Rootkit.Win64.FAKEVM.A
Windows
Threat Type: Rootkit
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It hides files, processes, and/or registry entries.
TECHNICAL DETAILS
Arrival Details
This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This Rootkit registers itself as a boot-start kernel driver service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
DisplayName = "{random string}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
ErrorControl = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
Group = "Boot Bus Extender"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
ImagePath = %System%\drivers\{random string}.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
Start = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
Tag = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
Type = 1
Type = 1 (SERVICE_KERNEL_DRIVER) together with Start = 0 (SERVICE_BOOT_START) makes this a driver that the boot loader loads before the kernel starts, ahead of the security products it later blocks. Group = "Boot Bus Extender" with Tag = 1 places it early in one of the first load-order groups, and that group is also loaded in Safe Mode, so a Safe Mode boot does not keep the driver from running.
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
Rootkit Capabilities
This Rootkit hides files, processes, and/or registry entries.
Other Details
This Rootkit does the following:
- Queries the following registry entries, which contain its configuration for blacklisting files, drivers, and applications:
  - Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
    Value: {S01 - S08}
    Data: {Hex Bytes}
  - Key: HKEY_LOCAL_MACHINE\SYSTEM\{Thread ID}
  - Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random string}
- It disables loaded and new drivers whose file version information (vendor, product, or copyright strings) matches any of the following:
- Process Monitor Driver
- Atool
- Antiy Labs
- AVZ
- TDSS
- cmcark.exe
- EP_X0FF
- CsrWalker
- DrWeb
- Igor Daniloff
- Rootkit
- DarkSpy
- CardMagic
- FilterMon
- Daniel Pistelli
- flister.exe
- Gmer
- HookAnalyser
- HookShark.exe
- IceSword
- System Analyzing
- kX-Ray
- Brock Williams
- NIAP XRay
- NIAP
- RootkitDetect
- Process Walker
- USEC Radix
- RegReveal.exe
- Unhooker
- Detector For Windows
- Andres Tarasco
- RootQuest
- ComSentry
- RootRepeal
- AD 2007
- SafetyCheck
- SUYI Studio
- SysProt
- TrueX64
- By diyhack
- Tuluka kernel
- Libertad. All
- Yas Anti
- mbr.exe
- Find_Hidden
- F-Secure BlackLight
- (C) Orkbluit
- catchme.exe
- Avast! Antirootkit
- ALWIL Software
- aswmbr.exe
- SysInspector
- ESET, spol.
- DiamondCS
- Symantec
- Norton Power Eraser
- Safe'nSec
- S.N.Safe
- SanityCheck
- Detects and Delete
- X-Wiretechnology
- Sophos Limited
- Pavark.exe
- Malwarebytes Anti-Rootkit
- RootkitBuster
- Trend Micro
- Mcafee Labs Rootkit
- RootkitRemover
- RootRpeal
- Epoolsoft Windows Information
- Anti~mal~ware tool
- API Monitor Installer
- Telerik Fiddler Web Debugger
- Tachyon
- Prioritizes its own driver in the load order via its registry entry (Group = "Boot Bus Extender", Start = 0, Tag = 1).
- Denies access to its registry entries to anything other than itself and its components.
- It disables loaded and new drivers whose digital signature or publisher matches any of the following:
- Wen Jia Liu
- Check Point Software Technologies Ltd
- GRISOFT, s.r.o.
- Avira GmbH
- Avira Operations GmbH & Co. KG
- BITDEFENDER LLC
- BitDefender SRL
- Doctor Web Ltd
- ESET, spol. s r.o.
- FRISK Software International Ltd
- Kaspersky Lab
- Panda Software International
- Check Point Software Technologies
- BullGuard Ltd
- antimalware
- NovaShield Inc
- CJSC Returnil Software
- Anti-Virus
- Sophos Plc
- Comodo Security Solutions
- Quick Heal Technologies
- G DATA Software
- Beijing Rising
- Immunet Corporation
- K7 Computing
- Sunbelt Software
- Beijing Jiangmin
- VirusBuster Ltd
- KProcessHacker
- Microsoft Malware Protection
- KSLDriver.sys
- STOPzilla
- Essentware
- Filseclab
- Lavasoft
- IKARUS
- VirusBlokAda
- Immunet
- FortiClient
- Quick Heal
- VIPRE
- AhnLab
- Malwarebytes
- Malwarebytes Corporation
- Sophos
- BullGuard
- F-Secure
- TrustPort
- Trend Micro
- McAfee
- G Data
- Kaspersky
- AVAST
- Emsisoft
- Qihoo 360
- Webroot
- Bitdefender
- Trend Micro, Inc.
- McAfee, Inc.
- X-Wire Technology
- Sophos Ltd
- Protection Technology, Ltd.
- Daniel Terhell
- F-Secure Corporation
- ALWIL Software
- Antiy Technology Co. Ltd
- Antiy Labs
- Kernel Detective
- Safe'nSec
- S.N.Safe
- HookAnalyser
- IceSword
- Brock Williams
- Unhooker
- Process Walker
- RootkitDetect
- CsrWalker
- F-Secure BlackLight
- Avast! Antirootkit
- SysInspector
- DiamondCS
- Norton Power Eraser
- Detects and Delete
- SanityCheck
- Sophos Limited
- X-Wiretechnology
- Malwarebytes Anti-Rootkit
- RootkitBuster
- RootkitRemover
- Mcafee Labs Rootkit
- RootRpeal
- Epoolsoft Windows Information
- FilterMon
- RootQuest
- Andres Tarasco
- kX-Ray
- NIAP XRay
- DarkSpy
- CardMagic
- SUYI Studio
- Yas Anti
- Tuluka kernel
- (C) Orkbluit
- Orkblutt
- Find_Hidden
- ESTsecurity Corp.
- SGA Co.,LTD
- ESTsoft Corp
- www.sgacorp.kr
- AhnLab, Inc.
- Hauri, Inc
- QIHU 360 SOFTWARE CO. LIMITED
- AVAST Software s.r.o.
- AVG Technologies USA, Inc.
- Panda Security S.L.
- VIPRE Security (ThreatTrack Security, Inc.)
- NANO Security Ltd
- Webroot Inc.
- Emsisoft Ltd
- G DATA Software AG
- BullGuard Ltd.
- Check Point Software Technologies Ltd.
- Quick Heal Technologies Limited
- TrustPort, a.s.
- IS3, Inc.
- MicroWorld Technologies Inc.
- Total Defense Inc
- Adaware Software
- FRISK Software International
- K7 Computing Pvt Ltd
- Doctor Web Ltd.
- SPAMMfighter ApS
- Security Softvare Limeted
- VIRUSBLOKADA ODO
- Fortinet Technologies (Canada) inc.
- ALLIT Service LLC
- Adlice
- Rohitab Batra
- INCA Internet Co., Ltd.
- It blocks the execution or loading of the following applications and drivers, matched by file name:
- processhacker-2.39-setup.exe
- flister.exe
- cmcark.exe
- HookShark.exe
- RegReveal.exe
- mbr.exe
- catchme.exe
- aswmbr.exe
- Pavark.exe
- PCKAVService.exe
- STOPzilla.exe
- SZServer.exe
- RsMgrSvc.exe
- RsTray.exe
- QQPCTray.exe
- QQPCRTP.exe
- EEYEEVNT.exe
- Blink.exe
- blinksvc.exe
- twssrv.exe
- twister.exe
- mskrn.exe
- msgui.exe
- grizzlysvc.exe
- grizzlyav.exe
- AdAwareService.exe
- AdAwareTray.exe
- AVScanningService.exe
- AVWatchService.exe
- AAV_Service_Vista.exe
- AAV_Guard.exe
- AutoCare.exe
- ASCService.exe
- AdvancedSystemProtector.exe
- guardxkickoff.exe
- guardxkickoff_64.exe
- guardxservice.exe
- guardxservice_x64.exe
- vba32ldr.exe
- vba32ldrgui.exe
- sfc.exe
- iptray.exe
- FortiSettings.exe
- FortiTray.exe
- FortiESNAC.exe
- nanoav.exe
- nanoav64.exe
- nanosvc.exe
- msseces.exe
- MsMpEng.exe
- ARWSRVC.exe
- BDSSVC.exe
- qhpisvr.exe
- REPRSVC.exe
- ASDSvc.exe
- ASDUp.exe
- VipreAAPSvc.exe
- SBAMSvc.exe
- SBAMTray.exe
- ALMon.exe
- ALsvc.exe
- McsAgent.exe
- MBAMService.exe
- mbamtray.exe
- MFEConsole.exe
- nortonsecurity.exe
- ccSvcHst.exe
- SISIPSService.exe
- ZIS.exe
- ZISCore.exe
- avguard.exe
- Avira.ServiceHost.exe
- avgnt.exe
- econser.exe
- avpmapp.exe
- ZAPrivacyService.exe
- vsmon.exe
- K7CrvSvc.exe
- K7FWSrvc.exe
- K7PSSrvc.exe
- K7TSecurity.exe
- BullGuard.exe
- BullGuardCore.exe
- fsulprothoster.exe
- fshoster64.exe
- fshoster.exe
- AgentSvc.exe
- PSANHost.exe
- PSUAService.exe
- avss.exe
- axengine.exe
- avcom.exe
- coreServiceShell.exe
- coreFrameworkHost.exe
- uiWatchDog.exe
- McCSPServiceHost.exe
- McUICnt.exe
- ModuleCoreService.exe
- GDFwSvcx.exe
- ekrn.exe
- avp.exe
- bdservicehost.exe
- dwservice.exe
- spideragent.exe
- AVGSvc.exe
- afwServ.exe
- AvastSvc.exe
- a2service.exe
- QHWatchdog.exe
- QHActiveDefense.exe
- WRSA.exe
- cis.exe
- ccavsrv.exe
- eeCtrl.sys
- eraser.sys
- SRTSP.sys
- SRTSPIT.sys
- SRTSP64.SYS
- a2gffx86.sys
- a2gffx64.sys
- a2gffi64.sys
- a2acc.sys
- a2acc64.sys
- mbam.sys
- eamonm.sys
- MaxProtector.sys
- SDActMon.sys
- tmevtmgr.sys
- tmpreflt.sys
- vcMFilter.sys
- drivesentryfilterdriver2lite.sys
- mpFilter.sys
- PSINPROC.SYS
- PSINFILE.SYS
- amfsm.sys
- amm8660.sys
- amm6460.sys
- caavFltr.sys
- ino_fltr.sys
- avmf.sys
- PLGFltr.sys
- AshAvScan.sys
- csaav.sys
- SegF.sys
- eeyehv.sys
- eeyehv64.sys
- NovaShield.sys
- BdFileSpy.sys
- tkfsft.sys
- tkfsft64.sys
- tkfsavxp.sys
- tkfsavxp64.sys
- SMDrvNt.sys
- ATamptNt.sys
- V3Flt2k.sys
- V3MifiNt.sys
- V3Ift2k.sys
- V3IftmNt.sys
- ArfMonNt.sys
- AhnRghLh.sys
- AszFltNt.sys
- OMFltLh.sys
- V3Flu2k.sys
- vcdriv.sys
- vcreg.sys
- vchle.sys
- NxFsMon.sys
- AntiLeakFilter.sys
- NanoAVMF.sys
- shldflt.sys
- nprosec.sys
- nregsec.sys
- issregistry.sys
- THFilter.sys
- pervac.sys
- avgmfx86.sys
- avgmfx64.sys
- avgmfi64.sys
- avgmfrs.sys
- fortimon2.sys
- fortirmon.sys
- fortishield.sys
- savonaccess.sys
- OADevice.sys
- pwipf6.sys
- EstRkmon.sys
- EstRkr.sys
- dwprot.sys
- Spiderg3.sys
- STKrnl64.sys
- UFDFilter.sys
- SCFltr.sys
- fildds.sys
- fsfilter.sys
- fpav_rtp.sys
- cwdriver.sys
- Rtw.sys
- HookSys.sys
- snscore.sys
- ssvhook.sys
- strapvista.sys
- strapvista64.sys
- sascan.sys
- savant.sys
- vradfil2.sys
- fsgk.sys
- PCTCore64.sys
- PCTCore.sys
- ikfilesec.sys
- ZxFsFilt.sys
- antispyfilter.sys
- PZDrvXP.sys
- ggc.sys
- catflt.sys
- kmkuflt.sys
- mfencoas.sys
- mfehidk.sys
- cmdguard.sys
- K7Sentry.sys
- nvcmflt.sys
- issfltr.sys
- AVCKF.SYS
- bdfsfltr.sys
- bdfm.sys
- AVC3.SYS
- aswmonflt.sys
- HookCentre.sys
- PktIcpt.sys
- MiniIcpt.sys
- avgntflt.sys
- klbg.sys
- kldback.sys
- kldlinf.sys
- kldtool.sys
- klif.sys
- lbd.sys
- rvsmon.sys
- ssfmonm.sys
- KmxAgent.sys
- KmxAMRT.sys
- KmxAMVet.sys
- KmxStart.sys
- ahnflt2k.sys
- AhnRec2k.sys
- AntiyFW.sys
- v3engine.sys
- Vba32dNT.sys
- kprocesshacker.sys
- gdbehave2.sys
- gdkbb32.sys
- gdwfpcd32.sys
- grd.sys
- avgidsdrivera.sys
- avgidsha.sys
- avgldx64.sys
- avgloga.sys
- avgrkx64.sys
- avgtdia.sys
- avgdiska.sys
- avguniva.sys
- avgidsdriverx.sys
- avgidshx.sys
- avgidsshimx.sys
- avgldx86.sys
- avglogx.sys
- avgrkx86.sys
- avgtdix.sys
- bhdrvx64.sys
- ccsetx64.sys
- eectrl64.sys
- idsvia64.sys
- eng64.sys
- ex64.sys
- smr510.sys
- symefasi.sys
- eraserutilrebootdrv.sys
- bhdrvx86.sys
- ccsetx86.sys
- idsvix86.sys
- srtspx.sys
- symevent.sys
- ironx86.sys
- symnets.sys
- gfiark.sys
- gfiutil.sys
- sbwtis.sys
- sbapifs.sys
- webexaminer64.sys
- tmactmon.sys
- tmcomm.sys
- tmebc64.sys
- tmeevw.sys
- tmel.sys
- tmxpflt.sys
- tmnciesc.sys
- tmusa.sys
- vsapint.sys
- tmtdi.sys
- kl1.sys
- klflt.sys
- klfltdev.sys
- klhk.sys
- klim6.sys
- klpd.sys
- kltdi.sys
- klwtp.sys
- kneps.sys
- sdcfilter.sys
- sntp.sys
- sophosed.sys
- mfeapfk.sys
- mfeavfk.sys
- mferkdet.sys
- mfewfpk.sys
- mfebopk.sys
- mfeaack.sys
- mfeclftk.sys
- mfedisk.sys
- mfefirek.sys
- mfehck.sys
- mfenlfk.sys
- mfeplk.sys
- mfeepmpk.sys
- mfeepnfcp.sys
- mfencbdc.sys
- mfencrk.sys
- mpnwmon.sys
- WdBoot.sys
- WdFilter.sys
- WdNisDrv.sys
- aswfsblk.sys
- aswrdr.sys
- aswsp.sys
- aswtdi.sys
- srtspx64.sys
- symds64.sys
- symefa64.sys
- symevent64x86.sys
- ironx64.sys
- avipbb.sys
- ssmdrv.sys
- avkmgr.sys
- avnetflt.sys
- mbamchameleon.sys
- mbamswissarmy.sys
- mwac.sys
- edevmon.sys
- ehdrv.sys
- epfwwfpr.sys
- epfw.sys
- epfwndis.sys
- epfwwfp.sys
- epfwlwf.sys
- eamon.sys
- immunetnetworkmonitor.sys
- immunetprotect.sys
- immunetselfprotect.sys
- 360AntiHacker64.sys
- 360AvFlt.sys
- 360Box64.sys
- 360Camera64.sys
- 360FsFlt.sys
- 360netmon.sys
- bapidrv64.sys
- fsvista.sys
- fshs.sys
- fsbts.sys
- fses.sys
- fsdfw.sys
- fsni64.sys
- bddevflt.sys
- bdfwfpf.sys
- gzflt.sys
- bdupflt.sys
- ignis.sys
- atc.sys
- bdfndisf.sys
- bdftdif.sys
- bdselfpr.sys
- trufos.sys
- avdisk.sys
- econceal.sys
- mwfsmflt.sys
- procobsrvesx.sys
- nnsalpc.sys
- nnshttp.sys
- nnshttps.sys
- nnsids.sys
- nnspicc.sys
- nnspop3.sys
- nnsprot.sys
- nnsprv.sys
- nnssmtp.sys
- nnsstrm.sys
- nnstlsc.sys
- psinaflt.sys
- psinknc.sys
- psinprot.sys
- psinreg.sys
- pskmad.sys
- dvctprov.sys
- nnsnahsl.sys
- nnspihsw.sys
- psindvct.sys
- wrkrn.sys
- wrurlflt.sys
- ahnactnt.sys
- ahnrghnt.sys
- amonlwlh.sys
- amontdlh.sys
- ahawkent.sys
- tffregnt.sys
- ascrts.sys
- cdm2drnt.sys
- medcored.sys
- medvpdrv.sys
- tnfwnt.sys
- tnhipsnt.sys
- tnnipsnt.sys
- tsfltdrv.sys
- tmebc32.sys
- aswarpot.sys
- aswbidsdrivera.sys
- aswbidsha.sys
- aswbloga.sys
- aswbuniva.sys
- aswhdske.sys
- aswhwid.sys
- aswrdr2.sys
- aswrvrt.sys
- aswsnx.sys
- aswstm.sys
- aswvmm.sys
- k7fwhlpr.sys
- avasdmft.sys
- tpsec.sys
- dsio.sys
- tdifw.sys
- tdimapper.sys
- tppfhook.sys
- kldisk.sys
- klbackupflt.sys
- klbackupdisk.sys
- aswbidsdriverx.sys
- aswbidshx.sys
- aswblogx.sys
- aswbunivx.sys
- avgarpot.sys
- avgbidsdrivera.sys
- avgbidsha.sys
- avgbloga.sys
- avgmonflt.sys
- avgnetsec.sys
- avgrdr2.sys
- avgsp.sys
- avgsnx.sys
- avgstm.sys
- avgvmm.sys
- cfwids.sys
- mcpvdrv.sys
- mfesapsn.sys
- avdevprot.sys
- avusbflt.sys
- EraserUtilDrvI32.sys
- SYMEFASI64.sys
- avchv.sys
- tmlwf.sys
- tmwfp.sys
- axflt.sys
- sbwfw.sys
- panda_url_filteringd.sys
- gdwfpcd64.sys
- TS4nt.sys
- SISIPSDriver.sys
- SysPlant.sys
- Teefer.sys
- avgbuniva.sys
- avgNetNd6.sys
- mbae64.sys
- cm_km.sys
- epp.sys
- eppwfp.sys
- 360FsFlt_win10.sys
- BAPIDRV.sys
- BAPIDRV_win10.sys
- BAPIDRV64_win10.sys
- DsArk.sys
- DsArk_win10.sys
- dsark64.sys
- DsArk64_win10.sys
- qutmdrv.sys
- qutmdrv_win10.sys
- EfiMon.sys
- 360AvFlt_win10.sys
- 360avflt64.sys
- 360AvFlt64_win10.sys
- 360AntiHacker.sys
- 360AntiHacker_win10.sys
- 360AntiHacker64_win10.sys
- 360Box.sys
- 360Box_win10.sys
- 360Box64_win10.sys
- 360Camera.sys
- 360Camera_win10.sys
- 360Camera64_win10.sys
- qutmipc.sys
- qutmipc_win10.sys
- 360netmon_50.sys
- 360netmon_60.sys
- 360netmon_wfp.sys
- 360netmon_x64_wfp.sys
- 360netmon_x64.sys
- 360SelfProtection.sys
- 360SelfProtection_win10.sys
- hookport.sys
- hookport_win10.sys
- MorphiDriver.sys
- aswbdiska.sys
- aswNetNd6.sys
- aswNetSec.sys
- BdAgent.sys
- BdSpy.sys
- BdNet.sys
- BdSentry.sys
- CdmDrvNt.sys
- ISPrxEnt.sys
- ISFWEnt.sys
- ISIPSEnt.sys
- ISPIBEnt.sys
- AhnSZE.sys
- cmderd.sys
- cmdhlp.sys
- inspect.sys
- isedrv.sys
- CiscoAMPCEFWDriver.sys
- CiscoAMPHeurDriver.sys
- FortiFilter.sys
- fortiapd.sys
- ftvnic.sys
- ftsvnic.sys
- pppop64.sys
- DrWebLwf.sys
- dwdg.sys
- dw_wfp.sys
- NTGUARD_X64.sys
- Vba32d64.sys
- Vba32m64.sys
- atkldrvr.sys
- wsnf.sys
- WSFILTER.sys
- webssx.sys
- bdsflt.sys
- bdsnm.sys
- arwflt.sys
- emltdi.sys
- ISWKL.sys
- vsdatant.sys
- zef.sys
- zsc.sys
- znf.sys
- aswTap.sys
- avgbdiska.sys
- avgHwid.sys
- avgRvrt.sys
- cmdboot.sys
- cmdcss_vista.sys
- cmdcss_win7.sys
- cmdcss_win8.sys
- cmdcss_xp.sys
- isedrv_vista.sys
- isedrv_win7.sys
- isedrv_win8.sys
- isedrv_xp.sys
- klbackupdisk.sys
- klelam.sys
- klkbdflt2.sys
- klpnpflt.sys
- klwfp.sys
- kltap.sys
- bddci.sys
- bdelam.sys
- bdprivmon.sys
- bdsyslogphysicalmemorydumper.sys
- bdvedisk.sys
- trufosalt.sys
- eelam.sys
- ekbdflt.sys
- epfwtdi.sys
- EpfwTdiR.sys
- mfeclnrk.sys
- HipShieldK.sys
- tmumh.sys
- BdBoot.sys
- fwndislwf32.sys
- fwndislwf64.sys
- fwwfp732.sys
- fwwfp764.sys
- fselms.sys
- fsulgk.sys
- fsbts_x64.sys
- aftap0901.sys
- PSBoot.sys
- K7FWFilt.sys
- K7RKScan.sys
- K7TdiHlp.sys
- avdisk64.sys
- econceal.lwf.Vista64.sys
- econceal.lwf.Win7_64.sys
- econceal.lwf.Win8_64.sys
- econceal.vista64.sys
- ESWfp64.sys
- mwfsmfltx.sys
- MWRM64.sys
- PROCOBSRVES.sys
- icsak.sys
- kl2.sys
- klim5.sys
- kltdf.sys
- farflt.sys
- eraser64.sys
- symevnt.sys
- SyDvCtrl64.sys
- WGX64.sys
- SISIDSRegDrv32_post-vista.sys
- SISIDSRegDrv64_post-vista.sys
- SISIPSDeviceFilter32_post-vista.sys
- SISIPSDeviceFilter64_post-vista.sys
- SISIPSDriver32_post-vista.sys
- SISIPSDriver64_post-vista.sys
- SISIPSFileFilter32_post-vista.sys
- SISIPSFileFilter64_post-vista.sys
- SISIPSNetFilter32_post-vista.sys
- SISIPSNetFilter64_post-vista.sys
- NisDrvWFP.sys
- BSFS.sys
- CONIO.sys
- ELAMDRV.sys
- ELRKTRM.sys
- EMLSSX.sys
- KBFLTR.sys
- llio.sys
- mscank.sys
- WEBSSX8.sys
- wstif.sys
- athpexnt.sys
- MeDVpHkD.sys
- gfiark32.sys
- gfiark64.sys
- gfiutl32.sys
- gfiutl64.sys
- VipreELAM.sys
- sbfw.sys
- sbhips.sys
- SBTIS.sys
- sbfwht.sys
- SbFwIm.sys
- SBTISHT.sys
- sbaphd.sys
- sbapifsl.sys
- ALYac40.exe
- EstPdc.sys
- EstRtw.sys
- EstFwt.sys
- VC90Setup_P_DESKTOP_All_x64.exe
- sga_ntf_x64.sys
- sga_ntf_x86.sys
- eps_sys_x64.sys
- eps_sys_10_x64.sys
- eps_min_xp64.sys
- eps_min_x64.sys
- eps_min_10_x64.sys
- V3Lite_Setup.exe
- hsbdrvnt.sys
- mkd2bthf.sys
- mkd2nadr.sys
- ViRobot7x64_Trial.exe
- ViRobot7x86_Trial.exe
- ViRobotAPTShieldSetup_Free.exe
- tewebproect.sys
- tkctrl2k.sys
- tkfsav.sys
- tkfsft.sys
- tkfwfv.sys
- tkfwvt.sys
- tkidsvt.sys
- tkpcfthk.sys
- tkrgac2k.sys
- tkrgftxp.sys
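The two lists above describe a rootkit that keeps security drivers from loading and blocks security processes by name, so the first triage question on a suspect host is whether the protection the registry says should be running actually is. The following is an added example, not Trend Micro's tooling and not part of the original write-up. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the function name, the defaults (the Microsoft Defender components WdBoot, WdFilter, WdNisDrv and MsMpEng.exe, all of which appear in the lists above) and the `fltmc filters` one-filter-per-line output format are assumptions of this example, and the vendor substrings are a subset of the blocked publishers chosen for illustration.

```powershell
function Test-SecurityStackLoaded {
    param(
        [string[]] $DriverNames  = @('WdBoot', 'WdFilter', 'WdNisDrv'),   # service names from the list above
        [string[]] $Minifilters  = @('WdFilter'),
        [string[]] $ProcessNames = @('MsMpEng'),
        # Signer substrings, a subset of the publishers the rootkit blocks (example selection)
        [string[]] $Vendors = @('Trend Micro', 'Kaspersky', 'Sophos', 'McAfee', 'ESET', 'Bitdefender',
                                'AVAST', 'Malwarebytes', 'Avira', 'Doctor Web', 'F-Secure', 'Check Point')
    )
    $report  = [System.Collections.Generic.List[object]]::new()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver

    # 1. Named kernel drivers: what the SCM was told (StartMode) versus what is loaded (State).
    foreach ($name in $DriverNames) {
        $d = $drivers | Where-Object Name -eq $name
        $status = if ($d) { "$($d.StartMode) / $($d.State)" } else { 'not registered' }
        $report.Add([pscustomobject]@{ Check = "driver $name"; Status = $status; Ok = [bool]($d -and $d.State -eq 'Running') })
    }

    # 2. Minifilter actually attached: 'fltmc filters' (needs elevation) prints one attached filter per line.
    $fltLines = & fltmc.exe filters 2>$null
    foreach ($f in $Minifilters) {
        $attached = [bool]($fltLines | Where-Object { $_ -match ('^\s*' + [regex]::Escape($f) + '\s') })
        $status = if ($attached) { 'attached' } else { 'absent' }
        $report.Add([pscustomobject]@{ Check = "minifilter $f"; Status = $status; Ok = $attached })
    }

    # 3. User-mode engine process present (the rootkit blocks these by image name).
    foreach ($p in $ProcessNames) {
        $running = [bool](Get-Process -Name $p -ErrorAction SilentlyContinue)
        $status = if ($running) { 'running' } else { 'not running' }
        $report.Add([pscustomobject]@{ Check = "process $p.exe"; Status = $status; Ok = $running })
    }

    # 4. Any other auto-start driver that is NOT running and is signed by a blocked vendor:
    #    the visible symptom of "disables loaded and new drivers".
    foreach ($d in $drivers | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' -and $_.State -ne 'Running' -and $_.PathName }) {
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $subject = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        $v = $Vendors | Where-Object { $subject -like "*$_*" } | Select-Object -First 1
        if ($v) {
            $report.Add([pscustomobject]@{ Check = "driver $($d.Name) [$v]"; Status = "$($d.StartMode) / $($d.State)"; Ok = $false })
        }
    }
    $report
}

# Usage: Test-SecurityStackLoaded | Format-Table -AutoSize
```

A row with Ok = False for a Boot- or System-start security driver that has a valid vendor signature but is not running, with no corresponding service failure in the System event log, is the pattern this rootkit produces. Because the rootkit hides its own files, processes and registry entries, a clean result from this check on the live system does not prove absence; it only tells you whether the security stack is functional.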
SOLUTION
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as Rootkit.Win64.FAKEVM.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Step 3
Restart in Safe Mode
Step 4
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- {random string}
Step 6
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode; for instructions on how to do this, you may refer to this page. Note that a driver service in the "Boot Bus Extender" group is still loaded in Safe Mode, so while the driver is running the keys below may be hidden or refuse access; if they are, load the SYSTEM hive offline (from the Windows Recovery Environment or another installation) and delete them there.
- In HKEY_LOCAL_MACHINE\SYSTEM
- {Thread ID}
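Steps 5 and 6 delete a service key that the Autostart Technique section describes (Start = 0, Type = 1, Group = "Boot Bus Extender", ImagePath under \drivers\) and a thread-ID-named key directly under HKEY_LOCAL_MACHINE\SYSTEM, and the rootkit both hides its keys and denies access to them while it is running. The following is an added example, not Trend Micro's tool and not code from the original description; it locates keys matching that profile either in the live registry or in an offline SYSTEM hive loaded with reg.exe, and removes them only when asked. It assumes PowerShell 5.1 or later running elevated; the function name, the temporary mount name HKLM\FAKEVM_OFFLINE, the rule "a boot-bus driver without a valid signature is suspect", and the assumption that the {Thread ID} key name consists of decimal digits are this example's own, not facts from the write-up.

```powershell
function Find-FakeVmKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $HivePath,   # offline SYSTEM hive, e.g. D:\Windows\System32\config\SYSTEM
        [switch] $Remove      # delete what is found; honours -WhatIf / -Confirm
    )
    $root = 'HKLM:\SYSTEM'; $winDir = $env:SystemRoot; $loaded = $false
    if ($HivePath) {
        # reg.exe needs the hive not to be in use, i.e. run this from WinRE or a second OS.
        & reg.exe load 'HKLM\FAKEVM_OFFLINE' $HivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath" }
        $root = 'HKLM:\FAKEVM_OFFLINE'; $loaded = $true
        # ...\Windows\System32\config\SYSTEM  ->  ...\Windows, used to resolve ImagePath
        $winDir = Split-Path (Split-Path (Split-Path $HivePath))
    }
    try {
        # An offline hive has no CurrentControlSet link; Select\Current names the real control set.
        $ccs = "$root\CurrentControlSet"
        if ($loaded) { $ccs = '{0}\ControlSet{1:D3}' -f $root, (Get-ItemProperty -LiteralPath "$root\Select").Current }

        $hits = @(foreach ($k in Get-ChildItem -LiteralPath "$ccs\Services" -ErrorAction SilentlyContinue) {
            try { $p = Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction Stop }
            catch {
                # Elevated code can read every service key; a denial is the rootkit's self-protection.
                if ($_.Exception -is [System.Security.SecurityException] -or
                    $_.Exception -is [System.UnauthorizedAccessException]) {
                    [pscustomobject]@{ Key = $k.PSPath; Why = 'access denied to service key' }
                }
                continue
            }
            if ($p.Start -ne 0 -or $p.Type -ne 1 -or $p.Group -ne 'Boot Bus Extender') { continue }
            $img = [string]$p.ImagePath
            $img = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$winDir\" -replace '^%SystemRoot%', $winDir
            if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $winDir $img }
            $status = if (Test-Path -LiteralPath $img) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'FileMissing' }
            # Genuine boot-bus drivers (pci, msisadrv, ...) carry a valid Microsoft signature.
            if ($status -ne 'Valid') {
                [pscustomobject]@{ Key = $k.PSPath; Why = "boot-start kernel driver $img, signature $status, Tag=$($p.Tag)" }
            }
        })
        # The configuration key sits directly under SYSTEM, named after a thread ID.
        # Assumption: that ID appears as decimal digits, which no stock SYSTEM subkey uses.
        $hits += @(Get-ChildItem -LiteralPath $root | Where-Object { $_.PSChildName -match '^[0-9]+$' } |
                   ForEach-Object { [pscustomobject]@{ Key = $_.PSPath; Why = 'numeric key directly under SYSTEM' } })

        if ($Remove) {
            foreach ($h in $hits | Where-Object { $_.Why -notlike 'access denied*' }) {
                if ($PSCmdlet.ShouldProcess($h.Key, 'Remove-Item -Recurse')) {
                    Remove-Item -LiteralPath $h.Key -Recurse -Force
                }
            }
        }
        $hits
    } finally {
        if ($loaded) {
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release provider handles before unload
            & reg.exe unload 'HKLM\FAKEVM_OFFLINE' | Out-Null
        }
    }
}

# Usage: Find-FakeVmKeys                                                   # live, read-only
#        Find-FakeVmKeys -HivePath D:\Windows\System32\config\SYSTEM -Remove -WhatIf
```

Run it read-only first and review each hit; the signature rule is a heuristic, and a legitimately unsigned third-party boot driver would also be listed. Removing the service key offline is what keeps the driver from loading on the next boot, after which the {random string}.sys file under %System%\drivers can be deleted and Step 7 carried out.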
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Rootkit.Win64.FAKEVM.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.