Bootkit removal with RogueKiller

How to remove Bootkits with RogueKiller

Description

Bootkits are rootkits that infect the Master Boot Record (MBR) or, sometimes, the Volume Boot Record (VBR) of a partition. Because that code runs very early in the boot sequence, before the operating system and any antivirus, a bootkit can bypass antivirus products and hide itself with a kernel driver. […]
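Because the MBR is a fixed 512-byte structure, the tampering described above can be checked for directly: hash the 446 bytes of boot code against a copy recorded while the system was known to be clean, and sanity-check the four partition entries. The script below is an added example written for this page, not RogueKiller code; the two sector images it uses are constructed for the example rather than dumped from real disks, and the baseline hash is simply whatever a clean copy of the same disk's MBR produced.

```python
"""Parse a 512-byte MBR sector and flag the kinds of tampering a bootkit leaves behind.

Added example; not RogueKiller code. The sector images below are constructed for the
example (not dumps of real disks), and the baseline hash is the value recorded from a
known-clean copy of the same disk's MBR.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code, the part a bootkit overwrites
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
PART_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xAA"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:           # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Compare an MBR against a known-clean baseline; returns a list of findings (empty = clean)."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from the recorded clean baseline")
    bootable = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected exactly 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:              # the next entry starts inside the previous one
            findings.append(f"partition {i1} and partition {i2} overlap")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR image; entries are (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, entry in enumerate(entries):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + i * 16, *entry)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed "clean" disk: a stand-in for vendor boot code, one bootable NTFS partition, one data partition.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1843200)])
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]   # record this while the system is known to be clean

# Constructed "infected" disk: boot code replaced by a loader stub, plus an extra entry carved
# out of the tail of partition 1, the kind of place a bootkit could stash its second stage.
INFECTED_CODE = b"\xEA\x00\x7E\x00\x00" + b"\xCC" * 441
INFECTED_MBR = build_mbr(INFECTED_CODE, [(0x80, 0x07, 2048, 204800),
                                         (0x00, 0x07, 206848, 1843200),
                                         (0x00, 0x17, 2000000, 64)])

if __name__ == "__main__":
    # On a live system the sector comes from the raw device (\\.\PhysicalDrive0 on Windows,
    # /dev/sda on Linux), opened read-only with administrator or root rights.
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(image, BASELINE) or "no findings")
```

Two caveats for real use: the baseline must have been taken before the infection (a hash of an already-patched MBR proves nothing), and this only covers the MBR. A bootkit living in the VBR, or a disk using GPT behind a protective MBR (one entry of type 0xEE), needs the corresponding structures checked instead.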

[image: Boot process]

[image: Second stage payload in registry value]

Gootkit/Xswkit removal with RogueKiller

How to remove Gootkit variants (Xswkit) with RogueKiller

Little Analysis

Gootkit is malware with trojan/backdoor features and fileless behaviour. The payload (the malware file) is injected into several legitimate processes and is loaded at boot time by a Run key that calls the injector. That Run value is […]
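A Run value that launches an injector is the kind of autostart entry an analyst wants to triage quickly: what is the "program" being run, is it really a script or DLL-loading host, does it live in a user-writable directory, and does the target exist at all. The script below is an added example written for this page, not RogueKiller code. The heuristics are the usual first-pass questions rather than a verdict (note that the legitimate OneDrive entry is flagged because it runs from AppData), and all sample values are constructed, not taken from a real infected machine.

```python
"""Triage autostart entries under the Run registry key.

Added example; not RogueKiller code. The heuristics are a first pass, not a verdict, and
the SAMPLE_RUN_VALUES below are constructed for the example.
"""
import os
import re

# Hosts that execute whatever they are handed; a Run value invoking one deserves a look.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%|\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\)",
    re.IGNORECASE)
INLINE_SCRIPT = re.compile(r'^\s*"?(javascript|vbscript):', re.IGNORECASE)


def split_command(command: str):
    """Split a Run value into (executable, arguments) the way the shell would: a quoted path is
    taken whole, otherwise the first space ends the executable (so an unquoted path containing
    spaces is ambiguous, which is itself a classic hijack vector)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()


def triage_run_value(data: str, exists=None) -> list:
    """Return the reasons a Run value looks suspicious (empty list = nothing flagged).
    exists is an optional callable path -> bool; pass os.path.exists on the live host."""
    exe, args = split_command(data)
    base = os.path.basename(exe.replace("\\", "/")).lower()
    reasons = []
    if base in LOADER_HOSTS:
        reasons.append(f"loader host {base}")
    if INLINE_SCRIPT.match(args):
        reasons.append("inline script in arguments")
    if USER_WRITABLE.search(data):
        reasons.append("runs from a user-writable location")
    if exists is not None and not exists(os.path.expandvars(exe)):
        reasons.append("target file missing")
    return reasons


def triage_all(values: dict, exists=None) -> dict:
    """Apply triage_run_value to every (name, data) pair of a Run key."""
    return {name: triage_run_value(data, exists) for name, data in values.items()}


def read_run_values(hive: str = "HKCU") -> dict:
    """Read the live Run key on Windows; returns {} elsewhere, where the winreg module does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:        # no more values
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample values (not taken from a real infected machine).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "wbemsvc": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Data\ldr.dat",Start',
    "cache": r'mshta.exe "javascript:/* constructed placeholder */"',
}

if __name__ == "__main__":
    live = read_run_values()
    values, exists = (live, os.path.exists) if live else (SAMPLE_RUN_VALUES, None)
    for name, reasons in triage_all(values, exists).items():
        print(f"{name:16} {', '.join(reasons) or 'ok'}")
```

Run it as the affected user on the Windows host to read the real HKCU Run key (pass "HKLM" for the machine-wide key); anywhere else it falls back to the constructed samples. The same checks apply to the RunOnce keys and to the 32-bit WOW6432Node copies on 64-bit Windows.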


Zeus removal with RogueKiller

How to remove Zeus variants (Citadel) with RogueKiller

EDIT October 4th, 2014: If the only process detected is your antivirus, please ignore the detection. We are working on this issue, which is not really a bug but a problem of signature-scanner definitions versus antivirus definitions. […]


Userland rootkits: Part 1, IAT hooks

This is the first part of this series about userland rootkits. I wanted to write on it and demonstrate how some rootkits hide files by using IAT hooks. This post is about a classic trick, known for decades. Malware specialists may know this already, so […]


RogueKiller V10 is here!

…With a brand new UI and a Premium version (beta)

No worries, the user experience is still the same (fortunately or unfortunately, it's up to you :)). Here's what it looks like:

What's new? New UI, based on the Qt framework. All the forms have been redesigned, […]


Poweliks removal with RogueKiller

How to remove Poweliks with RogueKiller

EDIT 11/21/2014: This new variant disables file downloads in Internet Explorer. To re-enable them (and download RogueKiller), go to "Tools", "Internet Options", then the "Security" tab. Click "Reset all zones to default level" and validate. […]

[image: RogueKillerCMD can read the full content]

[image: filesystem filter]

KernelMode rootkits: Part 3, kernel filters

This is the third part of this series about kernel-mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. keyloggers) intercept keystrokes by using kernel filters. To understand the basics of kernel mode and drivers, please refer to the first part. […]