F-Secure BlackLight Help
- What is F-Secure BlackLight?
- How do I install F-Secure BlackLight?
- How do I use F-Secure BlackLight?
- What do the hidden items found by F-Secure BlackLight mean?
- F-Secure BlackLight found hidden items! What should I do?
- System requirements
- Troubleshooting
F-Secure BlackLight is a tool that detects files, folders and processes that
are hidden from the user and other programs. BlackLight is also able to remove
hidden malware by renaming its files.
F-Secure BlackLight is intended for both advanced home users and corporate
system administrators.
After you have downloaded the executable, you can start the program by
double-clicking on its icon.
F-Secure BlackLight is a single, executable file. There is no installer. This
means that you cannot start the program by selecting it from the Start menu or a
Desktop icon unless you manually create a menu item or a shortcut.
After you start the program and accept the license, you should see the first
step (Figure 1), which lets you scan for hidden items. Note that you must have
local administrative privileges to run the program.
There are two scanning modes to select from. The default mode ("Normal mode")
is faster and is recommended for most users. "Expert mode" is slower and more
susceptible to alerts on non-malicious hidden items. To start BlackLight in
expert mode, use the "/expert" command-line argument.
To scan for hidden items, press "Scan". BlackLight will then look for hidden
processes and go through all local hard drives searching for hidden files and
folders.
BlackLight will use Windows Explorer (the desktop process) to scan for hidden
items. Your anti-virus software or personal firewall might display a warning
that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer
process (explorer.exe). If you want to continue the scan, you should allow
BlackLight to do this.
You can interrupt the scan by pressing "Stop". Once the scan is complete,
press "Next" to move to the next step. If no hidden items were found, this will
show a summary of the scan.
After the scan the user is presented with a "Show all processes" button. This
feature is here for the expert users. Some advanced rootkits do not hide
themselves while a known anti-rootkit tool is running, others do not hide from
them, and some only hide from Windows Task Manager. Therefore, to be absolutely
sure, advanced users can view their real process list and possibly compare it
to the process list from Task Manager.

Figure 1. Step 1: Scanning for hidden items.
Figure 2. Step 1: Examining the process list. You can get additional
information on each process by double-clicking it.
If BlackLight finds hidden items, it shows the item type and name for each
item, allowing you to rename one or more of the hidden items (see Figure 2).
Figure 3. Step 2: BlackLight showing hidden items.
Figure 4. Step 2: Examining hidden items. By double-clicking the item you can
see the full path and other information on the item. If the full path is too
long for the properties dialog, you can see it by moving the mouse pointer over
the truncated path (tooltip).
Icons are used to represent different hidden item types. The meaning of each
icon is explained in Figure 5.
Type: A hidden file
Type: A hidden process
Type: A hidden file and a process. This icon is shown when the file associated
with a hidden process is also hidden.
Figure 5. Explanation of hidden item types.
See the description for hidden items for more information if BlackLight finds
something on your computer.
If your computer has actually been hacked, removing the hidden items might not
be sufficient. Even after a careful clean-up the hacker might still be able to
access your computer after it has been compromised once. The removed malware
may have changed the system in a way that is impossible to detect or restore.
An added or changed user right is a typical example of such changes. Formatting
all hard disks and re-installing the computer is the only foolproof way to
eliminate this risk.
First make sure the hidden items are not a part of some harmless application
you have installed on your machine. There are some benign applications that use
hiding for various reasons. If after this you are convinced you have a rootkit
on your system, you can disable it by using BlackLight's renaming functionality
and then proceed with the cleanup. The first thing you should do in these cases
is to make a copy of BlackLight's log file, so that you have a list of the
hidden items at your disposal during cleanup.
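The paragraph above asks you to copy the log file before cleanup, and the Troubleshooting entry later on this page says where the log lives: "fsbl-<date-and-time>.log" next to the executable, or in the user's temporary directory (%TMP% / %TEMP%) when that directory is write-protected. The following is an added example, not F-Secure's code, that searches those locations in that order and copies what it finds to a backup folder without overwriting anything. The directory layout, environment variables and log contents in run_demo() are constructed so the script runs on any platform; the log names only follow the documented "fsbl-*.log" pattern, the date format inside them is made up.

```python
"""Locate BlackLight log files (fsbl-*.log) and copy them somewhere safe."""
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List, Mapping, Union

LOG_PATTERN = "fsbl-*.log"  # name pattern from the BlackLight help page


def candidate_dirs(exe_dir: Union[str, Path], env: Mapping[str, str]) -> List[Path]:
    """Directories to search, in the order the help page describes:
    first the folder holding blbeta.exe, then %TMP% and %TEMP% (deduplicated)."""
    dirs = [Path(exe_dir)]
    for var in ("TMP", "TEMP"):
        value = env.get(var)
        if value:
            candidate = Path(value)
            if candidate not in dirs:
                dirs.append(candidate)
    return dirs


def find_blacklight_logs(exe_dir: Union[str, Path], env: Mapping[str, str]) -> List[Path]:
    """Return every fsbl-*.log found in the candidate directories (search order kept)."""
    found: List[Path] = []
    for directory in candidate_dirs(exe_dir, env):
        if directory.is_dir():
            found.extend(sorted(directory.glob(LOG_PATTERN)))
    return found


def backup_logs(logs: Iterable[Path], dest_dir: Path) -> List[Path]:
    """Copy each log into dest_dir (e.g. removable media), keeping the file name.
    Refuses to overwrite so an older copy is never silently replaced."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    copied: List[Path] = []
    for log in logs:
        target = dest_dir / log.name
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        shutil.copy2(log, target)  # copy2 keeps the original timestamps
        copied.append(target)
    return copied


def run_demo() -> dict:
    """Exercise the helpers on a constructed layout inside a temporary folder."""
    with tempfile.TemporaryDirectory() as root_str:
        root = Path(root_str)
        exe_dir = root / "Downloads"   # where blbeta.exe was saved (constructed)
        tmp_dir = root / "Temp"        # stands in for %TMP% / %TEMP% (constructed)
        backup_dir = root / "E_drive" / "blacklight-logs"
        exe_dir.mkdir()
        tmp_dir.mkdir()
        # Constructed sample logs; only the fsbl-*.log naming follows the help page.
        (exe_dir / "fsbl-20060101-120000.log").write_text("constructed log 1\n")
        (tmp_dir / "fsbl-20060102-083000.log").write_text("constructed log 2\n")
        (exe_dir / "other.txt").write_text("not a log\n")
        env = {"TMP": str(tmp_dir), "TEMP": str(tmp_dir)}

        logs = find_blacklight_logs(exe_dir, env)
        copied = backup_logs(logs, backup_dir)
        return {
            "searched": [d.name for d in candidate_dirs(exe_dir, env)],
            "found": [p.name for p in logs],
            "copied": [p.name for p in copied],
            "intact": all((backup_dir / p.name).read_text() == p.read_text() for p in logs),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real machine you would pass the folder that holds blbeta.exe and `os.environ` instead of the constructed values, and point the backup at the external media mentioned in the cleanup steps.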
If a full re-installation is not an option, removing the necessary hidden
items can help in some situations.
You should always remember that not all hidden items BlackLight finds are
necessarily malicious. In some cases, removing or renaming an important file
could render the computer unusable.
An example scenario could be as follows. Your computer has been hacked and is
being used as an illegal web server. The hacker has installed a rootkit which is
hiding the web server root folder c:\www_root\. This folder contains thousands
of JPEG images, which are also hidden. BlackLight will likely report as hidden
files:
- The rootkit binary and other files directly
associated with the rootkit (e.g. a configuration file and a driver)
- The c:\www_root\ folder
- All the JPEG images in this folder
In this scenario, you should only rename the rootkit binary and other files
directly associated with it. After this, the rootkit is disabled and the web
server root folder and all the files inside it will become visible.
If you are sure your computer has been infected, do the following:
- Disconnect the network cable from the computer.
- Take a backup copy of all important information on your computer to an
external media (e.g. CD-R)
If you want to use BlackLight to remove the hidden items, do the
following:
- Select the hidden items you wish to rename in Step 2.
We suggest that you rename only the absolutely necessary items.
- Close all other programs before continuing, and then
select "Next".
- Select "Restart now" to restart the computer so the
changes take effect.
- After the reboot, the hidden items should be renamed and visible on the
computer. Re-run BlackLight to verify that hidden items are no longer
found.
F-Secure is very interested in all cases where hidden items are found by
BlackLight. To help us fight new versions of malware, please consider sending
an e-mail to feedback-blacklight@f-secure.com with the log file as an
attachment. Do not attach the actual hidden files!
If you think that the hidden items are part of a malicious program, you can
also follow the instructions on sending a sample to us.
To use F-Secure BlackLight, your computer must have one of the following
supported operating systems:
- Windows 2000
- Windows XP (32 and 64-bit)
- Windows 2003 Server (32 and 64-bit)
- Windows Vista (32-bit only)
- Q: BlackLight shows that some important system files (e.g. explorer.exe,
iexplore.exe) are hidden. What should I do?
A: It might be that a malicious program is trying to hide these system files
for some reason, possibly by accident. You should not try to rename these
files. If you are unable to distinguish important system files from malware,
do not try to rename anything.
- Q: I cannot find the log file. Where is it located?
A: BlackLight
creates a log file "fsbl-<date-and-time>.log". By default, the log file
is in the same directory as the executable.
If this directory is
write-protected, the log file is created in the user's temporary directory. By
default, you can access this directory by entering %TMP% or %TEMP% on the
Windows Explorer address bar.
- Q: I used the hidden file attribute to hide a file and BlackLight did not
find it.
A:
BlackLight is designed to only find files that users cannot see with regular
Windows tools. That is, when BlackLight reports a file as hidden, it really
means the file is hidden - not just that it has the hidden file attribute set.
Removing the attribute with regular tools is easy, and many benign files have
this attribute set.
- Q: The scan seems to hang on a directory and nothing happens.
A: If the directory
contains a lot of files (tens of thousands or more), it might take a while to
scan it. Wait to see if the scan proceeds.
- Q: I renamed a hidden file but I still can't see it. BlackLight does not
find it, either.
A: The file might still have hidden or system file
attribute set, even though it is no longer "really" hidden. Choose "Show
hidden files and folders" and uncheck "Hide protected operating system files"
from Windows Explorer Folder Options to see files with this attribute set. If
you are comfortable with using the command line, you can use "attrib" command
or "dir /a:h" to view files with hidden attributes.
- Q: I have downloaded BlackLight and it scanned my system OK. How do I
uninstall it? How can I find it?
A: BlackLight is not installed in the normal sense. It is a simple executable
file that is downloaded to your computer and can be run by double-clicking on
the file. There are no items in the Start menu or keys in the registry.
"Uninstallation" of BlackLight simply means deleting the file. The location of
the file depends on how you downloaded it and which browser you used. If you
downloaded the file with IE and chose "Run", blbeta.exe is usually stored in
"C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files".
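Two passages on this page describe the same detection idea: the "Show all processes" note (compare the real process list with Task Manager's) and the FAQ entry explaining that BlackLight reports a file as hidden only when regular Windows tools cannot see it, not merely because it carries the hidden attribute. The scenario with the hidden c:\www_root\ folder also shows why a long list of hidden files needs to be read as "rootkit files plus collateral". The following added example, which is not F-Secure code and not how BlackLight is implemented, demonstrates that cross-view comparison on constructed data: one function diffs two process lists by PID, one separates really hidden files from attribute-hidden ones, and one collapses hidden files beneath a hidden folder so the rootkit's own files stand out. On a real machine the ordinary view would come from tasklist and "dir /a" and the low-level view from an anti-rootkit tool; here both views, the file names (rk.sys, rk.ini, www_root) and the PIDs are constructed samples.

```python
"""Cross-view comparison of process and file listings (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x02  # documented Windows attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x04


@dataclass(frozen=True)
class FileEntry:
    path: str            # full Windows-style path, as BlackLight's properties dialog shows it
    is_dir: bool = False
    attributes: int = 0  # FILE_ATTRIBUTE_* bitmask as reported by the ordinary API


def hidden_processes(visible: Iterable[Tuple[int, str]],
                     real: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Processes in the low-level list that the Task Manager view does not show.
    Matched by PID, so capture both snapshots close together (a PID reused in
    between would be missed)."""
    visible_pids = {pid for pid, _ in visible}
    return sorted((pid, name) for pid, name in real if pid not in visible_pids)


def classify_files(api_view: Iterable[FileEntry],
                   raw_view: Iterable[FileEntry]) -> Dict[str, List[str]]:
    """Split low-level entries into really hidden vs. merely attribute-hidden.
    api_view must include attribute-hidden files (what "dir /a" lists); whatever
    is still missing from it is hidden from the user's tools."""
    api_paths = {e.path.lower(): e for e in api_view}
    really_hidden: List[str] = []
    attribute_only: List[str] = []
    for entry in raw_view:
        seen = api_paths.get(entry.path.lower())
        if seen is None:
            really_hidden.append(entry.path)
        elif seen.attributes & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            attribute_only.append(entry.path)  # visible with "dir /a:h", so not a finding
    return {"really_hidden": sorted(really_hidden),
            "attribute_hidden_only": sorted(attribute_only)}


def group_under_hidden_folders(hidden: Iterable[FileEntry]) -> List[Tuple[str, int]]:
    """Collapse hidden files beneath a hidden folder into one (folder, child count)
    line; items outside any hidden folder are listed with count 0."""
    entries = list(hidden)
    folder_paths = {e.path.rstrip("\\").lower(): e.path for e in entries if e.is_dir}
    folders = sorted(folder_paths, key=len)  # shortest first, so the outermost folder wins
    counts: Dict[str, int] = {}
    for e in entries:
        key = e.path.rstrip("\\").lower()
        owner = next((f for f in folders if key != f and key.startswith(f + "\\")), None)
        if owner is None:
            counts.setdefault(e.path, 0)
        else:
            counts[folder_paths[owner]] = counts.get(folder_paths[owner], 0) + 1
    return sorted(counts.items())


def demo() -> dict:
    """Constructed snapshots resembling the help page's web-server scenario."""
    task_manager = [(4, "System"), (1012, "explorer.exe"), (1400, "blbeta.exe")]
    real_list = task_manager + [(1720, "svchost.exe")]  # only the low-level view sees this one
    api_files = [
        FileEntry("C:\\WINDOWS\\explorer.exe"),
        FileEntry("C:\\boot.ini", attributes=FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ]
    raw_files = api_files + [
        FileEntry("C:\\WINDOWS\\system32\\drivers\\rk.sys"),  # constructed rootkit driver
        FileEntry("C:\\WINDOWS\\system32\\rk.ini"),           # constructed configuration file
        FileEntry("C:\\www_root\\", is_dir=True),             # hidden web server root
    ] + [FileEntry("C:\\www_root\\img%04d.jpg" % i) for i in range(3000)]

    result = classify_files(api_files, raw_files)
    hidden_set = set(result["really_hidden"])
    hidden_entries = [e for e in raw_files if e.path in hidden_set]
    return {
        "hidden_processes": hidden_processes(task_manager, real_list),
        "attribute_hidden_only": result["attribute_hidden_only"],
        "really_hidden_count": len(result["really_hidden"]),
        "grouped": group_under_hidden_folders(hidden_entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The grouped output is the point of the scenario: 3003 hidden paths reduce to three lines, two rootkit files and one folder with 3000 children, which matches the advice to rename only the files directly associated with the rootkit.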