Using Blacklight to detect and remove Rootkits from your computer
By Lawrence Abrams on May 18, 2006 | Last Updated: February 27, 2012 | Read 125,643 times.

Rootkits are scary and becoming a larger and larger menace to our computers every day. In the past, if our computers were infected with a piece of malware, we simply removed it and we were clean of the infection. Now that rootkits are commonly bundled with other malware, this cleaning process has become even harder to do. This tutorial will cover how to use F-Secure Blacklight to scan your computer for rootkits and help you to remove them.

Note: Blacklight is scheduled to not be available past June 1st 2006. There are rumors though that it may be extended.

Using Blacklight to remove rootkits from your computer

The first step is to download Blacklight. You can download Blacklight directly from F-Secure's web site at this link:

Once you click on the above link you will be presented with a prompt asking what you would like to do with the file. I suggest you save the file directly to your desktop, where we will run it from. Once the file has finished downloading you will see an icon similar to the one in Figure 1 below.
Table 1. Different types of found items in Blacklight
In order to tag a particular file or process that you would like to clean, you need to left-click once on an entry with your mouse so that it is highlighted, and then press the Rename button. When you do this, the action will change from None to Rename. Once you set a file to Rename, you can untag it by pressing the None button so that no action is performed on this particular item. If you would like more information about the entry, you can double-click on it with your mouse. This will bring up a small screen showing you more detailed information about the file or process such as the location of the file, the description information, and the company information. It is common for the description and company information to be blank so do not be worried if there is nothing listed there.
It is important to note that rootkits can hide legitimate processes and files. For example, the rootkit in the screen above is hiding Explorer.EXE and Winlogon.exe, which are both legitimate Microsoft Windows files and processes. So when selecting the files you would like to rename, please make sure you are only renaming the malware files, as renaming the wrong files can cause problems with your Windows installation.
klgcptini.dat

They would now be named:

klgcptini.dat.ren

As long as these files are confirmed as being malware, you can then delete them from your computer. When Blacklight performs a scan, it will create a log file in the same folder that you ran the program from. If you followed the steps in this tutorial, that folder would be your Windows Desktop. The file name of the log file will start with fsbl- followed by the date and some other numbers. An example is fsbl-20060518203951.log. Once these rootkit files have been deleted, it is advised that you scan your computer with antivirus and antispyware software in order to remove any leftover files. Most of the programs below have a free trial that expires after a certain amount of time. Reputable antispyware programs are:
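The tagging, renaming and logging steps above can be modelled in a few lines of Python. The following is an added example written for this article; it is not code from the tutorial or from F-Secure, and it does not talk to Blacklight. The hidden item names, the allow-list of Windows files (built from the two examples the text gives, Explorer.EXE and Winlogon.exe), the tab-separated log content and the fixed scan time are all constructed for illustration. It shows the one rule that matters when choosing what to rename: an item is tagged Rename only if the user has confirmed it as malware and it is not a known Windows file, and the rename simply appends .ren.

```python
"""Added example, not code from the original tutorial or from F-Secure: a small
Python model of the Rename step described above. Item names, the allow-list and
the scan results below are constructed for illustration."""
import os
import re
import tempfile
from datetime import datetime

# Legitimate Windows files a rootkit may hide; the text names these two.
# Renaming them would damage the Windows installation, so they are never tagged.
LEGITIMATE_WINDOWS_FILES = {"explorer.exe", "winlogon.exe"}

RENAME_SUFFIX = ".ren"                              # Blacklight appends .ren to a renamed file
LOG_NAME_RE = re.compile(r"^fsbl-(\d{14})\.log$")  # matches names like fsbl-20060518203951.log


def log_filename(when: datetime) -> str:
    """Build a log name in the style of the text's example, fsbl-YYYYMMDDHHMMSS.log."""
    return f"fsbl-{when:%Y%m%d%H%M%S}.log"


def log_timestamp(filename: str):
    """Recover the scan time from a log name, or None if the name is not a scan log."""
    m = LOG_NAME_RE.match(filename)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def plan_actions(hidden_items, confirmed_malware):
    """Decide the action for each hidden item: 'Rename' only for items the user has
    confirmed as malware and that are not known Windows files; everything else 'None'."""
    confirmed = {n.lower() for n in confirmed_malware}
    plan = {}
    for name in hidden_items:
        low = name.lower()
        if low in LEGITIMATE_WINDOWS_FILES or low not in confirmed:
            plan[name] = "None"
        else:
            plan[name] = "Rename"
    return plan


def apply_renames(directory, plan):
    """Append .ren to every item tagged Rename; refuse to overwrite an existing .ren file."""
    renamed = []
    for name, action in plan.items():
        if action != "Rename":
            continue
        src = os.path.join(directory, name)
        dst = src + RENAME_SUFFIX
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite {dst}")
        os.rename(src, dst)
        renamed.append(os.path.basename(dst))
    return renamed


def run_demo():
    """Create constructed files in a temporary folder, plan and apply the renames,
    and write a log next to them. Returns (plan, renamed, log_name, remaining files)."""
    hidden = ["klgcptini.dat", "Explorer.EXE", "Winlogon.exe", "unknown.sys"]
    confirmed = ["klgcptini.dat"]  # only this one has been verified as malware
    with tempfile.TemporaryDirectory() as folder:
        for name in hidden:
            open(os.path.join(folder, name), "w").close()
        plan = plan_actions(hidden, confirmed)
        renamed = apply_renames(folder, plan)
        # Fixed scan time so the log name is reproducible; a real run would use datetime.now().
        log_name = log_filename(datetime(2006, 5, 18, 20, 39, 51))
        with open(os.path.join(folder, log_name), "w") as log:
            for name, action in plan.items():
                log.write(f"{name}\t{action}\n")   # constructed log format, not Blacklight's
        remaining = sorted(os.listdir(folder))
    return plan, renamed, log_name, remaining


if __name__ == "__main__":
    print(run_demo())
```

Note that the allow-list wins even if a Windows file is passed in as "confirmed": that mirrors the warning in the text that a rootkit will hide Explorer.EXE and Winlogon.exe alongside its own files, and that renaming them breaks the installation. The refusal to overwrite an existing .ren target keeps a second pass from silently destroying evidence from an earlier rename.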
Ad-Aware [Tutorial]

Recommended antimalware and antivirus software are:
AVG Antivirus (Free version available for personal use)

Now that you know how to use Blacklight, you have another tool in your arsenal against the growing threat of rootkits. As rootkits are now commonly bundled with other malware, if you become infected with spyware, a worm, or other malware, you should run this program and let it check for rootkits as well. If you have concerns about renaming and deleting any found files yourself, feel free to post the log of your scan as a topic in our "Am I infected? What do I do?" forum. Someone will examine your log and then let you know what should be done.