Jump to content

Rootkit.Fileless.MTgen Detection

Recommended Posts

I had a system today that Malwarebytes 1.75 (latest definition) stopped and detected Rootkit.Fileless.MTgen.


However, the system was still infected with the poweliks.rootkit which interfered with normal browser function.


This was determined by a scripting error that appeared on start up displaying a reference to javascript, powershell and the registry entry described below. After researching the scripting error, I determined that it was the poweliks.rootkit.


After running ESET's poweliks removal tool, and scanning with Hitman Pro, McAfee and Malware Bytes full scan, I ended up manually deleting the corrupted HKEY_USERS\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Run then recreating the legitimate dword entries.


My question is, was this Rootkit.Fileless.MTgen Detection a different definition of poweliks, and how did it still infect the registry?


Furthermore, could this have been a precursor to a ransomware virus?






If IT was ever easy, it wouldn't be us.


Link to post
Share on other sites

  • 3 weeks later...

One of my PC's is also detecting this rootkit. I've run the full scanner several times. There's nothing left of it other than the HKCU key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run which appears to be corrupt, as when I use regedit and go to that key I get an error saying 'error reading the values contents'.

The key remains after multiple scans, so is there still a rootkit there putting it back? Is malwarebytes unable to remove the corrupt key?

Link to post
Share on other sites

As an update to this thread... I believe this to be related to poweliks . And what I've done to fully resolve the detection is:


in regedit, browse to the corrupted key,


take a screen shot of the key values on the right side so you know if they are dwords, strings, etc.

double click on each entry and copy out the value to notepad


once that's done delete the run key. Windows will automagically re-create the run key.


recreate the entries and enter the values you pasted in notepad for each entry. I typically copy and paste the dword name and its value so they're correct.


Reboot the system and go back to the key and it should be intact and when running malware bytes it should be clean.


Also it you use the ESET powelikes cleaner it should also state there's no infection.


As always, suggestions are not facts use at you're own risk, and make your own backups and take precautions....

Link to post
Share on other sites

Thank abustraan.


I've tried what you've suggested. Before I tried it, whenever I went to the RUN key I would get 2 of the messages saying 'error reading the values contents'. After deleting the key and letting Windows recreate it, it still says that error on that key, but says it only once. After rebooting and adding back the string values that were present before, I continue to get that error message, though just once.


So it seems like Windows is recreating the RUN key incorrectly.

Link to post
Share on other sites

I was able to resolve the problem by running Malwarebytes Anti-rootkit. This identified another RUN key from HKLM (don't remember the full subkey) from which I assume Windows copies to HKCU\...\Run when Run is deleted.

After the reboot, Windows no longer recreates a corrupt Run key.

MBAR reported the infection was from Rootkit.Fileless.MTgen.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.