shanenin

Root Kit Removal


I come across root kits quite often lately. I see it most often on machines infected with "antivirus 2009". This root kit will not allow installation of many programs, in particular, MBAM. My only solution to this problem is combofix. To this day, it has not let me down. I hate depending on one program to deal with rootkits. If that ever fails me, I would be lost.

Could any of you experts help me with the general method of dealing with rootkits? Any suggestion would be appreciated.


Some of these infections will as you mentioned not allow you to run MBAM. However, renaming MBAM usually will resolve that issue.

If you're still having issues even after renaming it, then I have had success with the following method:

NOTE: You need a clean machine to perform the following task.

Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe

1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there

2. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):

copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
ren "%cd%\mbam-setup.exe" 12setup.exe

3. Double click the prep.bat file you just created, the setup file should now be renamed and you should now have a file called rules.ref in the folder with it.

4. Create another batch file called install.bat and save it in the same folder:

copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
"%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mscan.exe" /quickscan

DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER

5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.

This should work pretty flawlessly. Let me know how it goes. Good luck! :)

B
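As an added example (not the poster's script), here is the same prep/install procedure as a single batch file that checks each step, so a failed copy or rename is reported instead of the scan silently running with the wrong files. It assumes the same MBAM paths the post above uses and that the file is run from the Fix folder (it uses %~dp0 for its own location).

```batch
@echo off
REM Added example, not the original poster's batch files. Same technique as
REM the post: carry rules.ref over from a clean machine and rename the MBAM
REM installer and executable, but stop with a message when a step fails.
setlocal
set "DEFS=%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
set "PROG=%systemdrive%\Program Files\Malwarebytes' Anti-Malware"
set "HERE=%~dp0"

if /i "%~1"=="prep" goto prep
if /i "%~1"=="install" goto install
echo usage: %~nx0 prep     (run on the clean machine)
echo        %~nx0 install  (run on the infected machine after 12setup.exe)
exit /b 2

:prep
REM Clean machine: copy the current definitions and rename the installer
if not exist "%DEFS%\rules.ref" (
    echo rules.ref not found; install and update MBAM on this machine first
    exit /b 1
)
copy /y "%DEFS%\rules.ref" "%HERE%" >nul || (echo copy of rules.ref failed & exit /b 1)
if exist "%HERE%mbam-setup.exe" ren "%HERE%mbam-setup.exe" 12setup.exe
if not exist "%HERE%12setup.exe" (echo 12setup.exe is missing & exit /b 1)
echo prep done: copy this whole folder to the infected machine
exit /b 0

:install
REM Infected machine: restore the definitions, rename only the executable
REM (the program folder keeps its name) and start a quick scan
if not exist "%PROG%\mbam.exe" if not exist "%PROG%\mscan.exe" (
    echo MBAM is not installed; run 12setup.exe first
    exit /b 1
)
if not exist "%DEFS%" mkdir "%DEFS%"
copy /y "%HERE%rules.ref" "%DEFS%" >nul || (echo copy of rules.ref failed & exit /b 1)
if exist "%PROG%\mbam.exe" ren "%PROG%\mbam.exe" mscan.exe
if not exist "%PROG%\mscan.exe" (echo rename to mscan.exe failed & exit /b 1)
"%PROG%\mscan.exe" /quickscan
exit /b %errorlevel%
```

Run it as `fix.bat prep` on the clean machine and `fix.bat install` on the infected one; each stage exits non-zero with a message if a file it depends on is not where it expects.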

If you have a rootkit, you need to post on the HJT forums. You need to do a more in-depth scan than ComboFix or MBAM.

I don't want you guys to clean a machine for me. I was hoping for some general knowledge on how to remove root kits.


My normal routine is to rename both combofix and MBAM before running them. Thanks, I will try that in the future. MBAM is a great program, it is the best all around anti-malware program I have used.

They require you to use complicated tools and understand tough logs

Since a root kit hides processes from the OS, how would these be shown in logs?


A scan with an anti-rootkit program

The purpose of ARKs is to show hidden processes, services, files, drivers, etc

Rootkits are going to be too complex to get a handle on, I must admit, especially if you don't know in complete detail other pieces of malware and how to remove them.


I came up with this method and just wanted to clarify that it won't work as written (I goofed when I originally posted it). The folder can't be renamed, otherwise the program won't run, because that's where MBAM looks for its other files. The correct (and working) version can be found here: http://www.malwarebytes.org/forums/index.p...ost&p=41192

I know this thread's kind of old, but I didn't want a non-working fix going around.

