Adware Reports: malware removal guides and threat research. Updated security instructions for Windows users.
Threat report

Rootkit.Gen.2 removal

Published Jul 28, 2022 · Category: Rootkit · 3 min read
Report context

What to verify before removal

This report stays in the active library because the Rootkit.Gen.2 detection has enough technical context to support a careful second-opinion scan and a cleanup decision.

Start by comparing the local file name with CDF1BF212408A4253E05.mlw, then review the behavior notes for persistence entries, dropped files, unusual processes, and browser or network changes. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file
CDF1BF212408A4253E05.mlw
  • Compare the suspicious file name with CDF1BF212408A4253E05.mlw.
  • Confirm the detection name matches Rootkit.Gen.2 before removing related files.
  • Review the report for persistence entries, dropped files, unusual processes, and browser or network changes so the cleanup is based on observed behavior, not only the label.
  • Run a full scan, quarantine confirmed detections, and restart before signing back in to sensitive accounts.

Rootkit.Gen.2 is considered dangerous by many security experts. While the infection is active, you may notice unwanted processes in the Task Manager list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

What can Rootkit.Gen.2 do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Loads a driver
  • Dynamic (imported) function loading detected
  • At least one IP Address, Domain, or File Name was found in a crypto call
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • Authenticode signature is invalid
  • Attempts to stop active services
  • Installs itself for autorun at Windows startup

How to identify Rootkit.Gen.2?

File Info:

name: CDF1BF212408A4253E05.mlw
path: /opt/CAPEv2/storage/binaries/4faa0be469733c851f1d93e5608197c4278f7d340a615b420ca09fa9ec5256d6
crc32: 536B7A1E
md5: cdf1bf212408a4253e05c8eb5c21d7d8
sha1: c12dd0205fdc784f0a6a1fdb03f2f333f6f35821
sha256: 4faa0be469733c851f1d93e5608197c4278f7d340a615b420ca09fa9ec5256d6
sha512: 93baa8ad14746f02a1515285df381d42d55a144e3c5bc6c07b881857a37ddb0f7f0449c33ecca9ca574f75aed8942c26bd769a8c3fac61f1b5b537de00a5ba9c
ssdeep: 24576:y/PAujQVPoPFtEkdLOg5zHW3qmmWzHW3qmmZ:yXAzkAQvzHW3qmmWzHW3qmmZ
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1FE058D02F5B340B2D51A1A3141A77735AE78CE5A0A109F8BA3E4ED7D7D723A09D3713A
sha3_384: df955fdda5ba5610a71324192e395cf9281fea3f87c2f0141f917512861157558b45de4a8e5976b3c115682e001909d9
ep_bytes: 558bec6aff68301a4b00681c2c460064
timestamp: 2012-08-03 02:03:05

Version Info:

FileVersion: 1.0.0.0
FileDescription: 易语言程序
ProductName: 易语言程序
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
Translation: 0x0804 0x04b0

Rootkit.Gen.2 also known as:

Bkav W32.AIDetect.malware2
CAT-QuickHeal Trojan.MauvaiseRI.S5255470
McAfee Artemis!CDF1BF212408
Cylance Unsafe
Sangfor [NULLSOFT PIMP INSTALL SYSTEM7]
K7AntiVirus Trojan ( 005246d51 )
K7GW Trojan ( 005246d51 )
Cybereason malicious.05fdc7
Baidu Win32.Rootkit.Agent.f
Cyren W32/S-9a0e6078!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Procpatcher-9875517-0
Kaspersky not-a-virus:RiskTool.Win32.ProcPatcher.a
NANO-Antivirus Riskware.Win32.ProcPatcher.eclpme
Avast Win32:PUP-gen [PUP]
Tencent Win32.Trojan.Obfuscator.Tdzd
Comodo Worm.Win32.Dropper.RA@1qraug
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.NtRootKit.18405
McAfee-GW-Edition BehavesLike.Win32.Trojan.ch
Trapmine suspicious.low.ml.score
FireEye Generic.mg.cdf1bf212408a425
Sophos Generic ML PUA (PUA)
SentinelOne Static AI – Malicious PE
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Generic.ASCommon.FA
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm not-a-virus:UDS:RiskTool.Win32.ProcPatcher.a
GData Win32.Trojan.FlyStudio.I
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C1990216
VBA32 Rootkit.Gen.2
Malwarebytes PUP.Optional.ChinAd
Rising Rootkit.Agent!1.6784 (CLASSIC)
Ikarus Backdoor.Win32.BlackHole
MaxSecure Dropper.Dinwod.frindll
Fortinet W32/CoinMiner.65CA!tr
BitDefenderTheta Gen:NN.ZexaF.34806.1q0@aKsqf9ib
AVG Win32:PUP-gen [PUP]
Panda Trj/GdSda.A

How to remove Rootkit.Gen.2?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.