Friday, January 15, 2010

The trials of rootkits

Alright, so I have a computer here with a deeply embedded rootkit.

First I tried to run Malwarebytes. Nope, no go.

So, to try to get this virus removed, I rebooted into Safe Mode and tried again, and got the expected result: the rootkit blocks the executable from running.

Well, then I navigated to the Malwarebytes install folder and copied mbam.exe, renaming the copy to mbam.com.

Why is the copy important? Well, if Malwarebytes needs to run on reboot, it doesn't know I've renamed it to mbam.com, so it still needs the original mbam.exe to finish cleaning the infection.

Right, so now... here goes... scanning...

Fix 2 other computers, come back....

Yup... just what I thought. Nasty little rootkit.

Even worse, because it has a neat little trick: it doesn't live at a real drive-letter path. It registers itself under a path formed like \\global system path\, rooted outside the normal file system, so a scanner looking at ordinary file paths doesn't see it. However, Malwarebytes did detect the registry entries and associated files that weren't hidden.

So I rebooted, came back up in Safe Mode, and ran it again. Malwarebytes successfully removed the non-rootkit entries and detected the \\global$ entries; this time, when I rebooted, they were gone.

Good ol' Malwarebytes truly sticks to the adage: try, try again...
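One thing worth checking by hand on a box like this is whether any service or driver is registered with an ImagePath that isn't an ordinary drive-letter or %SystemRoot% path, which is exactly the kind of \\global... entry described above. The script below is an added example, not code from the post or from Malwarebytes: it parses a regedit-style export of the Services key and flags ImagePath values rooted somewhere a drive-letter-based cleanup tool would not look. The sample export, the service names and the paths in it are constructed for the example; the "\\global$" form just imitates how the post writes the hidden entries, since the page does not give the exact prefix the rootkit used.

```python
import re

# Constructed sample of a regedit export (.reg) of service entries. The
# service names and paths are made up for this example; "example_hidden"
# imitates the "\\global..." style of ImagePath the post describes.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService]
"ImagePath"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdpdr]
"ImagePath"="System32\\DRIVERS\\rdpdr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example_hidden]
"ImagePath"="\\\\global$\\hidden\\example.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example_dev]
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\example_dev.sys"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"ImagePath"="(.*)"\s*$')
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')
ENV_RE = re.compile(r'^%[A-Za-z_]+%\\')


def classify_image_path(path):
    """Return None for an ordinary-looking ImagePath, or a short reason if the
    path is rooted somewhere a drive-letter-based cleanup tool would not look.
    This is a review heuristic, not proof of infection."""
    p = path.strip()
    if p.startswith('"'):                      # quoted path, possibly with args after it
        p = p[1:].split('"', 1)[0]
    # \??\ and \\?\ are legitimate object-manager / extended-length prefixes;
    # what matters is where the path goes after them.
    for prefix in ('\\??\\', '\\\\?\\'):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    if DRIVE_RE.match(p) or ENV_RE.match(p):
        return None                            # C:\... or %SystemRoot%\...
    if p.lower().startswith(('\\systemroot\\', 'systemroot\\')):
        return None                            # \SystemRoot\... is normal for drivers
    if p.startswith('\\\\'):
        return 'rooted in a \\\\-style namespace instead of a drive letter'
    if p.startswith('\\'):
        return 'absolute object-namespace path with no drive letter'
    if re.match(r'^[A-Za-z0-9_]+\\', p):
        return None                            # relative to %SystemRoot%, the driver convention
    return 'unrecognised path form'


def find_suspicious_image_paths(reg_text):
    """Walk a .reg export and return (service, image_path, reason) tuples for
    every ImagePath that classify_image_path() flags."""
    findings = []
    service = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            service = m.group(1).rsplit('\\', 1)[-1]
            continue
        m = VALUE_RE.match(line)
        if m and service:
            raw = re.sub(r'\\(.)', r'\1', m.group(1))   # undo .reg escaping (\\ and \")
            reason = classify_image_path(raw)
            if reason:
                findings.append((service, raw, reason))
    return findings


if __name__ == '__main__':
    for service, path, reason in find_suspicious_image_paths(SAMPLE_REG):
        print(f'{service}: {path}  <- {reason}')
```

On a real machine you would export HKLM\SYSTEM\CurrentControlSet\Services with regedit (ideally from Safe Mode or an offline hive) and feed that file in; anything flagged still needs a human to decide whether it is a driver with an unusual but legitimate load path or an entry a scanner should be pointed at.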



Michael Reid
Computer Medic Services, LLC
