Rootkit Checks on J on 2008-09-13

I ran some additional rootkit checks on a system, J, that had been infected with malware on September 8, 2009 [see Infection by Virantix - braviax.exe and Infection Checks on 2008-09-10]. I had checked the system with the BlackLight rootkit detector from F-Secure on September 10, but it reported "no hidden items found."

I installed Rootkit Hook Analyzer on the system to check for any rootkits on the system.

Rootkit Hook Analyzer 3.02

The program looks for software that uses "kernel hooks". Kernel hooks can be used by legitimate software, such as antivirus software, but are also sometimes used by malware. So, if the program finds software using a kernel hook, the user should determine whether the software detected using that hook is legitimate for that system.

The developer describes the software as follows:

RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on. If any of these system services are intercepted and modified it means that there is a possibility that the safety of your system is at risk and that spyware, viruses or malware are active.
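To make concrete what "hooking the kernel system services" means, here is an added example (not code from the post or from the Rootkit Hook Analyzer project) of the check such a tool performs: it takes a snapshot of the system service table, resolves each handler address to the loaded kernel module that owns it, and reports any entry whose handler no longer lives in the kernel image itself. Every address, module name and service name below is constructed for illustration; the filter function mirrors the "show hooked services only" option described later.

```python
# Added example: deciding whether a kernel system service is "hooked" by
# checking which loaded module owns its handler address.
# All module names, addresses and service entries are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoadedModule:
    """A kernel module as it appears in a loaded-module list."""
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


# The kernel image is the only module that legitimately owns service entries.
KERNEL_IMAGE = "ntoskrnl.exe"

# Constructed loaded-module snapshot (base, size). Names are hypothetical.
MODULES: List[LoadedModule] = [
    LoadedModule("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    LoadedModule("av_filter.sys", 0xF7A00000, 0x20000),   # hypothetical AV driver
    LoadedModule("unknown.sys", 0xF7C00000, 0x8000),      # hypothetical unknown driver
]

# Constructed system service table: index -> (service name, current handler address).
SSDT: Dict[int, Tuple[str, int]] = {
    0x25: ("NtCreateFile", 0x80570A0E),               # inside ntoskrnl.exe
    0x42: ("NtEnumerateKey", 0x805A3B10),             # inside ntoskrnl.exe
    0x91: ("NtQueryDirectoryFile", 0xF7C01234),       # redirected into unknown.sys
    0xAD: ("NtQuerySystemInformation", 0xF7A0ABCD),   # redirected into av_filter.sys
    0xB4: ("NtOpenProcess", 0x10000000),              # points into no loaded module
}


def resolve_module(address: int, modules: List[LoadedModule]) -> Optional[str]:
    """Return the name of the module whose image range contains address, if any."""
    for module in modules:
        if module.contains(address):
            return module.name
    return None


def analyze_ssdt(ssdt: Dict[int, Tuple[str, int]],
                 modules: List[LoadedModule],
                 kernel_image: str = KERNEL_IMAGE) -> List[dict]:
    """Classify every service entry. An entry is hooked when its handler is
    owned by anything other than the kernel image (including no module at all,
    which suggests code in memory that does not belong to a listed driver)."""
    results = []
    for index in sorted(ssdt):
        name, address = ssdt[index]
        owner = resolve_module(address, modules)
        results.append({
            "index": index,
            "service": name,
            "address": address,
            "module": owner,
            "hooked": owner != kernel_image,
        })
    return results


def hooked_only(results: List[dict]) -> List[dict]:
    """Equivalent of the 'show hooked services only' view."""
    return [r for r in results if r["hooked"]]


def format_report(results: List[dict]) -> str:
    lines = []
    for r in results:
        status = "HOOKED" if r["hooked"] else "ok"
        owner = r["module"] or "<no loaded module>"
        lines.append(f"{r['index']:#05x} {r['service']:<26} {r['address']:#010x} {owner:<14} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze_ssdt(SSDT, MODULES)
    print(format_report(report))
    print("--- hooked services only ---")
    print(format_report(hooked_only(report)))
```

The output on the constructed data flags three entries, but only the owner column tells the user what the post says they must decide: the entry owned by the antivirus driver is expected on a system running that product, while a handler owned by an unrecognised driver, or by no listed module at all, is what warrants investigation.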

When I scanned the system on which I installed it, Rootkit Hook Analyzer reported it did not find any kernel hooks.

Hook Analyzer Results

The software lists all of the services and modules found. If you want to see only hooked services, there is a checkbox at the bottom of its window where you can specify it should "show hooked services only".

When I clicked on the Export button to save a copy of its results, I saw an error message.

Hook Analyzer: Access Violation

I next installed RootkitRevealer v1.71. It showed 4 hidden items, but none of them appeared to be associated with malware.

RootkitRevealer Found

So, if there is any malware remaining on the system, it does not appear to be using rootkit techniques.