Not all rootkits/hidden components
detected by anti-rootkit (ARK) scanners and security tools are malicious
. Most ARK tools check for rookit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators
, virtual machines, sandboxes
and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook
into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both Legitimate programs and rootkits can hook into and alter this table.Hooking
is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit and those hooks are undetectable unless you know exactly what you're looking for.API Kernel hooks are not always bad
since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Most of the time, IRP hooks are made by legit drivers to filter IRPs. ARK scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.CD Emulators
(Daemon Tools, Alchohol 120%, Astroburn, AnyDVD, etc) in particular use rootkit-like techniques
techniques to hide from other applications and can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection
of legitimate files, cause unexpected crashes, BSODs
, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators.
In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK or security scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous
if a critical component is incorrectly removed.
Generally when a system is infected with a malicious rootkit, there are other indications (signs of infection
) something is wrong such as very poor system performance, high CPU usage, browser redirects, BSODs, etc.
With that said, I am not familiar with Spybot's rootkit detection and I don't believe we have many members here who use it. You may want to contact contact Spybot Support
through their forums or by emailing one of their support teams.
They most likely will ask you to provide a log of what was detected.