Recently we discovered that Exterminate It! is being detected by several antivirus / firewall products as Trojan-GameThief.Win32.Taworm.zt.
We have received many complaints from our customers about this issue. Kaspersky, F-Secure and ZoneAlarm are detecting us as a trojan and blocking Exterminate It! from executing.
We contacted the Kaspersky Virus Analyst Team, and here is their response:
Hello,
Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.
Regards, Vladislav Pintiysky
Virus Analyst
We would like to thank the Kaspersky Analyst Team for their fast reaction. Exterminate It! will shortly be removed from their detections; stay tuned.
False positives happen very often in the antimalware industry.
We inform the companies that develop antimalware/antivirus software about these Exterminate It! false detections.
If you encounter such a false positive detection, please let us know which antimalware/antivirus software you are using (specify the exact version and edition of the product).
Alternatively, you can contact the antimalware company yourself. It would be great if you described your experience with Exterminate It! in that message.
Some companies do not react to false positive inquiries at all. From this you can judge whether it is reasonable to use such antimalware products when the currency and cleanness of their malware database are not maintained.
We would like to note that over the history of Exterminate It! our antimalware product has erroneously been detected as “malware” (false positive) by the following products under different names:
- Kaspersky (Trojan-GameThief.Win32.Taworm.zt)
- Avira (SPR/Fake.Exter.2)
- Jiangmin (TrojanDownloader.Delf.dwh)
- AntiVir (SPR/Fake.Exter.2)
- McAfee-GW-Edition (Riskware.Fake.Exter.2)
- CAT-QuickHeal (Trojan.Agent.ATV)
- eSafe (Win32.SPRFake.Exter)
Here are a few examples of such detections on the VirusTotal service:
We guarantee that our software contains no malicious code. It is purely an antimalware solution without any illegitimate functionality.
As a temporary solution, you can disable any other antimalware software installed on your computer and report the incorrect detection/removal to the developers of these applications.
You can also add the Exterminate It! installation folder to the Ignore list (if your antimalware suite supports this).
A rootkit is a program or a set of programs designed to provide privileged access to a computer system and, at the same time, to hide itself or its associated files from detection.
Historically, rootkit tools appeared on Unix-like operating systems as programs that provided an intruder with the most privileged (root) access to the system. Today, rootkits exist for all the most popular operating systems, from Windows to Linux. Windows rootkits allow the attacker to gain the most privileged access to the system.
Rootkits can be divided into kernel-mode and user-mode:
- Kernel-mode rootkits replace or modify parts of the operating system or add code to it. Usually, rootkits of this type are implemented as device drivers (Windows) or loadable kernel modules (Linux). Kernel-level rootkits obtain unrestricted access to all system resources and, in effect, become part of the operating system. That is why kernel-mode rootkits are invisible to most anti-spyware and antivirus applications. This is the most dangerous and hardest-to-remove type of rootkit. When you try to remove a kernel-mode rootkit, you need to operate at the lowest system level. This must be done very carefully, because any wrong action can lead to a system crash. Exterminate It! successfully works at this level.
- User-mode rootkits intercept and replace system calls in order to protect themselves from detection and to hide information about the intruder. On Windows, such rootkits are implemented as dynamic link libraries (DLLs).
User-mode rootkit hooking can be performed in different ways:
- DLLs (libraries with executable code) can be loaded into other processes and act on their behalf.
- Files or processes can be patched, either on disk or directly in memory.
Such rootkits can change the behavior of regular applications.
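The in-memory patching described above usually overwrites the first bytes of an API function with a jump into the rootkit's DLL (an "inline hook"). The defender's check is to compare the function prologue seen in a process with the same bytes in the module file on disk, classify any difference, and, for unhooking, write the clean bytes back. The following is an added example written for this post, not code from Exterminate It!; it works on constructed byte strings and constructed addresses rather than a live process, and the export table (FindFirstFileW, NtQueryDirectoryFile, CreateFileW at made-up addresses) is hypothetical.

```python
"""
Inline-hook check for user-mode rootkits: compare the first bytes of an
exported function as seen in a process (memory snapshot) with the bytes from
the module on disk, classify the difference, and restore the clean prologue.

Added example. All addresses, function names and byte strings below are
constructed for illustration; nothing here reads a live process.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HookReport:
    name: str
    hooked: bool
    kind: Optional[str] = None    # "jmp_rel32", "jmp_indirect", "push_ret" or "patched"
    target: Optional[int] = None  # where the hook transfers control, if decodable


def decode_redirect(code: bytes, address: int) -> Optional[Tuple[str, int]]:
    """Decode a 32-bit x86 control-transfer stub located at `address`.

    Recognises the three stubs inline hooks commonly write over a prologue:
      E9 rel32        JMP rel32 (relative to the end of the 5-byte instruction)
      FF 25 abs32     JMP DWORD PTR [abs32] (pointer to the target lives at abs32)
      68 imm32 / C3   PUSH imm32; RET
    Returns (kind, target) or None if the bytes are not such a stub.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_prologue(name: str, address: int, memory: bytes, disk: bytes) -> HookReport:
    """Compare the in-memory prologue of one function with its on-disk prologue."""
    n = min(len(memory), len(disk))
    if memory[:n] == disk[:n]:
        return HookReport(name, hooked=False)
    decoded = decode_redirect(memory, address)
    if decoded is None:
        # Bytes differ but do not form a recognisable jump. This may be an unusual
        # hook, but it may also be a legitimate patch, so report instead of "fixing".
        return HookReport(name, hooked=True, kind="patched")
    kind, target = decoded
    return HookReport(name, hooked=True, kind=kind, target=target)


def unhook(memory: bytes, disk: bytes) -> bytes:
    """Return the memory snapshot with the original prologue written back.

    For an inline hook this is what "rootkit unhooking" amounts to: the bytes
    the hook overwrote are copied back from the clean on-disk image.
    """
    n = min(len(memory), len(disk))
    return disk[:n] + memory[n:]


def scan_exports(exports: Dict[str, Tuple[int, bytes, bytes]]) -> List[HookReport]:
    """Check every (address, memory_bytes, disk_bytes) entry; return reports for hooked ones."""
    reports = (check_prologue(n, a, m, d) for n, (a, m, d) in exports.items())
    return [r for r in reports if r.hooked]


# --- constructed sample data -------------------------------------------------
# A typical hot-patchable Win32 prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,10h
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")


def make_jmp_hook(address: int, target: int) -> bytes:
    """What a JMP rel32 hook leaves in memory at `address` (first 5 bytes overwritten)."""
    return b"\xE9" + struct.pack("<i", target - (address + 5)) + CLEAN_PROLOGUE[5:]


def make_push_ret_hook(target: int) -> bytes:
    """What a PUSH imm32; RET hook leaves in memory (first 6 bytes overwritten)."""
    return b"\x68" + struct.pack("<I", target) + b"\xC3" + CLEAN_PROLOGUE[6:]


# Hypothetical export table: name -> (address, bytes seen in memory, bytes from disk)
SAMPLE_EXPORTS = {
    "FindFirstFileW": (0x77D5A000, make_jmp_hook(0x77D5A000, 0x10001000), CLEAN_PROLOGUE),
    "NtQueryDirectoryFile": (0x77D5B000, make_push_ret_hook(0x10002000), CLEAN_PROLOGUE),
    "CreateFileW": (0x77D5C000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for report in scan_exports(SAMPLE_EXPORTS):
        where = f"{report.target:#010x}" if report.target is not None else "?"
        print(f"{report.name}: {report.kind} -> {where}")
```

The comparison is only meaningful for bytes that contain no relocations, which holds for the standard prologue above but not for every function; a difference that does not decode to a known jump stub is therefore reported as "patched" rather than restored automatically.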
Rootkits differ from other malicious software in their function. The main function of a rootkit is to maintain control over the infected computer system, hide itself and associated malware files, and provide access for the intruder.
A rootkit does not infect other programs like a virus, and it does not spread over the local network like a worm. It hides from detection software and keeps the “doors open” for an attacker, who can use the infected system for malicious actions such as sending spam, DDoS attacks, information stealing, etc. However, a worm spreading over the local area network, or a trojan disguised as legitimate software, may install a rootkit on the infected computer. Recent infections sometimes use a combined approach, in which a trojan installs the rootkit and the rootkit then protects other trojans installed from the Internet.
Technically, rootkit software is very complex. It can only be developed by highly qualified specialists, because a bug in such software (especially a kernel-mode rootkit) may cause a total system crash and make the crashed system useless for the attacker’s needs. A rootkit must also effectively resist modern anti-malware scanners.
Due to their nature, rootkits are very hard to detect and even harder to remove. In some complex cases, only reinstalling the operating system may help. But all is not so bad: fortunately, some anti-malware applications have already implemented anti-rootkit functionality, and Exterminate It! is one of them.
Exterminate It! provides rootkit unhooking, direct disk scanning and removal techniques that work in most cases. Custom solutions can also be provided for difficult rootkit infections, so you won’t be left alone in the face of a rootkit infection.
Note that this functionality is in beta now, but you can already turn it on on the Exterminate It! Options page. Anti-rootkit functionality is available in activated copies of Exterminate It! only.
The activation system is improved in this release. Deactivation issues caused by enabling / disabling network devices have been fixed.
Anti-rootkit functionality is still under development, but a new beta version is already available in Exterminate It! and can be used in activated copies. The rootkit unhooking and hidden file search features have been improved.
Several stability issues have been fixed.
What’s new:
- Files Removal Functionality – implemented rootkit-proof file removal;
- Direct Disk Scan for Rootkit Hidden Files (beta);
- Added detailed Rootkit Driver Options;
- Added automatic uploading of missing OS version info in order to improve the Rootkit Unhooking functionality;
- Kernel Files Database updated;
- Minor user interface bug fixes and various UI improvements.
Right now we are working on improving our activation system to prevent software deactivation.
We are also working on improving our own anti-rootkit functionality. The first parts include:
- hidden files scan
- rootkit unhooking functionality
The problem of malicious software (or simply spyware) is very important today for every computer user, regardless of technical skill level. A novice’s computer can be infected just as easily as an advanced user’s. Malicious software technologies are constantly developing. No one can be protected with certainty.
Anti-spyware (or anti-malware) programs can help to remove known infections, but even the best of them are useless if the infection is new or uses a system vulnerability that was not known earlier. What if your preferred anti-spyware tool detects nothing, but you constantly see advertising pop-ups, your computer becomes very slow, you see unknown processes in the task list, or an unknown toolbar appears in your web browser? Most likely you will try other anti-spyware programs. If that does not help, you will post your problem to various security- and spyware-related forums. You will post system scans created by some third-party tools and wait, because you have only one choice: to wait until some anti-spyware developer notices your posts, analyzes your scans, and creates an update for their anti-spyware tool. The process may take from several days to several weeks.
The Exterminate It! anti-spyware tool uses its own unique approach that enables quick removal of an infection even if it was not known earlier. The Submit State feature is specially implemented to solve various complex problems such as unknown spyware infections. All you need to do is press the “Submit State” button. Exterminate It! will display a text box where you can type a description of your problem and any symptoms you have noticed. After that you need to press the “Submit” button. Exterminate It! will scan your system, create a Submit State log, and send it to the server. The Exterminate It! development team will review the obtained data within 24 hours and prepare a fix that will be available through the Update feature. So the process is quite fast, automatic, and does not require special knowledge.
The Submit State feature is even more powerful: you can use it even if a malicious program blocks all access to the Internet. You need to create the Submit State log file as described above, copy it to a removable storage device, and submit it through the http://www.exterminate-it.com/offline-submitstate page from any computer that is connected to the Internet.
So, as you can see, the Exterminate It! anti-spyware tool provides a simple-to-use but powerful feature that allows even the most complex infections to be removed quickly.