HINWEIS:
Nicht alle von mir hier gezeigten Programme sind getestet. Ich kann daher nur empfehlen das Programm mit vorsicht zu geniessen oder nur auf Anweisung zu verwenden. Mods kann ich nur empfehlen derartige Programme vorher zu testen um Usern besser zu helfen.

copied from http://forums.mcafeehelp.com/viewtopic.php?t=57078


WinKRootkit Removal Tool v1.0
used by variants of:
- AdWare-CommonName
- Wareout and its downloaders
- Navipromo
- Hotoffers



I have created an automatic tool to remove Trojan WinKRootKit which is currently set up to protect Adware-CommonName (Adware-CommonName.dll).

What does this tool do?

* Creates a log on the All Users Profile Desktop, "WinKRootKit.txt"
* Detect the presense of the WinKRootkit service.
* Locate the protected program file(s) that are running and kills them.
* Disables the rootkit protection
* Deletes the protected files
* Removes registry data added by the protected programs.
* Restarts the computer
* Removes WinKRootKit Service and kernel file.
* Removes anything left over from the first session (before reboot)
* Restarts the computer

Download Link -> http://secured2k.home.comcast.net/to...KitRemover.exe [116 KB]
MD5 Sum: d37ebc5381fc84bf03d67c1bbea09fbd

More information about the rootkit
The trojan hooks into some low level service points. Here are the values this root kit monitors:

* NTDeleteKey
* NTDeleteValueKey
* NTEnumerateKey
* NTEnumerateValueKey
* NTSetValueKey


What this means is as long as this kernel driver is running, it can intercept, change, protect, or hide registry keys and values. This is why tools like KillBox do not work. The Registry keys to delete this trojan on reboot are automatically undone. Also, any attempt to remove protected files will be denied. The kernel driver is loaded as a File System Driver (Can't be unloaded once loaded) and starts at BOOT. This means it is loaded VERY early in the boot process, before the Windows 2000/XP logo startup sequence.