
Removing Poison Ivy Rat

Printed From: Sysinternals
Category: Windows Discussions
Forum Name: Malware
Forum Description: Discussions and news on identifying, cleaning, and preventing malware
URL: http://forum.sysinternals.com/forum_posts.asp?TID=13030
Printed Date: 02 September 2010 at 3:33pm


Topic: Removing Poison Ivy Rat
Posted By: Nv-LOL GFX
Subject: Removing Poison Ivy Rat
Date Posted: 12 December 2007 at 1:10pm
Some people say that the start-up entry exists:

1. Kill explorer.exe
2. Kill all running instances of your browser (just to be sure).
3. Remove the runkey (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components), look for a key with only a stubpath item.
4. Remove the exe the runkey is pointing to.


I cannot find anything in HKLM.

This RAT is hard to find because I accidentally executed the server and it runs in processes.

No files, no processes, nothing.

Now I have no option except a reformat....

Someone shed light please, as there is no file on my computer.

It runs in other processes, HENCE no antivirus can detect anything suspicious, and many never did.

I notice some of my desktop shortcuts have had their names changed.



-------------
I use Windows Xp Pro sp2 -
It R0xx0rs My b0xxorz?!1!one!!one



Replies:
Posted By: fcukdat
Date Posted: 12 December 2007 at 1:18pm
Can you PM me a link to a dropper for this RAT

-------------
___________
Ade Gill
Malwarebytes Researcher



Posted By: Elite
Date Posted: 12 December 2007 at 1:18pm
If I remember correctly, PoisonIvy has some weak rootkit capabilities. I believe it was something like a firewall bypasser (SSDT unhooking) and process hiding. Dunno about files though. Forgot how the startup/file system works on this rat though...

Chances are, if there are no processes (and no hidden processes), then it's using DLL injection. You can try posting an autoruns log, and we can try yanking it. This rat is actually fairly easy to remove.

Btw, if you scanned with KAV, you'd find it. Up to you, KAV or Autoruns log. Fire up RkU as well. 


Posted By: fcukdat
Date Posted: 12 December 2007 at 1:34pm

Google is your friend.

Damn, this thing is well known.

File Poison_Ivy_2.3.0.exe received on 12.12.2007 22:26:35 (CET)
Result: 27/32 (84.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.13.10 2007.12.12 Win-Trojan/Poisonivy.2105798
AntiVir 7.6.0.40 2007.12.12 BDS/Poisonivy.Q.2
Authentium 4.93.8 2007.12.12 W32/Backdoor.AYAT
Avast 4.7.1098.0 2007.12.11 Win32:PoisonIvy-S
AVG 7.5.0.503 2007.12.12 BackDoor.Generic7.FYC
BitDefender 7.2 2007.12.12 Trojan.Hacktool.PoisonIvy.A
CAT-QuickHeal 9.00 2007.12.12 Backdoor.PoisonIvy.q
ClamAV 0.91.2 2007.12.12 Trojan.Small-2497
DrWeb 4.44.0.09170 2007.12.12 -
eSafe 7.0.15.0 2007.12.12 Win32.PoisonIvy.q
eTrust-Vet 31.3.5371 2007.12.12 -
Ewido 4.0 2007.12.12 Backdoor.PoisonIvy.q
FileAdvisor 1 2007.12.12 High threat detected
Fortinet 3.14.0.0 2007.12.12 W32/PoisonIvy.Q!tr.bdr
F-Prot 4.4.2.54 2007.12.12 W32/Backdoor.AYAT
F-Secure 6.70.13030.0 2007.12.12 Backdoor.Win32.PoisonIvy.q
Ikarus T3.1.1.12 2007.12.12 Backdoor.Win32.PoisonIvy.q
Kaspersky 7.0.0.125 2007.12.12 Backdoor.Win32.PoisonIvy.q
McAfee 5184 2007.12.12 -
Microsoft 1.3007 2007.12.12 -
NOD32v2 2719 2007.12.12 Win32/RemoteAdmin.PoisonIvy.230
Norman 5.80.02 2007.12.12 W32/PoisonIvy.ADC
Panda 9.0.0.4 2007.12.12 Bck/PoisonIvy.V
Prevx1 V2 2007.12.12 TROJAN.POISONIVY.A
Rising 20.22.22.00 2007.12.12 Backdoor.Win32.PoisonIvy.q
Sophos 4.24.0 2007.12.12 Troj/PoisonI-C
Sunbelt 2.2.907.0 2007.12.12 Trojan.Unclassified.gen
Symantec 10 2007.12.12 Trojan Horse
TheHacker 6.2.9.156 2007.12.12 Backdoor/PoisonIvy.q
VBA32 3.12.2.5 2007.12.10 Backdoor.Win32.PoisonIvy.q
VirusBuster 4.3.26:9 2007.12.12 -
Webwasher-Gateway 6.6.2 2007.12.12 Trojan.Backdoor.Poisonivy.Q.2
Additional information
File size: 2105798 bytes
MD5: fd287794107630fa3116800e617466a9
SHA1: 19862253caacadd621aaa74b78b334c01f4f346c
PEiD: -


-------------
___________
Ade Gill
Malwarebytes Researcher



Posted By: MEGA
Date Posted: 13 December 2007 at 2:29pm
Hi,
The last version uses ADS to hide itself.
BTW, that PI doesn't use DLL injection; it uses process injection.
- Kill all browser instances, then kill explorer.exe, then restart explorer.exe.
- Scan with IceSword; you will find something like C:\Windows\:server.exe
- Delete the ADS file.
- And do a full scan with an up-to-date AV.

Hope it will help, and sorry for my English. I know that you will be able to remove it; not that hard, good luck :)
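
A defender-side triage script for the two hiding places discussed in this thread: the alternate data stream on C:\Windows that MEGA describes, and the Active Setup component key with nothing but a StubPath value that the first post quotes. This is an added example, not code from any poster; it assumes PowerShell 3.0 or later (for -Stream and -File), so it would not run on the original poster's XP SP2 box, where IceSword or Sysinternals Streams covers the same check.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0+.

function Get-SuspiciousStreams {
    # Lists NTFS alternate data streams on a directory itself and on the files
    # directly inside it. The unnamed ':$DATA' stream is a file's normal content
    # and 'Zone.Identifier' is the benign mark-of-the-web, so both are skipped.
    # On older PowerShell builds the directory's own streams may not enumerate;
    # 'streams.exe -s <dir>' from Sysinternals shows them in that case.
    param([string]$Path = $env:SystemRoot)

    $benign  = @(':$DATA', 'Zone.Identifier')
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream   # 'server.exe' would mean C:\Windows\:server.exe
                    Length = $_.Length
                }
            }
    }
}

function Get-StubPathOnlyComponents {
    # Active Setup\Installed Components subkeys whose only value is StubPath are
    # the pattern the first post describes; legitimate components normally also
    # carry Version, IsInstalled or a display name. Both registry views are checked.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components')
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            # Drop the provider's own PS* properties so only real registry values remain.
            $values = @(($_ | Get-ItemProperty).PSObject.Properties |
                        Where-Object { $_.Name -notlike 'PS*' } |
                        Select-Object -ExpandProperty Name)
            if ($values.Count -eq 1 -and $values[0] -eq 'StubPath') {
                [pscustomobject]@{
                    Key      = $_.PSChildName
                    StubPath = (Get-ItemProperty -Path $_.PSPath).StubPath
                }
            }
        }
    }
}

Get-SuspiciousStreams | Format-Table -AutoSize
Get-StubPathOnlyComponents | Format-Table -AutoSize
```

A hit in either list is a lead to verify (hash the stream content, check the StubPath target), not proof of infection on its own.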


