TROJ_AGENT.J virus attached to res.dll file in WINDOWS\SYSTEM32

Discussion in 'malware problems & news' started by Ninjoid, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Ninjoid

    Ninjoid Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    4
    Hi,
    I'm running XP (Home Edition) and somehow I've contracted the TROJ_AGENT.J virus which has attached itself to res.dll file in WINDOWS\SYSTEM32.

    The problem I've got is how do I remove res.dll? I'm unable to copy/delete it as it is in use...when I boot up in safe mode the file isn't there. Will it cause problems if I do?

    I've followed the instructions from my virus protection vendor without success, and the software can't quarantine the file as it is in use.

    Has anybody got any ideas on what to do? All appreciated as I'm stumped.
    Thanks
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    visit this page and do exactly what they say.
     
  3. Ninjoid

    Ninjoid Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    4
    Thanks - but I've already done that as they're my AV software....the key in the regedit keeps returning when I re-boot even though I've switched off system backup in XP...It returns into the registry when the system starts up even though I've previously deleted it.

    Anybody?
     
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    have you tried the rescue disks? contact their technical support. download Process Explorer from here and enable the DLL mode. checkout which process is using the RES.DLL and try to kill that process. probably you'll be able to unload the RES.DLL manually. try that first before killing that process.
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Ninjoid :)

    U could follow these instructions,

    https://www.wilderssecurity.com/showthread.php?t=15913

    then post your HijackThis log in the hijack cleaning forums with a full description of your problem and one of the experts will give u recommendations on any Malware found.


    snowbound
     
  6. Ninjoid

    Ninjoid Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    4
    Thanks for your help..tried all of this and res.dll isn't listed anywhere...I'm lost totally now....
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas

    Ninjoid

    Here is something you can look at in the meantime.

    http://tinyurl.com/2brjg
     
  8. Ninjoid

    Ninjoid Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    4
    Guys, I seem to have it sussed now....thanks to AMRX's suggestion of the process explorer I managed to find that res.dll was indeed a handle...I managed to close it within the process explorer and then somehow with windows explorer I've been able to rename the file, dunno how, to res1.dll...after that my AV s/w took over and quarantined the file for me..so it's now gone from system32 and I'm not getting AV messages regarding it now...!!! great....the regedit for winNT though is still looking to load the res.dll - but it now can't find it, and the bonus is no error messages either...so fingers crossed I think I'm sorted.

    Thanks to everyone who offered an opinion and help
    Cheers
     
  9. Peyres

    Peyres Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    3
    Thanks for that Process Explorer thingy. I had the exact same problem after updating to a new trend micro pattern update, and it was getting seriously annoying. But thankfully I have been able to kill it off now :cool:

    So I'll bookmark this forum for whenever I get a security related problem that my PC Cillin can't deal with.
     
  10. Peyres

    Peyres Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    3
    well, I say exact. But it was a 'D3D.dll' file causing the problems.
     
  11. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    glad to hear those. always remember, if you take the malware off your PC memory half the battle is won. if you can't take it off for some reason boot your system with rescue disks or from another clean hard drive. now run a scan and everything will be easily quarantined or cleaned. take care.
     
  12. JACQ

    JACQ Guest

    Thanks a lot. I had the same problem. My infected file was loghnoe.dll. Now it is solved.
     
  13. penguino

    penguino Guest

    hey I'm sorry to keep this going but I have the same problem yet mine isn't getting deleted. I'm not sure how to use that process explorer thing, somebody please help :(
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Anybody with this problem please post a hijackthis log in the cleaning forum

    It's a variant of the CWS hijacker that needs careful removal
    follow instructions here please
    https://www.wilderssecurity.com/showthread.php?t=15913

    for these ones just go directly to step 2 and don't use adaware/spybot on it YET
     