Unexplained crashes, system freezes, slow responses, slow startups, lost files, and driver instability – particularly my display driver. In fact, I have reinstalled the OS three times.
Curiously, I tested Windows 7 Ultimate Edition RC on this same machine a year ago, and the extended test ran flawlessly.
Initially, I had to consider that deeply hidden malware might be an issue here, since I hadn’t wiped the the Hard Drive prior to installing the OS (sometimes, I don’t follow my own advice).
If in fact, it was a malware issue, it was possible that I had to deal with a Rootkit, (a Kernel Mode Trojan) – a malware program, (which can survive a reformat), or a combination of malware programs, designed to take low level control of a computer system.
Techniques used to hide rootkits include; concealing running processes from monitoring programs, and hiding files, or system data, from the operating system. In other words, the rootkit files and processes will be hidden in Explorer, Task Manager, and other detection tools. It’s easy to see then, that if a threat uses rootkit technology to hide, it is going to be very difficult to find.
Kudos to the major anti-malware companies though; many have come up with a free serviceable solution to rootkits. Enter the Rootkit detector which will provide you with the tool to find and delete rootkits, and to uncover the threats rootkits may be hiding.
Generally, rootkit detectors are capable of the following type of scans, although it is important to note that not all detectors scan, or handle rootkits, in precisely the same way.
- hidden processes
- hidden threads
- hidden modules
- hidden services
- hidden files
- hidden Alternate Data Streams
- hidden registry keys
- drivers hooking SSDT
- drivers hooking IDT
- drivers hooking IRP calls
We’ve written here a number of times on Rootkits, and free tools designed to uncover and remove these scourges. Tizer Rootkit Razor, which will allow you to identify and remove Rootkits from your computer, is the latest addition to this list.
I should be clear however, this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.
Since the false positive issue, is always a major consideration in using tools of this type, you should be aware that tools like this, are designed for advanced users, and above.
Here’s a reasonable test to determine if you have the skills necessary to use this application effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using this program would prove to be beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.
The user interface is dead simply – functional and efficient, as the following screens from my test system indicate. BTW, no Rootkits were found during this test. Or, scanning with the additional tools listed below.
Main Screen: This page displays information related to your operating system and memory usage.
Smart Scan: This feature automatically scans all the critical areas in the system and displays hidden objects, making things easier for the user.
NOTE: The user is provided with a feature to fix the hidden object (if any).
Process Scan: This module scans processes currently running on the machine. A process entry will be highlighted in red if it is a hidden rootkit. The user can click on an individual process to display any hidden modules loaded by the process.
NOTE: The user is provided with the option to terminate processes and delete modules.
Registry Scan: This module scan is for hidden registry objects.
Smart Scan: A smart scan will scan the critical areas of the registry.
Custom View: This module provides a virtual registry editor view, hence enables the user to navigate through the registry and check for hidden keys or values. (Hidden keys/values will be highlighted)
Kernel Module Scan: This module scans for loaded drivers in the memory. A module entry will be highlighted in red if it is hidden.
NOTE: The user is provided with a feature to unload and delete a driver module from memory.
Services Scan: This module scans all installed services on the local machine. A particular service entry will be highlighted if it is hidden.
NOTE: The user is provided with start, stop, pause, and resume features. They may also change the startup type of service.
SPI Scan: This module lists all the LSPs installed in the system. This is read only information.
NOTE: The user can check for any unauthorized LSP installed.
SSDT Scan: This module scans for any altered value in the System Service Descriptor Table (SSDT). The process of alteration is termed as “Hooking.”
NOTE: The user can restore the altered value to its original value.
Ports Scan: This module will scan all open TCP and UDP ports. A particular port entry will be highlighted if it is hidden.
NOTE: The user is provided with the option to terminate the connection.
Thread Scan: This module will enumerate all running processes. The user can click on a particular process to view and scan all threads running in context of that process. Any hidden threads will be highlighted in red.
NOTE: The user is provided with the option to terminate a thread.
File/Object Scan: This module will scan for any hidden files in the system. The user selects a location on the computer to scan.
Scanning for Rootkits occasionally, is good practice, and if you have the necessary skills, Tizer Rootkit Razor appears to be a good choice to help you do this.
System requirements: Windows XP, Vista, Win 7 – (there is no indication on the developer’s site that this app is x64 compatible).
Download at: Tizer Secure
If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything. To be safe, I use each of the rootkit detectors listed below, on my machines.
Microsoft Rootkit Revealer is an advanced root kit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at http://www.rootkit.com, including AFX, Vanquish and Hacker Defender.
IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.
This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.
Just a quick note: I’ve been testing the latest release of Ubuntu Linux, as an alternative to Windows, and I must admit, I’m blown away. What a terrific operating system! I’ll report on this shortly.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.