The Haphazard Blog


All Clear on the Malware Front

Posted Sep. 18, 2009, under Software, Technology

The malware is all gone. It hooked in pretty deeply, and it was actually pretty clever. It loads a library during boot-up, before you even reach the Windows login screen and well before your anti-virus software is running. It does not stop there: it then injects itself as a thread into one or more already-running processes, so nothing looks out of place. Look at Task Manager and every running process appears legitimate. I assume that is why the anti-virus software was clueless. In addition, it discreetly disabled the Windows Security Center warnings that fire when your anti-virus software is turned off, and it hid Windows Updates. (That is how I figured out the problem. I highly recommend Malwarebytes to everyone; it pointed me to the registry entries that were being changed.)

I first used RegMon to watch the registry and see which process was changing the entries. Oddly, it was my mail program and Explorer doing it. So I used Process Explorer to see what those programs were up to. After that, Google led me to a program that took care of it once and for all: ComboFix. It is straightforward to use if you follow the directions. I like that it installs the Recovery Console as a boot option.
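The RegMon review described in the two paragraphs above, turned into a script, as an added example that is not part of the original post: it scans a registry-activity log for successful writes to the Security Center "disable notify" values and the Explorer policy that hides Windows Update, and lists which processes made them so you know what to open in Process Explorer. The log lines below are constructed in a RegMon-style tab-separated layout (sequence, time, process:pid, request, path, result, other), and "mailclient.exe" stands in for the author's unnamed mail program; adjust parse_line() if your export differs. The value names are the real Security Center and Explorer policy values on Windows XP/Vista; EXPECTED_WRITERS is an assumption made for the example.

```python
"""Flag registry writes that silence Security Center or hide Windows Update.

Added example, not from the post. Assumptions: log lines are in a
RegMon-style tab-separated layout (seq, time, process:pid, request, path,
result, other); EXPECTED_WRITERS is a judgement call for the example.
"""

# Values the post says were being changed: Security Center notification
# switches and the Explorer policy that hides Windows Update (lower-case,
# short hive names, so they compare against normalize_path() output).
WATCHED_VALUES = {
    r"hklm\software\microsoft\security center\antivirusdisablenotify",
    r"hklm\software\microsoft\security center\firewalldisablenotify",
    r"hklm\software\microsoft\security center\updatesdisablenotify",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\nowindowsupdate",
    r"hkcu\software\microsoft\windows\currentversion\policies\explorer\nowindowsupdate",
}

# Processes assumed to legitimately write these values (the Security Center
# notification service and the service control manager). A mail client or
# Explorer writing them is exactly the anomaly the post describes.
EXPECTED_WRITERS = {"wscntfy.exe", "services.exe"}

# Request types that actually modify a value; reads are ignored.
WRITE_REQUESTS = {"setvalue", "deletevalue"}

# Accept either the short (HKLM) or long (HKEY_LOCAL_MACHINE) hive name.
_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize_path(path):
    """Lower-case a registry path and shorten the hive name."""
    path = path.strip().lower()
    hive, sep, rest = path.partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + sep + rest


def parse_line(line):
    """Split one tab-separated log line into a dict, or None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    seq, time, proc, request, path, result = parts[:6]
    other = parts[6] if len(parts) > 6 else ""
    name, _, pid = proc.rpartition(":")
    if not name:  # no ":pid" suffix on the process column
        name, pid = proc, ""
    return {
        "seq": int(seq),
        "time": time,
        "process": name.lower(),
        "pid": pid,
        "request": request.lower(),
        "path": normalize_path(path),
        "result": result.upper(),
        "other": other,
    }


def find_watched_writes(lines, expected_writers=EXPECTED_WRITERS):
    """Return successful writes to watched values, flagging unexpected writers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["request"] not in WRITE_REQUESTS:
            continue
        if rec["path"] not in WATCHED_VALUES or rec["result"] != "SUCCESS":
            continue
        rec["unexpected_writer"] = rec["process"] not in expected_writers
        hits.append(rec)
    return hits


def writers_to_investigate(hits):
    """Group unexpected writes by process: the list to take to Process Explorer."""
    by_proc = {}
    for h in hits:
        if h["unexpected_writer"]:
            by_proc.setdefault(h["process"], []).append((h["path"], h["other"]))
    return by_proc


# Constructed sample log. Line 1 is a read, line 5 is unrelated, line 6 is the
# expected writer resetting a flag, line 7 is a write that failed.
SAMPLE_LOG = """\
1\t10:01:02.001\tsvchost.exe:1088\tQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify\tSUCCESS\t0x0
2\t10:01:02.015\tmailclient.exe:2312\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify\tSUCCESS\t0x1
3\t10:01:02.020\tmailclient.exe:2312\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify\tSUCCESS\t0x1
4\t10:01:02.031\texplorer.exe:1540\tSetValue\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWindowsUpdate\tSUCCESS\t0x1
5\t10:01:03.100\tnotepad.exe:3004\tOpenKey\tHKCU\\Software\\Microsoft\\Notepad\tSUCCESS\t
6\t10:01:04.200\twscntfy.exe:1704\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify\tSUCCESS\t0x0
7\t10:01:05.000\tmailclient.exe:2312\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify\tACCESS DENIED\t
""".splitlines()


if __name__ == "__main__":
    suspects = writers_to_investigate(find_watched_writes(SAMPLE_LOG))
    for proc, writes in suspects.items():
        print(proc)
        for path, value in writes:
            print(f"    {path} = {value}")
```

A value of 0x1 written to AntiVirusDisableNotify or UpdatesDisableNotify by anything other than the Security Center service is the tell; on the sample log the script reports the mail client and explorer.exe, which is what the author saw by hand. The failed write on the last line is dropped on purpose, since only successful writes change the machine's state.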

Updated 9/29/2009: I just discovered that ComboFix resets the hosts file. For most people this won't matter. I had added some entries for testing multiple web applications on different "domains", and it took me a little while to realize why they would not work.
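The check a practitioner would want after running a cleanup tool like this, as an added example that is not part of the original post: parse the hosts file in its standard format (address, whitespace, one or more hostnames, optional # comment), compare it with a table of the custom entries you rely on, and report what is missing or now points elsewhere, along with the lines to append to restore the missing ones. The EXPECTED table, both sample files and the hostnames in them are constructed for the example; the default HOSTS_PATH is the real Windows location.

```python
"""Audit a Windows hosts file against the custom entries you depend on.

Added example, not from the post. EXPECTED and both sample files are
constructed; HOSTS_PATH is the standard Windows location.
"""
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed: the dev-app mappings the author's setup relied on.
EXPECTED = {
    "app1.local": "127.0.0.1",
    "app2.local": "127.0.0.1",
    "api.app2.local": "192.168.56.10",
}


def parse_hosts(text):
    """Return {hostname: address}, ignoring comments and blank lines.

    Names are compared case-insensitively; if a name appears more than once
    the first occurrence is kept so a later duplicate does not mask it.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        fields = line.split()
        if len(fields) < 2:  # blank line, or an address with no names
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def audit_hosts(text, expected=EXPECTED):
    """Report expected names that are absent, or that resolve elsewhere."""
    current = parse_hosts(text)
    missing = {n: a for n, a in expected.items() if n not in current}
    changed = {n: (a, current[n]) for n, a in expected.items()
               if n in current and current[n] != a}
    return {"missing": missing, "changed": changed}


def restore_lines(text, expected=EXPECTED):
    """Lines to append so every missing expected name resolves again.

    Changed entries are reported but not rewritten: an entry that moved
    deserves a look rather than an automatic fix.
    """
    report = audit_hosts(text, expected)
    return [f"{a}\t{n}\t# restored dev entry" for n, a in report["missing"].items()]


# Constructed: what the file looks like after a tool has reset it.
RESET_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed: the file with the dev entries in place.
CUSTOM_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       app1.local app2.local    # dev web apps
192.168.56.10\tapi.app2.local
"""


if __name__ == "__main__":
    import sys

    path = Path(sys.argv[1]) if len(sys.argv) > 1 else HOSTS_PATH
    text = path.read_text(encoding="utf-8", errors="replace")
    report = audit_hosts(text)
    for name, address in report["missing"].items():
        print(f"missing: {name} -> {address}")
    for name, (want, got) in report["changed"].items():
        print(f"changed: {name} expected {want}, file has {got}")
    for line in restore_lines(text):
        print(f"append: {line}")
```

Run it against the live file after a cleanup, or keep a copy of the hosts file next to the tool and diff before and after. Appending the restored lines with Notepad run as Administrator is enough on Vista and later; the file is owned by the system.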
