Last night I did some work on a friend's PC and ended up removing 75 various trojans. The removal went fine, but immediately afterwards, upon reboot and every reboot henceforth, I get a 'rundll access denied' error for C:\windows\qonnoo.dll. I've searched Google, a couple of the large DLL repositories and Symantec's site and can't find any mention of this file. Has anyone encountered this one before?
What OS? Sounds suspicious, "gonnoo" being street slang for gonorrhea (which is not caused by a virus, it's a bacterium, but would a script kiddie know that?). Is the file actually present? Are there any registry entries pointing to it? Can it be deleted (in safe mode if necessary)? Have you tried reinstalling a known good rundll32.exe off an install disk? (Sorry if I'm teaching granny to suck eggs!)
You're just fine, chief. I keep a real tight pucker as far as security on my PC and have (knock on wood) never had a virus, trojan or any other type of nasty bug, so my experience dealing with these things is minimal. The file actually starts with a "Q", not "G"; I made extra sure that's what it was before leaving. I came up with plenty of Google hits for "gonnoo" but only five for qonnoo, and those were all in Japanese and had something to do with sewing as best I could figure. It's a Dell with XP Home they're using. Basically the PC has run for god only knows how long with no antivirus, firewall or spyware cleanings. It was running slow as all get out and couldn't connect to the internet. In the short time I had I installed and ran AVG, set up Zone Alarm, then ran CCleaner for them. It still couldn't connect when I left. I ran out of time last night to dig into it more, but I'll give your ideas a shot when I go back there Saturday. Thanks
@Nephilim, I just did an "Australian" Google for it....guess we're lucky..no results. These guys in this forum do a wonderful job..and to think I took my comp to the Tech and PAID for a Virus Removal before I discovered AD had this forum. BTW: What's happened to your sig?
Thanks for that, Gwendolin. We certainly have some sharp folks, I've already got some great pointers. I'm anxious to get back over there and figure this out! What do you mean about my sig? Is it not showing up for you? bbmayo whipped up this sweet new one for me. He figured I could use a new one after keeping my old one for a dog's age. I'm glad he did - I love my new one! :D Take care all
It's good maintenance to reformat after a year or so, and in your case it's long past due for your mate's computer. Being a Dell, I assume it has its own system recovery; there'll most probably be 3 choices: 1 = system restore, 2 = non-destructive file restore [puts it back to factory shipped condition but will leave 3rd party software folders there and the 3rd party software will need to be reinstalled], 3 = the option I recommend is a destructive recovery, basically a full reformat and start with a clean slate. It would also be a good time to get another HDD and make an image, as it will only take a couple of minutes to be up & running with a fully operational system by either swapping disks, or less time if dual booting. To image a disk with 3 partitions and around 130 GB of data will take around an hour; it's a lot faster than having to reformat and update all over again. If you need help or advice in imaging go here, they specialise in it whether you use Ghost or Acronis etc.: http://radified.com/cgi-bin/YaBB/YaBB.cgi
@Nephilim, Nope, your sig is NOT appearing for me. I have however seen it before and it's pretty schmicko!!
It sounds like multiple (!) careless game / downloaded software installations could have taken place... I once had to deal with a machine that had been running XP Home for 4 years without even a defrag. They only notice when it gets slow. Some viruses cloak themselves by creating randomly named DLL files and using Rundll32.exe to load them. So the first thing I personally would want to do is remove that qonnoo.dll from C:\windows. If you're afraid of breaking something legitimate, just rename it slightly to see what happens. If it makes a fuss, reboot to safe mode & try again. Next, I would want to know just why it is loading at startup (or trying to), and for that reason I would search the Registry for all references to it. Next, I would want to know whether there are any rogue copies of Rundll32.exe on the system. The rundll32.exe file should be located in the folder C:\Windows\System32. In other cases (e.g. C:\windows) rundll32.exe is a virus, spyware, trojan or worm. It should be 31.5 to 33 K in size. Virus-infected versions can be larger. Viewed in Notepad (better, a hex viewer) they often contain "padding" and "1337 artwork". In any case, to be certain, you could try booting in safe mode, closing the process "RUNDLL32.EXE" and deleting the file (deleting any RUNDLL32.EXE-nnnnnnnn.pf Prefetch files from c:\windows\prefetch as well! nnnnnnnn is an 8 digit hex number), then copying a real rundll32.exe from a Win XP CD to C:\Windows\System32. If Rundll32.exe is absent, all sorts of stuff won't work, including the Control Panel. If it is corrupted (which can happen), likewise. I would also wonder about using an XP install disk to do a repair install (not a re-install), followed by applying all SPs and security updates. Failing that, a complete - new - install of XP plus SPs plus antivirus etc. This last might be the most realistic option, actually, especially on other people's machines. Depends how well you know them, who they are, how attractive they are, whatever.
Just my 2 cents worth.
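The checks listed in the post above (is the DLL present, what references it at startup, are there stray copies of rundll32.exe, which Prefetch entries exist) can be gathered in one read-only pass. This is an added example, not part of the original post; it assumes PowerShell is available on the machine and looks only at the common Run/RunOnce keys rather than the whole registry.

```powershell
# Added example: read-only triage, nothing is deleted or modified.
$dllName = 'qonnoo.dll'          # file name from the error reported in this thread
$winDir  = $env:SystemRoot       # normally C:\Windows

# 1. Is the DLL actually present?
$dllPath = Join-Path $winDir $dllName
"{0} present: {1}" -f $dllPath, (Test-Path $dllPath)

# 2. Autostart values that mention the DLL or launch anything through rundll32.
#    Assumption: only the common Run/RunOnce keys are checked here; a search of
#    the whole registry for the file name is still worth doing.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        if ($data -match 'rundll32' -or $data -match [regex]::Escape($dllName)) {
            "{0}\{1} = {2}" -f $key, $name, $data
        }
    }
}

# 3. Every copy of rundll32.exe under the Windows folder, with its size and
#    whether it sits at the expected System32 path.
$expected = Join-Path $winDir 'System32\rundll32.exe'
Get-ChildItem -Path $winDir -Filter 'rundll32.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName,
        @{ Name = 'SizeKB';       Expression = { [math]::Round($_.Length / 1KB, 1) } },
        @{ Name = 'ExpectedPath'; Expression = { $_.FullName -ieq $expected } }

# 4. Prefetch entries for rundll32 (RUNDLL32.EXE-nnnnnnnn.pf), listed only.
Get-ChildItem -Path (Join-Path $winDir 'Prefetch') -Filter 'RUNDLL32.EXE-*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

Windows keeps its own additional copies of rundll32.exe in some subfolders (SysWOW64 on 64-bit systems, for example), so a hit outside System32 is a lead to check rather than proof, and the size range quoted in the post applies to XP.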
The way the file is named it looks like it may be a Vundo/ConHook file. Would need to see a HJT log to be sure.
Just got back from spending all morning and some of the afternoon there. CCleaner took care of those missing DLL issues when it cleaned the registry. The PC is sailing smooth and they now have AVG, Zone Alarm, AdAware, Spybot and instructions on how to use them! I really appreciate all the tips, everyone.