Poaapieax.dll?



  • A co-worker's antivirus (Symantec Antivirus client) keeps popping up a message saying it's a Trojan horse.  It can't delete or quarantine the file, however (Access Denied).  I've looked in the specified folder (windows\system32) and it won't show up in the folder in Windows.  I can, however, find it in DOS.  I attrib'd the file to take off the read-only, system, and hidden attributes but still cannot delete it.  I've tried booting into safe mode and that failed as well.  Anyone have any ideas on how to get rid of this damn thing short of a complete wipe? I will probably end up wiping if there is no easier solution.



  • Tried a Linux boot CD (like Knoppix)?



  • @upsidedowncreature said:

    Tried a Linux boot CD (like Knoppix)?
    Last I checked, Knoppix couldn't manipulate an NTFS partition, though that was several years ago.  The new Debian LiveCDs claim to be able to manipulate an NTFS partition, though I haven't tried one of them in a couple of years either.

    Am I the only one who read this as "poopiex.dll?"



  • Unfortunately I don't have one.  Can you point me in the right direction to get one? I must admit, though, that my knowledge of Linux dates from the last time I used a Linux distro, way back in the '90s.


  • :belt_onion:

    @galgorah said:

    I can, however, find it in DOS.  I attrib'd the file to take off the read-only, system, and hidden attributes but still cannot delete it.  I've tried booting into safe mode and that failed as well.  Anyone have any ideas on how to get rid of this damn thing short of a complete wipe? I will probably end up wiping if there is no easier solution.

    Use Sysinternals' Process Explorer to find out which process has loaded the DLL, kill that process and delete "poaapieax.dll".

    I recently cleaned up a friend's PC where a Trojan was loaded by Explorer.exe, so I killed off Explorer.exe and used the command prompt to delete the Trojan.



  • @bjolling said:

    @galgorah said:

    I can, however, find it in DOS.  I attrib'd the file to take off the read-only, system, and hidden attributes but still cannot delete it.  I've tried booting into safe mode and that failed as well.  Anyone have any ideas on how to get rid of this damn thing short of a complete wipe? I will probably end up wiping if there is no easier solution.

    Use Sysinternals' Process Explorer to find out which process has loaded the DLL, kill that process and delete "poaapieax.dll".

    I recently cleaned up a friend's PC where a Trojan was loaded by Explorer.exe, so I killed off Explorer.exe and used the command prompt to delete the Trojan.

    I'm unable to locate the file using that program.  Also, I can only see that the file actually exists by opening up the command prompt, browsing to the system32 directory and using the dir command.  The file won't show up if I use Windows to browse the folder.


  • @galgorah said:

    can you point me in the right direction to get one?

    Yeah, here: www.knoppix.net; you need to download the ISO image and burn a bootable CD.  I think recent versions can manipulate NTFS but wouldn't swear to it.  Good luck!

     


  • :belt_onion:

    @galgorah said:

    I'm unable to locate the file using that program. 
    I admit I wasn't clear on how to do it:

    In the menu, choose Find -> Find Handle or DLL. Type poaapieax.dll in the search box and click "Search". This should show the list of processes that have loaded the DLL. If no process shows up here, you have a different issue and a Linux live CD would probably be the better solution.

    http://1.bp.blogspot.com/_oymlMPJmD08/STQFyYmx9fI/AAAAAAAAAA0/WXac6VVxaRU/s1600-h/procexp.PNG

     



  • @bjolling said:

    @galgorah said:

    I'm unable to locate the file using that program. 
    I admit I wasn't clear on how to do it:

    In the menu, choose Find -> Find Handle or DLL. Type poaapieax.dll in the search box and click "Search". This should show the list of processes that have loaded the DLL. If no process shows up here, you have a different issue and a Linux live CD would probably be the better solution.

    http://1.bp.blogspot.com/_oymlMPJmD08/STQFyYmx9fI/AAAAAAAAAA0/WXac6VVxaRU/s1600-h/procexp.PNG

     

    Nothing showed up. I guess it's off to burn the ISO.  I'll let you know how that goes.
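The Find -> Find Handle or DLL search above, scripted, as an added example that is not part of the thread: it walks every process's module list and reports which ones have the DLL mapped, and it names the processes it could not open (which is where a Process Explorer run that is not elevated comes up empty). It assumes an elevated Windows PowerShell prompt; the DLL name is the one from the thread and is only a default.

```powershell
# Added example (not from the thread): scripted equivalent of Process
# Explorer's Find -> Find Handle or DLL.  Run from an elevated Windows
# PowerShell prompt.  $DllName defaults to the name from the thread.
param(
    [string]$DllName = 'poaapieax.dll'
)
$ErrorActionPreference = 'Stop'

$found   = @()
$skipped = @()

foreach ($p in Get-Process) {
    try {
        # .Modules needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ on the
        # target; it throws for protected processes, for processes that have
        # exited meanwhile, and for 64-bit targets when run from 32-bit PowerShell.
        $modules = $p.Modules
    } catch {
        $skipped += $p.ProcessName
        continue
    }
    foreach ($m in $modules) {
        if ($m.ModuleName -ieq $DllName) {
            $found += New-Object PSObject -Property @{
                Pid         = $p.Id
                ProcessName = $p.ProcessName
                Path        = $m.FileName
                BaseAddress = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
            }
        }
    }
}

if ($found.Count -gt 0) {
    # These are the processes to kill before the file can be deleted.
    $found | Format-Table Pid, ProcessName, Path, BaseAddress -AutoSize
} else {
    # No user-mode process has it mapped.  A file that still cannot be deleted
    # is then being held from kernel mode (a driver), which Get-Process cannot
    # see; that is the "different issue" the post above refers to.
    Write-Host "No accessible process has $DllName loaded."
}
if ($skipped.Count -gt 0) {
    # Anything listed here was not searched, so an empty result is not conclusive.
    Write-Host ("Could not inspect: " + ($skipped -join ', '))
}
```

Without a script, `tasklist /m poaapieax.dll` on XP and later lists the same processes, and Sysinternals' ListDLLs does it with `listdlls -d poaapieax.dll`. Whichever tool is used, run it elevated: a module search that silently skips processes it cannot open is the usual reason for a false "nothing found".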



  • The other option I've used in the past is to do the following:

    1. Take ownership of the file (you need to be an admin; this can be done from the command line with takeown.exe from the Windows Server 2003 Resource Kit Tools).
    2. Change the permissions of the file and remove all permissions to it (can be done via the command line with cacls filename /S:"D:PAI").
    3. Reboot; since nothing can access the file, it shouldn't load.
    4. Delete the file.
    Of course this assumes it doesn't do something tricky like file renames, permission resets, or having another process recreate the file on boot.


  • @upsidedowncreature said:

    @galgorah said:

    can you point me in the right direction to get one?

    Yeah, here: www.knoppix.net, you need to download the ISO image and burn a bootable CD.  I think recent versions can manipulate NTFS but wouldn't swear to it.  Good luck!

     

    RIP: http://www.tux.org/pub/people/kent-robotti/looplinux/rip/
    It has the NTFS-3G driver, which has no trouble with NTFS at all. It's a useful boot CD to have in your bag, and it can also boot from USB.


  • Have you tried to mark the file for deletion upon reboot?

    MoveFileEx(file, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
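Both of the preceding approaches, the takeown/cacls lock-then-reboot procedure and the MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) call, in one script, as an added example that is not code from the thread. It assumes an elevated Windows PowerShell (2.0 or later, for Add-Type) prompt and that $Target is the path the antivirus reported; the default path is an assumption.

```powershell
# Added example (not from the thread): the "stop it from loading, then delete it"
# techniques discussed above, for an elevated Windows PowerShell prompt.
#
#   .\Remove-LockedDll.ps1 -Mode Lock      # take ownership, empty the DACL, then reboot
#   .\Remove-LockedDll.ps1 -Mode Delete    # after the reboot: restore rights and delete
#   .\Remove-LockedDll.ps1 -Mode Schedule  # alternative: MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
param(
    [ValidateSet('Lock', 'Delete', 'Schedule')]
    [string]$Mode = 'Lock',
    [string]$Target = 'C:\Windows\System32\poaapieax.dll'   # assumed path
)
$ErrorActionPreference = 'Stop'

# Check through the Win32 API rather than Explorer: a file hidden by a shell
# extension is still visible here, just as it is to cmd.exe's dir.
if (-not [System.IO.File]::Exists($Target)) {
    throw "Not found via Win32: $Target"
}

function Set-Dacl([string]$Path, [string]$Sddl) {
    # Replace only the DACL with the given SDDL.  'D:PAI' is a protected DACL
    # with no ACEs, so no principal is granted any access; it is exactly what
    # the thread's cacls filename /S:"D:PAI" writes.  The owner keeps the
    # implicit READ_CONTROL and WRITE_DAC rights, which is what lets it be undone.
    $acl = [System.IO.File]::GetAccessControl($Path)
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    [System.IO.File]::SetAccessControl($Path, $acl)
}

switch ($Mode) {
    'Lock' {
        # takeown.exe is built in from Vista on; on XP/2003 it comes from the
        # Resource Kit.  /A gives ownership to Administrators rather than this user.
        & takeown.exe /F $Target /A | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }
        Set-Dacl $Target 'D:PAI'
        Write-Host "Locked $Target. Reboot, then run again with -Mode Delete."
    }
    'Delete' {
        # Grant BUILTIN\Administrators (BA) full access (FA) again, then delete.
        Set-Dacl $Target 'D:PAI(A;;FA;;;BA)'
        [System.IO.File]::Delete($Target)
        Write-Host "Deleted $Target."
    }
    'Schedule' {
        # P/Invoke MoveFileEx with a NULL destination and MOVEFILE_DELAY_UNTIL_REBOOT
        # (0x4).  The request is stored as a \??\-prefixed pair in the
        # PendingFileRenameOperations registry value and carried out by the
        # Session Manager early in the next boot, before services and the shell start.
        $sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
        $k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'AddedExample' -PassThru
        $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
        if (-not $k32::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed, Win32 error $err"
        }
        # Show what was queued so it can be checked (and re-checked after the
        # reboot: an entry that is still there means the delete did not happen).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        (Get-ItemProperty -Path $key).PendingFileRenameOperations
        Write-Host "Deletion of $Target queued for the next boot."
    }
}
```

Use Schedule instead of Lock, not after it: an empty DACL can block the boot-time delete as well. Neither mode helps if the file is held or re-created by a kernel driver, which is the case the live-CD suggestions in the thread are for; and as the post above notes, a file that is renamed, re-permissioned or re-created at boot defeats all of this, so check for the file again after the reboot before assuming it is gone.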



  •  No... The best way to go is just to buy a new computer! It is the only way to make things right!!!!!11!



  • What you have is a rootkit. You can try running RootkitRevealer (www.sysinternals.com) to see if there are any more instances/files involved with this Trojan (much malware targets this application, though, to prevent detection of the rootkit). Normally loading Windows in Safe Mode is enough to prevent these kinds of malware from loading, allowing you to delete the file. However, if the malware is being loaded as a driver it will still get loaded by Windows, so the only alternative is to load a different OS to make sure the file isn't being accessed. If all the Linux distros specified above do not work, you can create a Windows Preinstallation Environment using BartPE Builder ( http://www.nu2.nu/pebuilder/ ) and an installation disk of XP SP1 or later OR Server 2003 Web/Standard/Enterprise edition.

     


  • :belt_onion:

    @galgorah said:

    Any one have any ideas on how to get rid of this damn thing short of a complete wipe?
    I was wondering whether any of the above proposed solutions has finally resolved your issue. It's been 10 days now since the OP...



  • @Hitsuji said:

     What you have is a rootkit.

     

    I may be wrong, but I think that with a real rootkit he wouldn't be able to see it via the command prompt either. Sounds more like a "wannabe rootkit" shell extension to me.

    Proposals for remedy stay the same of course.

