Gizmo's Freeware Reviews: Best Free Rootkit Scanner/Remover
8 March 2012
by The_Original_Dudeman
Introduction
Hello Gizmo's Readers!
My co-worker John C. from our east coast office came across a page on the Malwarebytes forums and thought I would share it, since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Below is the page.
If you read the first post, it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes main folder.
Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier to understand language. We are all IT folk, so I tend to write to them differently than I would write to you, Gizmo's readers. In what's below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my 'spare time', of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.
Below, MBAM is short for Malwarebytes. And Rkill is another tool for stopping processes, which I will comment on later. The next two paragraphs are from my letter to co-workers.
I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window, then proceeded to kill processes and then update and run MBAM. All of this worked great, and it had an unexpected side effect. When it killed the process I think it also killed the ability of this 'New and Improved' System Check to deactivate your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below. I didn't clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.
So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what's running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it.
I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like the System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon as it will be a good addition to any USB stick.
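The "hidden menus and folders" damage described above is, in the fake alert families I have seen, done by setting the Hidden (and sometimes System) file attribute on the user's files, folders and Start Menu entries. The PowerShell function below is an added example of how such damage can be reversed; it is not the author's tool and not part of the original post, and it assumes that attribute tampering is the only damage to undo (it does nothing for partitions, registry or deleted files). Paths, the list of items to leave alone, and the function name are my own choices. Run it from an elevated PowerShell prompt after the rogue's processes have been stopped, otherwise the rogue may simply re-hide everything.

```powershell
# Added example, not the author's tool: clear the Hidden attribute that
# fake alert rogues such as System Check set on user files and folders.
# Assumption: the damage is limited to the Hidden/System attributes.
function Restore-HiddenItems {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Root folders to repair. Defaults cover the current user's profile
        # (which includes the per-user Start Menu under AppData) and the
        # all-users Start Menu and Desktop.
        [string[]]$Path = @(
            $env:USERPROFILE,
            "$env:ProgramData\Microsoft\Windows\Start Menu",
            "$env:PUBLIC\Desktop"
        ),
        # Also clear the System attribute; some rogues set +S so that
        # "Show hidden files" alone still does not reveal the item.
        [switch]$ClearSystem
    )

    # Items Windows legitimately keeps hidden; never touch these.
    $keepNames = @('desktop.ini', 'thumbs.db', 'appdata')

    $mask = [IO.FileAttributes]::Hidden
    if ($ClearSystem) { $mask = $mask -bor [IO.FileAttributes]::System }

    $fixed = 0
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $candidates = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Hidden, but not one of the legitimately hidden items.
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                ($keepNames -notcontains $_.Name.ToLower()) -and
                ($_.Name -notlike 'ntuser*') -and
                (-not $_.Name.StartsWith('.')) -and
                # Profile junctions ("Application Data", "My Documents", ...)
                # are hidden reparse points by design; skip them.
                (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0)
            }

        foreach ($item in $candidates) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
                # Clear only the chosen bits; keep ReadOnly, Archive, etc.
                $item.Attributes = $item.Attributes -band (-bnot $mask)
                $fixed++
            }
        }
    }
    return $fixed
}

# Preview what would change, then apply:
# Restore-HiddenItems -WhatIf
# Restore-HiddenItems -ClearSystem -Verbose
```

Two design choices worth noting: the function skips reparse points because the legacy profile junctions ("Application Data", "My Documents" and friends) are hidden on purpose, and it supports -WhatIf so you can review the list of items it intends to un-hide before anything is written, which is the check I would want before letting a script touch a user's profile.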
Until next time,
The_Original_Dudeman