1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Stumped by qonnoo.dll

Discussion in 'Windows - Virus and spyware problems' started by Nephilim, Mar 22, 2007.

  1. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    14,942
    Likes Received:
    0
    Trophy Points:
    116
    Last night I did some work on a friend's PC and ended up removing 75 various trojans. The removal went fine but immediately afterwards upon reboot and every reboot henceforth I get a 'rundll access denied' error for C:\windows\qonnoo.dll. I've searched google, a couple of the large dll repositories and symatec's site and can't find any mention of this file. Has anyone encountered this one before?
     
  2. Indochine

    Indochine Regular member

    Joined:
    Dec 21, 2006
    Messages:
    1,485
    Likes Received:
    0
    Trophy Points:
    46
    What OS? Sound suspicious, "gonnoo" being street slang for gonorrhea, (which is not caused by a virus, it's a bacterium, but would a script kiddie know that?)

    Is the file actually present? Are there any registry entries pointing to it? Can it be deleted? (in safe mode if necessary?)

    Have you tried reinstalling a known good rundll32.exe off an install disk?

    (Sorry if I'm teaching granny to suck eggs!)
     
    Last edited: Mar 22, 2007
  3. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    14,942
    Likes Received:
    0
    Trophy Points:
    116
    You're just fine chief. I keep a real tight pucker as far as security on my PC and have (knock on wood) never had a virus, trojan or any other type of nasty bug so my experience dealing with these things is minimal.

    The file actually starts with a 'Q" not "G", I made extra sure that's what it was before leaving. I came up with plenty of google hits for "gonnoo" but only five for qonnoo and those were all in Japanese and had something to do with sewing as best I could figure.

    Its a Dell with XP Home they're using. Basically the PC has run for god only knows how long with no antivirus, firewall or spyware cleanings. It was running slow as all get out and couldn't connect to the internet. In the short time I had I installed and ran AVG, set up Zone Alarm then ran Ccleaner for them. It still couldn't connect when I left.

    I ran out of time last night to dig into it more but I'll give your ideas a shot when I go back there Saturday. Thanks :)
     
  4. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,528
    Likes Received:
    0
    Trophy Points:
    116
    @Nephilim, I just did an "Australian" google for it....guess we're lucky..no results.

    These guys in this forum do a wonderful job..and to think I took my comp to the Tech and PAID for a Virus Removal before I discovered AD had this forum

    BTW: What's happened to your sig.
     
  5. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    14,942
    Likes Received:
    0
    Trophy Points:
    116
    Thanks for that Gwendolin :)

    We certainly have some sharp folks, I've already got some great pointers. I'm anxious to get back over there and figure this out!

    What do you mean about my sig? Is it not showing up for you? bbmayo whipped up this sweet new one for me. He figured I could use a new one after keeping my old one for a dog's age. I'm glad he did - I love my new one! "D

    Take care all :)
     
    Last edited: Mar 22, 2007
  6. scorpNZ

    scorpNZ Active member

    Joined:
    Mar 23, 2005
    Messages:
    3,988
    Likes Received:
    40
    Trophy Points:
    78
    It's good maintenance to reformatt after a year or so and in your case it's long past due for your mates computer,being a dell i assume it has it's own system recovery,there'll most probably be 3 choices,
    1= system restore,
    2= non destructive file restore [put's it back to factory shipped condition but will leave 3rd party software folders there and the 3rd party software will need to be reinstalled]
    3= the option i recommend is a destructive recovery,basiclly a full reformatt and start with a clean slate,it would also be a good time to get another hdd and make an image as it will only take a couple of minutes to be up & running with a fully operational system by either swapping disks or less time if dual booting. To image a disk with 3 partitions and around 130GB's of data will take around an hour it's a lot faster than having to reformatt and update all over again.


    If you need help or advice in imaging go here,they sepecialise in it whether you use ghost or acronis etc
    http://radified.com/cgi-bin/YaBB/YaBB.cgi
     
    Last edited: Mar 22, 2007
  7. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,528
    Likes Received:
    0
    Trophy Points:
    116
    @Nephilim, Nope, you're sig is NOT appearing for me, I have however seen it before and it's pretty schmicko!!
     
  8. Indochine

    Indochine Regular member

    Joined:
    Dec 21, 2006
    Messages:
    1,485
    Likes Received:
    0
    Trophy Points:
    46
    It sounds like multiple (!) careless game / downloaded software installations could have taken place... I once had to deal with a machine that had been running XP Home for 4 years without even a defrag. They only notice when it gets slow.

    Some viruses cloak themselves by creating randomly named dll files and using Rundll32.exe to load them. So first thing I personally would want to do is remove that qonoo.dll from C:\windows. If you're afraid of breaking something legitimate, just rename it slightly to see what happens. If it makes a fuss, reboot to safe mode & try again.

    Next, I would want to know just why it is loading at startup (or trying to) and for that reason I would search the Registry for all references to it.

    Next, I would want to know whether there are any rogue copies of Rundll32.exe on the system. The rundll32.exe file should be located in the folder C:\Windows\System32. In other cases, (eg C:\windows) rundll32.exe is a virus, spyware, trojan or worm. It should be 31.5 to 33 K in size.

    Virus infected versions can be larger. Viewed in Notepad (better, a hex viewer) they often contain "padding" and "1337 artwork". In any case, to be certain, you could try booting in save mode, closing the process "RUNDLL32.EXE" and deleting the file, (deleting any RUNDLL32.EXE-nnnnnnnn.pf Prefetch files from c:\windows\prefetch as well! nnnnnnnn is an 8 digit hex number) then copying a real rundll32.exe from a Win XP -CD to C:\Windows\System32.

    If Rundll32.exe is absent all sorts of stuff won't work, including the Control Panel. If it corrupted (which can happen) likewise.

    I would also wonder about using an XP install disk to do a repair install (not a re-install), followed by applying all SPs and security updates.

    Failing that, a complete - new - install of XP plus SPs plus antivirus etc. This last might be the most realistic option, actually, especially on other people's machines. Depends how well you know them, who they are, how attractive they are, whatever. Just my 2 cents worth.
     
  9. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    The way the file is named it looks like it may be a Vundo/ConHook file.

    Would need to see a HJT log to be sure.
     
  10. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    14,942
    Likes Received:
    0
    Trophy Points:
    116
    Just got back from spending all morning and some of the afternoon there. Ccleaner took care of those missing dll issues when it cleaned the registry. The PC is sailing smooth and they now have AVG, Zone Alarm, AdAware, Spybot and instructions on how to use them!

    I really appreciate all the tips everyone :D
     
  11. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,528
    Likes Received:
    0
    Trophy Points:
    116
    Hey Neph, NOW your sig appears!!

     
    Last edited: Mar 24, 2007
  12. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    14,942
    Likes Received:
    0
    Trophy Points:
    116
    Right on! :)
     

Share This Page