
leealee.dll - PC constantly crashing and processes ending

hi, guys, this is my first post, i'm in real trouble.

PC started running slow, so using Security Task Manager, leealee.dll was identified with a rating of 92, it is located in the system32 folder. however i cannot remove the file. i have googled the dll name, but there are no results whatsoever

if this helps, the txt in the file is:

This program must be run under Win32
hrr Eeo
gt gL2ua
4,rVCp.V oS
WLEventLogoff
ServiceMain
DllUnregisterServer
DllRegisterServer
DllGetClassObject
DllCanUnloadNow
lzaqgts.dll
CharNextA
SHDeleteKeyA
shlwapi.dll
SysFreeString
oleaut32.dll
FreeSid
advapi32.dll
LoadLibraryA
GetProcAddress
kernel32.dll
.edata
.idata
.text

on removal, there is a problem removing a key from the registry, sorry for the long post, i hope somebody can guide me in the right direction

thanks
sorry for the long post, a

Comments

  • edited May 2007
    Hi,

    Welcome to Short-Media Forums.

    As we work together to resolve your problem please read the instructions carefully. You may wish to print them off or copy them into Notepad.
    If you have a question, please don't hesitate to ask.
    The instructions I give are specific to your current problem and should not be used on other systems.
    Post your replies to this thread.

    ========

    Download Hijackthis ver. 1.99.1 from HERE and save it to your Desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\HijackThis.

    Then

    Rename HijackThis.exe

    1. Right click on the HijackThis icon.

    2. Select Rename.

    3. Now type the following: scanner.exe <<< NOTE: make sure to put a period before exe when typing.
    Hit the enter key on keyboard.

    Double click on Scanner.exe.
    Click on Do a system scan and save a logfile. Post log in next reply.


    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
  • edited May 2007
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:25:04, on 28/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Tom\Desktop\HiJackThis_v2\Scanner.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.121.43.113:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {285272E3-06E3-4B0B-867A-E496F6D78CB3} - c:\windows\system32\leealee.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163414185523
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163414249916
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2FFF88AD-890E-4175-9433-5F409A26C3A7}: NameServer = 192.168.2.1,194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2FFF88AD-890E-4175-9433-5F409A26C3A7}: NameServer = 192.168.2.1,194.168.8.100
    O20 - Winlogon Notify: ixoexnvn - C:\WINDOWS\SYSTEM32\leealee.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    --
    End of file - 5168 bytes


    there you go, help appreciated, thanks
  • edited May 2007
    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.
  • edited June 2007
    vundofix found no infected files.

    the problems lie within

    O2 - BHO: (no name) - {285272E3-06E3-4B0B-867A-E496F6D78CB3} - c:\windows\system32\leealee.dll

    and

    O20 - Winlogon Notify: ixoexnvn - C:\WINDOWS\SYSTEM32\leealee.dll

    any ideas on how to remove?
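
As an added illustration (not part of the original thread and not HijackThis code), this Python sketch applies the observation in the post above to a log: it flags any file loaded through Winlogon Notify (O20) that is also registered through another hook such as a BHO (O2). The function names are hypothetical, the sample lines are copied from the log posted in this thread, and the result is a triage hint rather than a verdict.

```python
import re
from collections import defaultdict

# Sample input: five lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {285272E3-06E3-4B0B-867A-E496F6D78CB3} - c:\windows\system32\leealee.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ixoexnvn - C:\WINDOWS\SYSTEM32\leealee.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

# Only the DLL-loading sections are parsed: O2 (BHO), O20 (Winlogon Notify), O22.
ENTRY_RE = re.compile(r"^\s*(O2|O20|O22) - [^:]+: (.+)$")

def parse_entries(log_text):
    """Yield (section, entry name, lower-cased file path) for O2/O20/O22 lines."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = m.group(2).split(" - ")  # name [- {CLSID}] - path
        if len(fields) < 2:
            continue
        yield m.group(1), fields[0].strip(), fields[-1].strip().lower()

def triage(log_text):
    """Return {path: [reasons]} for files that deserve a closer look."""
    sections = defaultdict(set)
    reasons = defaultdict(list)
    for section, name, path in parse_entries(log_text):
        sections[path].add(section)  # paths compared case-insensitively
        if section == "O2" and name == "(no name)":
            reasons[path].append("BHO registered without a name")
    for path, secs in sections.items():
        if "O20" in secs and len(secs) > 1:
            others = ", ".join(sorted(secs - {"O20"}))
            reasons[path].append("loaded via Winlogon Notify and " + others)
    return dict(reasons)

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```
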
  • edited June 2007
    Press Scan for Vundo, then continue with the instructions from this point:
    • Once the scan is complete, right-click inside the listbox (white box) and click add more files
    • Copy & paste the 2 entries below into the top 2 boxes:
      • C:\WINDOWS\SYSTEM32\leealee.dll
      • C:\WINDOWS\SYSTEM32\eelaeel.*
    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shut down your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    ;)