Post by matt on May 1, 2010 19:35:58 GMT -5
All, I recently had the pleasure of catching an ugly virus on my laptop. I was looking for info on Cisco router simulators while in class. A drive-by on a hacked website offered me up a nice dish of trojan. Malwarebytes was rendered inoperable by the virus. I kept the laptop offline and took a chance infecting my USB stick. I loaded Spybot 1.6. It successfully found and eradicated the offending files. But the rootkit and various processes remained.

I noticed this because even in safe mode there was an entry in hklm.\software\windows\microsoft\run and RunOnce for guzaladem bogogife.dll. I deleted this entry while in safe mode and off the net. I performed a refresh of regedit and it appeared right away, even though I deleted it while in safe mode.

Long story short, I found this article: forum.kaspersky.com/index.php?showtopic=97496

I used ComboFix, which snagged off the rootkit, .dat, and .dll files which hijacked processes even in safe mode. Remember, in order to fix such a virus, you must be offline, as it uses a combination of BHOs (browser helper objects), in-process .dlls, and rootkits. Good luck.

Matt
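The check matt describes by hand (look at the Run/RunOnce keys in safe mode, delete the entry, refresh, see if it comes back) can be scripted so it is repeatable and covers the keys people usually forget. This is an added example and not code from matt's post or from the Kaspersky thread he links; the value name `bogogife` in the usage comment is an assumption standing in for whatever entry you actually find, and the "suspicious path" pattern is a heuristic, not a signature.

```powershell
# Added example (not from the original post): enumerate the autostart Run/RunOnce
# keys, flag entries that launch from user-writable locations or via rundll32,
# and test whether a deleted entry is recreated, which is the symptom matt saw.
# Run from an elevated PowerShell prompt; HKLM deletions need admin.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view of the machine hive on 64-bit Windows; easy to overlook in regedit
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# PowerShell adds these bookkeeping properties to Get-ItemProperty output; skip them.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    # Returns a hashtable of "<key>\<valuename>" -> command line
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $PsNoise) { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Test-SuspiciousAutorun {
    param([string]$Command)
    # Heuristic only: legitimate software rarely autostarts from Temp/AppData/ProgramData,
    # and "rundll32 <random>.dll" is the pattern matt's guzaladem/bogogife entry used.
    return ($Command -match '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\') -or
           ($Command -match '(?i)^\s*"?.*rundll32(\.exe)?"?\s')
}

function Test-AutorunReappears {
    # Delete a value, wait, and report whether something put it back.
    # A value that returns while you are offline in safe mode means a live
    # process, service or driver is re-adding it; regedit alone will not win.
    param([string]$Key, [string]$Name, [int]$WaitSeconds = 5)
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    Start-Sleep -Seconds $WaitSeconds
    $after = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $after)
}

# List everything, marking entries the heuristic considers worth a second look.
$before = Get-AutorunEntries
$before.GetEnumerator() | Sort-Object Key | ForEach-Object {
    $flag = if (Test-SuspiciousAutorun $_.Value) { '[?]' } else { '   ' }
    '{0} {1} => {2}' -f $flag, $_.Key, $_.Value
}

# Hypothetical usage (value name is an assumption; substitute the one you found):
# $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# if (Test-AutorunReappears -Key $key -Name 'bogogife') {
#     Write-Warning "$key\bogogife was recreated after deletion: persistence is still running."
# }
```

Run it once before and once after cleanup and diff the two listings; an entry that survives deletion, or a `[?]` entry that points at a DLL you cannot account for, is the thing to hand to a rootkit-aware tool rather than keep deleting by hand. Run and RunOnce are only the most common autostart locations; services, drivers and scheduled tasks are not covered by this script.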