Anti-Spyware tip: Killing DLLs hooked into Winlogon or Explorer process - TechRepublic
General discussion
April 25, 2008 at 08:04 AM
robo_dev

Anti-Spyware tip: Killing DLLs hooked into Winlogon or Explorer process

by robo_dev . Updated 18 years, 2 months ago

Recently I had a bout of the ‘VUNDO’ virus which is a nasty and stealthy spyware trojan. Despite having (what I thought was) a reasonably good Anti-Virus package (TrendMicro 2007) and a very well-patched XP Pro box, a user of the PC clicked on one of those popups that said ‘your PC is infected!’ and that was all she wrote.

Vundo works by adding a random dll to your system, then locking on to your winlogon and explorer processes (these are two basic ‘central nervous system’ parts of Windows).

It also adds several other dat files and registry entries…these all vary depending on the exact variant.

Some variants of Vundo are easy to remove, and some are very stealthy and nasty.

The way it works, it monitors changes to the registry, by setting up a monitoring process performed by the DLL in memory.

What this all means is that you cannot delete the DLL when you find it, when you clean the registry it ‘uncleans’ itself, and suspending or stopping winlogon will crash your system. So it’s very tricky to remove.

The Trend AV software would detect this virus and quarantine the DLL, but within about ten minutes it would regenerate a new DLL and reinfect the PC. PC Tools ‘Spyware Doctor’ would detect it and remove it as well, but reinfection would occur fairly quickly.

With some diligent searching, you can find the DLL, but Windows won’t let you delete it, because it’s in memory. Safe mode? Nope, that will not work.

Systernals Process Explorer?

You can ALMOST get it this way, by suspending winlogon/explorer and attempting to unhook the dll, but nope.

Could it be removed with Spyware Doctor, Spybot S&D, HijackThis,Adaware, TrendMicro, Panda, etc, etc,? Nope, Nope, Nope, Nope.

Other utilities that could not get it: PendMove, MoveFile, Unlocker, etc.

The fix?

Boot into XP recovery console, track down the last DLL that was added to the system, and delete it. (Make sure you understand what DLL you are deleting). You could also do this with BART PE, since it gives you access to the filesystem with an alternate OS.

Once the offending DLL has been deleted and is no longer in memory, clean up the registry entries, and make sure the temporary internet files directories are cleaned out. Done.

Now that was easy, wasn’t it?

This discussion is locked

All Comments