Rootkit.Fileless.MTgen Detection

I had a system today that Malwarebytes 1.75 (latest definition) stopped and detected Rootkit.Fileless.MTgen.

 

However, the system was still infected with the poweliks.rootkit which interfered with normal browser function.

 

This was determined by a scripting error that appeared on start up displaying a reference to javascript, powershell and the registry entry described below. After researching the scripting error, I determined that it was the poweliks.rootkit.

 

After running ESET's Poweliks removal tool and scanning with Hitman Pro, McAfee and a full Malwarebytes scan, I ended up manually deleting the corrupted HKEY_USERS\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Run key, then recreating the legitimate DWORD entries.

 

My question is, was this Rootkit.Fileless.MTgen detection a different definition of Poweliks, and how did it still infect the registry?

 

Furthermore, could this have been a precursor to a ransomware virus?

 

TIA,

 

Andy

 

If IT was ever easy, it wouldn't be us.

 


One of my PCs is also detecting this rootkit. I've run the full scanner several times. There's nothing left of it other than the HKCU key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which appears to be corrupt: when I use regedit and go to that key I get an error saying 'error reading the value's contents'.

The key remains after multiple scans, so is there still a rootkit there putting it back? Is Malwarebytes unable to remove the corrupt key?


As an update to this thread... I believe this to be related to Poweliks. What I've done to fully resolve the detection is:

 

in regedit, browse to the corrupted key,

 

take a screenshot of the key values on the right side so you know if they are DWORDs, strings, etc.

double click on each entry and copy out the value to notepad

 

once that's done delete the run key. Windows will automagically re-create the run key.

 

recreate the entries and enter the values you pasted into Notepad for each entry. I typically copy and paste the DWORD name and its value so they're correct.

 

Reboot the system and go back to the key; it should be intact, and when running Malwarebytes it should be clean.

 

Also, if you use the ESET Poweliks cleaner, it should also state there's no infection.

 

As always, suggestions are not facts, use at your own risk, and make your own backups and take precautions....

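Added example (my own, not code from the thread or from Malwarebytes): a PowerShell script that does the backup-and-recreate procedure above without the screenshots and Notepad round trip. It records every value under the per-user Run key to a JSON file, flags value names with control characters (the kind regedit cannot display) and values that reference a scripting host, and with -Rebuild writes the clean entries back. The backup path and the String/ExpandString/DWord value kinds are assumptions; deleting the corrupt key itself stays a manual step.

```powershell
# Added example, not from the thread. Assumes PowerShell 5+ and that the
# legitimate Run entries are String, ExpandString or DWord values.
param(
    [string]$BackupPath = "$env:TEMP\run-key-backup.json",   # assumed location
    [switch]$Rebuild                                          # write clean entries back
)
$runPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Backup-RunKey {
    $key = Get-Item -LiteralPath $runPath
    $entries = foreach ($name in $key.GetValueNames()) {
        # A name with an embedded null or other control character is what makes
        # regedit report "error reading the value's contents"; Win32 reads of such
        # a name fail, so do not try to fetch its data.
        $unreadable = $name -match '[\x00-\x1F\x7F]'
        $data = $null
        if (-not $unreadable) {
            try { $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames') }
            catch { $unreadable = $true }
        }
        [pscustomobject]@{
            Name       = $name
            Kind       = $key.GetValueKind($name).ToString()
            Data       = $data
            Unreadable = $unreadable
            # A Run value that launches a script host is worth a second look.
            Suspicious = $unreadable -or ($data -is [string] -and $data -match 'mshta|javascript:|powershell')
        }
    }
    $entries | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BackupPath -Encoding UTF8
    return $entries
}

function Restore-RunKey {
    $entries = Get-Content -LiteralPath $BackupPath -Raw | ConvertFrom-Json
    if (-not (Test-Path -LiteralPath $runPath)) { New-Item -Path $runPath -Force | Out-Null }
    # Only entries that were readable and looked legitimate are written back.
    foreach ($e in $entries | Where-Object { -not $_.Suspicious }) {
        New-ItemProperty -LiteralPath $runPath -Name $e.Name -Value $e.Data `
            -PropertyType $e.Kind -Force | Out-Null
    }
}

if ($Rebuild) { Restore-RunKey }
else { Backup-RunKey | Format-Table Name, Kind, Unreadable, Suspicious -AutoSize }
```

Run it once without -Rebuild to get the backup and the flagged entries, delete the corrupt key in regedit as described above, then run it again with -Rebuild after the reboot.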

Thanks abustraan.

 

I've tried what you've suggested. Before I tried it, whenever I went to the RUN key I would get 2 of the messages saying 'error reading the values contents'. After deleting the key and letting Windows recreate it, it still says that error on that key, but says it only once. After rebooting and adding back the string values that were present before, I continue to get that error message, though just once.

 

So it seems like Windows is recreating the RUN key incorrectly.


I was able to resolve the problem by running Malwarebytes Anti-rootkit. This identified another RUN key from HKLM (don't remember the full subkey) from which I assume Windows copies to HKCU\...\Run when Run is deleted.

After the reboot, Windows no longer recreates a corrupt Run key.

MBAR reported the infection was from Rootkit.Fileless.MTgen.
