DLL Injected into explorer.exe and winlogon.exe


Post by ayu »

Ok, so I was at a LAN party last Saturday, and one of my friends was complaining about a weird icon in his tray bar. So I checked his computer deeply and found a lot of crap that I removed. But the weird icon was still there, so I clicked it and it took me to a site called "anti vermin anti virus" or something along those lines. Then it kept spamming the site.

Anyway, I found a DLL that was related to the icon and I tried to delete it, but it was attached to winlogon.exe and explorer.exe. I could of course kill the explorer process, but I still could not delete the DLL since it was also attached to winlogon.exe. And if I tried to kill that process the computer would restart.

So... how do I delete such a file?

(The computer was formatted later that night because we couldn't play with that irritating icon minimizing the games. But I want to know this for future problems.)


Thanks in advance
"The best place to hide a tree, is in a forest"


Post by bad_brain »

If you know the location of the file it's no problem... simply boot a Linux live distro and erase the file (Puppy Linux would be good for this job because it is able to write to NTFS). You just have to browse to the Windows partition in /mnt (most likely hda or hda1)..... :wink:


Post by ayu »

Hmmm ok, because I tried to do it with BackTrack but I couldn't find the drive.


Post by bad_brain »

hehe... that happens to many users because they still think in the Windows syntax... you find all drives in /mnt, but of course they don't have the Windows partition names; the first partition on the first drive is usually hda or hda1 (can be a little different, depends on the distro). But be aware that not all distros support write access to NTFS file systems....


Post by ayu »

Ok, thanks b_b ^^


Post by hij-h-acker »

Very similar to "Protection Toolbar"... an adware... every now and then it gives pop-ups like "your PC's 49% slow" etc. etc. shits.
... not even detected by Norton and most of the other AVs.

Post by whitegabber »

:? pretty weird ..
coz if the dll was injected you should be able to delete the file
coz an injection is actually uploading executable .exe or .dll
code to another process memory ..

(1) open file ..
(2) read file ..
(3) store file code in writable part of other process memory
(4) create remote thread
(5) close process
(6) close file

and that's why I think it's rather weird


Post by ayu »

whitegabber wrote:
:? pretty weird ..
coz if the dll was injected you should be able to delete the file
coz an injection is actually uploading executable .exe or .dll
code to another process memory ..

(1) open file ..
(2) read file ..
(3) store file code in writable part of other process memory
(4) create remote thread
(5) close process
(6) close file

and that's why I think it's rather weird

Yeah well, the DLL was used as a module as far as I know, so the process was using it, therefore rendering it impossible to delete just like that.
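For the triage step the thread is circling around (which live process has the DLL mapped as a module, and where that module was loaded from), here is an added PowerShell snippet; it is not from the thread and not a tool the posters mention. `$DllName` is a placeholder to replace with the suspicious file name; reading winlogon.exe's module list needs an elevated shell.

```powershell
# Added example: list modules loaded into explorer.exe and winlogon.exe that
# either match a given DLL name or were loaded from outside %SystemRoot%,
# together with their Authenticode status. A file loaded as a module is
# locked for deletion while the process lives, which is why the thread's
# fix is to remove it offline from a live CD.
param(
    [string]$DllName = 'suspicious.dll',           # placeholder, not a real indicator
    [string[]]$ProcessNames = @('explorer', 'winlogon')
)

$systemRoot = $env:SystemRoot

foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
    try {
        # Throws for protected processes or when not elevated
        $modules = $proc.Modules
    } catch {
        Write-Warning "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $_"
        continue
    }

    foreach ($m in $modules) {
        # Heuristic only: legitimate shell extensions also live under Program Files,
        # so an out-of-SystemRoot path is a lead to check, not proof of infection.
        $outsideWindows = -not $m.FileName.StartsWith($systemRoot,
                              [System.StringComparison]::OrdinalIgnoreCase)
        $nameMatch = $m.ModuleName -ieq $DllName

        if ($outsideWindows -or $nameMatch) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}
```

Run it once to record the offending path and its signer, then boot the live distro to delete the file from that path.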

Post by whitegabber »

then they probably injected another dll which injects with the other dll


Post by ayu »

whitegabber wrote:
then they probably injected another dll which injects with the other dll

lol... why inject a DLL to call another DLL when you can make the first one do what you want? =/