Removal of the Noskrnl.exe and Noskrnl.sys rootkits

How to remove the Noskrnl.exe and Noskrnl.sys rootkits using RegRun Reanimator, a free removal tool

Noskrnl is not a new rootkit. It is a new version of the Spooldr rootkit.

The Noskrnl rootkit is spread by e-mail. The attachment often has the file name "SuperLaugh.exe" or a similar name.

RegRun detects the working driver (not hidden) during the "Scan for Viruses" process.

It also detects the open process immediately after reboot.

But the noskrnl.exe file is hidden by rootkit technology.

The new version of Spooldr, "Noskrnl", doesn't change the standard Windows tcpip.sys driver.

Noskrnl uses "noskrnl" subkeys under HKLM\System\CurrentControlSet\Services and under all other "ControlSet" keys.

How does the rootkit work?

Windows starts by loading the "noskrnl.sys" driver.

"Noskrnl.exe" starts from the registry Run key. The driver is used for hiding the rootkit files.

Noskrnl.exe is used for propagation.

Noskrnl.config is located in the Windows folder. It sets the port used and some other settings.
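
The artifacts described above can be checked with a short read-only PowerShell script. This is an added example, not part of RegRun or of the original article; it assumes an elevated prompt, and checking both the HKLM and HKCU Run keys is an assumption, since the article does not say which one is used.

```powershell
# Added example: read-only check for the Noskrnl artifacts named in this article.
$name     = 'noskrnl'
$findings = @()

# 1. "noskrnl" service subkey under CurrentControlSet and every ControlSetNNN key.
$sets = @('CurrentControlSet') + @(
    Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d+$' } |
        Select-Object -ExpandProperty PSChildName)
foreach ($set in $sets) {
    $svcKey = "HKLM:\SYSTEM\$set\Services\$name"
    if (Test-Path -LiteralPath $svcKey) {
        $p = Get-ItemProperty -LiteralPath $svcKey
        $findings += [pscustomobject]@{
            Type     = 'ServiceKey'
            Location = $svcKey
            Detail   = "ImagePath=$($p.ImagePath); Start=$($p.Start)"
        }
    }
}

# 2. Run-key values whose name or data mentions noskrnl (HKLM and HKCU are assumed).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($valueName -match $name -or $data -match $name) {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$key\$valueName"; Detail = $data
            }
        }
    }
}

# 3. Noskrnl.config in the Windows folder. The driver hides rootkit files, so on a
#    running infected system this check can come back empty even when the file exists.
$config = Join-Path $env:windir "$name.config"
if (Test-Path -LiteralPath $config) {
    $findings += [pscustomobject]@{ Type = 'ConfigFile'; Location = $config; Detail = '' }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Noskrnl registry or config artifacts were visible from this session.' }
```

Because the driver hides files from the running system, an empty file result is more trustworthy when the same checks are run against the disk from a clean boot environment.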

Conclusion

I suggest using RegRun Platinum Edition to be sure that you are clear!
Good luck!
Dmitry Sokolov