CastleCops® - The Gromozon Rootkit - Detection and Removal

The Gromozon Rootkit is a user mode rootkit that installs a variant of LinkOptimizer adware and occasionally the rogue antispyware program called Brave Sentry, a desktop hijacker. It is named after the site which distributes the threat. This threat pulls out all the tricks including random file naming, file morphing, file encryption (EFS), hiding in the AppInit_DLLs value of the Windows Registry key, using Windows reserved file names, using Alternate Data Streams (ADS) to hide in the system32 folder on NTFS file systems, and disabling rootkit and system analysis tools. The good thing is that Prevx came out with a removal tool for this beast, which you can find a link to after you read the following symptoms discussion.

From an operational point of view, one of the biggest symptoms is an inability to run most security programs. The Gromozon coders have done this to seriously curtail your chances of removing the threat. The following are symptoms of the Gromozon Rootkit in a HijackThis Log, but please be aware that they are not always present:

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page =

R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1A06B098-0011-88C0-89F1-281F7413084A} - C:/WINDOWS/krctv1.dll (file missing)

Negster22, one of our own CastleCops staff who has also co-authored a book on "Rootkits for Dummies" out on Amazon has authored the bulk of our Wiki article highlight: "The Gromozon Rootkit - Detection and Removal". This article has also been maintained by other Wiki participants -- Thank you!

To read the detection and removal of the Gromozon Rootkit in full detail, visit the wiki page.


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 113ppm 0.152s (0.009s) Making cybercriminals unhappy since 2002*