How do I remedy an infected DLL file?

Merovaeus (Weaksauce; joined Nov 2, 2003; 76 messages)
I have XP Home and my AVG Free Edition keeps spamming me with an error message saying it has found the trojan horse

Downloader.Dyfica.2.AK

in a DLL file within C:\System Volume Information. However, when I do a complete scan with AVG it doesn't find it. Is there any way I can find out A) What this file is a part of and/or B) How to get rid of the virus?

Full path is
C:\System Volume Information\_restore{A1DCC7C2-DED9-484A-B7F9-3DA3BDDE37A3}\RP242\A0038629.dll
 
This infected file is in your system restore. I would disable system restore, reboot, and then defrag. This should get rid of all the info that was in your system restore, then just turn your system restore back on...
 
Glad you liked that :D,
a little more dll info in infection parlance

"Static and dynamic Trojan DLL loading", by Wayne Langlois, Executive Director, DiamondCS (TDS-3), as posted at Wilders Security Forum:
People are probably wondering what static and dynamic DLL loading is ...

Let's say a program simply displays a messagebox "Hello World", so it uses the MessageBox function in user32.dll. If this is statically bound, a reference to user32.dll will appear in the "import table", which is a part of the file structure. If you try to run the program and user32.dll doesn't exist, Windows will stop loading the program and alert you that a required DLL wasn't found. If the DLL is found it's loaded into the process where it remains for the duration of the life of that process.

Dynamic loading occurs when the LoadLibrary system function is called, which loads a DLL in an "on-demand" manner. It can later be released with the FreeLibrary system function, and then again re-loaded if needed.

So as you can see they're very similar and each has its own subtle advantages and disadvantages.

What this anonymous guest is talking about is modifying an existing EXE so that it loads a DLL of his choosing. So for example, he could take mirc.exe, write a trojan DLL, and patch mirc.exe so that it automatically loaded the trojan DLL when mirc.exe was run. This is nothing new and it's been happening with EXE files for many years now using tools called 'binders' - mirc.exe was bound to trojan.exe to become one exe file, so that when mirc.exe was run, trojan.exe was dropped and executed.

The fact that there are now tools to automate the patching process doesn't change anything - it's still no bigger a deal than EXE binders, and it still requires the hacker to send a file to the victim (actually two files - a patched exe and a dll), and still requires the victim to execute the patched exe.

Typically most trojans will be two-part, as mentioned above: an EXE and a DLL, often with the DLL replacing a legitimate DLL. Of course, as you mentioned, restore is a reinfection vector in and of itself, which is why you need to disable it.

System Restore
Problems
One of the biggest pitfalls of using and relying on System Restore is when it comes to infection by a virus. Microsoft insists that this behaviour is by design, and that System Restore was always meant to work this way. In short, System Restore can be a wonderful safe haven for viruses.

When a virus infects your system, it often modifies or overwrites system files in the Windows folder to replicate itself later on. When your anti-virus software finds that these files are infected, it either cleans or deletes them, at which point Windows steps in first, backing up the infected copies to the System Restore directory. Once your anti-virus application has cleaned your system of infection, using any of those Restore Points will result in a new infection. And the cycle continues...

Some anti-virus software ignores the hidden _RESTORE directory when it scans for infection, so the compromised copies are never discovered. If you've ever had a mysteriously reappearing virus that won't seem to die, then it's probably coming from the System Restore folder. Others, however, will scan the contents of the hidden folder for infection, but can't do a thing about it other than warn you. No application other than Windows itself can delete the contents of the _RESTORE directory, and you certainly can't do it yourself.

When your System Restore directory becomes infected with a virus, there's usually nothing you can do but purge the entire directory. As you'll see from the walkthrough below, there's no way to do this in Me - all you can do is temporarily disable System Restore, reboot and switch it on again. This has the obvious side-effect of completely deleting all saved Restore Points, so make sure you leave your PC in a stable and bootable state before you do it, since there's no way back once the Restore Points are gone.
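As an added example (not code from this thread, from DiamondCS or from any poster): a small Python parser for the static-binding side of the Langlois quote above, the PE import table. It follows the data directory to the import descriptors and lists every DLL a binary is bound to, with the function names it pulls from each. So that it runs offline it builds a constructed minimal PE32 image (not a real program) that imports from user32.dll and kernel32.dll; the `baseline` allowlist and the file path on the command line are assumptions. From a defender's side, the useful check is the diff: an EXE that has been patched to bind an extra DLL shows that DLL in its import table, so comparing a suspect file's table against a known-good copy (or a baseline of expected DLLs) surfaces the added binding.

```python
"""List the DLLs a PE file is statically bound to (its import table)."""
import struct
import sys


def _read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _rva_to_offset(rva: int, sections: list) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def static_imports(data: bytes) -> dict:
    """Return {dll_name: [imported function names or 'ordinal#N']}."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                      # PE32: 32-bit thunks
        dd_offset, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:                    # PE32+: 64-bit thunks
        dd_offset, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Data directory entry 1 is the import table.
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_offset + 8)
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    result = {}
    if imp_rva == 0:
        return result                       # nothing statically bound
    desc = _rva_to_offset(imp_rva, sections)
    while True:                             # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = _read_cstr(data, _rva_to_offset(name_rva, sections))
        names, thunk = [], _rva_to_offset(ilt_rva or iat_rva, sections)
        while True:                         # thunk array, null-terminated
            entry, = struct.unpack_from(thunk_fmt, data, thunk)
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:                           # hint/name entry: 2-byte hint, then the name
                names.append(_read_cstr(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        result[dll] = names
        desc += 20
    return result


def unexpected_dlls(data: bytes, baseline: set) -> set:
    """DLL bindings present in the file but absent from a known-good baseline (assumed allowlist)."""
    return {d.lower() for d in static_imports(data)} - {b.lower() for b in baseline}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): one .idata section holding only an import table."""
    imports = {"user32.dll": ["MessageBoxA"], "kernel32.dll": ["LoadLibraryA", "FreeLibrary"]}
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(20 * (len(imports) + 1))   # descriptors + null terminator, patched below

    def append(blob: bytes) -> int:             # append to the section, return its RVA
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        hint_rvas = [append(b"\0\0" + f.encode() + b"\0") for f in funcs]
        thunks = struct.pack("<%dI" % (len(funcs) + 1), *hint_rvas, 0)
        ilt, iat, name = append(thunks), append(thunks), append(dll.encode() + b"\0")
        struct.pack_into("<IIIII", body, 20 * i, ilt, 0, 0, name, iat)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200) # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * (len(imports) + 1))  # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(body), sec_rva, len(body),
                       sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for dll, funcs in static_imports(data).items():
        print(dll, ", ".join(funcs))
```

Run it with a path to examine a real file, or with no argument to see the constructed sample. Dynamic loading (LoadLibrary/FreeLibrary) does not appear in this table at all, which is why the parser also reports the imported function names: a binary that imports LoadLibraryA can bind further DLLs at run time, and only a running-process view would show them.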
 