Romain Ciemniewski

31/05/07

Random DLL Virus

Filed under: General — romainciemniewski @ 12:05:02 pm


Yesterday was a bad day for me from an IT point of view. I've been infected by a virus opening the IE web browser with links to random advertising websites for suspicious antivirus, spyware and malware protection. After many hours and a huge help from CJ (Thank you !!!) we discovered the virus created random hidden system dlls in the Windows/System32 directory. Every dll was linked with a main process such as explorer and ... winlogon :( You think it's impossible to close winlogon because it closes Windows as well. CJ did prove it is possible !!! In fact you have approximately half a second after closing winlogon to delete the dll...
All the eradication was processed manually. Indeed no antivirus, antispyware or anti-malware software was able to clean my computer. We found a free, interesting piece of software called Process Explorer. It displays every running process and the dlls linked to it.

I suspect CJ of having been an operator in the Nebuchadnezzar ... I've never seen someone type that fast before; my French keyboard is still hot and will remember that forever !

Thanks CJ and also John and Kelvin for their help !
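As an added example (not part of the original post or its comments), here is a PowerShell script that does what the post describes doing by hand in Process Explorer: it lists the DLLs loaded into explorer.exe and winlogon.exe and flags the ones that look like the random hidden System32 DLLs described above. The heuristics (file under System32, Hidden and System attributes set, a random-looking all-lowercase name, no valid Authenticode signature), the name pattern and the function names are my own assumptions, not anything taken from the post. It has to run from an elevated prompt, because reading winlogon's module list requires administrator rights.

```powershell
# Added example (not from the original post): find DLLs loaded into explorer
# and winlogon that look like the random hidden System32 DLLs described above.
# Run from an elevated PowerShell prompt; winlogon's module list is not
# readable otherwise. All thresholds and the name pattern are assumptions.

$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = 'explorer', 'winlogon'

function Test-SuspiciousModule {
    param([string]$Path)

    if (-not $Path) { return $false }
    # Only modules living in System32 are of interest here.
    if (-not $Path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }

    # -Force is needed so Get-Item returns Hidden/System files at all.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }

    # The post describes "hidden system dll" files: both attributes set.
    $hiddenSystem = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                    $item.Attributes.HasFlag([IO.FileAttributes]::System)

    # Random-looking name: 6 to 10 lowercase letters (assumed pattern,
    # e.g. the qzkjcrqz.dll mentioned in the comments would match).
    $randomName = $item.Name -match '^[a-z]{6,10}\.dll$'

    # Legitimate Windows DLLs in System32 carry a valid Authenticode signature.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $unsigned = $sig.Status -ne 'Valid'

    return $unsigned -and ($hiddenSystem -or $randomName)
}

function Get-SuspiciousModules {
    foreach ($proc in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
        $modules = @()
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot read modules of $($proc.Name) (PID $($proc.Id)): $_"
            continue
        }
        foreach ($m in $modules) {
            if (Test-SuspiciousModule -Path $m.FileName) {
                [pscustomobject]@{
                    Process = $proc.Name
                    PID     = $proc.Id
                    Module  = $m.FileName
                    Size    = $m.ModuleMemorySize
                }
            }
        }
    }
}

# Usage: print anything that matches; an empty table means nothing was flagged.
Get-SuspiciousModules | Format-Table -AutoSize
```

The output is a list to cross-check against Process Explorer's DLL view, not a verdict: a hit only says a module is unsigned and either hidden+system or oddly named, so confirm each one (hash, vendor, whether the file exists on a clean machine) before removing it. Once a module is confirmed, deleting it from Safe Mode, as suggested in the comments, avoids the half-second race after killing winlogon.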

Comments, Trackbacks, Pingbacks


  1. Haha!!! Don't forget AVG was able to get one of the trojans though ;)

    Comment from: Choon Jin Ng [Member] — 31/05/07 @ 23:11

  2. You need NOD32, the only anti-virus software to get the Advanced+ rating in the latest AV-Comparatives test! :P

    Comment from: michaelbui [Member] — 01/06/07 @ 14:20

  3. Never used it (going to try it though) but you may also want to try Comodo Firewall Pro (it's free)

    http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings

    Comment from: michaelbui [Member] — 01/06/07 @ 14:28

  4. And thank goodness I had both installed. Seems like Christine may have caught a trojan as she suddenly sent a file transfer request and it was reported to be a variant of Win32/IRCBot WO. While it's been caught, I'm kinda paranoid so I think I'll just format my computer, and it might need it now too since it's getting bogged down.

    Comment from: Michael [Visitor] — 01/06/07 @ 23:44

  5. Oh forgot to add that this was over MSN. You have been warned people!

    Comment from: Michael [Visitor] — 01/06/07 @ 23:47

  6. Hmm, so this image is what your desk looks like eh? Let's see, nothing unusual... good god man! You haven't finished your beer!

    Comment from: John [Member] — 02/06/07 @ 12:10

  7. The trouble is most antivirus programs don't consider adware/spyware as viruses so they don't clean them. Safe mode might be easier than trying to close winlogon and delete the file.

    Another useful program is "unlocker", http://ccollomb.free.fr/unlocker/ which allows you to delete files that are "in use". Never tried it with adware/spyware though.

    Did you really click "download" on the file without asking what it was? Were you running the most up to date version of messenger?

    Comment from: Cameron Walsh [Member] — 12/06/07 @ 20:12

  8. I used SUPERAntiSpyware to get rid of a similar virus (Vundo/Internet Speed Monitor), but it must not have got it completely because now every time I boot up I get a REGSVR32 error looking for qzkjcrqz.dll.

    I don't know what to do! Any ideas?

    Comment from: Mangy [Visitor] — 20/11/07 @ 13:43
