Herman_Salim

Scriptable Tool Like Malwrebytes Anti Rootkit


Hello. I have an idea about a scriptable removal tool or drag-down tool to remove any stubborn services/drivers, files, folders, or maybe registry entries. This tool would of course also be as powerful as Malwarebytes Anti-Rootkit.

So, with this tool, we don't need to scan anymore. We already know what to do and we just want to delete it. This tool can compensate for MBAR if MBAR can't detect the newest rootkit.

Other tools like this: BlitzBlank or The Avenger. The Avenger is discontinued (and also does not support 64-bit) and BlitzBlank cannot produce an accurate log after doing its job (we don't know whether it succeeded or failed).

So, I hope Malwarebytes can create a tool like this: one that can create a complete log like The Avenger, can support 32- and 64-bit, and is compatible from Windows XP to Windows 10.

Thank you.


Hello @AdvancedSetup, yes, you're right. FRST is a very popular tool. But sometimes FRST can't delete stubborn driver/service entries and files. Example:


"C:\Windows\System32\DRIVERS\MPCKpt.sys" => Could not move
"C:\Windows\System32\drivers\MPCBase.sys" => Could not move
"C:\Program Files\MPC Cleaner" => Could not move

In this case, we need another tool that does not depend on its scanning ability; we just need its 'deleting' or 'removing' ability. Simply, we just choose and delete after reboot (using a kernel-level Windows driver) without needing to scan first.

I know we can use something powerful like ComboFix, but this tool is not for us (not graduates of a malware training class). And ComboFix scans and deletes some files automatically, which is dangerous to use without supervision. So, I think we need another tool that can do this without scanning and deleting automatically. And of course we do this at our own risk.

Thank you for your reply.
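The "choose and delete after reboot" behaviour asked for above already exists in user mode as a documented Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the path in the PendingFileRenameOperations value, and the Session Manager deletes it at the next boot before any service starts. The script below is an added example written for this thread, not code from Malwarebytes, FRST, BlitzBlank or The Avenger; the target paths are placeholders, and the log file location and function names are the example's own choices. It queues each path, writes a log line per item (queued, not found, or failed with the Win32 error code), shows the pending queue, and has a second function to run after the reboot to confirm what was actually removed, which is the kind of log the thread finds missing from BlitzBlank.

```powershell
# Added example (not from this thread or any tool it names). Run as Administrator.
# Uses the documented Win32 API MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT):
# the Session Manager processes these entries at the next boot, before services load.
# Caveat: boot-start drivers are already loaded by then, so a self-protecting
# kernel driver can still interfere; that is the case the thread solves in the RE.

$Signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Native = Add-Type -MemberDefinition $Signature -Name 'NativeMethods' -Namespace 'DelayedDelete' -PassThru

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$LogPath = Join-Path $env:SystemDrive 'delayed-delete.log'   # assumed log location

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Request-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Log "NOT FOUND: $Path"
        return
    }
    $items = @()
    if (Test-Path -LiteralPath $Path -PathType Container) {
        # The delayed delete only removes empty directories, so queue the contents
        # first (longest paths first, so children precede their parents).
        $items = Get-ChildItem -LiteralPath $Path -Recurse -Force |
                 Sort-Object { $_.FullName.Length } -Descending |
                 ForEach-Object { $_.FullName }
    }
    $items += $Path
    foreach ($item in $items) {
        # A null destination tells the Session Manager to delete rather than rename.
        $ok = $Native::MoveFileEx($item, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if ($ok) {
            Write-Log "QUEUED: $item"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Log "FAILED to queue (Win32 error $err): $item"
        }
    }
}

function Get-PendingRenames {
    # Shows what the Session Manager will act on at boot; deletions have an empty target.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

function Test-DeletionResult {
    # Run this after the reboot with the same list: anything still present was
    # either re-created or blocked, which is exactly what a usable log must say.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { Write-Log "STILL PRESENT: $p" }
        else { Write-Log "REMOVED: $p" }
    }
}

# Placeholder targets constructed for the example; replace with the real paths.
$Targets = @(
    "$env:SystemRoot\System32\drivers\example-stub.sys",
    "$env:ProgramFiles\Example Vendor"
)
foreach ($t in $Targets) { Request-DeleteOnReboot -Path $t }
Get-PendingRenames
# After rebooting: Test-DeletionResult -Paths $Targets
```

Two points the thread raises are visible here. The driver's service entry still has to be removed separately (the file deletion alone leaves a dangling service), and because the queue is an ordinary registry value, a running rootkit that watches that key can simply remove the entry before the reboot; the log then shows "STILL PRESENT", which is the signal to fall back to the Recovery Environment as the thread describes.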

7 minutes ago, AdvancedSetup said:

That is because FRST was run in Normal Mode; if run in Safe Mode it should be able to remove that driver.

I already tried it but it did not work. But finally it was solved with an FRST fix in the Recovery Environment. So, I think we need a portable tool that works with a Windows kernel driver like BlitzBlank and The Avenger.

Since The Avenger has been discontinued and BlitzBlank has some bugs and can't produce a reliable log, in my opinion this is the right moment for Malwarebytes to create a tool like this.

Regards,

Herman

21 minutes ago, Herman_Salim said:

I already tried it but it did not work. But finally it was solved with an FRST fix in the Recovery Environment. So, I think we need a portable tool that works with a Windows kernel driver like BlitzBlank and The Avenger.

Since The Avenger has been discontinued and BlitzBlank has some bugs and can't produce a reliable log, in my opinion this is the right moment for Malwarebytes to create a tool like this.

Regards,

Herman

Actually, from what I know, BlitzBlank removes files, folders and registry entries on boot, so before anything has time to get started. It doesn't remove these while the system is running. So it wouldn't change the fact that you have to restart your computer for these tools to work. Also, FRST can remove the MPC Cleaner folder in the RE (even though I use BlitzBlank to take care of it); it can remove the driver normally under a normal and/or safe boot.

BlitzBlank doesn't produce any logs, true, but it's easy to see if it really did its job afterwards.

17 minutes ago, Aura said:

Actually, from what I know, BlitzBlank removes files, folders and registry entries on boot, so before anything has time to get started. It doesn't remove these while the system is running. So it wouldn't change the fact that you have to restart your computer for these tools to work. Also, FRST can remove the MPC Cleaner folder in the RE (even though I use BlitzBlank to take care of it); it can remove the driver normally under a normal and/or safe boot.

BlitzBlank doesn't produce any logs, true, but it's easy to see if it really did its job afterwards.

Thank you, Aura, for responding to me. ^_^

I really admire your ability in using SFCFix. :D

In my experience (sorry, I don't mean to teach; I just share, and maybe I'm wrong), FRST and BlitzBlank try to remove files on reboot, but FRST doesn't use a Windows kernel driver, so it almost always fails on stubborn drivers/services like rootkits even though it has rebooted.

I already tried in normal mode and Safe Mode (Windows XP). I tried to delete it manually in Safe Mode too, but it says the files are protected.

BlitzBlank does produce a log in E:\blitzblank.log. But it doesn't report very well. We don't know from the report whether a file or driver was not found, or whether it succeeded or not. In my opinion, The Avenger's log is more detailed. BlitzBlank has a lot of bugs and couldn't remove a registry entry when I tried it.

So, if Malwarebytes can combine the 'plus' of these 2 tools, malware fighters can use this tool on many forums. We wouldn't have to use ComboFix anymore.

Sorry for my grammar.


Sorry, I can't edit my older reply.

I mean C:\blitzblank.log

The FRST fix works very well in the Recovery Environment to remove stubborn malware and even detect/remove rootkits, because in the RE the Windows kernel doesn't start/work. So they can't use self-protection there.


BlitzBlank isn't developed anymore, though it still works up to Windows 10 64-bit, since part of it is included in the cleaning engine of Emsisoft products.

And as for FRST, I don't know if it's possible to do that in AutoIt. Anyhow, I would rather see Malwarebytes spend their time improving their current products, rather than create another reporting and scripting tool like FRST, ZOEK, etc. The ones we have currently do the job very well if you know how to use them.

1 hour ago, Aura said:

BlitzBlank isn't developed anymore, though it still works up to Windows 10 64-bit, since part of it is included in the cleaning engine of Emsisoft products.

And as for FRST, I don't know if it's possible to do that in AutoIt. Anyhow, I would rather see Malwarebytes spend their time improving their current products, rather than create another reporting and scripting tool like FRST, ZOEK, etc. The ones we have currently do the job very well if you know how to use them.

It's okay. Thank you.
