
Unknown Dll's


7 replies to this topic

#1 disfunctionl


Posted 24 March 2007 - 02:52 PM

Does anyone know what the following DLL files are? I pulled both of these from a HijackThis log file. Both are located in the System32 folder, and so far I have not been able to find any information on them by searching the internet. This is my roommate's computer. He's getting a TON of pop-ups and the system is running super slow, so I have a feeling one or both of these might be the cause. Any help would be greatly appreciated.

O20 - AppInit_DLLs: c:\windows\system32\gebyyvu.dll
O20 - Winlogon Notify: dsaul15 - C:\WINDOWS\SYSTEM32\dsaul15.dll

P.S. I'm a Computer Consultant by trade. I have A+ and MCSE certifications, so if you want to get technical feel free. :thumbsup:



#2 buddy215


Posted 24 March 2007 - 03:56 PM

Try the programs below. They are both excellent for removing adware and trojans.
If you can find out more info on exactly what the infection is there are numerous tutorials here that can help remove specific infections. Otherwise, I would post a hijack this log after running the two programs. Be sure and post it in the Hijack This Forum. Not this one.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Post a Hijack This log in the appropriate forum by following the directions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 quietman7


Posted 25 March 2007 - 07:35 AM

Anytime you come across a suspicious file for which you cannot find any information, you can submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 disfunctionl


Posted 25 March 2007 - 01:29 PM

Thank you both for the suggestions.

Buddy, I appreciate you pointing me to Super AntiSpyware. It found things that AdAware, Spybot, and A Squared have all missed. This might become my new favorite Adware/Spyware scanning software. The dsaul15.dll was one of the things it found. Apparently it's associated with the Adware.Sended/Resident BHO. I had Super Antispyware clean it off, but then ran another scan and it's still there, apparently creating various dll files each time I delete one of them. It has now found a file HHSIAL.dll that is part of it. So far I haven't found the root source of Adware.Sended, but I'm still looking and researching. I really hate these types, they're such a pain to get completely cleaned off.

Quietman, I'll try the two websites you listed for the other dll file I was asking about. Hopefully, they'll be able to give me more information on it.

Thanks again for the help guys, and I'll see how this goes. If I can't fix it myself soon I'll post a HJT log.

#5 buddy215


Posted 25 March 2007 - 01:57 PM

Try running the Smitfraudfix using the directions in the link below.
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/

If you haven't run Bit Defender, you are missing using a good tool for finding and removing malware.

Turn off system restore and leave it off until free of malware. Install and run Ccleaner. Doing those two things will speed up your scanning. Just remember to turn system restore back on when clean of malware.
Disable System Restore - File Purge - Turn Off Windows XP System Restore
http://www.ccleaner.com/
Use the default settings in Ccleaner. Do not use the advanced settings or Issues button which is a registry cleaner.

Edited by buddy215, 25 March 2007 - 02:07 PM.



#6 disfunctionl


Posted 25 March 2007 - 03:39 PM

Okay, so my suspicion was right. I uploaded the gebyyvu.dll file to virustotal.com like quietman suggested, and sure enough several of the programs it scans the file with came back showing it infected. So, I rebooted in safe mode, deleted gebyyvu.dll and made sure that dsaul15.dll and hhsial.dll were both gone. I also searched the registry and deleted all keys and references to all 3 files, including the CLSID key that was registering hhsial.dll. It seems to have finally gotten rid of Adware.Sended, because I ran SAS again and all it found this time was a couple of tracking cookies (which I cleaned).

I've rebooted normally again, now I'm gonna run the online BitDefender, online Trend, and then HJT one last time and see where I'm at.

Thanks again for the links guys. That helped a bunch.
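Added example, not part of any post in this thread: the two O20 lines from the first post and the registry cleanup described above both come down to knowing which registry locations HijackThis summarises under O20. This Python sketch parses O20 lines and lists the entries that need review; the `KNOWN_NOTIFY` baseline and the last two sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Registry locations HijackThis summarises under section O20.
WINDOWS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: Notify subkeys seen on a stock Windows XP install. Build the real
# baseline from a known-clean machine; a matching name alone proves nothing.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.+)$")

def parse_o20(log_text):
    """Return (registry location, subkey or None, dll path) per O20 entry."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections are out of scope here
        kind, rest = m.groups()
        if kind == "Winlogon Notify":
            # Line format: "<subkey> - <DLL the subkey loads>"
            subkey, _, dll = rest.partition(" - ")
            entries.append((NOTIFY_KEY + "\\" + subkey, subkey, dll.strip()))
        else:
            # The AppInit_DLLs value lists DLLs separated by spaces or commas.
            for dll in filter(None, re.split(r"[ ,]+", rest)):
                entries.append((WINDOWS_KEY + " [AppInit_DLLs]", None, dll))
    return entries

def needs_review(entries):
    """AppInit_DLLs is empty on a default install, so every DLL there is
    reviewed; Notify entries are reviewed when the subkey is not in the baseline."""
    return [(loc, PureWindowsPath(dll).name.lower())
            for loc, subkey, dll in entries
            if subkey is None or subkey.lower() not in KNOWN_NOTIFY]

# First two lines are from the original post; the last two are constructed.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: c:\windows\system32\gebyyvu.dll
O20 - Winlogon Notify: dsaul15 - C:\WINDOWS\SYSTEM32\dsaul15.dll
O20 - Winlogon Notify: cryptnet - C:\WINDOWS\System32\cryptnet.dll
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
"""

if __name__ == "__main__":
    for location, dll in needs_review(parse_o20(SAMPLE_LOG)):
        print(f"review {dll}: {location}")
```

Each reported location is the value or subkey to inspect alongside the DLL file itself, since removing only the file leaves the loader entry behind.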

#7 buddy215


Posted 25 March 2007 - 04:15 PM

Since you are kind enough to give a play by play, mind telling us the identities of the malware that the Jotti scans found?



#8 disfunctionl


Posted 25 March 2007 - 04:36 PM

OH, I didn't run the Jotti, just the virustotal.com one. And...unfortunately I didn't write down all the results from the scan of the gebyyvu.dll file. They were varied with each of the programs it checks with. Most reported no virus, but a couple simply said "suspect", and I remember noticing that Panda reported it as a Trojan, but again...I didn't really look at which one. Sorry.

Bit defender is still running on that computer (we have 3 networked together). There's a lot of data on the computer so it's taking a while to scan all the files. I'm glad I did though, it's already found and deleted several Temp files and Temporary Inet files that were infected. Looks like I might have to reinstall AIM and Yahoo msger though, because the exe files for both were also infected and deleted. Oh well.



