20060520.005\naveng.sys

+ NAVEX15      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20060520.005\navex15.sys

+ NPDriver      Norton Protection Driver      Symantec Corporation      c:\windows\system32\drivers\npdriver.sys

+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

+ RimUsb      RIM handheld driver      Research In Motion Limited      c:\windows\system32\drivers\rimusb.sys

+ SAVRT      AutoProtect      Symantec Corporation      c:\program files\norton antivirus\savrt.sys

+ SAVRTPEL      SAVRTPEL      Symantec Corporation      c:\program files\norton antivirus\savrtpel.sys

+ Secdrv      SafeDisc driver            c:\windows\system32\drivers\secdrv.sys

+ StreamDispatcher      Conexant Stream Dispatcher      Conexant Systems, Inc.      c:\windows\system32\drivers\strmdisp.sys

+ SymEvent      Symantec Event Library      Symantec Corporation      c:\program files\symantec\symevent.sys

+ symlcbrd                  c:\windows\system32\drivers\symlcbrd.sys

+ SYMREDRV      Redirector Filter Driver      Symantec Corporation      c:\windows\system32\drivers\symredrv.sys

+ SYMTDI      Network Dispatch Driver      Symantec Corporation      c:\windows\system32\drivers\symtdi.sys

+ SynTP      Synaptics Touchpad Driver      Synaptics, Inc.      c:\windows\system32\drivers\syntp.sys

+ UXDCMN                  File not found: D:\Tools\WINSTRESS\UXDCMN.SYS

+ winachsf      HSF_CNXT driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsf_cnxt.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ Dynamic Directory                  c:\windows\system32\i4060edseh060.dll

+ Internet Settings                  File not found: C:\WINDOWS\system32\en2ql1f51.dll


+ Adobe PDF Port      Acrobat ® PDF Port      Adobe Systems Incorporated.      c:\windows\system32\adobepdf.dll

+ Lexmark Network Port      LEXLMPM DLL      Lexmark International, Inc.      c:\windows\system32\lexlmpm.dll

+ PrimoMon                  c:\windows\system32\primomonnt.dll

LVL 47

Accepted Solution

rpggamergirl earned 500 total points
ID: 16781281
What is showing in your hijackthis log is a Look2Me infection. Please run Look2Me Destroyer and post the link of a new hiajckthis log after.

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
LVL 32

Assisted Solution

r-k earned 500 total points
ID: 16781506
Yes, I agree. Seems like Look2Me.
Do as suggested by rpggamergirl and send us an update.

rpggamergirl, I think the following two files are working in tandem:

+ tuaffic.dll               c:\windows\system32\tuaffic.dll
+ Dynamic Directory               c:\windows\system32\i4060edseh060.dll

so disabling one at a time does no good. But disabling both and rebooting will probably fix it. But that is what the tool you suggested will do as well, hopefully.
LVL 47

Expert Comment

ID: 16781544
>>rpggamergirl, I think the following two files are working in tandem:

+ tuaffic.dll               c:\windows\system32\tuaffic.dll
+ Dynamic Directory               c:\windows\system32\i4060edseh060.dll<<

Yes r-k, those are both l2m files.
Look2Me infection creates a lot of random files that change their names or rename themselves except for one file (the master file) "guard.tmp" guard.tmp is the only look2me file that will not change or rename itself.
Before Look2Me Destroyer was created, and while l2mfix.exe were having trouble removing look2me infection, what we would do was to try and kill guard.tmp first and it was a  difficult job to do because guard.tmp keep reviving itself so it was needed to kill it many times until it stopped showing up in Process explorer before searching the rest of the files and killing them.

Atribune did a GREAT job creating Look2Me Destroyer, it's quick and simple.
Whereas using l2mFix.exe (first tool created to remove vx2/look2me infections by shadowwar) has to be done in 2 steps  fix while the user must not reboot in between steps.

We can see how many random files it created when we see the look2me destroyer log text. It varies, some are plentiful while some infected pc only have a few random files.


Author Comment

by:Justin Imes
ID: 16782165
I think that did it!
excellent work, thanks guys!
LVL 32

Expert Comment

ID: 16782173
Thanks, and good luck.

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question