Windows – Is there a way to find rootkits on 64-bit Windows 7

Tags: 64-bit, malware, rootkit, windows 7

I was at work and got a help desk call about a rather severe malware infection and it got me thinking about my own computer.

I am running Windows 7 64-bit RC1 on my everyday laptop. I run ESET NOD32 antivirus which does a good job of keeping itself up to date. I never turned off UAC.

I am also a computer professional, so I have a pretty good idea when NOT to click OK on a Windows dialog that looks rogue.

All that to say that I think I am clean, but I wanted to be sure, so I booted into safe mode, downloaded the well-recommended anti-malware tool MalwareBytes, and did a quick scan. It only found a strange registry entry, which I deleted. No file or folder problems were detected. I rebooted to complete the clean as it requested. I was surprised by this because all it did was clean a registry entry.

Oh yeah… one other thing: I run the professional edition of BillP Studios' WinPatrol.

After rebooting normally, WinPatrol warned about the new program MalwareBytes, which I expected and allowed. But to my surprise it also had me confirm the install/setup of userinit (I can't remember if it was .dll or .exe); the program info said that this is the file that presents the startup screen to Windows. I allowed it, but it caught me off guard.

One last thing. I also tried to run RootkitRevealer and IceSword so I could do a rootkit scan on my machine, and neither of them would run; I am pretty sure it is because I am running a 64-bit OS.

So here are my questions:

  1. Is it normal for userinit to be "re-installed" or "re-initialized" after doing a scan using MalwareBytes? If not, why was I prompted to allow permissions for that file?

  2. Is there a known/recommended way to do a rootkit scan of a 64-bit Windows system?

  3. Is it possible that my machine is LESS likely to have a rootkit problem BECAUSE I am running a 64-bit OS? Wouldn't a rootkit have to run as a 64-bit process, and isn't it likely that right now rootkits will not be written to target 64-bit since it is a smaller target audience? Is my risk surface area actually less?

Thanks in advance.

Seth
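The WinPatrol prompt in question 1 concerns the Winlogon `Userinit` value, which names the program Windows runs at logon and which malware commonly appends itself to. The following PowerShell script is an added example, not part of Seth's post or any tool he mentions: it reads the `Userinit` and `Shell` values from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, compares them with the stock Windows 7 defaults (an assumption about the machine; the trailing comma on `Userinit` is the normal default), and for each referenced binary reports its Authenticode status and SHA-256 hash so it can be compared against a known-clean machine. It assumes an elevated, 64-bit PowerShell session; the cmdlets used ship with PowerShell 2.0, which Windows 7 includes.

```powershell
# Added example: check the Winlogon values that decide what runs at logon.
# Assumes Windows 7 defaults for Userinit and Shell and a 64-bit, elevated session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock Windows 7 defaults (assumption for this example). The trailing comma
# on Userinit is normal; extra comma-separated entries are what to look at.
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

# A 32-bit process on 64-bit Windows sees SysWOW64 when it asks for System32,
# so it would hash the 32-bit copy of the file instead of the one Winlogon runs.
if ([IntPtr]::Size -ne 8) {
    Write-Warning 'This is a 32-bit process; System32 is redirected. Use the 64-bit PowerShell.'
}

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

$props = Get-ItemProperty -Path $winlogon

foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    if ($actual -eq $expected[$name]) {
        Write-Host "[ok]   $name = $actual"
    } else {
        Write-Host "[diff] $name = '$actual' (expected '$($expected[$name])')"
    }

    # Inspect every binary the value references, not just the first one.
    foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
        $path = $entry.Trim().Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path "$env:SystemRoot\system32" $path
        }
        if (-not (Test-Path -Path $path)) {
            Write-Host "       missing file: $path"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
        Write-Host "       $path"
        Write-Host "         signature: $($sig.Status); signer: $signer"
        Write-Host "         sha256:    $(Get-FileSha256 -Path $path)"
    }
}
```

Two caveats when reading the output. Many stock Windows binaries are signed through security catalogs rather than with an embedded Authenticode signature, so a "NotSigned" status on the default `userinit.exe` is not by itself evidence of tampering; the hash compared against a clean install of the same patch level is the stronger check. And any script run from inside the running OS is only as trustworthy as the kernel it runs on: a kernel-mode rootkit can filter what the registry and file APIs return, which is why offline inspection (booting from clean media and examining the disk and hives from there) is the check that a rootkit cannot subvert. On the 64-bit side, Windows Vista and 7 x64 refuse to load kernel-mode drivers that are not signed, which raises the bar for kernel rootkits compared with 32-bit Windows; it does not make them impossible.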

Best Answer

I use ComboFix successfully on 64-bit Vista regularly. In my experience, 64-bit does take advantage of system operations regardless of whether or not the application does. Although I wouldn't agree that Vista 64 is 100% rootkit free, it is a lot harder to get rootkits on a 64-bit OS. It is still difficult for hardware manufacturers to make drivers for 64-bit; I don't think we will see too many 64-bit rootkits for a while. And if you hate on 64-bit, get used to it: whether you like it or not, 4 GB of RAM will become obsolete. When it does, 64-bit will be required.