Skip to main content
L
lostphone655
500 Points
Trend Micro Helping Hand II
Trend Micro Rising Star
Hotshot

Hotshot

 • 

28 Messages

 • 

790 Points

Friday, March 12th, 2021 6:35 AM

Closed

Resolved

KeyFreeze rootkit

i installed "KeyFreeze" and even though it got a bad rating on virustotal, i foolishly installed it

trend micro and virustotal don't detect the rootkit

after installing, it phones home to a server if it thinks it won't be detected, then windows update is modified to install a bios update, then it modifies the filesystem for remote access

i've been experiencing free space available fluctuations of hundreds of gigabytes and file system access anomalies, such as directories disappearing and reappearing

i believe it has the capability to remotely download files to my pc in hidden partitions/folders

one of the obvious indications that the rootkit is active is a white bar across windows explorer

exiting the program or deleting the original executable has no effect

downloading trend micro's rootkit buster is conveniently unavailable

Problem

 • 

Updated 

3 years ago

218

5

0

Accepted Solution

andrew3000

Neophyte

 • 

2 Messages

 • 

150 Points

3 years ago

KeyFreeze is a legit software and not a malware

2

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

then why does it infect windows explorer?

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

@andrew3000 my apologies, looks like legit software after all. hope you had an awesome friday night

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

3 years ago

0

0

amir

Prodigy

 • 

238 Messages

 • 

5.5K Points

3 years ago

Hi,

are you trend micro customer ?

which products?

4

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

@amir trend micro internet security

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

3 years ago

0

amir

Prodigy

 • 

238 Messages

 • 

5.5K Points

i suggestion use trend micro internet security and ATTK or housecall for Scan .

Also send sample to trend micro support

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

attk shows up as clean (expected, virustotal doesn't detect it)

as it only activates after phoning home, this was also expected

sample has been submitted with engineer name unknown323

3 years ago

0

Brand User
reine_roque

Legend

 • 

739 Messages

 • 

10.2K Points

3 years ago

Hi lostphone655,

 

Where did you download the installer for KeyFreeze? May I know some details for your machine:

  • Current Operating System Version
  • Any specific error message
  • Screenshot of the indication you had described where there's a white bar across windows explorer

How to take a screenshot to send to Trend Micro Technical Support

 

This information will be valuable for us to check your concerns. In the meantime, we will check the software KeyFreeze. Thanks!

 

TM_Reine

3

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

uploading the screenshot just hangs on "preview upload" so it was difficult to upload that screenshot

i downloaded KeyFreeze from sordum.org

3 years ago

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

looks like it's actually a windows bug as described here https://www.youtube.com/watch?v=nMGmUzrFqxE

i guess having 3-6 more people watch over me isn't such a big deal, looks like it's legit software after all

funny about that negative 10 rating on virus total

hope you're all well

3 years ago

0

Brand User
reine_roque

Legend

 • 

739 Messages

 • 

10.2K Points

3 years ago

Hi lostphone655,

 

Have you tried to check if there's an option to Exit Key Freeze from the system tray?

 

keyfreeze menu

 

- TM_Reine

3

0

lostphone655

Hotshot

 • 

28 Messages

 • 

790 Points

apparently it's not keyfreeze and it's a known windows bug with dark mode

3 years ago

0

Brand User
reine_roque

Legend

 • 

739 Messages

 • 

10.2K Points

Thanks for sharing this lostphone655, we'll check the detection of KeyFreeze with Trend Micro. I'll update this thread too.

 

- TM_Reine

3 years ago

0

Brand User
reine_roque

Legend

 • 

739 Messages

 • 

10.2K Points

Just an update about this lostphone655, we did an analysis with KeyFreeze - it's considered a normal file. Thank you for sharing here in the community that you found out it was a possible bug with Windows. 

 

To be sure, my recommendations are to keep your operating system updated and Trend Micro security enabled to prevent any possible malware from infecting your devices. You may also, enable Folder Shield on your specific folders to protect it from any kind of modifications from unknown sources.

 

How Folder Shield Works (Trend Micro Security for Windows)

 

- TM_Reine

 

3 years ago

Need Help?

Ask the Community

Latest Tech Insights

Loading...