F-Secure BlackLight is a tool that detects files, folders and processes that are hidden from the user and from other programs. BlackLight can also disable hidden malware by renaming its files.
F-Secure BlackLight is a Response Lab Tool and is intended for use in customer cases. Product support is not provided.
After you have downloaded the executable, you can start the program by double-clicking on its icon.
F-Secure BlackLight is a single, executable file. There is no installer. This means that you cannot start the program by selecting it from the Start menu or a Desktop icon unless you manually create a menu item or a shortcut.
After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program.
There are two scanning modes to select from. The default mode ("Normal mode") is faster and is recommended for most users. "Expert mode" is slower and more susceptible to alerts on non-malicious hidden items. To start BlackLight in expert mode, use the "/expert" command-line argument.
To scan for hidden items, press "Scan". BlackLight will then look for hidden processes and go through all local hard drives searching for hidden files and folders.
BlackLight uses Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.
You can interrupt the scan by pressing "Stop". Once the scan is complete, press "Next" to move to the next step. If no hidden items were found, this will show a summary of the scan.
After the scan, the user is presented with a "Show all processes" button. This feature is intended for expert users. Some advanced rootkits stop hiding while a known anti-rootkit tool is running, others do not hide from such tools at all, and some hide only from Windows Task Manager. To be absolutely sure, advanced users can therefore view the real process list and compare it with the process list shown by Task Manager.
Figure 1. Step 1: Scanning for hidden items.
Figure 2. Step 1: Examining the process list. You can get additional information on each process by double-clicking it.
If BlackLight finds hidden items, it shows the item type and name for each item, allowing you to rename one or more of the hidden items (see Figure 2).
Figure 3. Step 2: BlackLight showing hidden items.
Figure 4. Step 2: Examining hidden items. Double-clicking an item shows its full path and other information. If the full path is too long for the properties dialog, you can see it by moving the mouse pointer over the truncated path (tooltip).
Icons are used to represent different hidden item types. The meaning of each icon is explained in Figure 5.
- A hidden file
- A hidden process
- A hidden file and a process. This icon is shown when the file associated with a hidden process is also hidden.
Figure 5. Explanation of hidden item types.
See the description for hidden items for more information if BlackLight finds something on your computer.
If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful cleanup, the hacker might still be able to access a computer that has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore; an added or changed user right is a typical example of such a change. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.
First make sure that the hidden items are not part of some harmless application you have installed on your machine. Some benign applications use hiding for various reasons. If after this you are convinced that you have a rootkit on your system, you can disable it with BlackLight's renaming functionality and then proceed with the cleanup. The first thing you should do in these cases is to make a copy of BlackLight's log file, so that you have a list of the hidden items at your disposal during cleanup.
If a full re-installation is not an option, removing the necessary hidden items can help in some situations.
You should always remember that not all hidden items BlackLight finds are necessarily malicious. In some cases, removing or renaming an important file could render the computer unusable.
An example scenario could be as follows. Your computer has been hacked and is being used as an illegal web server. The hacker has installed a rootkit that hides the web server root folder c:\www_root\. This folder contains thousands of JPEG images, which are also hidden. BlackLight will likely report as hidden files:
In this scenario, you should only rename the rootkit binary and other files directly associated with it. After this, the rootkit is disabled and the web server root folder and all the files inside it will become visible.
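As an added illustration of the triage this scenario calls for (example code, not part of BlackLight or of the original page), the following Python separates a hidden-item list into the rootkit's own components, which are rename candidates, and collateral data that is hidden only as a side effect and should be left alone. The item list, its format and every file name are constructed for the example; BlackLight's real log format is not shown here.

```python
from collections import Counter
from pathlib import PureWindowsPath

EXECUTABLE_EXT = {".exe", ".dll", ".sys"}

# Constructed sample modelled on the scenario in the text (illustrative names and
# format only; this is not BlackLight's real log format): a hidden process, its
# hidden binary and driver, and a hidden web root full of hidden JPEGs.
HIDDEN_ITEMS = [
    ("process", r"C:\WINDOWS\system32\rkit_example.exe"),
    ("file", r"C:\WINDOWS\system32\rkit_example.exe"),
    ("file", r"C:\WINDOWS\system32\drivers\rkit_example.sys"),
    ("folder", r"C:\www_root"),
] + [("file", rf"C:\www_root\img{i:04d}.jpg") for i in range(3000)]


def triage(items):
    """Split hidden items into rename candidates (the rootkit's own components)
    and collateral (data hidden only because the rootkit hides its folder).

    Heuristic following the text's advice: rename the rootkit binary and the
    files directly associated with it. A hidden file is a rename candidate if it
    is the image of a hidden process, sits in the same directory as one, or is
    itself an executable or driver. Everything else, and hidden folders, stays in
    place so it reappears once the rootkit is disabled.
    """
    process_images = {p.lower() for t, p in items if t == "process"}
    process_dirs = {str(PureWindowsPath(p).parent).lower() for p in process_images}
    rename, collateral = [], []
    for kind, path in items:
        if kind != "file":
            continue  # processes are handled via their image file; folders stay
        wp = PureWindowsPath(path)
        if (path.lower() in process_images
                or str(wp.parent).lower() in process_dirs
                or wp.suffix.lower() in EXECUTABLE_EXT):
            rename.append(path)
        else:
            collateral.append(path)
    return rename, collateral


def summarize(paths):
    """Count hidden files per directory so a mass of collateral data stands out."""
    return Counter(str(PureWindowsPath(p).parent) for p in paths)


if __name__ == "__main__":
    to_rename, leave = triage(HIDDEN_ITEMS)
    print("Rename (rootkit components):", to_rename)
    print("Leave in place (collateral):", summarize(leave).most_common())
```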
If you are sure your computer has been infected, do the following:
If you want to use BlackLight to remove the hidden items, do the following:
To use F-Secure BlackLight, your computer must have one of the following supported operating systems: