Removal of Virus/Trojan DLLs ? (more decom tips)

Klaatu01

I pulled a laptop in with what appears to be the "Polynomial.Code"
exploit identified by Prevx and found the system was infected on
November 14th or 15th, and a couple of the things I did to remediate
this "issue" were:

Moving multiple "suspect" .EXE files from the following directory:
C:\Documents and Settings\%username%\Local Settings\Temp

camg-77798.exe
218253.exe - Created 11/15 @ 7:20 PM
260584.exe - Created 11/15 @ 7:13 PM
171977.exe - Created 11/15 @ 6:47 PM

laofpmpo.exe
fxatuuqs.exe
ngihrzmh.exe

To a quarantine location, attempted to rename the files ".OLD" and
also mark all file Properties as "Deny"; this was in order to show the
client what actions were accomplished.

The other seemingly obvious signs this system had been compromised
were "C:\Program Files" subdirectories of:

\Lhutrpyu
\Toirtrwg
\Wnmdungf

The following additional directories appeared to have contamination as
well:

C:\Program Files\Microsoft.NET - by "qukebil77798.exe"
C:\WINDOWS - by "mrofina27.exe {and_a_long_string_of_stuff_here}$"
C:\WINDOWS\system32 - by "kernelwind32.exe"
C:\WINDOWS\system32 - by "newmaxxsv234.exe"
C:\WINDOWS\Temp - by "startdev.exe" - http://www.startdev.com/index.htm


Finally I booted the system using Winternals' ERD Commander 2005 and
removed known (or obvious)
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN entries including:

qukebil
qukebil77798.exe
ctfmona
ctfomona.exe
mrofina27
mrofina27.exe


However, the system remains contaminated and when I attempted to use
the "System Restore" utility from the local "Administrator" account, I
got:

"System Restore points will not protect your computer. Please reboot
your computer and try using System Restore again."

I could almost hear someone saying, "Mmwuhaaahaaahaaa" creepily in the
background when this popped up.

A poorly worded (suspect) pop-up that seems to indicate removing this
malware or virus from the system will be more complicated than is worth
the effort. I have placed this job on stand-by until I get
confirmation from the client no files are needed from the system.

I remain of the opinion that a NEXT GENERATION system integrity
checker and built-in 'Registry Defender' would be SO VERY HELPFUL in
preventing unauthorized programs from making entries in msconfig's
"Startup" group and things such as that! Beyond using a "firewall" to
prevent unwanted programs from getting into the system, there should
be a fully integrated (and easily demonstrated) method preventing ANY
executable (.EXE) file from being copied from removable media or
downloaded through Internet Explorer.

If we can put a man on the moon, we should be able to (at least) block
most types of system hijacking methods! It is not rocket science
people!

Klaatu01

Ahh, I forgot to mention the presence of:

C:\WINDOWS\system32 - by "dllh8jkd1q1.exe"
C:\WINDOWS\system32 - by "dllh8jkd1q2.exe"
C:\WINDOWS\system32 - by "dllh8jkd1q5.exe"
C:\WINDOWS\system32 - by "dllh8jkd1q6.exe"
C:\WINDOWS\system32 - by "dllh8jkd1q7.exe"

And the post-remediation attempt symptom of "qlupmdeh.dll" not
loading, a file that I also found suspicious, moved to a quarantine
location and renamed ".OLD" without being 100% certain that would
actually help the situation.

I am just posting these observations in the event other people are
also trying to deal with this issue or identify the source of their
problems.
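The first post above removed Run-key entries by hand and asks for a "Registry Defender" that spots unauthorized startup entries. The script below is an added example (not the poster's own tooling): it parses two regedit exports of the HKLM Run key, a known-good baseline and a later snapshot, and flags entries that are new, changed, launched from a Temp directory, or whose name squats on a legitimate entry (ctfmon vs. ctfmona). Both exports are constructed; only the value names come from the post, every path and the "laofpmpo" entry are assumptions.

```python
# Baseline-and-diff triage of the HKLM\...\Run autostart key. Both snapshots are
# constructed regedit exports (value names from the post, paths constructed).
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\")

BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor Tools\\tray.exe\" /hide"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
# Post-infection export: "ctfmona" squats on the legitimate "ctfmon" name.
CURRENT_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor Tools\\tray.exe\" /hide"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ctfmona"="C:\\WINDOWS\\system32\\ctfomona.exe"
"qukebil"="C:\\Program Files\\Microsoft.NET\\qukebil77798.exe"
"mrofina27"="C:\\WINDOWS\\mrofina27.exe"
"laofpmpo"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\laofpmpo.exe"
'''

def parse_run_key(reg_text):
    """Return {value_name: command} for RUN_KEY from a regedit export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):                      # key header
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if in_key and m:                              # REG_SZ value line
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            entries[name] = value
    return entries

def triage(baseline, current):
    """Flag entries added or changed since the baseline, with reasons."""
    findings = []
    for name, cmd in current.items():
        if baseline.get(name) == cmd:
            continue                                  # unchanged, known-good
        reasons = ["not in baseline" if name not in baseline else "command changed"]
        if any(d in cmd.lower() for d in TEMP_DIRS):
            reasons.append("runs from a temp directory")
        for legit in baseline:                        # ctfmon -> ctfmona
            if legit.lower() != name.lower() and legit.lower() in name.lower():
                reasons.append(f"name squats on legitimate entry {legit!r}")
        findings.append((name, cmd, reasons))
    return findings
```

On a live machine the two exports would come from `reg export` (or regedit) taken before and after the suspected infection; the same diff applies to the HKCU Run key and the RunOnce keys.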