The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

Usually a kernel mode rootkit has a service key created under the registry key : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and a .sys file created in %SystemRoot%\System32\drivers, "%SystemRoot" is a variant, it is the folder where Windows is installed, in most case, it is the folder "C:\Windows".

Currently most anti-malware programs can detect the presence of a rootkit-based malware but cannot delete it, because the rootkit-based malware is started at the very early time during Windows startup, it then protects its file from being deleted. Some anti-malware programs then set the rootkit's .sys file to a registry value "PendingFileRenameOperations", this registry value asks Windows to delete the rootkit file at next Windows reboot. But most rootkit-based malware also know this trick, so they start monitoring this registry value, once the value matches the rootkit's file, the rootkit will delete the value "PendingFileRenameOperations" then the deletion will fail.

TheStubware uses a different method to delete kernel mode rootkit-based malware.

Currently TheStubware can detect many kernel mode rootkit-based malware, if the rootkit is found by TheStubware, just click "Fix Selected" button, then TheStubware will delete it automatically.

If the rootkit is found by other anti-malware programs but failed to delete, you can try to use TheStubware to delete it, please follow the steps below :

• Open "notepad.exe" from "Start -> Run", for Windows Vista, you can type "notepad" in the "Start search" edit box
• Copy and paste the following text into notepad:
  
  <RSF>
  <SERVICE>%Rootkit Service Key%</SERVICE>
  <FILE>%Rootkit file%</FILE>
  </RSF>
  


• Replace the "%Rootkit Service Key%" with the key found by other anti-malware programs, Replace the "%Rootkit file%" with the file fould by other anti-malware programs
• Click "File -> Save" in notepad, save it in any name and to a place where you can find it easily
• Run TheStubware, drag and drop the file you saved just now into TheStubware window, then TheStubware will do the deletion, in most situation, you need to reboot Windows to complete the deletion.

Download TheStubware

In the past few weeks, many user's computer were infected by a search engine redirect malware, this malware use rootkit technique to hide its .sys file from being detected. Some other anti-malware programs can detect its service key "TDSSserv.sys", but when you open the service key using regedit to find its .sys file, you will find the regedit displays nothing, just an empty key, actually the key information is hidden by the rootkit. When you try to delete the service key in regedit, you get an error message saying the key can't be deleted.

Using TheStubware to scan, an item is checked as follow :
rootkit : TDSSserv.sys=\SystemRoot\system32\drivers\TDSSmhxt.sys

Click "Fix Selected" button, then restart Windows, the rootkit is gone.

TheStubware is a FREE malware removal tool with a real time protection. It can help you remove those stubborn malware and protect you from being infected again. Download TheStubware