Nov 30 2010, 05:19 AM | Post #1
Newbie | Group: Members | Posts: 2 | Joined: 30-November 10 | Member No.: 39,613

BitDefender Total Security 2010 has found a virus on my system [Windows XP SP3]. It was unable to disinfect the file, delete it, or quarantine it. After each cycle the only remaining option is a no-possible-actions choice. The final screen indicates that a reboot is required, but rescanning after reboot continues the same routine.
After several reboots to "complete the cleaning process" I decided to post this cry for help. When I went back into the program to pull a log file, I got the following error: "The file storing BitDefender event-related information has been corrupted. BitDefender will reinitialize the file and all previous event-related information will be erased." Fortunately, I still had a scan result window open, so I was able to pull the log directly from there. Also during the reboots, the Windows security center claims the BitDefender AV & firewall are not running. After a few moments, they start up automatically and I close out the warning box. At first I didn't think anything of it, but I thought I would mention it. Basically, I was hoping someone may know offhand what I'm doing wrong in trying to evict this bug from my computer. At least I still have all my data, so I'm lucky not to have more serious issues. But surely if BitDefender can find it, someone will know how to remove it. Here's hoping!
My most recent log file:

```
BitDefender Log File
Product: BitDefender Total Security 2010
Version: BitDefender Antivirus Scanner
Scanning task: System Folders
Log date: 11/29/2010 10:55:33 PM
Log path: C:\Documents and Settings\Owner\Application Data\BitDefender\Desktop\Profiles\Logs\user_0001\1291089333_1_02.xml

Scan paths:
  Path 0000: C:\WINDOWS\system
  Path 0001: C:\WINDOWS\system32

Scan Level:
  Scan for viruses: Yes
  Scan for adware: Yes
  Scan for spyware: Yes
  Scan for applications: Yes
  Scan for dialers: Yes
  Scan for rootkits: Yes
  Scan for keyloggers: Yes

Virus Scanning Options:
  Scan registry keys: Yes
  Scan cookies: Yes
  Scan boot sectors: Yes
  Scan memory processes: Yes
  Scan archives: Yes
  Scan runtime packers: Yes
  Scan e-mails: Yes
  Scan all files: Yes
  Heuristic Scan: Yes
  Scanned extensions: not configured
  Excluded extensions: not configured

Target Processing:
  Default first action for infected objects: Disinfect
  Default second action for infected objects: None
  Default first action for suspect objects : None
  Default second action for suspicious objects: None
  Default action for hidden objects: None
  Default first action for encrypted infected objects: Disinfect
  Default second action for encrypted infected objects: None
  Default first action for encrypted suspicious objects: None
  Default second action for encrypted suspicious objects: None
  Default action for password-protected objects: Log only

Scan Engines Summary
  Virus signatures: 6331546
  Archive plugins: 44
  E-mail plugins: 6
  Scan plugins: 14
  System plugins: 5
  Unpack plugins: 10

Basic
  Scanned items: 203610
  Infected items: 21
  Suspect items: 0 (no suspected items have been detected)
  Hidden items: 0 (no hidden items have been detected during this scan)
  Resolved items: 14
  Unresolved items: 7

Advanced
  Scan time: 00:16:17
  Files per second: 208
  Skipped items: 0
  Password-protected items: 0
  Over-compressed items: 0
  Individual viruses found: 6
  Scanned folders: 349
  Scanned boot sectors: 5
  Scanned archives: 195
  Input-output errors: 0
  Scanned processes: 78
  Infected processes: 14
  Scanned registry keys: 3483
  Infected registry keys: 1
  Scanned cookies: 552
  Infected cookies: 5

Remaining issues:
Object Path | Threat Name | Final Status
<System>=>c:\windows\system32\version.dll [1076] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [1480] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [1512] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [1888] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [2792] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [2800] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)
<System>=>c:\windows\system32\version.dll [2868] (disk) | Gen:Variant.Kazy.4297 | Disinfect failed (object was not found)

Resolved issues:
Object Path | Threat Name | Final Status
<System>=>C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt | Cookie.Apmebf | Deleted
<System>=>C:\Documents and Settings\Owner\Cookies\owner@data.coremetrics[1].txt | Cookie.CoreMetrics | Deleted
<System>=>C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt | Cookie.DoubleClick | Deleted
<System>=>C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt | Cookie.Mediaplex | Deleted
<System>=>C:\Documents and Settings\Owner\Cookies\owner@ru4[2].txt | Cookie.Ru4 | Deleted
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\KNOWNDLLS\version=>C:\WINDOWS\SYSTEM32\VERSION.DLL | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [1076] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [1480] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [1512] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [1888] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [2792] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [2800] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
<System>=>c:\windows\system32\version.dll [2868] (memory dump) | Gen:Variant.Kazy.4297 | Deleted
C:\WINDOWS\system32\version.dll | Gen:Variant.Kazy.4297 | Moved to Quarantine after reboot
```

Dec 1 2010, 10:23 AM | Post #2
Technical Support | Group: Technical Support | Posts: 1,425 | Joined: 25-January 10 | From: BD HQ | Member No.: 30,868

Hi there,
Please send me by PM a BDSI and a GMER log as described in this article: http://kb.bitdefender.com/site/article/490/
Note that you cannot attach samples on this forum, but you can go to www.sendspace.com, upload the logs there and send back only the download links.

Dec 3 2010, 01:13 PM | Post #3
Technical Support | Group: Technical Support | Posts: 1,425 | Joined: 25-January 10 | From: BD HQ | Member No.: 30,868

I've created an email ticket 201012031009148 to further investigate this situation and I'm waiting for your reply.
Thank you!

Dec 4 2010, 01:07 PM | Post #4
Technical Support | Group: Technical Support | Posts: 1,425 | Joined: 25-January 10 | From: BD HQ | Member No.: 30,868

After analysing the sent files, version.dll is indeed infected, but it doesn't need to be removed but disinfected, as the file is a Windows file.
A disinfection routine for this type of infection will be available by Friday or sooner. Meanwhile you should keep the real time protection ON to block the file whenever it tries to act. Also try to run a search on the system for a file called odqu.dll (its exact location is unknown), possibly located in C:\Windows or C:\Windows\System32 or C:\Windows\System32\Drivers, and send it back. Thank you.

Dec 22 2010, 11:31 AM | Post #5
Newbie | Group: Members | Posts: 1 | Joined: 22-December 10 | Member No.: 40,471

I have this same infection; however, my file is not quarantined because it is needed for the computer to run.
I would like to know if this disinfection routine was finalized. I could not find odqu.dll. Simply searching over Google results in a myriad of disinformation pages designed to get my money and not offer any help. Please, keep this thread posted on the disinfection routine. Thanks! -PlzHelpMee

This post has been edited by PlzHelpMee: Dec 22 2010, 11:34 AM

Dec 22 2010, 07:28 PM | Post #6
Newbie | Group: Members | Posts: 2 | Joined: 30-November 10 | Member No.: 39,613

> I have this same infection; however, my file is not quarantined because it is needed for the computer to run. I would like to know if this disinfection routine was finalized. I could not find odqu.dll. Simply searching over Google results in a myriad of disinformation pages designed to get my money and not offer any help. Please, keep this thread posted on the disinfection routine. Thanks! -PlzHelpMee

PlzHelpMee,

BD Support said the odqu.dll file I had was signed Trojan.Patcher.T. Apparently version.dll was corrupted to point to odqu.dll. BD Support recommended I delete odqu.dll. I started getting "missing component" errors so I tried to restart. At this point my computer wouldn't boot up because version.dll referenced the deleted file and crashed when it couldn't find it.

From a different machine, I had to download an Ubuntu trial distribution (5 times to get the checksums right) and burn a boot disc (3 times to get the verify to succeed). When I finally got back into the system, I replaced the version.dll with a clean copy provided by BD Support. I can get Windows to boot again (whew!), but I'm being blasted with "Unable to locate component" errors:

"winlogon.exe - Unable to locate component This application has failed to start because odqu.dll was not found. Re-installing the application may fix this problem."

And I get this for each program that tries to load, Windows-related or otherwise (ex. winlogon, services, lsass, explorer, rundll, notepad, chrome, etc.). The system seems to load after clicking through the error messages. IE and notepad open up after clicking through the errors. But Firefox, Chrome and Office all close out after clicking through the errors.

I updated the BitDefender virus definitions and ran a deep system scan. It found 2 cookies and 4 instances of Trojan.Patcher.T (some of them were copies I had made for BD Support), but claimed to resolve/delete everything. After a reboot, I still get blasted with the odqu.dll errors though.

It seems like we are getting closer, but I can't get rid of these annoying and crippling error messages. I have another PM in to BD Support, and I'm waiting for a response.

However, in the meantime, my monitor has stopped working. At first, it was just a slightly shaky and snowy screen that went away after a few minutes. It was mostly annoying and difficult to focus. Then the problem progressed and it seemed like the refresh rate went ADD on me. The lines were so garbled, I couldn't find the mouse or any icons if I wanted to. Then it would start fading in and out of a flat dull gray screen. Fortunately it's still under warranty, but who knows how long it will take Acer to service it after I ship it off...? I don't have a backup monitor to troubleshoot the trojan issue either, so I'm at a stalemate at the moment.

I hope you have better luck than I did. You might try searching your system32 folder for files that were created recently. I'm not really sure what you would be looking for, but I think odqu.dll was a randomly generated name to confuse the AV writers. Let me know if you get anything to work. Much luck!

WhoKnew?
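
An added example, not written by any poster in this thread and not BitDefender's own tooling: post #6 reports that version.dll had been altered to reference odqu.dll, and the Python below shows how that kind of change can be found by listing a PE file's import-table DLLs and diffing them against a known-clean copy. It assumes the reference is an ordinary import-table entry; the function names `imported_dlls`, `new_imports` and `build_sample` are chosen here, and the two sample images are constructed stand-ins, not real system files.

```python
import struct

def _rva_to_off(rva, sections):
    # each entry: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(pe):
    """Lower-cased DLL names from the import directory of a PE image (bytes)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B   # otherwise PE32+
    imp_rva = struct.unpack_from("<I", pe, opt + (96 if pe32 else 112) + 8)[0]
    sections = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i)
                for i in range(nsec)]
    names = []
    off = _rva_to_off(imp_rva, sections) if imp_rva else None
    while off is not None:
        desc = struct.unpack_from("<5I", pe, off)          # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                  # all-zero entry ends the table
            break
        start = _rva_to_off(desc[3], sections)             # desc[3] = Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace").lower())
        off += 20
    return names

def new_imports(suspect, clean):
    """DLLs that `suspect` imports and a known-clean copy of the same file does not."""
    return sorted(set(imported_dlls(suspect)) - set(imported_dlls(clean)))

def build_sample(dlls, va=0x1000, raw=0x200):
    """Constructed minimal PE32 holding only an import table (not a real system file)."""
    table_len, descs, strings = 20 * (len(dlls) + 1), b"", b""
    for name in dlls:
        descs += struct.pack("<5I", 0, 0, 0, va + table_len + len(strings), 0)
        strings += name.encode() + b"\0"
    body = descs + bytes(20) + strings
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
           + struct.pack("<H90xI", 0x10B, 16) + bytes(8)      # export directory: empty
           + struct.pack("<II", va, len(body)) + bytes(8 * 14)
           + b".idata\0\0" + struct.pack("<4I", len(body), va, len(body), raw) + bytes(16))
    return hdr.ljust(raw, b"\0") + body

print(new_imports(build_sample(["kernel32.dll", "odqu.dll"]), build_sample(["kernel32.dll"])))
```

On a real case, read both files from an offline copy of the disk (the poster booted from a live CD) and take the clean copy from the same Windows build and service pack.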