After running a scan using IceSword on one host of my home network, there are several red entries. All fall into one of three categories, one for Zone Alarm, one for KAV (I use both applications), and the third, well, it's unidentifiable. According to instructions for IceSword, we're supposed to be able to discern a program folder and associated file name in SSDT for tagged red entries. However, under the KModule column, these unidentifiable red entries are showing up as "Unknown". Any suggestions? I'm a security engineer by profession, and have long used a varied and extensive defense-in-depth approach. However, that doesn't mean I can't be a victim like anyone else, and actually, here lately I've been experiencing too many instances of 100% CPU utilization and system lock-ups. It's frustrating because the rest of the myriad applications I use to monitor and scan all come back clean.

Thanks,
Chuck

Let's see if we can identify what's locking you up. Download and unzip this:

http://www.sysinternals.com/Utilities/processexplorer.html

You might also want to grab this:

http://www.sysinternals.com/Utilities/autoruns.html

Run the first (no installer) and see if you can spot what's tying up the CPU. You could have a rootkit or other malware, but I've also had pure hardware do something very similar (a small short in a floppy controller card once locked up one of my systems with a cascade of deferred procedure calls and gave me fits until I was able to isolate the problem). So, before one of the ReXs (the members here fully qualified to remove rootkits) comes on-board, let's eliminate what possible causes we can.

You should also run the second (also no installer) and check out all the start-ups. This is the most detailed start-up analyzer there is, and perhaps we can spot something from that as well.

One more question, when you say "... lately I've been experiencing too many instances of 100% CPU utilization and system lock-ups", do you mean with this one system, or with multiple systems?

Do you run Webroot's Spyware Sweeper? They recently released an uprade to version 5 and in my testing this new version will leave several "Unknown" red entries in the SSDT. Also I have found that when running both KAV and SWS on a system at the same time results in the system randomly freezing unless you are running some serious hardware.

Vince Hall
Owner
GetPCHelpNow

Mod Note: Post returned as promised. Thanks Vince.

Recently Webroot Spyware Sweeper released an upgrade to version 5. When this happens you will see several red "Unknown" entries in the SSDT with Icesword. Through my testing I have found that when running a system with both KAV 6 and Webroot Spyware Sweeper 5 on a system that is not the latest and the greatest you will see random system "freezes". I am curious to see if you to are currently running this combo. Please reply.

Vince Hall
Owner
GetPCHelpNow

Nearly all security programs use kernel level drivers that hook the SSDT to perform their monitoring functions. Therefore, using the SSDT function alone is not a reliable method of detecting a rootkit. That is one of the reasons DarkSpy does not have an SSDT function. Even IceSword, does not use it when performing its "System Check"(function). Red entries in IceSword's Win32 Service and Process functions are much better indicators of a rootkit.

Virtually all AVs, Firewalls, and HIPS programs hook the SSDT. So do Daemon tools, Alcohol, Sandboxie, and more. You may want to do a comparison of the SSDT hooks before and after a rootkit cleanup, but don't use it as the sole criterion to judge whether or not you have a rootkit. The 'unknown' hooks can also be created by Symantec programs.

Another rootkit detector you can try is kproccheck. Here are the directions:
Download the kproccheck Beta2 and extract it to C:\. It will create a folder called C:\kproccheck. Then, please download run-kproccheck and unzip it to the C:\kproccheck folder. It is important that run-kproccheck.bat reside in that same folder as the kproccheck executable and driver (kproccheck.exe and kprocchecks.sys). Next close all windows. Open Windows Explorer and navigate to the C:\kproccheck folder. Double-click on run-kproccheck.bat to run it. It will immediately open a notepad log file called kproccheck.txt, in the same folder. Please upload the kproccheck.txt file as an attachment in your next reply by using the "post reply" button .

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Thanks for the information, negster22. I appreciate the pointer to another rookit detector, "kproccheck" and I checked the site. The creator of the program said that it can crash a system. I think I will avoid it for now and perhaps try it when it is out of beta. I will be less concerned about IceSword's findings in the SSDT scan, though.

Yes - nearly every rootkit detector has that warning, but I understand your concern. I have used it many times with no problems. I like it because you get immediate feedback without performing a time consuming scan.

Another reason I like kproccheck is because it detects modification of kernel data structures DKOM) not just hooking, which is a method that the more advanced rootkits use to hide. I doubt you are infected though. If you really want to be sure you should pick several scanners to get a variety of opinions because they often target diffferent rootkit mechanisms.

I have had only one detector crash my system, and I will not advise anyone to use it. Not mentioning any specific names, but it is not one of the mainstream ones.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Hi ccisp - Yes, program conflicts can do some strange things especially when the programs operate at the kernel level.

I am glad your worked out your problem and thanks for letting us know about KAV & Spysweeper interfering with one and other. That info may help us troubleshoot future posts.

I have also had an instance where my CPU maxed out because of kernel drivers conflicts. The process utilization and other symptoms can closely mimic that of an infected computer, so I can understand your concern.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008