Can not delete spyware DLL

Posted on 2006-05-27
Last Modified: 2012-05-05
I have a laptop that was filled with spyware and a couple of viruses. I am pretty sure I got rid of everything but one.  I am still having a problem with a DLL called i0nmla511d.dll.  I cannot delete this file, no matter how I try (safe mode, cmd prompt, Knoppix, etc.); nothing will delete it.  The problem is, if I let the laptop sit, it will get random pop-ups even in safe mode.  I ran all the usual cleaner tools (Spybot, Ad-Aware, HijackThis, Stinger, Panda, HouseCall, etc.); nothing will help me delete this file.  I am pretty sure I pinpointed the final problem to this DLL.  It's in my system startup as a winlogon, value= shellserviceobjectdelayload.  Every program that I use fails to keep it deleted from the startup process.

HijackThis will fix it, but if I do another scan it will be there again, same with Spybot... Any suggestions?
Question by:Justin Imes
    LVL 9

    Author Comment

    by:Justin Imes
    Also, I found it using regedit; it's located at:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon\Notify\ShellServiceObjectDelayLoad as a DllName, but same thing: if I delete it from here and refresh, the file is back.
    LVL 9

    Author Comment

    by:Justin Imes
    One more thing I noticed is that I'm stuck in Windows Classic theme... If I try to revert to XP mode, the Start menu and everything is still in classic mode?
    LVL 32

    Expert Comment

    Try this:

    First locate the file named i0nmla511d.dll (probably in c:\windows or c:\windows\system32)


    (0) If running XP Home, boot in safe mode, if XP Pro or Win/2000, then start with step (1)

    (1) Right click on the file in Windows Explorer or My Computer, select Properties

    (2) Click on the Security tab.

    (3) Click on the Advanced button.

    (4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

    (5) Close all windows.

    (6) Reboot.

    After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.
    When you clear it with HJT now, it will stay gone.

    I also suggest you do a scan next with any AV program, plus one good anti-spyware program (I recommend Windows Defender, free from:

    LVL 9

    Author Comment

    by:Justin Imes
    That didn't seem to work; well, in a way, I guess it did...

    But once I rebooted, that file is now gone, but still the same symptoms (pop-ups), and now I have a different DLL starting up in winlogon.

    I think at this point, my only option is to wipe it and start fresh...
    Any last-minute suggestions?
    LVL 32

    Expert Comment

    Well, reformatting and reinstalling will definitely fix it, but the fact that it reappears under a different name suggests that there is more than one bad file active on your system. If you still want to try fixing the problem, try the following:

    Download and run HijackThis from
    Copy-and-paste the resulting log back to that same web site (not here)
    Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
    Finally post a link here to the saved analyzed page.

    This will help get a grip on the extent of the infection.

    In case you decide to reformat, be sure that all important files are backed up. This includes email (plus attachments), favorites list, music, pictures, documents, etc.

    LVL 9

    Author Comment

    by:Justin Imes

    and if you look, the dll is now labeled n6p4lg7q16.dll
    LVL 32

    Expert Comment

    Try this:

    Try to fix that O20 entry (relating to n6p4lg7q16.dll) with HJT itself, then reboot, run HJT again and see if it is really gone.

    If not, then do the following:

    (1) Download Autoruns from:

    (2) Run the program. It lists a bunch of things that start when Windows starts.

    (3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

    (4) This will give you a shorter, more meaningful list.

    (5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

    (6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy-and-paste it here.

    I am gone for a bit but will check back every so often.
    Good luck.
    LVL 9

    Author Comment

    by:Justin Imes
    I tried this, and once again when I reboot, there is a new DLL that starts up.  This time it's i4060edseh060.dll.
    Here is my Autoruns log file:


    + Advanced Tools Check      Norton AntiVirus Advanced Tools Integrity Checker      Symantec Corporation      c:\program files\norton antivirus\advtools\advchk.exe

    + ATIModeChange      ATI 2D Mode component      ATI Technologies, Inc.      c:\windows\system32\ati2mdxx.exe

    + ATIPTA      ATI Desktop Control Panel      ATI Technologies, Inc.      c:\program files\ati technologies\ati control panel\atiptaxx.exe

    + ccApp      Common Client User Session      Symantec Corporation      c:\program files\common files\symantec shared\ccapp.exe

    + Cpqset                  c:\program files\hpq\default settings\cpqset.exe

    + Display Settings      hptasks      Hewlett-Packard      c:\program files\hpq\notebook utilities\hptasks.exe

    + Lexmark X5100 Series      Lexmark X5100 Series Button Manager      Lexmark International, Inc.      c:\program files\lexmark x5100 series\lxbabmgr.exe

    + PreloadApp                  c:\hp\drivers\printers\photosmart\hphprld.exe

    + QT4HPOT      One-Touch      Dritek System Inc.      c:\program files\hpq\one-touch\onetouch.exe

    + Symantec NetDriver Monitor      Symantec Security Drivers Install Monitor      Symantec Corporation      c:\program files\symnetdrv\sndmon.exe

    + SynTPEnh      Synaptics TouchPad Enhancements      Synaptics, Inc.      c:\program files\synaptics\syntp\syntpenh.exe

    + SynTPLpr      TouchPad Driver Helper Application      Synaptics, Inc.      c:\program files\synaptics\syntp\syntplpr.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  

    + Adobe Gamma Loader.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe

    + Adobe Reader Speed Launch.lnk      Adobe Acrobat SpeedLauncher      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup                  

    + Adobe Gamma.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe


    + updateMgr      Adobe Update Manager      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\adobeupdatemanager.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

    + Adobe.Acrobat.ContextMenu      Adobe Acrobat Elements      Adobe Systems Inc.      c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll

    + AutoCAD Digital Signatures Icon Overlay Handler      AcSignIcon Module      Autodesk      c:\windows\system32\acsignicon.dll

    + Autodesk Drawing Preview      AcThumbnail Module      Autodesk      c:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll

    + HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

    + Trojan Remover Shell Extension      Trojan Remover Shell Extension      Simply Super Software      c:\program files\trojan remover\trshlex.dll

    + tuaffic.dll                  c:\windows\system32\tuaffic.dll

    + tuaffic.dll                  c:\windows\system32\tuaffic.dll

    HKLM\Software\Microsoft\Internet Explorer\Toolbar                  

    + acroiefavclient.dll                  c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll

    + Norton AntiVirus      Norton AntiVirusNAVShellExt Module      Symantec Corporation      c:\program files\norton antivirus\navshext.dll

    Task Scheduler                  

    + Norton AntiVirus - Scan my computer.job      Norton AntiVirus Scanner Module      Symantec Corporation      c:\program files\norton antivirus\navw32.exe

    + Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      c:\program files\symantec\liveupdate\ndetect.exe


    + ccEvtMgr      Symantec Event Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccevtmgr.exe

    + ccSetMgr      Symantec Settings Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccsetmgr.exe

    + HPConfig      HPConfig Module      Hewlett-Packard      c:\windows\system32\hpconfig.exe

    + HPWirelessMgr      HPWirelessMgr Module      Hewlett-Packard Co.      c:\program files\hpq\notebook utilities\hpwirelessmgr.exe

    + LexBceS      LexBce Service      Lexmark International, Inc.      c:\windows\system32\lexbces.exe

    + navapsvc      Handles Norton AntiVirus Auto-Protect events.      Symantec Corporation      c:\program files\norton antivirus\navapsvc.exe

    + NProtectService      Norton Protection Status      Symantec Corporation      c:\program files\norton antivirus\advtools\nprotect.exe

    + SAVScan      Handles Norton AntiVirus Auto-Protect Archive Scanning      Symantec Corporation      c:\program files\norton antivirus\savscan.exe

    + SBService      ScriptBlocking registration      Symantec Corporation      c:\program files\common files\symantec shared\script blocking\sbserv.exe

    + Symantec Core LC      Symantec Core LC      Symantec Corporation      c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe


    + AliIde      ALi mini IDE Driver      Acer Laboratories Inc.      c:\windows\system32\drivers\aliide.sys

    + ALiIRDA      ALi Fast Infrared Driver      Acer Laboratories Inc.      c:\windows\system32\drivers\aliirda.sys

    + allegro      ES1988/ES1998/ES199A Adapter Driver      ESS Technology, Inc.      c:\windows\system32\drivers\es198x.sys

    + ati2mtag      ATI Radeon Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\ati2mtag.sys

    + atimpab      ATI2MPAB Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\atimpab.sys

    + caboagp      ATI AGP driver      ATI Technologies Inc.      c:\windows\system32\drivers\atisgkaf.sys

    + CALIAUD      Conexant WDM AC97 Audio Driver      Conexant Systems Inc.      c:\windows\system32\drivers\caliaud.sys

    + CALIHALA      Conexant AmcHal Driver      Conexant Systems Inc.      c:\windows\system32\drivers\calihal.sys

    + CE3      Ndis 5 Miniport for Ethernet 10/100      Xircom, Inc.      c:\windows\system32\drivers\ce3n5.sys

    + DKbFltr      Dritek Keyboard Filter Driver      Dritek System Inc.      c:\windows\system32\drivers\dkbfltr.sys

    + DP83815      National Semiconductor Corp. DP83815/816 10/100 MacPhyter NDIS 5.0 Miniport Driver      National Semiconductor Corp.      c:\windows\system32\drivers\dp83815.sys

    + HPCI      HP Configuration Interface Driver      Hewlett-Packard      c:\windows\system32\drivers\hpci.sys

    + HSF_DP      HSF_DP driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsf_dp.sys

    + HSFHWALI      HSFHWALI WDM driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsfhwali.sys

    + LEX_NIC_SERVICE      NDIS 5.1 Driver      LAN-Express      c:\windows\system32\drivers\express.sys

    + mdmxsdk      Diagnostic Interface DRIVER      Conexant      c:\windows\system32\drivers\mdmxsdk.sys

    + NAVENG      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20060520.005\naveng.sys

    + NAVEX15      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20060520.005\navex15.sys

    + NPDriver      Norton Protection Driver      Symantec Corporation      c:\windows\system32\drivers\npdriver.sys

    + Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

    + RimUsb      RIM handheld driver      Research In Motion Limited      c:\windows\system32\drivers\rimusb.sys

    + SAVRT      AutoProtect      Symantec Corporation      c:\program files\norton antivirus\savrt.sys

    + SAVRTPEL      SAVRTPEL      Symantec Corporation      c:\program files\norton antivirus\savrtpel.sys

    + Secdrv      SafeDisc driver            c:\windows\system32\drivers\secdrv.sys

    + StreamDispatcher      Conexant Stream Dispatcher      Conexant Systems, Inc.      c:\windows\system32\drivers\strmdisp.sys

    + SymEvent      Symantec Event Library      Symantec Corporation      c:\program files\symantec\symevent.sys

    + symlcbrd                  c:\windows\system32\drivers\symlcbrd.sys

    + SYMREDRV      Redirector Filter Driver      Symantec Corporation      c:\windows\system32\drivers\symredrv.sys

    + SYMTDI      Network Dispatch Driver      Symantec Corporation      c:\windows\system32\drivers\symtdi.sys

    + SynTP      Synaptics Touchpad Driver      Synaptics, Inc.      c:\windows\system32\drivers\syntp.sys

    + UXDCMN                  File not found: D:\Tools\WINSTRESS\UXDCMN.SYS

    + winachsf      HSF_CNXT driver      Conexant Systems, Inc.      c:\windows\system32\drivers\hsf_cnxt.sys

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

    + Dynamic Directory                  c:\windows\system32\i4060edseh060.dll

    + Internet Settings                  File not found: C:\WINDOWS\system32\en2ql1f51.dll


    + Adobe PDF Port      Acrobat ® PDF Port      Adobe Systems Incorporated.      c:\windows\system32\adobepdf.dll

    + Lexmark Network Port      LEXLMPM DLL      Lexmark International, Inc.      c:\windows\system32\lexlmpm.dll

    + PrimoMon                  c:\windows\system32\primomonnt.dll

    LVL 47

    Accepted Solution

    What is showing in your HijackThis log is a Look2Me infection. Please run Look2Me Destroyer and post the link of a new HijackThis log after.

    Please download Look2Me-Destroyer.exe to your desktop.
    Close all windows before continuing.
    Double-click "Look2Me-Destroyer.exe" to run it.
    Put a check next to "Run this program as a task".
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the "Remove L2M" button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.
    Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    LVL 32

    Assisted Solution

    Yes, I agree. Seems like Look2Me.
    Do as suggested by rpggamergirl and send us an update.

    rpggamergirl, I think the following two files are working in tandem:

    + tuaffic.dll               c:\windows\system32\tuaffic.dll
    + Dynamic Directory               c:\windows\system32\i4060edseh060.dll

    so disabling one at a time does no good. But disabling both and rebooting will probably fix it. But that is what the tool you suggested will do as well, hopefully.
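
A triage pass over an Autoruns text export like the one posted above, as an added example that is not part of the original thread or of any tool mentioned in it. It assumes the column layout seen in that log (entry lines start with "+", columns separated by tabs or runs of spaces); the sample lines are constructed from that layout, and the two watched locations and the "no description or publisher" rule are this example's assumptions, a prompt for manual review rather than a verdict.

```python
import re

# Constructed sample in the layout of the Autoruns export posted in this thread.
SAMPLE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll
+ tuaffic.dll                  c:\windows\system32\tuaffic.dll
Task Scheduler
+ Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      c:\program files\symantec\liveupdate\ndetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ Dynamic Directory                  c:\windows\system32\i4060edseh060.dll
+ Internet Settings                  File not found: C:\WINDOWS\system32\en2ql1f51.dll
"""

# Assumption: locations singled out because this thread's bad DLLs sat there.
WATCHED = ("winlogon\\notify", "shell extensions\\approved")
COLUMNS = re.compile(r"\t+| {2,}")  # column separator: tabs or 2+ spaces
MISSING = "File not found:"


def parse_autoruns(text):
    """Yield (location, name, description, publisher, path) for each entry."""
    location = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+"):
            location = line  # section header: registry key, folder, etc.
            continue
        fields = COLUMNS.split(line[1:].strip())
        name = fields[0]
        path = fields[-1] if len(fields) > 1 else ""
        middle = fields[1:-1]  # description and publisher, when present
        desc = middle[0] if middle else ""
        pub = middle[1] if len(middle) > 1 else ""
        yield location, name, desc, pub, path


def triage(text):
    """Return (name, path, reasons) for entries in watched locations to review."""
    findings = []
    for loc, name, desc, pub, path in parse_autoruns(text):
        if not any(w in loc.lower() for w in WATCHED):
            continue
        reasons = []
        if path.startswith(MISSING):
            reasons.append("target file missing")
            path = path[len(MISSING):].strip()
        if not desc and not pub:
            reasons.append("no description or publisher")
        if reasons:
            findings.append((name, path.lower(), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name}: {path} ({', '.join(reasons)})")
```

Legitimate software can also ship without version information, so each flagged entry still needs a manual look before it is disabled.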
    LVL 47

    Expert Comment

    >>rpggamergirl, I think the following two files are working in tandem:

    + tuaffic.dll               c:\windows\system32\tuaffic.dll
    + Dynamic Directory               c:\windows\system32\i4060edseh060.dll<<

    Yes r-k, those are both l2m files.
    A Look2Me infection creates a lot of random files that change their names or rename themselves, except for one file (the master file), "guard.tmp". guard.tmp is the only Look2Me file that will not change or rename itself.
    Before Look2Me Destroyer was created, and while l2mfix.exe was having trouble removing Look2Me infections, what we would do was to try and kill guard.tmp first, and it was a difficult job to do because guard.tmp kept reviving itself, so it was necessary to kill it many times until it stopped showing up in Process Explorer before searching for the rest of the files and killing them.

    Atribune did a GREAT job creating Look2Me Destroyer; it's quick and simple.
    Whereas using l2mFix.exe (the first tool created to remove vx2/Look2Me infections, by shadowwar) has to be done as a 2-step fix, and the user must not reboot in between steps.

    We can see how many random files it created when we see the Look2Me Destroyer log text. It varies; some are plentiful, while some infected PCs only have a few random files.

    LVL 9

    Author Comment

    by:Justin Imes
    I think that did it!
    excellent work, thanks guys!
    LVL 32

    Expert Comment

    Thanks, and good luck.
