c°h°
Nov 7 2004, 01:31 PM
Hi all, on one of my workstations the Eternity backdoor is installed. fport shows winlogon bound on a port. I grabbed the banner using telnet, which shows "eternity backdoor private version" (I wonder that he did not edit the banner lol). Using pv.exe I could determine the dll (winlogon.dll) the backdoor is using. My prob: I can't delete the dll because it's in use. If I kill winlogon (there is only one winlogon pid) the PC reboots so fast that I can't delete the dll. I also can't find the service name; probably it hides itself.
Plz help
tia
mfg ch
Jumpi
Nov 7 2004, 03:00 PM
What you need is a tool to unhook the dll. I didn't find one in 2 minutes of Google, but I'm sure such tools are available; I've seen Delphi source code for one somewhere in the past.
alibaba
Nov 7 2004, 03:21 PM
www.diamondcs.com.au/index.php?page=dellater
QUOTE
DelLater is the ideal program to use when you can't delete a file, no matter how hard you try. This is usually because an active process has an open handle to the file which prevents it from being deleted. Normally if you close down all running programs you'll find that most files will then be free to delete, but that's not always the case, and in some cases it may even be a trojan that's preventing itself from being deleted.
I hope this solves your problem.
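As an added note (not part of any post in this thread): a PowerShell equivalent of what DelLater does under the hood, i.e. asking Windows to delete the locked file during the next boot. It assumes the DLL sits in the system32 directory; the thread only gives the file name, not its location.

```powershell
# Added example, not from the thread: a PowerShell equivalent of the DelLater
# approach. Run from an elevated prompt. $DllPath is an assumed location; the
# thread only gives the file name (winlogon.dll), not its directory.
param([string]$DllPath = 'C:\WINDOWS\system32\winlogon.dll')

if (-not (Test-Path -LiteralPath $DllPath)) { throw "Not found: $DllPath" }

# 1. Show which processes have the DLL mapped. This is why 'del' fails: the
#    image section keeps the file locked for as long as the DLL is loaded.
$holders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.FileName -ieq $DllPath }) { $p }
    } catch { }   # access denied on protected processes; skip them
}
$holders | Select-Object Id, ProcessName | Format-Table -AutoSize

# 2. Ask the kernel to delete the file during the next boot, before any
#    service or Winlogon extension can load it again. MoveFileEx with a null
#    destination and MOVEFILE_DELAY_UNTIL_REBOOT (0x4) records the request in
#    the registry; Session Manager carries it out before winlogon starts.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string src, string dst, uint flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
if (-not [Win32.Native]::MoveFileEx($DllPath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed: $((New-Object ComponentModel.Win32Exception $err).Message)"
}

# 3. Verify the pending operation. A deletion appears as the source path
#    (with a \??\ prefix) followed by an empty destination string.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -LiteralPath $smKey).PendingFileRenameOperations
```

Remove the service or other start-up entry that loads the DLL before rebooting, otherwise the loader will simply fail to find its file and may recreate it.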
strasharo
Nov 7 2004, 04:12 PM
You can use r3l4x's dll Loader/Unloader to unload the dll.
QUOTE
Command Line dll Loader/Unloader 2.0
Also inspect your services for new additions, because Eternity loads from its own system service.
That's all, have a nice day!
cranky
Nov 7 2004, 04:15 PM
Write a dll to inject into winlogon that will use FreeLibrary with GetModuleHandle to unload the winlogon.dll,
or from a command prompt do pskill winlogon && del winlogon.dll.
The machine will restart *almost* immediately, but the file will usually get deleted tho.
c°h°
Nov 7 2004, 07:42 PM
thx 4 all the help
For some reason I could not unload the dll; probably Eternity defends itself while running. Anyway, it's a very useful tool.
With the DelLater tool I could delete the pain.

- thx
prunie
Nov 8 2004, 01:52 PM
What I do is:
press Ctrl+Alt+Delete, stop the right process that runs this dll, then hide the dll with attrib, restart, unhide, and delete?
greetz ....
Fletcher
Nov 8 2004, 04:25 PM
Just del the loader, reboot, and del the dll.
G777
Nov 9 2004, 05:23 PM
CODE
regsvr32 /u winlogon.dll
should unload the dll and allow you to delete it.