ernel32.dll trojan/backdoor



  • Content Count:  219
  • Joined:  07/23/09
  • Status:  Offline

Here's another virus I'm trying to remove, but this one I can't seem to get rid of myself. So far I've tracked it down to being ernel32.dll. From what I can tell it started out being something called qrh.exe; then I removed that, but this part still remains. So far I haven't seen any change in my computer and everything seems normal since I removed the qrh.exe, but this is still reading as a virus, as a trojan and backdoor rootkit. After checking around there doesn't seem to be much about this other than what it is. Got a few things saying it's best just to reinstall and reformat, but I was hoping for a different way other than that.

Anyone got any ideas on how to remove it? It seems like SuperAntiSpyware isn't removing it, or it's just reinfecting itself somehow when I reboot. I'm kinda lost now, but I'm still going to be looking into it for a bit. I can post more information in a bit if someone needs it.

  • Content Count:  1300
  • Joined:  06/24/07
  • Status:  Offline

Try removing it while in Safe Mode of Windows.

(Hold F8 when the PC is booting.)

Then choose Safe Mode with Networking.

Before you do that, grab McAfee Stinger (Google it).

It's a stand-alone scanner that will run in Safe Mode, where most scanners cannot.

Should help clean up stuff. Be careful though: kernel32.dll is your main OS kernel, so if you aren't sure, do not delete it without having backed up your data.

And if you have recent backups, scan them for the virus as well. They like to hide in the recovery data sections.

  • Content Count:  470
  • Joined:  04/04/10
  • Status:  Offline

You have to find out exactly what it is. Get your virus scanner running in Safe Mode as per Jager's suggestion, and hopefully your anti-virus should be able to take care of it there. Otherwise, tell us what your virus scanner reports (e.g. what virus you have). If you do a Google search on it, you should be able to find other ways of removing it if your anti-virus can't handle it (which happens on occasion).

  • Content Count:  219
  • Joined:  07/23/09
  • Status:  Offline

> Try removing it while in Safe Mode of Windows. (Hold F8 when the PC is booting.) Then choose Safe Mode with Networking. Before you do that, grab McAfee Stinger (Google it). It's a stand-alone scanner that will run in Safe Mode, where most scanners cannot. Should help clean up stuff. Be careful though: kernel32.dll is your main OS kernel, so if you aren't sure, do not delete it without having backed up your data. And if you have recent backups, scan them for the virus as well. They like to hide in the recovery data sections.

I'll give that a try, but I think I may have removed it, and it's called ernel32.dll. The file seems to be stored in my system folders, next to where kernel32.dll should be.

> You have to find out exactly what it is. Get your virus scanner running in Safe Mode as per Jager's suggestion, and hopefully your anti-virus should be able to take care of it there. Otherwise, tell us what your virus scanner reports (e.g. what virus you have). If you do a Google search on it, you should be able to find other ways of removing it if your anti-virus can't handle it (which happens on occasion).

If you still want to see the logs, here they are, but I knew most of this from before.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.163,93.188.166.194 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{85970873-2a37-482c-9a2b-9edf76476164}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.163,93.188.166.194 -> No action taken.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\User\Application Data\6aecb3c2.exe (Trojan.Dropper.Gen) -> No action taken.

C:\Documents and Settings\User\My Documents\64kbmovie(http://www.albinoblacksheep.com).exe (Malware.Packer.Krunchy) -> No action taken.

C:\Documents and Settings\User\Local Settings\Temp\Qrf.exe (Trojan.Dropper.Gen) -> No action taken.

C:\System Volume Information\_restore{12FC219E-10C6-4A08-9A4B-55E8682B8E9B}\RP807\A0188164.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\ernel32.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\179oC7.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\317y3c7s.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\555q5.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\9317mY1cE.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\e79317.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\G3iQ93cE9.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\GM79317m.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\wSKUO7.dll (Trojan.Dropper.Gen) -> No action taken.

C:\WINDOWS\system32\spool\prtprocs\w32x86\yW7u31i9.dll (Trojan.Dropper.Gen) -> No action taken.

G:\Software\setupxv.exe (Rogue.Installer) -> No action taken.

G:\Documents and Settings\Compaq_Administrator\Software\MAX2010.FIX.INSTINCT\xf-a2010.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\Tasks\MSWD-6aecb3c2.job (Trojan.DNSChanger) -> No action taken.

Edited by cj18
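The scan log above contains three kinds of findings worth pulling out before deciding whether to clean or rebuild: the resolver addresses written into the Tcpip NameServer values (the DNSChanger detections), the executable interposed in front of the browser launch commands (ave.exe in the StartMenuInternet hijacks), and a file whose name is chosen to look like a system DLL (ernel32.dll sitting beside kernel32.dll). The Python script below is an added example, not something posted in this thread and not code from any scanner vendor. It parses a handful of the log lines above, embedded as a constructed sample, and produces that triage summary. The line format it assumes (`location (Detection) -> details -> action`) is inferred from the log as posted; the short list of genuine system DLL names it compares against is the script's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the scan log lines posted in the thread,
# in the "location (Detection) -> details -> action" shape they appear in.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.163,93.188.166.194 -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ernel32.dll (Trojan.Dropper.Gen) -> No action taken.
C:\Documents and Settings\User\My Documents\64kbmovie(http://www.albinoblacksheep.com).exe (Malware.Packer.Krunchy) -> No action taken.
C:\WINDOWS\Tasks\MSWD-6aecb3c2.job (Trojan.DNSChanger) -> No action taken.
"""


@dataclass
class Finding:
    section: str                 # "Registry Data Items", "Folders" or "Files"
    location: str                # registry value path or file path
    detection: str               # scanner label, e.g. Trojan.DNSChanger
    action: str                  # what the scanner did ("No action taken")
    bad: Optional[str] = None    # hijacked value (registry entries only)
    good: Optional[str] = None   # value the scanner would restore
    data: Optional[str] = None   # raw data for entries such as NameServer


# The detection label is the LAST parenthesised group before the first "->",
# so a greedy prefix keeps "(default)" and URL-like file names in the location.
ENTRY_RE = re.compile(r"^(?P<location>.*) \((?P<detection>[^()]+)\)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\)$")
DATA_RE = re.compile(r"^Data: (?P<data>.*)$")


def parse_log(text: str) -> List[Finding]:
    """Turn the scanner's text report into structured findings."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        parts = line.split(" -> ")
        head = ENTRY_RE.match(parts[0])
        if section is None or len(parts) < 2 or not head:
            continue                      # unrecognised line: skip, never guess
        f = Finding(section, head["location"], head["detection"], parts[-1].rstrip("."))
        for detail in parts[1:-1]:
            m = BAD_GOOD_RE.match(detail) or DATA_RE.match(detail)
            if m and "bad" in m.groupdict():
                f.bad, f.good = m["bad"], m["good"]
            elif m:
                f.data = m["data"]
        findings.append(f)
    return findings


# Hypothetical short list used to spot look-alike file names; extend as needed.
SYSTEM_DLLS = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """Return the genuine DLL a file name is one edit away from, if any."""
    name = path.rsplit("\\", 1)[-1].lower()
    for real in SYSTEM_DLLS:
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Summarise what a defender needs: rogue resolvers, interposed launchers,
    look-alike system files and scheduled-task persistence."""
    out: Dict[str, List[str]] = {"dns_servers": [], "interposed_launchers": [],
                                 "lookalike_files": [], "persistence": []}
    for f in findings:
        if f.detection == "Trojan.DNSChanger" and f.data:
            out["dns_servers"].extend(s.strip() for s in f.data.split(","))
        if f.detection == "Hijack.StartMenuInternet" and f.bad:
            m = re.match(r'^"([^"]+)"', f.bad)   # first quoted token is the launcher
            if m:
                out["interposed_launchers"].append(m.group(1))
        if f.section == "Files":
            real = lookalike_of(f.location)
            if real:
                out["lookalike_files"].append(f"{f.location} (looks like {real})")
            if f.location.lower().endswith(".job"):
                out["persistence"].append(f.location)
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}  # dedupe, keep order


if __name__ == "__main__":
    for key, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

The two resolver addresses are the item to check first: anything resolved through them while the hijack was live (banking, webmail, update servers) cannot be assumed to have reached the real site, which is the point jmnas makes below about not sending sensitive information until the machine is known clean. The interposed launcher is why the browser hijack survives a reboot even after the dropper is gone, and the look-alike name is why "ernel32.dll next to kernel32.dll" is a deliberate choice rather than a coincidence.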

  • Content Count:  2085
  • Joined:  04/19/10
  • Status:  Offline

Reformat and reinstall, in my opinion.

http://technet.microsoft.com/en-us/library/cc512587.aspx

> You can't clean a compromised system by patching it.
>
> You can't clean a compromised system by removing the back doors.
>
> You can't clean a compromised system by using some "vulnerability remover."
>
> You can't clean a compromised system by using a virus scanner.
>
> You can't clean a compromised system by reinstalling the operating system over the existing installation.
>
> You can't trust any data copied from a compromised system.
>
> You can't trust the event logs on a compromised system.
>
> You may not be able to trust your latest backup.
>
> The only way to clean a compromised system is to flatten and rebuild.
>
> Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I
> Security Program Manager
> Microsoft Corporation

  • Content Count:  470
  • Joined:  04/04/10
  • Status:  Offline

Not all viruses are that devastating, Harry. Many simply reside in only a few files, or screw up a few things here and there. There's only one virus I experienced which screwed things up to the point of making me reformat the entire computer, out of the tens that I noticed causing a problem. (Hundreds didn't manage to make it past the automatic anti-virus.)

This virus, as cj18 stated, isn't ruining his computing experience. A good anti-virus should be able to remove it without problem. I would, however, avoid sending sensitive information until you're sure it's removed.
