shanenin Posted December 23, 2008

I come across rootkits quite often lately. I see it most often on machines infected with "Antivirus 2009". This rootkit will not allow installation of many programs, in particular MBAM. My only solution to this problem is ComboFix. To this day, it has not let me down. I hate depending on one program to deal with rootkits. If that ever fails me, I would be lost. Could any of you experts help me with the general method of dealing with rootkits? Any suggestion would be appreciated.
Besttechie Posted December 23, 2008

Some of these infections will, as you mentioned, not allow you to run MBAM. However, renaming MBAM usually will resolve that issue.

If you're still having issues even after renaming it, then I have had success with the following method:

NOTE: You need a clean machine to perform the following task.

Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe

1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there.

2. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):

    copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
    ren "%cd%\mbam-setup.exe" 12setup.exe

3. Double click the prep.bat file you just created. The setup file should now be renamed and you should now have a file called rules.ref in the folder with it.

4. Create another batch file called install.bat and save it in the same folder:

    copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
    ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
    "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mscan.exe" /quickscan

DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER

5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.

This should work pretty flawlessly. Let me know how it goes. Good luck!

B
Rorschach112 Posted December 23, 2008

If you have a rootkit you need to post on the HJT forums. You need to do a more in-depth scan than ComboFix or MBAM.
shanenin Posted December 23, 2008 (Author)

> If you have a rootkit you need to post on the HJT forums. You need to do a more in-depth scan than ComboFix or MBAM.

I don't want you guys to clean a machine for me. I was hoping for some general knowledge on how to remove rootkits.
shanenin Posted December 23, 2008 (Author)

> Some of these infections will, as you mentioned, not allow you to run MBAM. However, renaming MBAM usually will resolve that issue.
>
> If you're still having issues even after renaming it, then I have had success with the following method:
>
> NOTE: You need a clean machine to perform the following task.
>
> Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe
>
> 1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there.
>
> 2. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):
>
>     copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
>     ren "%cd%\mbam-setup.exe" 12setup.exe
>
> 3. Double click the prep.bat file you just created. The setup file should now be renamed and you should now have a file called rules.ref in the folder with it.
>
> 4. Create another batch file called install.bat and save it in the same folder:
>
>     copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
>     ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
>     "%systemdrive%\Program Files\MSCANNER\mscan.exe" /quickscan
>
> DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER
>
> 5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.
>
> This should work pretty flawlessly. Let me know how it goes. Good luck!
>
> B

My normal routine is to rename both ComboFix and MBAM before running them. Thanks, I will try that in the future. MBAM is a great program; it is the best all-around anti-malware program I have used.
Rorschach112 Posted December 23, 2008

Rootkits are way too complicated; having a "general knowledge" isn't going to help you remove them. They require you to use complicated tools and understand tough logs.
shanenin Posted December 23, 2008 (Author)

ANY extra knowledge will help. I understand if it is too complicated to get into in a post :-)
Rorschach112 Posted December 23, 2008

Some forums worth checking:

http://www.rootkit.com/index.php
http://forum.sysinternals.com/forum_topics.asp?FID=18
http://www.antirootkit.com/
shanenin Posted December 23, 2008 (Author)

Thanks :-)
shanenin Posted December 23, 2008 (Author)

> They require you to use complicated tools and understand tough logs.

Since a rootkit hides processes from the OS, how would these be shown in logs?
Rorschach112 Posted December 24, 2008

A scan with an anti-rootkit program. The purpose of ARKs is to show hidden processes, services, files, drivers, etc.

Rootkits are going to be too complex to get a handle on, I must admit, especially if you don't know in complete detail other pieces of malware and how to remove them.
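For the question above about how a process the rootkit hides can still appear in a log: an ARK enumerates the same objects two ways, through the normal Windows API and through a lower-level path the hook does not cover, and logs whatever the low-level view has that the API view lacks. The script below is an added illustration of that cross-view diff, not code from this thread or from any ARK product; every snapshot, PID and file name in it (including the driver name rkdrv.sys) is constructed sample data.

```python
"""Cross-view diff: the core technique ARKs use to surface hidden objects.
Added example with constructed snapshots; not from the thread or any ARK tool.
"""

# Constructed high-level views: what the (possibly hooked) user-mode API reports.
# Processes are {pid: image_name}; files are a set of full paths.
API_PROCESSES = {4: "System", 512: "csrss.exe", 1180: "explorer.exe", 1604: "mbam.exe"}
API_FILES = {r"C:\WINDOWS\system32\drivers\ntfs.sys", r"C:\WINDOWS\system32\svchost.exe"}

# Constructed low-level views (kernel structures / raw NTFS), enumerated twice so
# objects that merely started or exited between scans can be told apart from
# objects that are deliberately hidden.  rkdrv.sys is an invented name.
KERNEL_PROCESSES_1 = {**API_PROCESSES, 2040: "svchost.exe", 3104: "notepad.exe"}
KERNEL_PROCESSES_2 = {**API_PROCESSES, 2040: "svchost.exe"}  # notepad.exe exited
RAW_FILES_1 = API_FILES | {r"C:\WINDOWS\system32\drivers\rkdrv.sys", r"C:\Temp\~tmp1.log"}
RAW_FILES_2 = API_FILES | {r"C:\WINDOWS\system32\drivers\rkdrv.sys"}  # temp file gone


def _as_set(view):
    """Normalise a view to a set of hashable objects: (pid, name) or path."""
    return set(view.items()) if isinstance(view, dict) else set(view)


def stable_objects(snapshots):
    """Objects present in every low-level snapshot; transient ones drop out.
    This is what keeps a process that exited mid-scan from being reported."""
    return set.intersection(*(_as_set(s) for s in snapshots))


def cross_view_diff(category, high_level, low_snapshots):
    """Return sorted (category, object) pairs seen in the stable low-level view
    but absent from the high-level view.  Because a process object is
    (pid, name), a hooked API that returns the PID under a fake name is flagged too."""
    hidden = stable_objects(low_snapshots) - _as_set(high_level)
    return sorted((category, obj) for obj in hidden)


def ark_report(findings):
    """Render findings as one log line per hidden object, ARK-style."""
    return [f"{category} hidden from Windows API: {obj}" for category, obj in findings]


if __name__ == "__main__":
    findings = cross_view_diff("Process", API_PROCESSES, [KERNEL_PROCESSES_1, KERNEL_PROCESSES_2])
    findings += cross_view_diff("File", API_FILES, [RAW_FILES_1, RAW_FILES_2])
    for line in ark_report(findings):
        print(line)
```

The diff only works when the two views really are independent: a rootkit that hooks both enumeration paths leaves nothing to compare, which is why ARKs read kernel structures or the raw volume rather than a second user-mode API.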
exile360 Posted January 31, 2009

> Some of these infections will, as you mentioned, not allow you to run MBAM. However, renaming MBAM usually will resolve that issue.
>
> If you're still having issues even after renaming it, then I have had success with the following method:
>
> NOTE: You need a clean machine to perform the following task.
>
> Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe
>
> 1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there.
>
> 2. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):
>
>     copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
>     ren "%cd%\mbam-setup.exe" 12setup.exe
>
> 3. Double click the prep.bat file you just created. The setup file should now be renamed and you should now have a file called rules.ref in the folder with it.
>
> 4. Create another batch file called install.bat and save it in the same folder:
>
>     copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
>     ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
>     "%systemdrive%\Program Files\MSCANNER\mscan.exe" /quickscan
>
> DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER
>
> 5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.
>
> This should work pretty flawlessly. Let me know how it goes. Good luck!
>
> B

I came up with this method and just wanted to clarify that it won't work as written (I goofed when I originally posted it). The folder can't be renamed, otherwise the program won't run, because that's where MBAM looks for its other files. The correct (and working) version can be found here: http://www.malwarebytes.org/forums/index.p...ost&p=41192

I know this thread's kind of old, but I didn't want a non-working fix going around.