Posted 22 January 2008 - 03:46 PM
Reposted as requested:
I've just killed off a bolenjx / kus109.dat infection manually, and here's some additional information that might be of help:
Bolenjx is reported to have appeared just last week (Jan 18th, 2008), but curiously it turned up on a donated PC that had been dormant for around a year, appearing within minutes of the machine's connection to the net to obtain Windows updates (XP Pro). The PC was thoroughly compromised with prior malware (maybe why the donation) and my gut feel is some of this stuff 'upgraded' itself to bolenjx. File datestamps suggest 9-March-2006 as the likely date of the earlier infection.
Couldn't launch any of the typical tools, although I didn't try too hard as the machine seemed so thoroughly compromised - eventually killed off by booting Ultimate Win Boot CD and manually inspecting the filesystem. Various attempts at scanning from the UWBCD boot didn't find anything, but I may have chosen some lame tools. I've generally had success with a boot-time scan from Avast to kill off any difficult nasties, and Avast appeared to install OK on the compromised Windows installation, but detected nothing in the boot-time scan - clearly one of these vectors was active before Avast kicked in. Didn't try HJT - maybe this would have been smarter.
Had the same two files (bolenjx.exe and kus109.dat), but also:
c:\windows\system32\drivers\beep.sys - clearly the widget suppressing launch of AntiVirus tools - it contained a surprisingly thorough list of AV exe's.
c:\windows\system32\multikz.exe - (6kb) something related to bolenjx, always turned up with the same create/modification date as bolenjx.exe
There was also a tmp.reg or temp.reg, and a 0.log with exactly the same timestamps as bolenjx in system32.
C:\WINNT\system32\wuauclt.exe deleted as suggested (no version info in header, so clearly suspect)
Other suspect files killed off - not totally certain they're all guilty, but appear likely related to the original infection:
c:\windows\system32\26179 - 393kb, and no file extension but clearly executable. mod date of 11-Jan-1999 and create date of 9-Mar-2006.
c:\windows\system32\grwinsthlp.exe - 17kb and from a Google search possibly the nasty that installed bolenjx.
c:\windows\system32\csuninst.exe - 4kb - looks like an uninstaller, but has comet reg keys embedded and no version header. Create/mod date 9-Mar-2006.
c:\windows\system32\waitwnd.exe - 85kb - could be a legit installation widget, but it looked like a compressed exe, no version info in the header.
All of this stuff (including waitwnd.exe) had the same creation date of 9-Mar-2006, and this date didn't appear across other system32 files.
Finally, not having any idea how early this thing was getting active, I did a FIXMBR off a Win boot/install disk. FIXMBR reported the MBR as damaged - I haven't used FIXMBR enough times to know if that's a reliable indicator.
Once this lot was cleared out I finally got Avast to launch along with Windows, and it's now doing a thorough scan with a current db. Can report results tomorrow if that's useful. Some of these files I've renamed rather than deleted (e.g. 26179 to 26179.vir) so may get more info.
I'm new to this site, so just ping me if this form of info isn't useful or posted in the wrong spot.
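The triage the post does by hand (a handful of system32 files sharing one odd creation date, executables with no version info in the header, an executable with no file extension) as an added Python example that is not part of the original post. The version-info check is a byte-level heuristic for the VS_VERSION_INFO resource key rather than a full resource parse, and the SAMPLE records are constructed to mirror the post's file names and dates.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
# A compiled VERSIONINFO resource contains this UTF-16LE key; its absence is the post's "no version info" signal
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv")

def is_pe(data: bytes) -> bool:
    # DOS header 'MZ' whose e_lfanew (offset 0x3C) points at the 'PE\0\0' signature
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def creation_day(path) -> str:
    st = Path(path).stat()  # st_birthtime where the OS has it; on Windows st_ctime is creation time
    ts = getattr(st, "st_birthtime", st.st_ctime)
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")

def collect(directory) -> list:
    # Every regular file in one directory as a (name, bytes, creation day) record
    return [(p.name, p.read_bytes(), creation_day(p))
            for p in sorted(Path(directory).iterdir()) if p.is_file()]

def analyze(records: list, rare_day_max: int = 5) -> dict:
    # Map each suspicious file name to the reasons it was flagged
    day_counts = Counter(day for _, _, day in records)
    findings = {}
    for name, data, day in records:
        reasons, pe = [], is_pe(data)
        if pe and VERSION_MARKER not in data:
            reasons.append("PE file with no version resource")
        if pe and not name.lower().endswith(EXEC_EXT):
            reasons.append("PE file without an executable extension")
        if 1 < day_counts[day] <= rare_day_max:  # small cluster on a date nothing else in the directory uses
            reasons.append(f"shares rare creation date {day} with {day_counts[day] - 1} other file(s)")
        if reasons:
            findings[name] = reasons
    return findings

def fake_pe(with_version: bool) -> bytes:
    # Constructed minimal PE-shaped bytes for offline testing, not a real binary
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return hdr + (VERSION_MARKER if with_version else b"")

# Constructed records mirroring the post: three files on one odd date, six installed files with version info
SAMPLE = [(n, fake_pe(False), "2006-03-09") for n in ("bolenjx.exe", "multikz.exe", "26179")] + [
    (n, fake_pe(True), "2004-08-04") for n in
    ("kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "shell32.dll")]
```

On a real machine, run `analyze(collect(r"C:\Windows\System32"))` from a clean boot environment; anything flagged is a candidate for a closer look, not a verdict.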