23 September 2008

In Memoriam

The qxcrhf family of files (qxcrhf.dll, qxcrhf32.dll, and the qxcrhf registry entries) appear to have been a unique creation of a common viral infection on a client's computer.

After hour after fruitless hour of battle, using every tool at my disposal, I finally found the chink in its armor. And no, that is not a racial slur. Shame on you for such thoughts!

Anyway, FileASSASSIN gets my heartfelt endorsement!

Goodbye qxcrhf, you will not be missed. May you rot in the infernal regions with all of the other random character strings created by various forms of malware. I wish I could say what trojan this was exactly, but there were at least three separate ones infecting this computer and I have a feeling that qxcrhf was a different one.


Matt said...

Hey, wanna beat your head against the wall fixing my old broken down laptop?

Haha...maybe I'll give that program a try. Does it take out general malware/bad stuff, or just the program you were targeting?

The Irascible Neufonzola said...

No, that was a specific purpose program...basically after 5 hours narrowing it down to the exact hidden file that remained and was propogating the virus, I could not coerce the operating system to delete it, even in the comically named Safe Mode. This program is basically designed to twist the operating system's arm around its back, say, "you're going to delete that file! Say UNCLE!"

あじ said...

The solution to coercing the operating system is to use your powers as Administrator - something Microsoft makes anything but straightforward. You need to take ownership of the file, then set permissions to Deny Full Control for SYSTEM, and Allow Full Control for Administrator. That may require a reboot in order to prevent the program from starting up.

For tracking down files that are part of malware, there was an old program called FileMon that is now published for free by Microsoft as Process Monitor. It should make it pretty easy to figure out what files are being touched, as you can show only files being touched by a specific process.

The Irascible Neufonzola said...

Sweet! That makes perfect sense. Denying that file to SYSTEM would prevent it from being automatically launched. The DLL was nested under lsass so I didn't want to do something stupid and kill that process to get at the file.

I used sysinternals Process Monitor (I think that's what its called) to actually find the file and the issue.

Ahhh, what fun.