Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spybot root kit


  • Please log in to reply
3 replies to this topic

#1 genel41

genel41

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 31 August 2016 - 07:52 PM

I just run a deep rootkit scan with Spybot  it says if you delete them you might need some of them because it says some software use rootkits to hide information from us users. So now that I have them what do I do with them ? Anybody got an idea ?  How can I save them to some place to some place incase I need it later?

Spybot found 2 in registrey and 15 more in C Home PC files . Before I ran a root kit scan and it just had 2 in registrey and I was able to save them but did not need them . But with 15 out of the C file I don't know what to do with them . Any help would be appreciated . Thank You

Edited by Queen-Evie, 31 August 2016 - 08:34 PM.
merged 2 separate topics into one post. Also moved from Windows 7 to the appropriate forum.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:04 AM

Posted 01 September 2016 - 03:52 PM

Not all rootkits/hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rookit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both Legitimate programs and rootkits can hook into and alter this table.

Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit and those hooks are undetectable unless you know exactly what you're looking for.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Most of the time, IRP hooks are made by legit drivers to filter IRPs. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

CD Emulators (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD, etc) in particular use rootkit-like techniques techniques to hide from other applications and can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK or security scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

Generally when a system is infected with a malicious rootkit, there are other indications (signs of infection) something is wrong such as very poor system performance, high CPU usage, browser redirects, BSODs, etc.

With that said, I am not familiar with Spybot's rootkit detection and I don't believe we have many members here who use it. You may want to contact contact Spybot Support through their forums or by emailing one of their support teams.They most likely will ask you to provide a log of what was detected.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 robby501

robby501

  • Members
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:04 AM

Posted 03 September 2016 - 05:30 AM

Just a quick question regarding this topic..........

 

Would one solution to be run a rootkit scanner from a different vendor (such as Zemana in deep-scan mode) to see if it gives a different scan result? My thoughts are that maybe some rootkit scanners are better at differentiating between malicious and legit rootkit behavior(s) than others??


Im a rookie and purely recreational pc user. Im utterly obsessed with security (even though I consider myself a safe and law-abiding internet user!) and run a combo of the following freeware security suites.....

Windows Defender/firewall

Regular scans with Malwarebytes, AdwCleaner, JRT, HitmanPro

 

 

 


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:04 AM

Posted 03 September 2016 - 07:00 AM

There are many free anti-rootkit (ARK) tools but some require a certain level of expertise and investigative ability to use. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system. Most of the more effective ARK tools should only be used under the guidance of an expert who knows how to investigate its log for malicious entries before taking any removal action.

These are a few of the easier and safer ARKS for novice users:

-- Note: Malwarebytes Anti-Malware uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits, zero-day malware and malware in the wild. The anti-rootkit technology in Malwarebytes Anti-Malware 2.0 is identical to that of Malwarebytes Anti-Rootkit (mbar). SUPERAntiSpyware Free offers technology to deal with rootkit infections as well. Both of these scanners are easy enough for any novice to safely use.

 

 


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users