Re: Trojan.Lodear.B/Trojan.Lodav.A

[mjcarter () ihug co nz]

Hi Joe,

Firstly are you booting to safe mode without networking?

Due to the nature of Lodav I think it's best to format the
drive and start again but if that's not an option an offline
scan or manual cleanup from a live CD might work.

The following link is for detecting rootkits but the same
technique can be used to find other stealth malware.

http://research.microsoft.com/rootkit/

Regards
Mike

www.infosec.co.nz

> Hi all,
>
> I have a workstation that was compromised by the Trojan
> mentioned in the subject, after the end user opened an
> infected .ZIP file. I followed the instructions Symantec
> recommended.  I used their removal tool because I was not
> able to access the registry.  I also installed the
> UnHookExec.inf in an attempt to reset the
> shell/open/command reg keys, per the article.  I was still
> not able to access the registry.  I ran the removal tool
> several times in normal and in safe mode and each time it
> would detect and terminate the Trojan process running in
> explorer.exe.  Before one removal tool run, I ran
> Winternals Process Explorer, but nothing was found.  I ran
> two anti-virus scans but did not find anything after the
> initial detection.  Is there anything that I have not
> tried that someone can suggest? I'm about ready to run a
> repair on Windows, but not ready to rebuild, as I am
> concerned there maybe more workstations that have been
> just as compromised.
>
> Thanks in advance.
>
> --
> Joe George
> IT Janitor
> x349