{"id":132,"date":"2009-09-18T20:07:10","date_gmt":"2009-09-19T01:07:10","guid":{"rendered":"http:\/\/www.jitesh.com\/blog\/?p=132"},"modified":"2017-07-17T13:10:20","modified_gmt":"2017-07-17T18:10:20","slug":"all-clear-on-the-malware-front","status":"publish","type":"post","link":"http:\/\/www.jitesh.com\/blog\/2009\/09\/18\/all-clear-on-the-malware-front\/","title":{"rendered":"All Clear on the Malware Front"},"content":{"rendered":"<p>The malware is all gone. It hooked in pretty deeply. It was actually pretty clever. It manages to load a library during boot-up before you even get to the Windows login screen, and well before your anti-virus software is running. It does not stop there. It then attaches to any\/multiple running processes as a thread so nothing looks out of sorts. So you look at the task manager and all the running processes appear legit. I assume that&#8217;s why the anti-virus software was clueless. In addition, it discreetly disabled the Windows Security Center warnings when your anti-virus software is disabled and hid Windows Updates. (This is how I figured out the problem. I highly recommend <a href=\"http:\/\/www.malwarebytes.org\/\">Malwarebytes<\/a> to everyone; it pointed me to the registry entries that were being changed.)<\/p>\n<p>I first used <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896652.aspx\">RegMon<\/a> to watch the registry entries to see what was changing the entries. It was odd that my mail program and explorer were doing it. So I used <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896653.aspx\">Process Explorer<\/a> to see what those programs were up to. After that, Google led me to a program that took care of it once and for all, <a href=\"http:\/\/www.bleepingcomputer.com\/combofix\/how-to-use-combofix\">ComboFix<\/a>. It&#8217;s straightforward to use if you follow the directions. 
I like that it installs the recovery console as a boot option.<\/p>\n<p><strong>Updated 9\/29\/2009<\/strong>: I just discovered that ComboFix resets the hosts file. For most, this won&#8217;t matter. I added some hosts for testing multiple web applications on different &#8220;domains&#8221;. It took me a little bit of time to realize why they would not work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The malware is all gone. It hooked in pretty deeply. It was actually pretty clever. It manages to load a library during boot-up before you even get to the Windows login screen, and well before your anti-virus software is running. It does not stop there. It then attaches to any\/multiple running processes as a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[18,8],"tags":[245,244,242,243],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-software","category-technology","tag-combofix","tag-malware","tag-spyware","tag-worms"],"_links":{"self":[{"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":8,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":890,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/posts\/132\/revisions\/890"}],"wp:attachment":[{"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.jitesh.com\/blog\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}