Let's solve this logically. Iletoxuf.dll doesn't exist on any Google queries. What does this mean? That an application is generating that name with a random string. I don't think a legitimate application would do that, so it must be some kind of malware instead. Because it reappears, that means that an application resident in memory is creating it again. It is useless to move a DLL someplace else, or even delete it.
December 24, 2008 05:13 PM
Iletoxuf.dll... what is it?
Hello,
I was wondering, what is Iletoxuf.dll? Where did it come from?
Not sure what I installed to make this strange .DLL file appear, but whenever I try to rid it from MSCONFIG(Startup), it reappears seconds later. It's located in C:\WINDOWS - I didn't want to delete it in case it's connected to something else, but I did remove it from C:\WINDOWS and put it somewhere else, then tried to uncheck it from Startup. Even though it wasn't in its prior location, it still reappeared back into Startup.
I've tried looking it up in Google, but no page shows up. I scanned it with McAfee and Spybot - Search & Destroy and nothing came up. Don't think it's a virus or spyware, but really have no idea what it is.
Anyone have an idea of what it is and what program it's connected to?
Any help would be most appreciated.
Thanks!
EDIT: Here's a screenshot of the .DLL file in Startup.
http://content.screencast.com/users/Myst3r1o/folders/Jing/media/b03854ec-b43e-4edd-aa8e-5a184dedb059/iletoxuf.dll.png
Best Answer Chosen by Asker
December 24, 2008 05:24 PM
Here's what I think you should do, since Spybot and McAfee failed you: download Adaware and Kaspersky antivirus instead. I have found that Kaspersky has a much greater detection rate.
Adaware: http://www.lavasoft.com/single/trialpay.php
Kaspersky: http://www.kaspersky.com/anti-virus_trial
If you are still having problems, download Trend Micro's "Hijack This".
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
When you run this program, it will give you a log of all (malicious) files that are in use. Please copy this log, paste it to
http://paste2.org/new-paste
and then come back with the URL, so that we can see what the problem really is.
Other Answers (4)
December 24, 2008 05:23 PM
Many viruses and spyware apps generate random names for the executables to make them more difficult to detect. It could be anything. Disable it in msconfig, try to take it out of the "Run" or "RunOnce" keys in the Registry (back it up first), restart and see if it comes back, or if it keeps changing names.
December 24, 2008 05:42 PM
Much like bugsy, I agree that it may be a randomly generated filename; however, you might want to find the actual file first and then, depending on the size of the file, send it through VirusTotal's multi-engine virus scanner. There are also some other good multi-engine malicious file scanners out there; however, VirusTotal has been around the longest and is, in my humble opinion, the most reliable.
Some of these multi-engine scanners distribute the file(s) to virus vendors for analysis; some don't.
I would also use the SSL option as well.
Then, if you don't come up with anything from them, try finding the source of the file, which is probably a rogue parent application that was installed on your system.
It might also be nothing to worry too much about, as many of these types of files do little harm to the structure of your system itself.
I would then suggest disconnecting the infected machine from any and all networks (remember, folks, the internet is A network) until you have "something to go on" (some more information so that you can better characterize the file's whereabouts/origins).
Good luck
~X
December 24, 2008 06:41 PM
I've gone ahead and run the file through VirusTotal; here's the URL:
https://www.virustotal.com/analisis/e8f646a27cef9879e5354798905637f1
It looks like the .DLL file is infected, but only a few virus scanners actually detected it as infected. At this point, I'm not really sure what it is. It could be a virus, but then again it may not be.
Thanks for your help!
December 24, 2008 07:25 PM
You might want to try running a general anti-malware application. Antivirus is good at detecting some malware besides viruses, but generally you need to run a specific application that specializes in this type of removal. I recommend one of the following: http://www.superantispyware.com/
http://www.malwarebytes.org/mbam.php
Both of those programs are free and should get rid of the malware that is causing that specific dll to regenerate. The fact that it regenerates makes me think there is something more than that one dll file.
Source(s):
Years of experience in removing malware
http://en.wikipedia.org/wiki/Computer_virus
Various anti-malware websites
December 24, 2008 10:42 PM
You've already done a lot of the research I would have recommended. Looking at the IDs from VirusTotal (at least, the ones that are not generic), this looks pretty new. Here's something I would try (and it's saved me a few times). Install Comodo BOClean (it's free). It used to be BOClean, but then was purchased by Comodo.
http://www.comodo.com/boclean/boclean.html
The name comes from the old Trojan Back Orifice (BO). This works differently. It does NOT scan, but instead looks for Malware to begin executing. If it sees such a process start it will kill the process and give you more options.
Most likely, you would need to reboot to see if BOClean will spot the malware when it starts.
No guarantees that it will, but I have had BOClean save me a few times.
Personally, if I had the PC in front of me I would also go poking around in the registry, but I hesitate to give you any instructions along that line remotely.
Source(s):
I am editor-in-chief of RealTechNews, an award-winning tech blog. I also write on my own and have been published in the NY Times.
I've then run HijackThis!. Here's the logfile URL:
http://paste2.org/p/120452
Also, in addition to that, I moused over the .DLL file (C:\WINDOWS) and this appeared:
http://content.screencast.com/users/Myst3r1o/folders/Jing/media/642b998e-bcc8-46ea-96f8-f7819f091753/dll%20file%20info.png
Not sure if that would help much, but may help with finding out what the .DLL is. Last thing, for some reason, when I mouse over it again, nothing appears. Just the date and size.
Thanks for everyone's help so far!
O4 - HKLM\..\Run: [Lnipujumu] rundll32.exe "C:\WINDOWS\Iletoxuf.dll",e
You should do a complete scan of the system with Kaspersky, setting all options to "high detection". Enable heuristics scanning.
Be sure to update the signatures.
Be sure to enable the memory protection in Kaspersky, and leave it open at all times.
In Kaspersky, I've set everything to the highest possible setting. I'm doing a full scan now, hopefully all is clear.
Last thing, in that HijackThis! report, two rundll32.exe files showed up:
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
Do you know what that might mean? One is a virus and the other isn't? That would be my best guess.
Thanks for the help!
"I would then suggest disconnecting the infected machine from any and all networks (Remember folks the internet is A network) until you have "something to go on" (some more information so that you can better characterize the files whereabouts/origins)"
EDIT: I
Sorry I couldn't really get into it this morning with you; I woke up with a splitting migraine.
I'm a consultant for Counterpane IS. I can tell you first hand, and I think it's pretty obvious, that this file is not from the Microsoft Corporation.
I don't put too much faith in HJT either, and while I'm not trying to take anything away from bugsy, I really would suggest temporarily disconnecting the machine from the net until you have a clearer understanding of the file's origins.
Use removable read-only media (your best bet is CD-Rs with their TOCs written) to transfer files back and forth from the machine. While this might seem like a very paranoid approach, it is the safest route.
EDIT: II
The problem is:
Most current commercial virus scanners cannot detect clone stream and MD5 collision type viruses, which are the most dangerous.
These types of viruses can attach themselves to other files on your machine and make it look as if they do not even exist. The only way of detecting them or knowing if they are really there is to decompile files through a de-compiler such as hexedit32 or using a certain type of echo console on the child files.
And they rarely can detect stuff over a network.
This is why I frequently tell my clients to run programs they use through a sandbox such as threatexpert or nubis.
And only run programs with a limited reach in user or power user mode inside Windows. Giving programs administrative access on your machine is the absolute worst thing you can do.
This will dramatically decrease your chances of installing a rogue program.
PS: Lavasoft found a way to detect vx/vs stream viruses a while back but it wasn't too reliable.
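The O4 entry quoted in the comments above, and the asker's question about the two rundll32.exe paths, worked through as an added example (not code from any poster or from HijackThis): it parses O4 autostart lines, flags rundll32 entries using two heuristics that are assumptions of this example, and compares paths the way Windows does, ignoring letter case. The second sample line, `SYSTEM_DIRS` and all function names are constructed for illustration.

```python
import ntpath
import re
# HijackThis O4 line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32.exe "<dll path>",<export>  (quotes around the path are optional)
RUNDLL_RE = re.compile(r'^(?:\S*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,'
                       r'\s*(?P<export>\S+)', re.I)
SYSTEM_DIRS = {r"c:\windows\system32"}  # assumption: default Windows layout

def parse_o4(line):
    """Return the fields of an O4 autostart line, or None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def review(entry):
    """Heuristic reasons to look closer at an entry; these are not verdicts."""
    m = RUNDLL_RE.match(entry["cmd"])
    if not m:
        return []
    reasons = []
    dll = ntpath.normcase(m["dll"].strip())
    if ntpath.dirname(dll) not in SYSTEM_DIRS:
        reasons.append("rundll32 loads a DLL from outside system32: " + dll)
    if len(m["export"]) <= 2:
        reasons.append("unusually short export name: " + m["export"])
    return reasons

def same_file(a, b):
    """Windows paths are case-insensitive: compare after case folding."""
    return ntpath.normcase(a) == ntpath.normcase(b)

def flagged(log):
    """Map autostart value name -> reasons, for entries with any reason."""
    hits = {}
    for line in log.splitlines():
        entry = parse_o4(line)
        reasons = review(entry) if entry else []
        if reasons:
            hits[entry["name"]] = reasons
    return hits

# Line 1 is the entry quoted on this page; line 2 is constructed for contrast.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Lnipujumu] rundll32.exe "C:\WINDOWS\Iletoxuf.dll",e
O4 - HKLM\..\Run: [ExampleTray] rundll32.exe C:\WINDOWS\system32\example.dll,StartTray
'''
if __name__ == "__main__":
    print(flagged(SAMPLE_LOG))
```

The two rundll32.exe paths the asker lists differ only in case, so `same_file` treats them as one binary rather than a clean copy and an infected one.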