A few key improvements were made in driver detection and disabling mechanisms, so here's the latest version of SysProt AntiRootkit :) SysProt AntiRootkit v220.127.116.11 successfully detects and removes Zlob rootkits (TDSServ).
Similar to the steps followed in the case of GMER (as mentioned in the previous post), SysProt AntiRootkit requires two reboots to completely remove the rootkit driver and its Registry entry. The following screenshots show SysProt AntiRootkit detecting the Zlob rootkit driver and injected DLL:
Steps to remove Zlob rootkit driver:
- Run SysProt AntiRootkit v18.104.22.168 and click the "Kernel Modules" tab.
- SysProt AntiRootkit shows rootkit/hidden drivers in red. Click on the rootkit driver's entry and then click "Disable".
- Reboot the PC.
- Repeat steps 1 to 3 (SysProt AntiRootkit will detect the same rootkit driver again).
Now, all the malicious files dropped by Zlob should be unrooted and hence "visible" to standard anti-malware scanners.
Labels: SysProt AntiRootkit, TDSServ rootkit removal, Zlob rootkit