jfreeman

How do I remove a spyware .dll from AppInit_DLLs? Help!


Hey guys,

 

This is my first post on this forum. I found this forum while looking for help with my problem with a tricky program that keeps putting itself in my AppInit_DLLs registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. The AppInit_DLLs value points to a "XMwrap32.dll"; Googling it, I find nothing! I am using Windows XP Home and running Adaware and HijackThis. Adaware says my system is clean, and HJT shows this problem. Here is what I have done:

 

1. Updated Adaware and ran it; it said the system is clean.

2. Ran HJT, which shows this DLL. I "fix" it, restart, and it is still there.

3. Every time I try to delete it in regedit, it reappears.

4. I restarted in safe mode and applied a registry patch (.reg file) that resets the AppInit_DLLs key.

 

Obviously the .dll is loaded by Windows and keeps replacing itself in the registry key. How can I get rid of this, not knowing what it is? Is there a way to do it in DOS? I suspect this is a kind of Trojan or something.

 

Thanks! :)


Here is my HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 2:48:56 PM, on 2/7/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Documents and Settings\Justin\Desktop\HijackThis.exe

 

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O20 - AppInit_DLLs: XMwrap32.dll

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

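The behaviour described in the first post (a value that comes back as soon as it is deleted) is exactly what AppInit_DLLs makes easy: every process that loads user32.dll also loads each DLL named in that value, so the DLL's code runs in essentially every user-mode process and any of them can rewrite the key. The log's O20 line only shows the bare name. The following triage script is an added example, not code from the thread or from HijackThis; it reads the value, resolves each entry to a file the way LoadLibrary would (System32 first, then the Windows directory), records hash, signature and version metadata, and lists the running processes that currently have the DLL mapped. It assumes Windows PowerShell 4.0 or later run as administrator (Get-FileHash did not exist earlier; on an XP-era system use `certutil -hashfile` for the hash). "XMwrap32.dll" is simply the name from the thread; nothing about the file itself is assumed.

```powershell
# Added triage example for the AppInit_DLLs mechanism discussed in the thread.
# Not code from the original posts. Assumes Windows PowerShell 4.0+ run as
# administrator (Get-FileHash needs 4.0; on XP-era systems use
# "certutil -hashfile <file> SHA256" instead).

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows; does not exist on 32-bit XP
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
# Bare DLL names are resolved like LoadLibrary does for system DLLs.
$searchDirs = @("$env:SystemRoot\System32", $env:SystemRoot)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    "### $key"

    # Vista and later only honour the list when LoadAppInit_DLLs = 1; XP always loads it.
    $gate = $props.PSObject.Properties['LoadAppInit_DLLs']
    if ($gate) { "LoadAppInit_DLLs = $($gate.Value)" }
    else       { "LoadAppInit_DLLs absent (pre-Vista: list is always loaded)" }

    # The value is a space- or comma-separated list of DLL names or paths.
    $entries = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
    if ($entries.Count -eq 0) { "AppInit_DLLs is empty"; continue }

    foreach ($entry in $entries) {
        "=== $entry ==="
        $path = $null
        if ([IO.Path]::IsPathRooted($entry)) {
            if (Test-Path -LiteralPath $entry) { $path = $entry }
        } else {
            foreach ($dir in $searchDirs) {
                $candidate = Join-Path $dir $entry
                if (Test-Path -LiteralPath $candidate) { $path = $candidate; break }
            }
        }
        if (-not $path) {
            "  not found in $($searchDirs -join ', ') (deleted, or hidden from the file API)"
            continue
        }

        $file = Get-Item -LiteralPath $path -Force   # -Force: show hidden/system files too
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $ver  = $file.VersionInfo
        "  path      : $($file.FullName)"
        "  size/times: $($file.Length) bytes, created $($file.CreationTime), modified $($file.LastWriteTime)"
        "  attributes: $($file.Attributes)"
        "  sha256    : $((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash)"
        "  signature : $($sig.Status) $($sig.SignerCertificate.Subject)"
        "  version   : company='$($ver.CompanyName)' product='$($ver.ProductName)' desc='$($ver.FileDescription)'"

        # Processes that currently have the DLL mapped. Any of them can rewrite the
        # registry value the moment it is deleted, which is the behaviour described
        # in the thread. Module enumeration throws for protected or cross-bitness
        # processes, hence the try/catch.
        $dllName = [IO.Path]::GetFileName($path)
        $holders = foreach ($p in Get-Process) {
            try {
                if ($p.Modules | Where-Object { $_.ModuleName -ieq $dllName }) { $p }
            } catch { }
        }
        if ($holders) {
            "  loaded in : " + (($holders | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', ')
        } else {
            "  loaded in : no inspectable user-mode process"
        }
    }
}
```

What the output tells you: an unsigned DLL with no version information, a creation time matching when the problem started, and a "loaded in" list covering explorer.exe and everything else is the pattern of an AppInit_DLLs persistence, and it explains why fixing the O20 line from inside a running Windows session does not stick. Clearing the value only works once nothing that has the DLL loaded is running, so the file has to be renamed or removed first from an environment where Windows has not loaded it (on XP, the Recovery Console; on anything newer, a boot disk or WinRE command prompt), and only then is the registry value cleared and the hash submitted to a scanner. Take the hash and a copy of the file before deleting it, so the sample can still be identified afterwards.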

There are a couple of things you can do before posting in the HJT forum.....

Download CleanUp40.exe to the Desktop. See "How to use CleanUp!" by Steven R. Gould.

 

Download Ewido Anti-Malware...http://www.ewido.net/en/download/

In the folder where EWIDO is located, double click the EWIDO Setup file

Follow the prompts and reboot when done.

When the prompt with Additional Options appears, uncheck:

Install background guard

Install scan via context menu

When the program starts, do an online update for the latest signature files....reboot to Safe Mode

Run EWIDO...Complete System Scan... The scan may find malware entries and request action to clean up. Agree.

However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None

When EWIDO is done, reboot

If you find you still have a problem.......Do another HJT log and create a post in the HJT forum for expert assistance.

 


I would add a couple of other suggestions:

* Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.

You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

 

* You also need to provide a complete HJT logfile, what you have provided there is not nearly the total log. Revert anything you have set to 'ignore' back to default detection, also be sure to produce a log in 'Normal' mode, not safe mode.

 

By what you have posted there, no one can decipher exactly what's going on with your machine.
