Rootkits have gotten a great deal of attention in the popular media lately as the "greatest threat to security" at the level of the individual system. For example, see:
http://www.computerworld.com/securitytopic...1,99843,00.html
PC World - Rootkits: Invisible Assault on Windows
Basically the defining characteristic of a rootkit is stealth. A rootkit hides its presence from the operating system. Then it usually does something else as well (since stealth for its own sake doesn't gain the rootkit author very much). This might include protecting/hiding other malware that spams or accepts remote access commands, opening a backdoor, or something slightly more mundane like enforcing digital rights management (Sony rootkit).
This can be dangerous for obvious reasons. Most of the interaction a user has with a system is through the "eyes" of the operating system. You never actually tell your hard drive to delete a file, for example --- you tell Windows to delete a file, and Windows in turn interprets your request and passes it down the driver chain until it reaches the physical device. Likewise, in the opposite direction, you never actually know what data (in the form of binary 1's and 0's) is present on your hard drive, or in your registry --- you only know the high-level interpretation of that data that Windows gives you. You see with the eyes of the operating system, and so a rootkit, which hides from the operating system, can make itself effectively undetectable by normal means.
Please download F-Secure BlackLight
- Save BlackLight to your desktop.
- Double-click blbeta.exe then accept the agreement.
- Click > Scan then > Next
- After the scan you'll see a list of all items found. Please click Next and exit. Don't choose to rename anything yet! I want to see the log first, because legitimate items can also be present there.
- There will be a log on your desktop with the name fsbl.xxxxxxx.log (where the xxxxxxx are numbers). Please post the contents of this log in your next reply.