Ran into my first piece of "hiding" malware

28 03 2005

Anyone know of a tool that will delete files that are listed only in the MFT and not via the API?

Some nasty little app installed itself on one of the PCs I look after. It hid its process and filename from the Windows API. I used RootkitRevealer from http://www.sysinternals.com/ to find the files. Regmon from sysinternals.com let me know what process was continually fighting my TeaTimer (Spybot S&D) to put the HKLM/Run entry back in over and over. I couldn’t get to the process, so I just used pskill (from the sysinternals.com PsTools) to kill the process. The entry stopped showing up! Hah!

After a reboot, I could find the files via Windows Explorer and deleted them… what a PITA!
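The check RootkitRevealer performs to surface those files is a cross-view comparison: the directory listing the Win32 API hands back is set against a listing rebuilt from the raw MFT, and anything present only in the raw view is a hidden-file candidate. The script below is an added example, not code from the original post or from Sysinternals. The MFT records, record numbers and file names in it are constructed for illustration, and the parent-reference walk stands in for a real parser of the MFT's $FILE_NAME attribute.

```python
"""Cross-view hidden-file check, in the style of RootkitRevealer.

Added example, not the post's or Sysinternals' code. Rebuilds full paths
from raw MFT-style records (each names its parent directory's record, as
the $FILE_NAME attribute does) and diffs them against the paths an
API-level directory walk returned. Files in the raw view but absent from
the API view are the ones a rootkit is filtering out.
"""
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

ROOT_RECORD = 5  # NTFS reserves MFT record 5 for the volume root directory


class MftRecord(NamedTuple):
    number: int   # MFT record number
    parent: int   # record number of the parent directory ($FILE_NAME parent reference)
    name: str     # file name from $FILE_NAME
    is_dir: bool
    in_use: bool  # False for a deleted record whose slot has not been reused


def reconstruct_paths(records: Iterable[MftRecord], drive: str = "C:") -> Dict[int, str]:
    """Map each in-use record number to its full path by walking parent references.

    A record whose parent chain cannot be resolved (parent record missing, or a
    cycle) is filed under a "<orphan>" pseudo-directory; that naming is a choice
    made for this example.
    """
    by_number = {r.number: r for r in records}
    paths: Dict[int, str] = {}

    def path_of(num: int, trail: Set[int]) -> str:
        if num == ROOT_RECORD:
            return drive
        if num in paths:
            return paths[num]
        rec = by_number.get(num)
        if rec is None or num in trail:      # missing parent or cycle: stop walking
            return drive + "\\<orphan>"
        parent_path = path_of(rec.parent, trail | {num})
        paths[num] = parent_path + "\\" + rec.name
        return paths[num]

    for rec in by_number.values():
        if rec.in_use and rec.number != ROOT_RECORD:
            path_of(rec.number, set())
    # Parents resolved on the way up may be deleted records; report only in-use ones.
    return {n: p for n, p in paths.items() if by_number[n].in_use}


def normalize(path: str) -> str:
    """NTFS names are case-insensitive, so compare on a canonical form."""
    return path.rstrip("\\").lower()


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (paths only in the raw view, paths only in the API view).

    The first list is the rootkit signal: on disk according to the MFT, but
    filtered out of the listing the API returned.
    """
    api_norm = {normalize(p): p for p in api_view}
    raw_norm = {normalize(p): p for p in raw_view}
    hidden_from_api = sorted(raw_norm[k] for k in raw_norm.keys() - api_norm.keys())
    missing_from_raw = sorted(api_norm[k] for k in api_norm.keys() - raw_norm.keys())
    return hidden_from_api, missing_from_raw


def find_hidden(records: Iterable[MftRecord], api_view: Set[str]) -> List[str]:
    """Raw-MFT paths that an API-level directory walk did not report."""
    raw_view = set(reconstruct_paths(records).values())
    return cross_view_diff(api_view, raw_view)[0]


# Constructed sample data: a tiny MFT and the matching API directory walk.
SAMPLE_RECORDS = [
    MftRecord(5, 5, ".", True, True),
    MftRecord(64, 5, "WINDOWS", True, True),
    MftRecord(65, 64, "system32", True, True),
    MftRecord(66, 65, "kernel32.dll", False, True),
    MftRecord(70, 65, "hidden_driver.sys", False, True),  # present in the MFT only
    MftRecord(71, 65, "setup.tmp", False, False),         # deleted; must not count as hidden
    MftRecord(80, 5, "Program Files", True, True),
]

API_VIEW = {
    "C:\\WINDOWS",
    "C:\\Windows\\System32",  # different case, same directory
    "C:\\WINDOWS\\system32\\kernel32.dll",
    "C:\\Program Files",
}

if __name__ == "__main__":
    raw = set(reconstruct_paths(SAMPLE_RECORDS).values())
    hidden, missing = cross_view_diff(API_VIEW, raw)
    for p in hidden:
        print("hidden from API:", p)
    for p in missing:
        print("in API view only:", p)
```

A discrepancy is a candidate, not proof: a file created or deleted between the API pass and the raw pass shows up the same way, so the comparison should be re-run before a mismatch is treated as a rootkit. The script only finds such files; removing one that the API refuses to see is the separate problem the post asks about.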

