All Clear on the Malware Front
by Jitesh Gandhi on September 18, 2009 8:07 PM, under Software, Technology
The malware is all gone. It hooked in pretty deeply. It was actually pretty clever. It manages to load a library during boot-up before you even get to the Windows login screen, and well before your anti-virus software is running. It does not stop there. It then attaches to any/multiple running processes as a thread so nothing looks out of sorts. So you look at the task manager and all the running processes appear legit. I assume that’s why the anti-virus software was clueless. In addition, it discreetly disabled the Windows Security Center warnings that appear when your anti-virus software is disabled, and it hid Windows Updates. (This is how I figured out the problem. I highly recommend Malwarebytes to everyone; it pointed me to the registry entries that were being changed.)
I first used RegMon to watch the registry entries to see what was changing them. It was odd that my mail program and Explorer were doing it. So I used Process Explorer to see what those programs were up to. After that, Google led me to a program that took care of it once and for all, ComboFix. It’s straightforward to use if you follow the directions. I like that it installs the recovery console as a boot option.
Updated 9/29/2009: I just discovered that ComboFix resets the hosts file. For most, this won’t matter. I added some hosts for testing multiple web applications on different “domains”. It took me a little bit of time to realize why they would not work.
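A defensive check that pairs with the two points above (the suppressed Security Center warnings and the hosts file reset), as an added PowerShell example that is not the author's: it reads the XP/Vista-era Security Center *DisableNotify values (that key path and those value names are assumed from Windows of that era, not taken from the post) and backs up the hosts file, listing its active entries, before a cleanup tool runs.

```powershell
# Added example, not the author's script. The key path and value names below are
# assumed from XP/Vista-era Windows; the post does not name the registry entries.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notifyValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Test-SecurityCenterNotifications {
    # A non-zero *DisableNotify value means Security Center stays silent about that component.
    if (-not (Test-Path $scKey)) { Write-Warning "Key not found: $scKey"; return }
    $props = Get-ItemProperty -Path $scKey
    foreach ($name in $notifyValues) {
        $val = $props.$name
        if ($null -ne $val -and $val -ne 0) {
            Write-Warning "$name = $val (warnings suppressed); check which process set it"
        } else {
            Write-Host "$name OK"
        }
    }
}

function Backup-HostsFile {
    # Copy the hosts file aside and print the active (non-comment) mappings,
    # so custom test entries can be restored after a tool resets the file.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $backup = "${hosts}.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
    Copy-Item -Path $hosts -Destination $backup
    Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        ForEach-Object { Write-Host "active entry: $_" }
    return $backup
}

Test-SecurityCenterNotifications
$saved = Backup-HostsFile
Write-Host "hosts file backed up to $saved"
```

Run it from an elevated prompt before the cleanup so the backup and the baseline of notification settings exist to compare against afterwards.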