Tell you what, I was infected (not with a virus) recently from the internet (and I promise I was visiting all "legitimate" sites). Suddenly things started popping up on the screen for me. It was a spyware/adware program asking me to download it from the internet. It was suspicious, so I quickly closed my browser (I was using IE 8, by the way) and then started the browser again. This time I was not able to connect to the internet, yet I could see the globe in the bottom right of the screen... so I knew I was connected...
I tried opening a couple of Word documents, but they wouldn't open and popped an error saying "
Luckily I had Firefox on my machine... so once in safe mode I installed Firefox and voila, I was able to connect to the internet through Firefox, but IE8 still wasn't connecting to the internet. I was able to open all files in safe mode, which I was not able to do earlier...
Being from an information security background, I got curious... I knew my machine was compromised but wanted to know what was happening...
So I started the machine in normal mode and again the DLL corruption error popped up... I started my machine a couple of times to observe what the symptoms were. What I found was quite astonishing: there was something happening when the machine booted, and that started to show me the DLL corrupted error without my doing absolutely anything...
For one thing, I knew that the programs were all working correctly in safe mode, so the DLL was not corrupted... I reckoned something was happening at start-up causing the DLL to get corrupted, or writing a part of memory which would get invoked every time you tried opening a program, giving a "fake" DLL corrupted error...
Since I was not able to open Control Panel or anything, I went back to safe mode. Since I assumed something was happening at boot-time, I decided to check msconfig... And yes, I was correct! There were some programs registered there to start at boot-time which were responsible for the "fake" corruption error. I unchecked those 2 programs and started in normal mode and voila! Everything worked fine, I was able to open all programs...
IE8 still gave me a problem though... When I started IE8, it said "diagnose connection", while in Firefox I was able to connect to the internet. In IE8, I went into Internet Options > Advanced tab and reset and restored the settings... and (again) voila! It worked! It was a real "aha" moment...
So this is what I think happened: there seems to be a vulnerability which was exploited in IE8, resetting the security settings... It provided an easy entry into the machine. Once in, it tampered with registry settings for some of the files and wrote memory locations which caused the fake "corrupted DLL" error message to pop up whenever I tried opening any program... It also registered itself in msconfig, thus whenever you restart, you face the same problem (my guess is that the memory location changed every time, which is why the program had to find and rewrite the memory location every time, but this is just a hypothesis)...
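The msconfig check above can be done more thoroughly from a PowerShell prompt. The script below is an added example, not code from the original post: it lists the same boot-time autorun locations msconfig's Startup tab draws from (the Run/RunOnce registry keys and the Startup folders) and flags entries worth a closer look, i.e. executables living in a user-writable directory, unsigned binaries, or commands whose file no longer exists. The helper name Get-ExePath and the list of "user-writable" roots are choices made for this script; it is read-only and changes nothing.

```powershell
# Added example, not from the original post: enumerate boot-time autoruns
# (what msconfig's Startup tab shows) and flag suspicious ones. Read-only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories a regular user can write to: legitimately installed startup
# programs rarely run from here, drop-and-persist malware usually does.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Get-ExePath([string]$command) {
    # Reduce a Run-key command line ("C:\x\y.exe" /arg or C:\x\y.exe /arg)
    # to the executable path, expanding any %VARS% stored in the registry.
    $path = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

$entries = New-Object System.Collections.Generic.List[object]
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
        $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}
# Per-user and all-users Startup folders (usually .lnk shortcuts).
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue)) {
        $entries.Add([pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName })
    }
}

$report = foreach ($e in $entries) {
    $exe   = Get-ExePath $e.Command
    $flags = @()
    if (-not [IO.Path]::IsPathRooted($exe)) { $flags += 'relative path' }
    elseif (-not (Test-Path -LiteralPath $exe)) { $flags += 'file missing' }
    else {
        if ($userWritable | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }) { $flags += 'user-writable location' }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }   # NotSigned, HashMismatch, ...
    }
    [pscustomobject]@{ Name = $e.Name; Exe = $exe; Flags = ($flags -join ', '); Source = $e.Source }
}
$report | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are candidates for review, not verdicts: some legitimate updaters do run unsigned from AppData, so check each binary's origin before removing its entry, and compare the list between safe mode and normal mode if the symptoms differ.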
It is NEVER a good idea to have an infected machine... I wrote this as:
1) I was not able to find anything on the net about it
2) In case of an emergency, e.g. an exam the next day... This would be more of a quick fix, but again, AVOID it if you can...
:)