A rootkit is a program or a suite of programs designed to obscure the fact that a system has been compromised.
For operating systems MS Windows, the term rootkit stands for a program that infiltrates the system and hooks system functions (Windows API). By hooking and modifying low-level API functions, such malware can effectively hide its presence in a system. Moreover, rootkits as a rule are able to conceal any processes, folders and files on discs as well as registry keys described in its configuration. Many rootkits install own drivers and services (hidden as well) into the system.
The utility PMaxKiller.exe serves for disinfection of systems infected with malware family Rootkit.Win32.PMax.
The utility is compatible with x86 versions of MS Windows: 2000, XP, 2003, Vista, 2008, 7.
While MS Windows x64 versions cannot be infected with malware family Rootkit.Win32.PMax.
Disinfection of an infected system
- Download the archive PMaxKiller.zip and extract it into a folder on an infected (or potentially infected) computer using an archiver program (WinZip for example).
- Execute the file PMaxKiller.exe.
- Wait until the scan process is over. If an infection is detected, it is necessary to reboot the computer.
If run without any arguments, the utility will do the following:
- Runs a memory scan for a malicious driver, and disinfects it if detected in order to prevent termination of legal processes (and setting of blocking DACLs) attempting to access the registry.
- Runs a scan of system library files which may be infected with the malicious program. If detected, the utility will carry out disinfection upon reboot.
Command line arguments for the utility PMaxKiller.exe:
-c <file_name> - reset DACL on the indicated file (in order to eliminate blocking of execution of legal processes by the malware).
-d <file_name> - dump malicious driver into the file.
-l <file_name> - write utility runtime log into the file.
-v - output a detailed log (of used with key -l).
Signs of infection by malware family Rootkit.Win32.PMax:
- Antivirus processes randomly stop during antivirus scan. Moreover, a prohibiting DACL (Discretionary Access Control List) set for executable files is blocking restart of such processes. An attempt of execution will display a message warning about insufficient privileges.
- GMER detects hidden modules with paths containing "__max++>".