There is something annoying about certain pieces of malware: they are shy and hide from you.

However, they do some real nasty stuff in the background, so much so that you may want to get rid of them.

I was analyzing some malware samples and found this fake Soundman.exe (the real one is a process from RealTek sound cards). I use Process Explorer (a better Taskmanager-like utility) to show me what running processes are on my PC, and see this SoundMan.exe process, right there, doing some bad stuff.

Process Explorer tells me that the file is located under c:\Windows, but I can’t find it!

 Reason is, this file is a rootkit, which means it has capability of hidding itself from Windows, as well as other processes. If Windows won’t show it to you, most likely your Anti Virus won’t either. You may want to use a rootkit scanner to find it out, there are several free tools available. Keep it mind though that not all rootkit scanners will detect AND let you remove the files.

Personally, I prefer to use a more “hands on” approach: I grab a Linux boot CD (here I use Ubuntu, one of Linux’s several distros) and reboot the PC under the Linux OS. Then I mount the Windows disk, search for the file and voila!

It is there indeed Now I feel free to delete it from the system, and can safely reboot. Bye, bye Rootkit

By the way, the file is effectively malware:

Jerome Segura