
Malwarebytes Antimalware found Rootkit.Fileless.MTGen...now what?


6 replies to this topic

#1 mikey9

Posted 19 May 2017 - 04:19 PM

Hi, I am a complete newbie to Bleeping Computer! I am trying to help a family member recover from a malware infection, possibly a rootkit. Initially I was approached to see if the computer was safe from the WannaCry ransomware. Much to my dismay, I determined that the computer had not received Windows 7 updates since July 2016, and that the first update present was around July 2015. The system is an Acer Aspire 5742Z-4685 running Windows 7 Home.

Internet access was fine.

 

The first priority for me was getting Windows 7 to update itself again. I followed the instructions here: http://plugable.com/2016/06/08/windows-7-wont-update-what-to-do/ which worked flawlessly. Note: at the time I followed the instructions, I did step 12 (optional) and applied the KB4015549 (Monthly Rollup) (alternate link to KB4015549 files). The optional update for May 2017 had not been posted at the time.

With Windows Update restored, I ran and re-ran Windows Update, applying all updates until there were no more to apply, with the exception of the optional updates for Skype and Silverlight. (Neither Skype nor Silverlight was installed.)

I ran Malwarebytes' Anti-Malware, but with the rootkit detection option unchecked. I have this log, but will not post it unless requested to do so. Since I am new here, please tell me which forum you want the log posted in and I will happily comply.

Then I proceeded to (try to) run McAfee Total Protection. This failed (I could not get the product to update and did not have access to her serial number at the time to reinstall), so I uninstalled it and installed ESET Internet Security. On the initial scan it found 6 items; one was a Trojan.Downloader and three were "coupon" apps. All were quarantined, but I saved the scan log instead of the detection log by mistake, so no notes on the actual files quarantined are available.

I ran ESET again. No malicious files were found using the "Smart Scan" option in Windows normal mode.

I ran Malwarebytes' Anti-Rootkit. No suspicious files were found.

The system is exhibiting an odd behavior, though. When a USB stick is placed in the USB port, the system keeps making the "ba-bing" and "bing-ba" noises, as if a new USB device is continuously being inserted and removed, even though it remains inserted. While I realize this could be a separate hardware issue, how can I make sure the rootkit is totally gone and I have no more issues related to it?

For what it's worth, there are no obvious signs of USB trouble (yellow or red marks in Device Manager), but the Device Manager screen keeps refreshing.

To her original question on WannaCry, applying Windows updates through May should fix the problem of WannaCrypt by addressing MS17-010, right?

Thank you in advance for your help. It is much appreciated!


Edited by mikey9, 19 May 2017 - 05:21 PM.
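The MS17-010 question above, as an added example that is not part of the original thread: a PowerShell check, run on the Windows 7 machine itself, for an installed update that carries the MS17-010 fix and for whether the SMBv1 server that WannaCry spread over is still enabled. KB4015549 is from the thread; the other KB numbers are assumed from the MS17-010 bulletin as I recall it and should be verified there, and the registry path is the standard LanmanServer SMB1 setting.

```powershell
# Added example, not from the thread. Runs on Windows 7 SP1 (PowerShell 2.0+).
# KB numbers (assumption, verify against the MS17-010 bulletin):
#   KB4012212 = March 2017 security-only update, KB4012215 = March 2017 monthly rollup;
#   later monthly rollups are cumulative and include the same SMB fix
#   (KB4015549 April 2017, mentioned in the thread; KB4019264 May 2017).
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4015549', 'KB4019264')

# Get-HotFix lists updates registered in Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$matched   = $ms17010Kbs | Where-Object { $installed -contains $_ }

if ($matched) {
    Write-Output "MS17-010 fix present via: $($matched -join ', ')"
} else {
    Write-Output "No update containing the MS17-010 fix found; run Windows Update before trusting SMB exposure."
}

# Second layer: the SMBv1 server. A missing SMB1 value means the default (enabled);
# 0 means disabled. Disabling SMBv1 removes the protocol the worm used even on a patched host.
$smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = (Get-ItemProperty -Path $smbKey -ErrorAction SilentlyContinue).SMB1

if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Output "SMBv1 server is enabled. To disable (reboot required):"
    Write-Output "  Set-ItemProperty -Path '$smbKey' -Name SMB1 -Type DWORD -Value 0 -Force"
} else {
    Write-Output "SMBv1 server is disabled."
}
```

Run from an elevated PowerShell prompt; Get-HotFix only sees updates that registered themselves, so an empty match after a manual install is worth confirming in the Windows Update history.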



#2 mikey9 (Topic Starter)

Posted 22 May 2017 - 06:51 PM

Hi...

I have a minor update to my own post. As for the problem with the USB port continuously connecting/disconnecting: I downloaded and installed chipset drivers for the Acer 5742Z, and it seems to have stopped the problem with the USB ports. She had installed a new Samsung SSD a few years ago, but apparently no chipset, video, audio or network drivers. But I still wonder about the potential for a possible rootkit leftover despite this.


Edited by mikey9, 22 May 2017 - 07:09 PM.


#3 quietman7 (Global Moderator)

Posted 23 May 2017 - 03:01 PM

If you let Malwarebytes and ESET remove whatever they found...then you are probably good to go.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

If you want to get another opinion, you can always perform a scan with Emsisoft Emergency Kit and/or Kaspersky Virus Removal Tool.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 mikey9 (Topic Starter)

Posted 24 May 2017 - 04:33 PM

Hi quietman7,

 

Thank you for the suggestions. Unfortunately, I don't think that there is much more I can do. I am actually quite technically savvy, and even have a copy of Rootkits for Dummies by Larry Stevenson and Nancy Altholz. But that book is getting dusty and old (it was published in 2007 in the Windows XP era) and needs an update. I have to say this is the first time I have ever heard the term "fileless rootkit." I have her HijackThis log; I gave it a cursory glance, and do not see anything that's glaringly out of order. I suppose I could safely remove the (missing file) entries from the HJT log, but don't feel comfortable doing much more than that without additional training or guidance. I was able to scan her system with Webroot Secure Anywhere and also to do an "out-of-box" scan (scanning from a bootable USB key) using ESET SysRescue Live, and both of those scans were also clean.

So I guess I will let the issue go, but if you should happen to have any information on combating fileless rootkits, that might be helpful. Or, for that matter, anything regarding a systematic algorithm for malware removal. Right now, my technique has been "throw the kitchen sink at it with as much AV as you can," but if there is a path to a more refined way to approach this, I'd be interested.

Thank you kindly for your help.



#5 quietman7 (Global Moderator)

Posted 24 May 2017 - 05:30 PM

"File missing" entries in the log are a known issue when running HijackThis on 64-bit machines, when that is NOT always the case, so I would leave them alone.

Further, malware removal experts no longer ask for HijackThis logs. Why? HijackThis only scans certain areas of a computer's system/registry to help diagnose the presence of undetected malware in known hiding places. Given the sophistication of malware hiding techniques used by attackers in today's environment, HijackThis is limited in its ability to detect infection and generate a report outside these known hiding places. This limitation has made its usefulness nearly obsolete since a HijackThis log cannot reveal all the malware residing on a computer. As such, HijackThis has been replaced by other preferred tools like FRST, DDS, Zoek, RSIT and OTL that provide comprehensive logs with specific details about more areas of a computer's system, files, folders and registry keys which may have been modified by malware infection.

If you need individual assistance with a malware infection, you're welcome to follow the instructions in the Malware Removal and Log Section Preparation Guide and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.



#6 mikey9 (Topic Starter)

Posted 24 May 2017 - 06:48 PM

quietman7,

Whoa! I guess that book is outdated, and I grant that I'm not up to date on the latest. My family member has already taken possession of the laptop, but is afraid to post logs on public forums due to privacy concerns. From my perspective, instead of worrying about posting logs publicly, I would be much more worried if my AV software identified *anything* as a rootkit, but on the other hand, bottom line, it isn't *my* computer, so I have to respect her concerns. (I think a great deal of the privacy worries come from the fact that the user account is actually named "Surname Family" (just replace "Surname" with the actual last name).)

On the other hand, there doesn't *seem* to be an actual infection, at least as far as I can tell.

Personally, if it were me, given all that has happened, I probably would be changing passwords from a non-infected computer right now. If I can convince her to run Farbar, I'll post a log. If she's still worried about privacy, I suppose I can replace the family name with X's or something...

I'm not liking this very much, but again, thank you for your help.



#7 quietman7 (Global Moderator)

Posted 24 May 2017 - 06:52 PM

You're welcome.