Help with rootkit.fileless.mtgen

[MOSERG]

I need help removing rootkit.fileless.mtgen. Malwarebytes detects and attempts to delete, but it does not remove the rootkit.

FBAR and MBAM logs attached.

I appreciate any guidance you can provide.

Addition.txt

FRST.txt

MBAM log.txt

[AdvancedSetup]

Please wait while I check with Research on this one

 

 

[AdvancedSetup]

Hi @MOSERG

If you can we'd like to try to get some files back from the computer if you're willing. Want to examine the files further.

Thanks

Ron

 

[AdvancedSetup]

It looks like Rootkit scanning was not enabled. Please do the following.

 

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Thanks

 

[MOSERG]

Here is the updated log.  Note that it detected and quarantined rootkit.fileless.mtgen during the scan even though it shows no malicious items in the log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/4/2016
Scan Time: 11:58 AM
Logfile:
Administrator: Yes

Version: 0.0.0.0000
Malware Database: v2016.05.04.05
Rootkit Database: v2016.04.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: garym

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 575546
Time Elapsed: 55 min, 31 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

[AdvancedSetup]

Okay let me have you restart the computer then. If it's really gone it should not show up again. After the restart please run another scan with MBAM and then also run FRST and make sure you place a check mark in the Additions check box and attach all new logs on your next reply.

Thanks

 

[MOSERG]

I deleted the item from quarantine, rebooted, and re-scanned.  Here are the updated logs:

FRST 05052016.txt

Addition 05052016.txt

MBAM Log 050516.txt

[AdvancedSetup]

Can you please zip the following file and upload it.

C:\Users\garym\AppData\Local\5dde0\2a6c0.bat

Do you see other files in this folder besides the bat file ?

C:\Users\garym\AppData\Local\5dde0

 

The antivirus software is missing it too for some reason.

Thanks

 

[MOSERG]

In addition to the .bat, there is a shortcut and a file with.0cc512 as the format type.

Included all 3 files in the zip:  2a6c0.zip

[AdvancedSetup]

Thanks. I've asked Research to review this. Hopefully we can get this fixed ASAP

 

 

[blender]

Hello,

I am one of the researchers that has been looking at this case with Ron. (Hope you don't mind me asking for additional info Ron )

I have another file request from you if you don't mind please.

Please re-run FRST again & this time, checkmark the option for "shortcut.txt" & hit "scan"
Once scan is complete, a shortcut.txt will be in the same folder you have FRST (in your downloads folder). Please attach shortcut.txt to your next reply. Depending on this log result, I may have more file requests but this is good for now.

Question..

When you have MBAM fix the Fileless infection, are either Avast or Spybot notifying you afterward about registry changes?

Thank you for your continued patience!

[MOSERG]

Here are the updated FRST logs

FRST 05062016.txt

Shortcut 05062016.txt

I have not been notified of registry changes by Avast or Spybot.  Thanks for your help.

[blender]

Interesting.

 

The files you sent so far, the shortcut starts the bat file which in turn tries to open the file with the .0cc512 extension. This just results in an error message since that file is not an actual executable so windows doesn't know what to do with it.

Unless I just can't see it.. the shortcut log didn't show me what I wanted to see.

More digging. 

Can you find this file?
C:\Users\garym\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8012b.lnk
If so, zip a copy & attach it here? (if you zip it right in your startup folder, please delete the zip once you attach it here - otherwise next time you boot the zip will try opening as well)

Also: What is in here?
C:\Users\garym\AppData\Roaming\979b9

Zip & attach if anything in it? 

Thanks!

[MOSERG]

Requested files:

8012b.zip

979b9.zip

[AdvancedSetup]

Thanks for the file @MOSERG

Tammy will review them as soon as she returns. Thank you for your patience

 

[AdvancedSetup]

Let's have you run the following fix please.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Then restart the computer and run a new MBAM Threat Scan and let me know if you're still seeing or having any issues.

 

 

[MOSERG]

Looks like one of the registry entries could not be removed:  Fixlog.txt

But I got a clean scan after reboot:  MBAM 05092016.txt

 

[AdvancedSetup]

Please fully disable your  antivirus and Spybot and MBAE and MBAM and run the FIXLIST.TXT file again and see if that works.

Make sure to re-enable your security once FRST is done.

Edited May 8, 2016 by AdvancedSetup

[MOSERG]

Updated log, let me know what you think.  Key not found this time -- because it was removed or because of invalid character?  Rerunning MBAM scan now.

Fixlog 05092016 - 1.txt

[MOSERG]

Clean scan...nothing detected.

[AdvancedSetup]

Great. Okay looks like you should be all set now then. If you need anything else please let us know.

 

 

[MOSERG]

Thanks so much for your help!

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!