The "super backdoor" HackerDefender is well known, and it is also a headache to scan for and remove. Recently I found a good tool at www.sysinternals.com, and I couldn't keep it to myself, so I wrote this article. The latest version, RootkitRevealer 1.4, can detect whether a rootkit is running on Windows. By comparing what the Windows API reports with what a raw scan of the registry and file system finds, it can detect every rootkit published at www.rootkit.com, including AFX, Vanquish and HackerDefender. (Note: RootkitRevealer cannot detect rootkits that do not hide files or registry keys, such as FU_Rootkit.)
RootkitRevealer comes in two versions: a GUI and a command-line tool. The command-line version can be combined with PsExec to scan remote machines. Let's look at how to use it. The first thing to note is that Administrator rights are required to run RootkitRevealer. RootkitRevealer supports both manual and automatic scanning.
A rootkit is generally understood as a collection of spyware, virus and trojan components. It is highly concealed, can be used by attackers to keep unauthorized remote access to a computer, and can be the basis for further attacks, so it poses a serious security threat to users.
Using RootkitRevealer:
(1) Manual scanning
The RootkitRevealer interface is simple: click Scan to scan the system. RootkitRevealer offers the following two options:
Hide NTFS Metadata Files: selected by default. By default RootkitRevealer does not show the NTFS metadata files (metadata files are stored on the volume and support the management of the file system format; they cannot be accessed by applications and only serve the system).
Scan Registry: selected by default. If it is not selected, RootkitRevealer skips the registry scan.
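The cross-view principle described above, reduced to a list comparison, as an added example (not RootkitRevealer's own code): a view built from high-level Windows API calls is compared with a view built from a raw parse of the NTFS volume and registry hives, and every mismatch is reported. The NTFS metadata filter mirrors the Hide NTFS Metadata Files option; the sample views, file names and service key name are constructed, not captured from a real system.

```python
from dataclasses import dataclass

# NTFS metadata files live at the volume root and are invisible to
# applications by design, so a raw parse always "finds" them.
NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                 "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str  # "hidden_from_api", "missing_in_raw" or "data_mismatch"


def is_ntfs_metadata(path: str) -> bool:
    # "C:\$MFT" is metadata; "C:\Windows\$MFT" is not (not at the volume root).
    drive, _, rest = path.partition("\\")
    return len(drive) == 2 and drive[1] == ":" and rest in NTFS_METADATA


def cross_view_diff(api_view: dict, raw_view: dict, hide_ntfs_metadata=True) -> list:
    """Both views map path -> content (file size or registry value).
    Anything the raw view has but the API view lacks was hidden from the API,
    which is the footprint of a hooking rootkit; the reverse and value
    mismatches are reported too, as RootkitRevealer does."""
    found = []
    for path, raw_val in raw_view.items():
        if hide_ntfs_metadata and is_ntfs_metadata(path):
            continue
        if path not in api_view:
            found.append(Discrepancy(path, "hidden_from_api"))
        elif api_view[path] != raw_val:
            found.append(Discrepancy(path, "data_mismatch"))
    for path in api_view:
        if path not in raw_view:
            found.append(Discrepancy(path, "missing_in_raw"))
    return sorted(found, key=lambda d: d.path)


# Constructed sample: a driver file and a service key that the API view
# cannot see, alongside entries both views agree on.
RAW = {
    r"C:\$MFT": 262144,
    r"C:\$LogFile": 65536,
    r"C:\Windows\system32\hxdef_sample.sys": 3328,
    r"C:\Windows\system32\calc.exe": 114688,
    r"HKLM\SYSTEM\CurrentControlSet\Services\HackerDefender_sample": "ImagePath=hxdef_sample.sys",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Beep": "ImagePath=beep.sys",
}
API = {
    r"C:\Windows\system32\calc.exe": 114688,
    r"HKLM\SYSTEM\CurrentControlSet\Services\Beep": "ImagePath=beep.sys",
}
```

With the default filter the scan reports only the two hidden entries; passing hide_ntfs_metadata=False (the -m switch) adds $MFT and $LogFile to the report, which is why they are hidden by default.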
(2) Automatic scanning
The command-line version of RootkitRevealer supports automatic scanning with the following options:
rootkitrevealer [-a [-c] [-m] [-r] outputfile]
-a: automatic scan; the program exits when the scan finishes.
-c: write the output in CSV format.
-m: show NTFS metadata files.
-r: skip the registry scan.
RootkitRevealer supports scanning remote hosts, but only in combination with PsExec, another Sysinternals tool. The command line looks like this:
psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log
[Screenshot: RootkitRevealer detecting the HackerDefender rootkit]
The screenshot shows RootkitRevealer detecting the HackerDefender rootkit. With RootkitRevealer we can easily find HackerDefender's driver and service subkeys in the registry, as well as the locations of its files.
From the information RootkitRevealer reports, you can determine which rootkit has taken up residence on your machine. However, RootkitRevealer cannot remove these rootkits; to remove them, other tools are needed.
RootkitRevealer helps us find rootkits easily and leaves them nowhere to hide. Before using RootkitRevealer, you had better clean the registry with an optimizer tool. If you find that there are many rootkits on the machine, formatting the hard disk and reinstalling the system, or restoring a Ghost image, is the best choice.