Re: what the hell is KB7218151.LOG?



"Feng Li" <fengli@xxxxxxxxx> wrote:

Hi guys,

I found that every process running in my winxp system contains a
strange module with the name "KB7218151.LOG". the file is located
under "c:\windows" folder,

Why do you work with administrative privileges all the time?
Create an unprivileged account for your everyday work and malware running
under your account won't infect the machine.

instead of being a plain text file as the
name suggested, it's actually an executable module (start with the "MZ"
header). after some further investigation, i found that it's is loaded
by the following registry entry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]
"AppInit_DLLs"="KB7218151.LOG"

Same as above: only Administrators have write access to HKLM!

that's why every process in the system is injected with this dll
module.

I dont think it's a patch released by MS as MS wouldnt use these kind
of misleading filename to hide their actual intention. i have searched
through the internet but cannot find anything about this
"KB7218151.LOG".

is there any guru here know what it is? i will mail the "KB7218151.LOG"
file to you if you need to examine it.

Your machine is infected by a trojan which most probably has loaded
other malware.
You can't trust your system any more, any "tools" run from this system
might give tampered results.
Go ahead and reinstall your system from scratch, with current service
pack and all security hotfixes, BEFORE going online. Then setup an
unprivileged account for your daily work. Consider using software
restriction policies to enable execution only from %SystemRoot%\ and
below and %ProgramFiles%\ and below, or at least disable execution from
%UserProfile%\ and below, %HomeDrive%%HomePath%\ and below, %TEMP%\ and
below, ?:\RECYCLE?\ and below.

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>
| "Cleaning a Compromised System ...
| 2) You can't clean a compromised system by removing the back doors. You
| can never guarantee that you found all the back doors the attacker put
| in.
| 4) You can't clean a compromised system by using a virus scanner....
....
| The only way to clean a compromised system is to flatten and rebuild.
| That's right.

Stefan

.