
How do I remove a spyware .dll from AppInit_DLLs? Help!



#1 jfreeman

jfreeman

    New Member

  • Members
  • 2 posts

Posted 07 February 2006 - 05:04 PM

Hey guys, this is my first post on this forum. I found this forum while looking for help with my problem with a tricky program that keeps putting itself in my AppInit_DLLs registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. The AppInit_DLLs value points to "XMwrap32.dll"; googling it I find nothing! I am using Windows XP Home and running Adaware and HijackThis. Adaware says my system is clean, and HJT shows this problem. Here is what I have done:

1. Updated Adaware and ran it; it said the system is clean.
2. Ran HJT, which shows this DLL; I "fix" it, restart, and it is still there.
3. Every time I try to delete it in regedit, it reappears.
4. I restarted in safe mode and applied a registry patch (.reg file) that resets the AppInit_DLLs key.

Obviously the .dll is loaded by Windows and keeps replacing itself in the registry key. How can I get rid of this, not knowing what it is? Is there a way to do it in DOS? I suspect this is a kind of Trojan or something. Thanks! :)
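The persistence point described in this post (a DLL name written into AppInit_DLLs so that every process loading user32.dll also loads it) can be audited from an administrative shell. The script below is an added example written for this page, not something posted in the thread; it assumes Windows PowerShell 3 or later with local administrator rights, so it applies to modern Windows rather than the XP Home machine discussed here, and it assumes a bare DLL name resolves under System32.

```powershell
# Added example (not from this thread): audit the AppInit_DLLs loading point
# on the local machine. Assumes Windows PowerShell 3+ and local admin rights.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # LoadAppInit_DLLs (Vista and later) gates whether the list is honoured;
        # RequireSignedAppInit_DLLs (Windows 7 and later) limits it to signed DLLs.
        # Both are absent on XP, where the list is always loaded.
        [pscustomobject]@{
            Key                       = $key
            LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
            AppInit_DLLs              = $props.AppInit_DLLs
        }
        if ([string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) { continue }
        # The value is a space- or comma-separated list of DLL names or paths.
        foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $path = $entry
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                # A bare name goes through the normal DLL search order; System32 is
                # the usual location (assumption: the DLL was not planted elsewhere).
                $path = Join-Path $env:SystemRoot "System32\$entry"
            }
            $exists = Test-Path -LiteralPath $path
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            $note = if (-not $exists) { 'listed but missing on disk' }
                    elseif ($sig -ne 'Valid') { 'unsigned or invalid signature: investigate' }
                    else { 'signed' }
            [pscustomobject]@{
                Entry     = $entry
                Resolved  = $path
                Exists    = $exists
                Signature = $sig
                Note      = $note
            }
        }
    }
}

Get-AppInitDllAudit | Format-List
```

An entry that is unsigned, missing on disk, or unknown to you is the one to investigate; a scheduled re-write of the value after you clear it, as reported in this post, means the DLL is still being loaded into running processes, so removal has to happen with the loader not running (offline or from a boot environment).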

#2 jfreeman

jfreeman

    New Member

  • Members
  • 2 posts

Posted 07 February 2006 - 05:53 PM

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:48:56 PM, on 2/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O20 - AppInit_DLLs: XMwrap32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#3 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,146 posts
  • Gender:Female


Posted 08 February 2006 - 08:38 AM

There are a couple of things you can do before posting in the HJT forum.

Download CleanUp40.exe to the Desktop. See "How to use CleanUp!" by Steven R. Gould.

Download Ewido Anti-Malware: http://www.ewido.net/en/download/
In the folder where EWIDO is located, double click the EWIDO Setup file.
Follow the prompts and reboot when done.
When the prompt with Additional Options appears, uncheck:
  • Install background guard
  • Install scan via context menu
When the program starts, do an online update for the latest signature files, then reboot to Safe Mode.
Run EWIDO and do a Complete System Scan. The scan may find malware entries and request action to clean up. Agree.
However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check "Perform action with all infections". If you are unsure of an entry, select None.
When EWIDO is done, reboot.
If you find you still have a problem, do another HJT log and create a post in the HJT forum for expert assistance.


Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#4 TeMerc

TeMerc

    Countermeasures Team Leader

  • Anti-Spyware Brigade
  • 1,584 posts
  • Location:PHX, AZ


Posted 08 February 2006 - 11:38 AM

I would add a couple of other suggestions:
* Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

* You also need to provide a complete HJT logfile, what you have provided there is not nearly the total log. Revert anything you have set to 'ignore' back to default detection, also be sure to produce a log in 'Normal' mode, not safe mode.

By what you have posted there, no one can decipher exactly what's going on with your machine.



