home >> tools >> spy dll remover v1

SpyDLLRemover

TOP

SpyDLLRemover is the standalone tool to efficiently detect and delete spywares from the system. It uses multiple techniques such as direct syscall implementation, CSRSS process handle detection, PIDB method etc to find out the user land rootkit processes. But the main focus of the tool is to help in removing malicious DLLs quickly and easily by displaying all DLLs within the process with various threat levels and then using the DLL injection based technique to unload them completely. It employs low-level implementation that makes it effective against any userland rootkits.

Features of SpyDLLRemover

TOP

  • Detect hidden userland rootkit processes using multiple techniques such as

    • - Direct NT System Call Implementation
    - Process ID Bruteforce Method (PIDB) as first used by BlackLight
    - CSRSS Process Handle Enumeration Method

  • Detect the hidden DLL/module within process by using loaded list traversal technique.


  • It uses the direct system calls to perform process related operations which defeats any attempt to hide by userland rootkits.


  • Separate out the modules/DLLs based on the various threat levels such as hidden dll, BHO plugin dll, and system dll, AppInit DLL etc that makes it effective to detect malicious modules.


  • DLLs are marked with different color based on threat level, which makes it easy and quick to eliminate the spyware DLLs.


  • It presents state of art technique for Removing the DLL from Remote Process based on DLL Injection method to completely unload the DLL in just one click.


  • Terminate any suspicious or hidden process directly using NT system calls.


  • It has integrated online verification mechanism through ProcessLibrary.com to validate any suspcious DLLs.

    • This makes it easy to differentiate between the spyware & legitimate DLLs.

  • Displays detailed information about all running processes on the system

    • - Process name
    - Process Id
    - Company Name
    - Process Description
    - Memory Utilization
    - Process Binary Path
    - Process File Size
    - File Install Date

  • Shows detailed information about each loaded DLLs within process to make it easier for manual analysis.

    • - DLL Name
    - Company Name
    - Description
    - Comment about type of DLL (System, Hidden, Suspicious)
    - Load/reference count of DLL
    - Loading Type (static/dynamic)
    - DLL File Size
    - File Install Date
    - Base Address of DLL
    - Entry point of DLL
    - Full DLL File Path

  • It is standalone tool which can be executed directly as it does not require any installation.


SpyDLLRemover in Action

TOP

Here is couple of screenshots of SpyDLLRemover, which demonstrates its effectiveness in detecting spywares and eliminating them with ease.

Screenshot 1: SpyDLLRemover detecting the HackerDefender rootkit process.


*To zoom in - click the image*

Screenshot 2: SpyDLLRemover detecting the hidden modules/DLLs loaded by Vanquish Rootkit.


*To zoom in - click the image*

Screenshot 3: SpyDLLRemover showing DLLs within explorer.exe process with various threat levels. It has detected various category of DLLs such as AppInit DLL, BHO DLL etc.


*To zoom in - click the image*

Download SpyDLLRemover

TOP

Platform:
Windows 2000, XP, 2003, Vista, Longhorn (32 bit)
On 64 bit platform, only 32 bit processes are supported.

Integrity HASH:

SpyDLLRemover.rar
MD5:2b030b71987076f8558b91ed37ff8ff5
SHA-1:18abdbd65a03b1893ab66d0328e5f996eb378b3a
SHA-256:
54905e0d6757d7daaf6efd3b01ae75a8684cd919ba0e71b5ee90fde2fa03f513

SpyDLLRemover.exe
MD5:f21f633deba47dc651ad7581aa9d0df6
SHA-1:06215f0c2d3a0dc64354f78600dca875c8301f7a
SHA-256:
ea068f2d62893bb37cfc9e317dc12c0f1d10588d281861009846f50e94ae1c63

spydllremover1_hackerdefender.bmp
MD5:ffaa0ba350b4dd3c05f610237548c25f
SHA-1:7a3c28d5b4153d3dfcdb454e4bae1683a43e43d4
SHA-256:
980a02df3cd4dd0bc9b157e0727f588b8d70829de69d0a290fe8e0a03ae72c10

spydllremover2_vanquish.bmp
MD5:0c534c946d08c35c9c9ed1246032ebe0
SHA-1:f28d07911ed87e5bf0e802fbc2b73a0aa552e984
SHA-256:
783fdd524e806fdee5c2d67fcb7d24e83c97413794b75af95dfc0612bf3a8d22

spydllremover3_explorer_appinit_bho.bmp
MD5:60ea1c17e63757501793be03fdbbb6e1
SHA-1:31b43ee82f798bd1c76e91746e45c01b4cd92ae5
SHA-256:
3e080b3e0e93e4885399cc6f393531c94017010a80d4f270ac84195236153989
spydllremover.txt
MD5:d8d7a574fa4f4c48670e632e7c7d203b
SHA-1:b24a2b60b4065bdff14bc554799b5b3f7899455b
SHA-256:
d15ca9b852d4e9cbb82ebc54c4cb06285ac61fbcbe1da30b0bb22ede60a83d4d

Click the following to download:

Download Elfstat

Blogs

Testimonials: Rootkit Analytics Tools
Nagareshwar Talekar
Sun, 07 Mar 2010 23:19:04 +0000

Rootkit Analytics has come up with a “Testimonials” section. This can be seen in our web portal, www.RootkitAnalytics.com: [Click on the above image to enlarge view] We welcome all our users to submit testimonials, as this would increase your visibility in our community and we provide Extended FREE Support* to these users. Enterprise Users: If you are using our [...]


HiddenADSExplorer – Update from Research Center
Nagareshwar Talekar
Mon, 01 Mar 2010 20:29:23 +0000

As our next tool, HiddenADSExplorer is moving towards the final beta stage, we bring you the latest update straight from our research center. HiddenADSExplorer is the first ever tool to not only scan for hidden streams but to explore, analyze and quickly detect hidden malicious content within the streams using the advanced analysis technique.  It is [...]


Ridgewood Cable & Rootkit Analytics – Extends Support
Nagareshwar Talekar
Mon, 22 Feb 2010 01:16:54 +0000

Hello Folks, Thank you for helping us by reading our stuff & using our tools. We are proud to say that we are extending our support to our first ISP Customer – Ridgewood Cable. Thanks to Joshua A. Coody for making this happen. We provide free support: to upgrade our tools to what you would like, if it [...]


Openings for Rootkit Analysts
Nagareshwar Talekar
Wed, 10 Feb 2010 19:34:09 +0000

Rootkit Analytics is seeking for Rootkit Analysts [volunteering] with varying skill-sets and at different levels to join our team.  As a Rootkit Analyst, you will be involved with: Detection, analysis and documentation of rootkits. What would a Rootkit Analyst do? A rootkit analyst would work on collection, research and analysis of rootkit samples. The analyst would be categorizing [...]


New SpyDLLRemover to Remove DLL from System Process
Nagareshwar Talekar
Tue, 09 Feb 2010 04:28:20 +0000

The newer version of SpyDLLRemover v3.2 now support removal malicious DLL from system processes on Vista/Win7 platforms. Starting with Vista, Windows has introduced the session separation feature which prevents processes in one session interacting with process in another session. Normally all system processes including services live in session 0. All user session starts with session 1. [...]


SpyDLLRemover & Misconceptions
Nagareshwar Talekar
Sun, 07 Feb 2010 17:03:06 +0000

No software is perfect in this world and so is the SpyDllRemover. I am writing this post here to clear some of the misconceptions about SpyDllRemover. Many times people complain that SpyDllRemover is showing false positive or listing the legitimate DLL as malicious. SpyDLLRemover uses heuristic approach for deducing the type of threats unlike other anti-virus/anti-spy [...]


SpyDLLRemover on Facebook
Nagareshwar Talekar
Sat, 23 Jan 2010 06:30:38 +0000

SpyDLLRemover was published on Facebook’s ‘Tips, Trick & Tutorial’ section. This is Facebook’s additional section where it lists top tools on the web which make our day to day life easier. Its the proud moment for all of us at RootkitAnalytics to see the SpyDLLRemover being listed at Facebook. .


Coming Soon – HiddenADSExplorer
Nagareshwar Talekar
Sun, 10 Jan 2010 11:33:10 +0000

HiddenADSExplorer, another smart tool from the RootkitAnalytics will be hitting the market in early next month.  This is the GUI based application to detect and destroy hidden malicious alternate data streams (in short ADS) from the system.  Rootkits often hide their traces in the covers of ADS as they are lesser known and no sophisticated [...]


DWTF – DLL Watcher & Template Framework
Nagareshwar Talekar
Thu, 17 Dec 2009 18:33:40 +0000

DWTF (DLL Watcher & Template Framework) is the simple engine designed by Dreg to create duplicate or fake DLL from the original DLL. It creates separate export section in the new fake DLL with each entry pointing to export section of original DLL. In short this new fake DLL acts like interceptor and can be useful [...]


Blogs are now listed on the main page!
evilfingers
Fri, 11 Dec 2009 03:00:28 +0000

We are doing our best to keep you posted with up-to-date stuff on Rootkit Analytics world. For your convenience, the top 10 blogs are also listed on the main site: www.RootkitAnalytics.com. Soon, we would have posts on whats going on in the external world related to the science of rootkit analysis, comparison of rootkit analysis tools, [...]

Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Spy DLL Remover: Were you looking for a tool to detect userland rootkits in your Windows box?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0 dwtf is a DLL copying engine ... [read more]

Number of Installations

Spy DLL Remover32264
Elfstat1054
KsiD670
SHC504
dwtf415

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets


@EvilFingers yep. on 3. March 2010 19:15:10 CET :)

@EvilFingers np :) could it be that my mail from yesterday is lying in the spam folder again? :)

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://bit.ly/8ZiI5o #zataz

@EvilFingers NP its also interesting to see various ways of detecting malware, another thing to add to my ToDo list.

RT @sucuri_security: RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog:Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: I am trying to find some really good vbulletin skins/themes/templates, paid & free versions. contact.fingers@gmail.com

@EvilFingers I'm more than a little biased, but I say neither. Both are expensive, have far more features than I need, and are heavy srvr.

@EvilFingers I look short in this way on google. http://bit.ly/9XrPeG

www.spywareanalytics.com has just been released in the wild. Thanks for the service @EvilFingers

@EvilFingers SpywareAnalytics.com looks good...nice job!