Ran into my first piece of "hiding" malware

28 03 2005

Anyone know of a tool that will delete files that are listed only in the MFT and not via the API?

Some nasty little app installed itself on one of the PCs I look after. It hid its process and filename from the Windows API. I used the RootKitRevealer from http://www.sysinternals.com/ to find the files. regmon from sysinternals.com let me know what process was continually fighting my teatimer (Spybot S&D) to put the HKLM/Run entry back in over and over. I couldn’t get to the process, so I just used pskill (from the sysinternals.com pstools) to kill the process. The entry stopped showing up! Hah!

After a reboot, I could find the files via Windows Explorer, and deleted them…what a PITA!
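To make the cross-view idea behind RootkitRevealer concrete, here is an added Python example (not the post author's tooling and not RootkitRevealer's code) that parses minimal NTFS FILE records for their $FILE_NAME attribute and diffs the recovered names against what a directory-listing API returned. A name that appears in the raw MFT view but not in the API view is exactly the discrepancy the post describes. The records, the API listing and the file names are constructed for the example; the records carry no update-sequence fixups and only one attribute, so a real $MFT image would need fixup handling before this parser is pointed at it.

```python
import struct

RECORD_SIZE = 1024                 # assumed MFT record size (the common default)
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02


def build_mft_record(name, in_use=True, is_dir=False):
    """Construct a minimal FILE record holding one resident $FILE_NAME attribute.
    Constructed test data: no update-sequence fixups, no $STANDARD_INFORMATION."""
    name_utf16 = name.encode("utf-16-le")
    # $FILE_NAME body: parent ref, 4 timestamps, allocated/real size, flags,
    # reparse tag, name length (UTF-16 units), namespace 3 (Win32 & DOS), name
    content = struct.pack("<QQQQQQQIIBB", 5, 0, 0, 0, 0, 0, 0, 0, 0,
                          len(name_utf16) // 2, 3) + name_utf16
    attr_len = (24 + len(content) + 7) & ~7          # attribute is 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 24, 0, 0,
                       len(content), 24, 1, 0) + content
    attr += b"\x00" * (attr_len - len(attr))
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    used = 56 + attr_len + 8
    # Record header: signature, USA offset/count, LSN, sequence, link count,
    # first-attribute offset (56), flags, used/allocated size, base ref, next id
    header = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, flags,
                         used, RECORD_SIZE, 0, 2)
    header += b"\x00" * (56 - len(header))
    body = header + attr + struct.pack("<I", ATTR_END) + b"\x00" * 4
    return body + b"\x00" * (RECORD_SIZE - len(body))


def parse_mft_record(rec):
    """Return (name, is_directory) for an in-use record, or None."""
    if rec[:4] != b"FILE":
        return None
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    if not flags & FLAG_IN_USE:
        return None                               # free/deleted record: ignore
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff: off + coff + clen]
            nlen, namespace = body[64], body[65]
            if namespace != 2:                    # skip DOS 8.3 aliases
                name = body[66:66 + 2 * nlen].decode("utf-16-le")
                return name, bool(flags & FLAG_DIRECTORY)
        off += alen
    return None


def cross_view_diff(mft_image, api_listing):
    """Names present in raw MFT records but absent from the API view (lowercased)."""
    raw = {}
    for i in range(0, len(mft_image), RECORD_SIZE):
        parsed = parse_mft_record(mft_image[i:i + RECORD_SIZE])
        if parsed:
            raw[parsed[0].lower()] = parsed[1]
    api = {n.lower() for n in api_listing}
    return sorted(n for n in raw if n not in api)


# Constructed sample: three live records plus one freed record.
SAMPLE_MFT = b"".join([
    build_mft_record("notepad.exe"),
    build_mft_record("drivers", is_dir=True),
    build_mft_record("hidden-example.sys"),          # constructed: the API never lists it
    build_mft_record("deleted.tmp", in_use=False),   # free record, must not alert
])
# Constructed stand-in for what a FindFirstFile-style directory listing returned.
SAMPLE_API_LISTING = ["notepad.exe", "drivers"]

if __name__ == "__main__":
    for name in cross_view_diff(SAMPLE_MFT, SAMPLE_API_LISTING):
        print(f"[!] {name}: present in MFT, absent from API listing")
```

Only the detection half is shown: once a discrepancy is confirmed, acting on it from the live system is unreliable for the reason the post gives (the hooked API hides the file), which is why the files only became deletable after a reboot.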

