Can't remove a dll [RESOLVED]



#1 dond3 (New Member, 2 posts)

When I came back to my computer I found the work offline message on the screen. I canceled it and then decided to look through the computer and found three prefetch files that were not there before: CMD.exe, MSNI.EXE and XVFPVRD.COM. I then checked the system32 folder and found three files had been added. I could find two of the three based on modified dates but not the last one. The files were Lovefly.dll and smart.dll; they both are listed as some FrameBuffer display driver. When I tried to delete them it stopped me, saying they were in use. I ran Ad-Aware but that didn't help and then ran Spybot.

After running Spybot it found 3 registry files called W32.agent.pz or something like that. The problem is the scan won't finish; it will get halfway through and will then say error checking and stop. I never had this problem before and no matter how many times I retried it would always stop at some random place. Even though it doesn't finish I was able to remove the three entries shown. I then looked up the virus and found instructions on running something called sdfix, so I ran that and it didn't change anything. So I went into safe mode, tried Spybot again and it failed, then went and tried to delete the two dlls I had found. I was able to delete Lovefly.dll but not smart.dll, and I still don't know what the third file is either.

After looking around the system32 folder I then found other files such as framebuf.dll that listed itself as being the same thing, FrameBuffer, but these files were listed as having the default creation date of 8/18/2001. Are these files legitimate and the spyware I have is masking its two files to look like framebuffer, or is the spyware advanced enough to create files with fake dates? The reason I'm sure Lovefly.dll and smart.dll are virus related is that both had the creation time of 8:50, which is the same time as the one on the msni.exe prefetch (CMD.exe and XVFPVRD.COM had 8:46). The HijackThis log has smart.dll listed as winlogon notify but I haven't done anything to take care of it yet. Also, after the computer has been rebooted alg.exe has started to run at startup, which it has never done before, so I suspected it has something to do with the spyware trying to access something, which would explain the "do you want to work offline" message I found earlier.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:40 PM, on 5/15/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\TI-Calculator\America Online 7.0\waol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://fpdownload.macromedia.com
O15 - Trusted Zone: http://www.macromedia.com
O15 - Trusted Zone: http://moneycentral.msn.com
O15 - Trusted Zone: http://sdc.shockwave.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40E66073-8C5A-46A8-B36C-43A48833F7D3}: NameServer = 205.188.146.145
O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4054 bytes

#2 IndiGenus (Anti-Malware Buddha, 1,617 posts)

Hi dond3,

You appear to have posted over at Castle Cops a few days ago and received a response. It is the exact same response you will get here. What about the response don't you like? The forums are very busy and posting to multiple forums just clogs things up even more. I would recommend you continue to follow the instructions over at CC. If I am mistaken or you have objection to this then let me know.

http://www.castlecop...PATCHED_XP.html

Good luck,
Dave

#3 dond3 (New Member, Topic Starter, 2 posts)

Yeah, sorry about that. The reason I didn't want to patch up is because being on dial-up, AOL at that, doesn't make that the easiest task at the moment, and waiting days for Microsoft to send a CD seemed like a waste. I planned on securing the computer up once it was safe and figured it would only take a few minutes for someone to post a solution, because from what I can tell I don't have that bad of an infection, only a dll that can't be removed. I had used the analyzer at http://www.hijackthis.de/en and it said all the entries were clean and safe except for O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll, which was listed as unknown, and that happens to be the dll that can't be deleted and was created at the time of the infection. So I just wanted advice on if having HijackThis fix that would be alright, since it looked at least to me that this was the only thing needed to be killed. Sorry about all of this; if you think it looks like that isn't all that would be needed then you can close this and I'll go back to where I posted.
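Added example, not part of the original thread and not code from HijackThis or hijackthis.de: a small Python triage of the O20 "Winlogon Notify" lines in a HijackThis log, comparing each notify key against a baseline of stock Windows XP keys. The baseline set, the function names and the handling of a "(file missing)" suffix are assumptions of this example, and the sample log is constructed apart from the `Fly` line taken from the log in post #1.

```python
import re
from typing import NamedTuple

# Notify subkeys expected on a stock Windows XP install. This baseline is an
# assumption of the example; build your own from a known-clean machine.
XP_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
               "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# "O20 - Winlogon Notify: <key> - <dll path>[ (file missing)]"
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>.+?)"
                 r"(?P<missing>\s+\(file missing\))?\s*$", re.IGNORECASE)

class Notify(NamedTuple):
    key: str            # registry subkey name under Winlogon\Notify
    dll: str            # DLL that winlogon.exe loads for this key
    file_missing: bool  # log says the DLL is no longer on disk
    in_baseline: bool   # key name matches the stock XP baseline

def triage_notify(log_text):
    """Return every O20 Winlogon Notify entry found in a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = O20.match(line.strip())
        if m:
            found.append(Notify(m["key"], m["dll"].strip(),
                                m["missing"] is not None,
                                m["key"].lower() in XP_BASELINE))
    return found

def needs_review(entries):
    """Entries whose key is outside the baseline: a lead, not a verdict."""
    return [e for e in entries if not e.in_baseline]

# Constructed sample; only the "Fly" line comes from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: ExampleKey - C:\WINDOWS\system32\example.dll (file missing)
"""

if __name__ == "__main__":
    for e in needs_review(triage_notify(SAMPLE_LOG)):
        state = "file missing" if e.file_missing else "file present"
        print(f"review: {e.key} -> {e.dll} ({state})")
```

A key outside the baseline only marks an entry for a closer look; third-party software can register a notify DLL legitimately, and a key inside the baseline can still point at a replaced file.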

#4 IndiGenus (Anti-Malware Buddha, 1,617 posts)

Hi,

No problem, I understand. I would highly recommend that you do the update though. If you don't, your chances for re-infection are so much greater. Also, just because that is the only file/entry seen in HJT does not mean that's the only problem. HJT does not see everything and there may very well be more. Also, it may not even be bad! I would stick with the thread at CC and get fixed up there. We would just advise the same thing here anyway.

Regards,
Dave

#5 IndiGenus (Anti-Malware Buddha, 1,617 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.