Won a Battle with Some Malware!

the_Grinch Posts: 4,123 Member
User at work (second time he's clicked on something and got infected) got a nice piece of ransomware on his machine on Friday. Only affected his account, but even in safe mode it was still running and not allowing me to do anything. Our standard procedure here is to just reimage the machine. That being said I still like to see if I can get the malware removed. Took a bit, but after using the following tools everything was cleared up:

RKill (this found a few reg keys not removed by Malwarebytes)
JRT (this actually removed the reg keys)
Emsisoft Emergency Kit (really nice tool, nothing found, but just in case I ran it)

Still going to wipe the machine though, but nice if anything happens at home I know how to proceed.


  • paulgswanson Posts: 311 Member
    If it was only affecting his account and you wanted to see if you could just eliminate it why not try this?
    Restart the device and log in as yourself and rename the affected profile to .old
    Have user generate new profile and restart device again. Force files over that must be saved and delete old profile. *assuming they don't use roaming profiles on your network*
    Use the JRT to kill reg keys of course then just scan again, and see what happens?
    WGU Progress: B.S. Network Management & Design <- I quit (got bored)
  • crrussell3 Posts: 561 Member
    I have found RogueKiller works nicely to get rid of some of the more stubborn malware. I had a rather pesky rootkit that TDSS Killer would detect but not remove.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • the_Grinch Posts: 4,123 Member
    pauls I hadn't thought to try that. I've found that things tend to linger without the wipe and reload, but on the next one I'll give that a try to see what happens.

    crrussell haven't tried RogueKiller, I'll put it on the list!

    What I would love to do is set up a server and boot the machines to the network (with DHCP from the server). From there load up an image with various malware tools installed and do a number of scans. Oh wishful thinking!