
Thread: HELP - no internet connection due to "aelupsvc32.dll"

  1. #1
    Join Date
    Dec 2006
    Posts
    12

    HELP - no internet connection due to "aelupsvc32.dll"

    After installing McAfee to deal with the ads, IE stopped working, meaning, no internet connection. When I opened Outlook, it said "The application or DLL C:\Windows\sys32\aelupsvc32.dll is not a valid Windows image. Please check this against your installation diskette." I uninstalled McAfee but the problem is still there. Can anyone help me out? Thanks a lot!!!!!!

  2. #2
    Join Date
    Aug 2006
    Posts
    578

    Hi Greenfish,

    aelupsvc32.dll is malware. You should delete it (though I am not certain it will correct your connection issue) or at least rename it aelupsvc32.BAD.

    Chances are good that there are additional malware besides this one on your machine.
    Are you able to get a HJT Log as per my linky below?


    You should be able to put HJT on a floppy, run it, save the log on floppy and upload it from another machine.

    Best luck
    PP

    * I'll move this thread to the Spyware Forum where Judy will see it.

    * Additionally, you'll likely need to run LSPFix to regain your internet connection. Judy can talk you through that as she is here more often than I.
    Last edited by PhilliePhan; 12-14-2006 at 12:12 AM.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    greenfish, Follow PP's suggestions and I will check things out when you have completed the steps he has advised.
    Judy

  4. #4
    Join Date
    Dec 2006
    Posts
    12
    Thank you, PP and Judy! However, I could not delete or rename "aelupsvc32.dll". It said that "access is denied. make sure the disk is not full or write protected and that the file is not currently in use."

    Thanks again for your quick response. I really appreciate that!

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Well then just complete his request for a HiJackThis log and post it back here. This will give us an idea of what we are working on here and hopefully can come up with a fix.
    Judy
    Last edited by jholland1964; 12-14-2006 at 03:48 PM.

  6. #6
    Join Date
    Aug 2006
    Posts
    578

    Quote (originally posted by greenfish):
    It said that "access is denied. make sure the disk is not full or write protected and that the file is not currently in use."

    We will probably have to remove it in Safe Mode with the bare minimum running.

    Better yet, we can try to get everything in one fell swoop after looking at your HijackThis Log. Let us know if you have problems getting that.
    -- Rename hijackthis.exe to HJTScan.exe and then run it. A certain malware detects hijackthis.exe.

    -- If you are able, please go to this link and follow the instructions to scan with WinPFind by OldTimer.
    You may need to put it on a floppy as well to get it to run on the ill computer if there is still no connection.
    Please submit the WinPFind Log along with the fresh HJT Log.


    PP

  7. #7
    Join Date
    Dec 2006
    Posts
    12

    WinPFind Log & HJT Log attached

    Here are the logs from HJT scan and WinPFind. The logs may contain some Chinese characters but those are normal information of my files and programs. Thanks again for your help!

  8. #8
    Join Date
    Aug 2006
    Posts
    578

    Quote (originally posted by greenfish):
    Here are the logs from HJT scan and WinPFind. The logs may contain some Chinese characters but those are normal information of my files and programs. Thanks again for your help!

    Happy to help!

    Actually, I am surprised - I do not see much in those logs. You do, however, have one big baddie. It's the Chinese RooGoo LSP Hijacker.

    O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll

    C:\WINDOWS\system32\drivers\wsfit32.sys

    Components of this are hidden by a rootkit. The rootkit driver is likely wsfit32.sys above. Are you familiar with rootkits and how they work? Basically, we'll need specialized tools to TRY to dig everything out of your machine.

    Let's first try to get the ill machine back online - That may leave you open to attack, but will better facilitate using the Anti-Rootkit Tools you'll need to run.

    You'll have to use a floppy again to transfer this tool.

    -- Please Download LSPFix and extract it from the ZIP and transfer it to the sick machine.

    -Please run LSPFix.

    -Check the Box labeled "I know what I'm doing" and then click on the aelupsvc32.dll file (in the “Keep” section) to select it.

    -Then, Select the >> button to move aelupsvc32.dll into the Remove section.

    -Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Reboot and see if you can get back online - Be sure your Firewall and AV are operating!


    Let us know how that goes and we'll go on from there. I'll try to check back tomorrow evening (EST).


    If the LSPFix procedure goes well, please give me a fresh HJT log and a StartupList.


    Run HijackThis and open the Misc Tools section.
    -- Check the boxes to List minor sections & List empty sections
    -- Click Generate StartupList & Yes
    -- Please submit that log for me along with the new HJT.

    Best Luck
    PP
    Last edited by PhilliePhan; 12-15-2006 at 12:15 AM.
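
The log triage described in post #8 can be automated. The sketch below is an added example, not part of the original thread or of HijackThis: it scans the entries quoted in that post for unknown Winsock LSP files (O10) and for Run-key programs whose names imitate a known Windows binary (O4). `triage`, `KNOWN_NAMES` and `LOOKALIKE` are hypothetical names, and the name list is an illustrative assumption.

```python
import re

# Entries quoted in post #8 (HijackThis format: "<section> - <detail>").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
"""

# Assumption: a short, illustrative list of genuine Windows executable names.
KNOWN_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe"}
# Digit-for-letter swaps used to imitate a trusted name (0 -> o, 1 -> l).
LOOKALIKE = str.maketrans("01", "ol")

ENTRY = re.compile(r"^(O\d+) - (.+)$")
RUN_ENTRY = re.compile(r"^\S+: \[[^\]]*\] (.+)$")
LSP_ENTRY = re.compile(r"^Unknown file in Winsock LSP: (.+)$")


def triage(log_text):
    """Return de-duplicated (section, reason, path) findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        section, detail = entry.groups()
        finding = None
        if section == "O10":
            lsp = LSP_ENTRY.match(detail)
            if lsp:
                finding = ("O10", "unknown-lsp", lsp.group(1).lower())
        elif section == "O4":
            run = RUN_ENTRY.match(detail)
            if run:
                path = run.group(1).strip('"').lower()
                name = path.rsplit("\\", 1)[-1]
                # Flag only names that become a known name after undoing swaps.
                if name not in KNOWN_NAMES and name.translate(LOOKALIKE) in KNOWN_NAMES:
                    finding = ("O4", "lookalike-name", path)
        if finding and finding not in findings:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for section, reason, path in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:15} {path}")
```

The duplicated O10 line is reported once; a finding here is a prompt for manual review, not proof of infection.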

  9. #9
    Join Date
    Dec 2006
    Posts
    12

    aelupsvc32 still couldn't be deleted

    PP, I followed your steps but it seems that aelupsvc32 is still there. And the IE is still not working. However, I found one interesting thing. One program, QQ, similar to MSN or AOL but it's a Chinese program, is working. Is it possible that something is wrong with the internet explorer? I also tried Firefox but it doesn't work, either.

    I attached the Hijackthis log and Startupthis log, just in case you may want to have a look.

    Thank you again for your time and efforts!

  10. #10
    Join Date
    Aug 2006
    Posts
    578

    Quote (originally posted by greenfish):
    PP, I followed your steps but it seems that aelupsvc32 is still there. And the IE is still not working. However, I found one interesting thing. One program, QQ, similar to MSN or AOL but it's a Chinese program, is working. Is it possible that something is wrong with the internet explorer? I also tried Firefox but it doesn't work, either.
    Thank you again for your time and efforts!

    Happy to try to help

    I have been in relative "retirement" from fighting malware for a while due to real life matters, so I am not as up-to-date on this particular baddie as I might otherwise be.

    I am guessing that the hijacker is protected by elements currently hidden by a rootkit.

    Please do two more quick scans for me and then we'll start ripping things out . . .!!

    -- First, please download and run this little program I wrote and attach the log. The directions are on the page: ISeeYouXP

    -- Also, please go to this site and run Blacklight Beta as per their instructions and attach the log.

    That should give me enough information to have you try to remove this thing!

    Will check back as time permits.

    Best
    PP
