shanenin Posted December 23, 2008

I come across rootkits quite often lately. I see it most often on machines infected with "antivirus 2009". This rootkit will not allow installation of many programs, in particular, MBAM. My only solution to this problem is ComboFix. To this day, it has not let me down. I hate depending on one program to deal with rootkits. If that ever fails me, I would be lost. Could any of you experts help me with the general method of dealing with rootkits? Any suggestion would be appreciated.
Besttechie Posted December 23, 2008

Some of these infections will, as you mentioned, not allow you to run MBAM. However, renaming MBAM usually will resolve that issue. If you're still having issues even after renaming it, then I have had success with the following method:

NOTE: You need a clean machine to perform the following task.

Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe

1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there.

2. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):

rem prep.bat - run on the CLEAN machine by double-clicking it inside the Fix folder
rem copy the current signature database (rules.ref) next to the installer
copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
rem give the installer a name the infection is not watching for
ren "%cd%\mbam-setup.exe" 12setup.exe

3. Double-click the prep.bat file you just created; the setup file should now be renamed and you should now have a file called rules.ref in the folder with it.

4. Create another batch file called install.bat and save it in the same folder:

rem install.bat - run on the INFECTED machine, after 12setup.exe has installed MBAM
rem put the signature database copied from the clean machine in place
copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
rem rename the scanner executable so the infection does not block it, then start a quick scan
ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
"%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mscan.exe" /quickscan

DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER

5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and, after the installation is complete, double-click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary. This should work pretty flawlessly.

Let me know how it goes. Good luck!

B
Rorschach112 Posted December 23, 2008

If you have a rootkit you need to post on the HJT forums. You need to do a more in-depth scan than ComboFix or MBAM.
shanenin Posted December 23, 2008

Rorschach112 wrote: If you have a rootkit you need to post on the HJT forums. You need to do a more in-depth scan than ComboFix or MBAM.

I don't want you guys to clean a machine for me. I was hoping for some general knowledge on how to remove rootkits.
shanenin Posted December 23, 2008

Besttechie wrote: Some of these infections will, as you mentioned, not allow you to run MBAM. However, renaming MBAM usually will resolve that issue. If you're still having issues even after renaming it, then I have had success with the following method: [...]

My normal routine is to rename both ComboFix and MBAM before running them. Thanks, I will try that in the future. MBAM is a great program; it is the best all-around anti-malware program I have used.
Rorschach112 Posted December 23, 2008

Rootkits are way too complicated; having a "general knowledge" isn't going to help you remove them. They require you to use complicated tools and understand tough logs.
shanenin Posted December 23, 2008

ANY extra knowledge will help. I understand if it is too complicated to get into in a post :-)
Rorschach112 Posted December 23, 2008

Some forums worth checking:

http://www.rootkit.com/index.php
http://forum.sysinternals.com/forum_topics.asp?FID=18
http://www.antirootkit.com/
shanenin Posted December 23, 2008

Thanks :-)
shanenin Posted December 23, 2008

Rorschach112 wrote: They require you to use complicated tools and understand tough logs.

Since a rootkit hides processes from the OS, how would these be shown in logs?
Rorschach112 Posted December 24, 2008

A scan with an anti-rootkit program.

The purpose of ARKs is to show hidden processes, services, files, drivers, etc.

Rootkits are going to be too complex to get a handle on, I must admit, especially if you don't know in complete detail other pieces of malware and how to remove them.
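The exchange above (a rootkit hides processes from the OS, so how does an ARK scan show them?) comes down to one idea: cross-view detection. The scanner takes the process list from the normal, easily hooked API and compares it with a list gathered by a lower-level route the rootkit may not have covered; anything present in the raw view but missing from the API view is reported as hidden. The example below is added here to illustrate that idea and is not code from any poster in this thread or from any ARK product. It is written for Linux because the two views can be collected in a few lines there (ps(1) on one side, a brute-force kill(pid, 0) sweep plus /proc/<pid>/status on the other); the Windows equivalent that the thread's tools target pairs the usual API enumeration with a direct walk of kernel process structures, which is not shown. The sample views in the comparison functions are constructed; the two live collectors are real. Caveat a practitioner should keep in mind: a kernel-level rootkit that filters the syscalls both views rely on defeats this particular pair of views, which is why real ARKs reach below the syscall layer.

```python
"""Cross-view process detection, the basic trick behind anti-rootkit scanners.

Added example, not from the thread or from any ARK tool.  Compare two
independently collected {pid: name} views of the process table; a pid that
the low-level view knows about but the high-level API view omits is a
candidate hidden process.
"""
import os
import subprocess


def parse_ps(output):
    """Parse 'ps -eo pid=,comm=' text into {pid: name}; lines that do not
    start with a number are ignored."""
    view = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            view[int(parts[0])] = parts[1]
    return view


def api_view_linux():
    """High-level view: whatever ps(1) reports.  ps walks /proc with
    opendir/readdir, so a user-mode rootkit that hooks those (e.g. via
    LD_PRELOAD) can simply drop entries from this list."""
    out = subprocess.run(["ps", "-eo", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def raw_view_linux(max_pid=None):
    """Low-level view: probe every possible pid with kill(pid, 0), which
    does not go through readdir(), then read /proc/<pid>/status directly
    (a hidden /proc entry can still be opened by name even when it is
    filtered out of directory listings)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    view = {}
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)              # signal 0: existence check only
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                         # exists, owned by another user
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.split(":\t", 1) for line in f if ":\t" in line)
        except OSError:
            view[pid] = "?"              # kill() saw it but /proc will not show it
            continue
        if int(fields.get("Tgid", pid)) != pid:
            continue                     # a thread id, not a process; ps lists only group leaders
        view[pid] = fields.get("Name", "?").strip()
    return view


def cross_view_scan(api_collector, raw_collector, passes=3):
    """Report pids that are in the raw view but not the API view in EVERY
    pass.  Repeating the comparison drops processes that merely started or
    exited between the two snapshots, which would otherwise show up as
    false positives."""
    hidden = None
    for _ in range(passes):
        api = api_collector()
        raw = raw_collector()
        found = {pid: raw[pid] for pid in raw if pid not in api}
        hidden = found if hidden is None else {p: n for p, n in found.items() if p in hidden}
        if not hidden:
            break
    return sorted((hidden or {}).items())


if __name__ == "__main__":
    # Live run against this Linux host (slow: sweeps every pid up to pid_max).
    for pid, name in cross_view_scan(api_view_linux, raw_view_linux):
        print(f"possible hidden process: pid={pid} name={name}")
```

The interesting lines are the ones that are not the diff itself: the Tgid filter (a raw sweep also finds thread ids, which ps never lists, so without it every multithreaded process looks "hidden"), the "?" placeholder (a pid that kill() confirms but /proc refuses to describe is itself a signal), and the multi-pass intersection, which is the same reason ARK tools ask you to close other programs before scanning.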
exile360 Posted January 31, 2009

Besttechie wrote: Some of these infections will as you mentioned not allow you to run MBAM. However, renaming MBAM usually will resolve that issue. [...] 4. Create another batch file called install.bat and save it in the same folder:
copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
"%systemdrive%\Program Files\MSCANNER\mscan.exe" /quickscan
DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER [...]

I came up with this method and just wanted to clarify that it won't work as written (I goofed when I originally posted it). The folder can't be renamed, otherwise the program won't run, because that's where MBAM looks for its other files. The correct (and working) version can be found here: http://www.malwarebytes.org/forums/index.p...ost&p=41192

I know this thread's kind of old, but I didn't want a non-working fix going around.