Security Basics mailing list archives
Re: Trojan.Lodear.B/Trojan.Lodav.A
From: mjcarter () ihug co nz
Date: Wed, 16 Nov 2005 11:51:03 +1300
Hi Joe,

Firstly, are you booting to safe mode without networking? Due to the nature of Lodav I think it's best to format the drive and start again, but if that's not an option an offline scan or manual cleanup from a live CD might work. The following link is for detecting rootkits, but the same technique can be used to find other stealth malware.

http://research.microsoft.com/rootkit/

Regards
Mike
www.infosec.co.nz
> Hi all,
>
> I have a workstation that was compromised by the Trojan mentioned in the subject, after the end user opened an infected .ZIP file. I followed the instructions Symantec recommended. I used their removal tool because I was not able to access the registry. I also installed the UnHookExec.inf in an attempt to reset the shell/open/command reg keys, per the article. I was still not able to access the registry.
>
> I ran the removal tool several times in normal and in safe mode and each time it would detect and terminate the Trojan process running in explorer.exe. Before one removal tool run, I ran Winternals Process Explorer, but nothing was found. I ran two anti-virus scans but did not find anything after the initial detection.
>
> Is there anything that I have not tried that someone can suggest? I'm about ready to run a repair on Windows, but not ready to rebuild, as I am concerned there may be more workstations that have been just as compromised.
>
> Thanks in advance.
>
> --
> Joe George
> IT Janitor
> x349
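Two defender-side checks that follow from the thread, written here as an added example (not code from either poster, from Symantec's UnHookExec.inf, or from the Microsoft rootkit page). The first compares the shell\open\command handlers for the executable file classes against the stock Windows defaults, which is what UnHookExec.inf restores; the expected strings are assumed defaults and should be confirmed against a known-clean machine of the same Windows version. The second implements the cross-view idea Mike's link describes: take a file listing from inside the running OS, take another of the same volume after booting a clean live CD or WinPE, and report entries the running OS did not show.

```powershell
# Added example, not from the original posts. Assumed stock handler values;
# verify them on a clean reference system before trusting the comparison.
$ExpectedHandlers = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
}

function Test-ShellOpenCommand {
    [CmdletBinding()]
    param([hashtable]$Expected = $ExpectedHandlers)

    foreach ($class in $Expected.Keys) {
        # HKCR is a merged view; check both source hives so a per-user
        # override in HKCU\Software\Classes is not missed.
        foreach ($hive in 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes', 'HKEY_CURRENT_USER\Software\Classes') {
            $keyPath = "Registry::$hive\$class\shell\open\command"
            $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
            if (-not $key) { continue }   # absent in this hive is normal for HKCU

            $actual = $key.GetValue('')   # the (Default) value is the handler
            $status = if ($actual -eq $Expected[$class]) { 'OK' } else { 'MISMATCH' }
            [pscustomobject]@{
                Hive     = $hive
                Class    = $class
                Status   = $status
                Actual   = $actual
                Expected = $Expected[$class]
            }
        }
    }
}

# Cross-view file listing. Run once from the live OS and once from a clean
# boot against the same volume, then compare the two files.
function Get-FileSnapshot {
    param(
        [Parameter(Mandatory)][string]$Root,      # e.g. 'C:\' online, 'D:\' from the live CD
        [Parameter(Mandatory)][string]$OutFile
    )
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Strip the drive root so letters assigned by the live CD do not cause false diffs.
            $relative = $_.FullName.Substring($Root.Length)
            '{0}|{1}|{2:o}' -f $relative, $_.Length, $_.LastWriteTimeUtc
        } |
        Sort-Object |
        Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-FileSnapshot {
    param(
        [Parameter(Mandatory)][string]$OnlineListing,
        [Parameter(Mandatory)][string]$OfflineListing
    )
    # Entries the offline (trusted) view has but the online view lacks are
    # files the running OS is hiding; those are the ones to examine.
    Compare-Object -ReferenceObject (Get-Content $OfflineListing) `
                   -DifferenceObject (Get-Content $OnlineListing) |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { $_.InputObject }
}

# Usage:
#   Test-ShellOpenCommand | Format-Table -AutoSize
#   Get-FileSnapshot -Root 'C:\' -OutFile 'E:\online.txt'     # from the running OS
#   Get-FileSnapshot -Root 'D:\' -OutFile 'E:\offline.txt'    # from the live CD, same volume
#   Compare-FileSnapshot -OnlineListing 'E:\online.txt' -OfflineListing 'E:\offline.txt'
Test-ShellOpenCommand | Format-Table -AutoSize
```

Expect a handful of differences even on a clean system (pagefile, hibernation file, files written between the two snapshots); the signal is ordinary-looking executables or DLLs under system directories that appear only in the offline view. Because the online snapshot is taken through the possibly hooked OS, the offline listing is the trusted side of the comparison, which is why the handler check is also worth re-running from the clean boot by loading the offline SOFTWARE hive rather than querying the live registry.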